The enactment of the Sarbanes-Oxley Act of 2002 has spurred heavier regulation in the auditing industry. A new auditing standard, SAS 112, affects how auditing work is conducted. Among other things, SAS 112 redefines the types of internal control issues that are reportable.
Companies of all sizes need to be familiar with the new standard and its implications, says Wade McMullen, partner at Vicenti, Lloyd & Stutzman LLP. “Things that might not have been a problem in the past will now become a problem in terms of reporting on internal controls. The bar has been lowered on what is considered a significant deficiency.”
Smart Business spoke with McMullen about SAS 112, how the standard relates to business risk and how companies should prepare for it.
What is SAS 112?
It is a statement that Certified Public Accountants are required to follow on auditing standards. The statement, issued by the American Institute of Certified Public Accountants, gives auditors new guidance on how to communicate internal control matters. SAS 112 also provides some new definitions.
When does this auditing standard become effective?
SAS 112 becomes effective for financial periods ending on or after Dec. 15, 2006. For most businesses operating on a calendar-year basis, it would be effective for last year. For most nonprofit entities, it would be effective for this year.
What accounting procedures will change as a result of SAS 112?
It will make accounting procedures more important in terms of internal controls and the checks and balances that need to be implemented. Also, it’s going to affect the documentation of those procedures. In the past, documentation has been much more informal. Not everything was necessarily written down. Now, procedures need to be documented so that they can be reviewed by an auditor.
How does the new standard relate to business risk?
Worst case, this new standard makes it possible for a business to receive an adverse opinion on its financial statements if an auditor is unable to get reasonable assurance about effective internal controls.
But in general, with the new SAS 112 standard, internal controls are becoming a larger part of what is expected of businesses. Internal control issues will affect stakeholders’ opinion about a business, and more stakeholders might be interested in internal controls than were before.
How should companies prepare for implementing SAS 112?
First, they should talk to their auditing firm or conduct research about the new requirements so that they will fully understand SAS 112 and its implications. With the new standard, it’s now getting to the point of ‘what could go wrong’ rather than ‘what did go wrong.’ In other words, the possibility of a potential problem with internal controls could be nearly as damaging as an actual problem that is found. This can be combated by formulating an action plan that can be phased in over a number of years.
Also, a company should look at its financial closing process and examine what types of internal controls are in place.
Finally, the company should manage the expectations of insurers, creditors, rating agencies and board members (if applicable), and let them know about the potential issues that might arise from the new standard.
In what ways has the auditing process changed since the advent of the Sarbanes-Oxley Act?
More work is required to complete an audit. The amount of audit evidence that needs to be obtained is greater and documentation requirements are more stringent. Also, the new auditing standards are bringing all companies into a more regulated environment.
Sarbanes-Oxley started out primarily for public companies, but there has been a big trickle-down effect and now even private companies and nonprofit organizations are being affected. SAS 112 is another way in which the rest of the business world is coming into conformity with what has been asked of public companies with Sarbanes-Oxley.
WADE MCMULLEN is a partner at Vicenti, Lloyd & Stutzman LLP. Reach him at firstname.lastname@example.org or (626) 857-7300.