Audit rules hit private companies

If you are the CEO or a CFO of a private
company, beware the wrath of Sarbanes-Oxley (SOX). In the post-Enron era, the heavily criticized American Institute of
Certified Public Accountants (AICPA) has
issued audit reform standards that will
affect private companies. The eight new
standards will be effective for audits of
financial statements for periods beginning
on or after Dec. 15, 2006.

The new standards require auditors to
look more carefully at every organization’s
financial reporting process and business
environment, and they require auditors to
obtain more evidence before rendering an
opinion on the financial statement.

“We are moving toward having the same
types of internal controls in private companies as are required of public companies,”
says Sam Salty, audit manager with Haskell
& White LLP. “Auditors can no longer
merely inquire about the controls; we have
to test them.”

Smart Business spoke with Salty about
the impact of the suite of new standards on
companies and organizations and how
CEOs can prepare for the changes.

What audit changes will affect private companies?

There are eight major provisions designed
by AICPA — SAS 104 through SAS 111 —
that will affect the audits of private companies. The impetus behind the provision
changes is to drive more effective audits
and to enhance the auditor’s application of
the audit risk model in practice.

The provisions establish standards and
provide guidance concerning the auditor’s
assessment of the risks of material mis-statement in a financial audit. In addition,
the new standards provide guidance on
planning and supervision, the nature of
audit evidence, and evaluation of whether
the audit evidence is strong enough to support the auditor’s opinion on the financial
statements under audit.

How will these changes affect the way audits
are conducted?

Auditors will no longer be able to rely on one-size-fits-all checklists. They will need
to customize each audit and prioritize their
time according to the risks of the business.
Depending on the auditor’s judgment about
a financial statement’s level of risk, more
experienced members may be necessary
on the audit team.

Simply stated, audits will be more thorough.

As an example, one of the major changes
is that SAS 104 expands the definition of
‘reasonable assurance.’ In the past, auditors were required to collect enough evidence to be reasonably assured of the audit
findings as a way to limit audit risk. Now
the auditor must obtain a higher level of
assurance by looking at more evidence.

Essentially, auditors will need to perform
more testing and they will need to see evidence that internal controls are documented and implemented. In the past, we gained
an understanding of the existence of internal controls and only for audit planning
purposes. Now, gaining an understanding
is not sufficient and documentation alone
is not enough. We now must evaluate the
design of internal controls and decide if
they have been implemented.

The new standards effectively eliminate
the ability of the auditor to assess risk
related to controls at a maximum level without having a basis for the assessment.
Audits may become a bit more time-consuming, but there are steps that can be
taken to help reduce the time and cost of
upcoming audits.

How will SAS 104 through SAS 111 require
the auditor to examine the business risk from
new perspectives?

The auditor is now required to examine
how the business compares to other businesses or competitors in the same industry
as part of the documentation that supports
the auditor’s risk assessment of the business. In addition, the auditor will dive
deeper into an analysis of the skill level and
the tone set by the management team in
order to assess the organization’s internal
control environment.

How can CEOs and their auditors prepare for
these changes?

Document your existing controls and
make certain they are in place. Tasking
small steps like designing flow charts of
your control processes before the auditor
arrives will not only save time and money
once the audit begins, but the mapping
process itself may expose gaps in your
processes so that CEOs have the opportunity to take the necessary steps to close the
gaps.

Consider having an audit planning conference with your auditor to know how to
collect the documentation necessary for
the new audit process. Not only will you
save on billable hours once the auditor
arrives, you can avoid costly rework resulting from the need to restate the documentation or capture the information once the
audit has commenced.

While controls in smaller organizations
can be less formal, they must be equally
effective. By starting now and talking with
your auditor about what will be required,
you will be able to save time, money and
headaches once audit time rolls around.

SAM SALTY is an audit manager with Haskell & White LLP.
Reach him at (949) 450-6359 or [email protected].