A hot topic in the accounting world centered on the audit reform standards that the American Institute of Certified Public Accountants (AICPA) issued in March, 2006. The standards (SAS 104 through SAS 111), commonly known as the risk assessment standards (RAS), are effective for this year’s calendar year-end audits. They were designed to improve the audit process, requiring auditors to perform risk assessments for each client, while tailoring audit procedures to address specifically identified risks.
According to Andy Kuntz, a CPA with Briggs & Veselka Co. in Houston, the primary objective of the standards is to improve the auditors’ application of the risk model, through a more in-depth understanding of the entity and its environment, including its internal control and, ultimately, an improved linkage between the risks and the nature, timing and extent of audit procedures.
“The objective was a more rigorous and consistent audit process regardless of the size or type of entity being audited,” says Kuntz. “Many have drawn the parallel between RAS and private companies and SOX [Sarbanes-Oxley Act] and public companies.”
Smart Business spoke with Kuntz about the new standards, what they mean, what challenges they’ll present and how companies can overcome those challenges.
What are some changes companies can expect to see as a result of the new standards?
First, more thorough information must be assembled on the nature of your company and its industry and environment in order to identify risks. Significantly more work will need to be performed on internal controls, as well. In the past, our professional standards permitted us to obtain a basic knowledge of the internal controls, and then assess control risk at the maximum level. Now, we are required to obtain a more thorough understanding of the internal control structure, evaluate if controls are designed appropriately and determine if those controls are implemented. Then we have an option as to whether we want to perform specific tests of internal controls or to perform substantive tests. However, we are required to test controls if substantive procedures alone are not sufficient to reduce risk.
Additional changes that companies will notice in future audits are the types of audit evidence being acquired. Historically, an auditor may have simply asked someone in the accounting department to describe a process or an internal control. The RAS clearly indicate that inquiry alone is no longer sufficient. Auditors will now be asking for you to document your internal controls and other procedural items. Additionally, under the new standards, auditors are required to perform walk-throughs of certain transaction flows and corroborate information learned via inquiry with additional procedures.
Private entities can also anticipate different types of communication during the course of the audit. Engagement letters, which are essentially contracts between auditors and companies, will have revised language. Auditors will also communicate some additional information with respect to known and likely misstatements identified during the course of the audit. Private companies can also anticipate receiving additional comments from auditors with respect to issues or weaknesses in their internal control structures.
The RAS will require more time in preparing for and executing the audit. The audit will likely take longer, which could translate to higher fees, especially if proactive steps are not taken to document internal controls and ensure they have been implemented effectively.
What can a company do to prepare for the changes?
Management needs to understand that auditing private companies is a whole new ballgame now. Companies have to be proactive when it comes to these changes, and that should start with a meeting with your auditor. Other steps may include:
- Document your existing controls and ensure they are implemented as documented.
- Consider testing controls, and formally documenting the testing procedures performed, and share this information with your auditor.
- Evaluate your accounting department to see if the existing infrastructure is sufficient based on the size and complexity of the organization.
- Look at credit agreements to see what covenants are in place and whether there is a requirement to provide correspondence from your auditor related to internal controls and other matters. Many believe the new standards will result in additional auditor comments and potentially more severe comments which could lead to covenant violations and events of default.
- Finally, determine if an audit is the most appropriate service. In certain cases where an audit is not needed for an upcoming exit strategy, companies have negotiated to reduce the requirement from a financial statement audit to a financial statement review, which are not currently subject to the RAS.
Your company can save time, money and potentially improve the overall control structure by taking these steps now.
ANDY KUNTZ, CPA, is a principal in the Audit Department at Briggs & Veselka Co. in Houston. Reach him at (713) 667-9147 or firstname.lastname@example.org.