If you are the CEO or a CFO of a private company, beware the wrath of Sarbanes-Oxley (SOX). In the post-Enron era, the heavily criticized American Institute of Certified Public Accountants (AICPA) has issued audit reform standards that will affect private companies. The eight new standards will be effective for audits of financial statements for periods beginning on or after Dec. 15, 2006.
The new standards require auditors to look more carefully at every organization’s financial reporting process and business environment, and they require auditors to obtain more evidence before rendering an opinion on the financial statement.
“We are moving toward having the same types of internal controls in private companies as are required of public companies,” says Sam Salty, audit manager with Haskell & White LLP. “Auditors can no longer merely inquire about the controls; we have to test them.”
Smart Business spoke with Salty about the impact of the suite of new standards on companies and organizations and how CEOs can prepare for the changes.
What audit changes will affect private companies?
There are eight major provisions designed by AICPA SAS 104 through SAS 111 that will affect the audits of private companies. The impetus behind the provision changes is to drive more effective audits and to enhance the auditor’s application of the audit risk model in practice.
The provisions establish standards and provide guidance concerning the auditor’s assessment of the risks of material mis-statement in a financial audit. In addition, the new standards provide guidance on planning and supervision, the nature of audit evidence, and evaluation of whether the audit evidence is strong enough to support the auditor’s opinion on the financial statements under audit.
How will these changes affect the way audits are conducted?
Auditors will no longer be able to rely on one-size-fits-all checklists. They will need to customize each audit and prioritize their time according to the risks of the business. Depending on the auditor’s judgment about a financial statement’s level of risk, more experienced members may be necessary on the audit team.
Simply stated, audits will be more thorough.
As an example, one of the major changes is that SAS 104 expands the definition of ‘reasonable assurance.’ In the past, auditors were required to collect enough evidence to be reasonably assured of the audit findings as a way to limit audit risk. Now the auditor must obtain a higher level of assurance by looking at more evidence.
Essentially, auditors will need to perform more testing and they will need to see evidence that internal controls are documented and implemented. In the past, we gained an understanding of the existence of internal controls and only for audit planning purposes. Now, gaining an understanding is not sufficient and documentation alone is not enough. We now must evaluate the design of internal controls and decide if they have been implemented.
The new standards effectively eliminate the ability of the auditor to assess risk related to controls at a maximum level without having a basis for the assessment. Audits may become a bit more time-consuming, but there are steps that can be taken to help reduce the time and cost of upcoming audits.
How will SAS 104 through SAS 111 require the auditor to examine the business risk from new perspectives?
The auditor is now required to examine how the business compares to other businesses or competitors in the same industry as part of the documentation that supports the auditor’s risk assessment of the business. In addition, the auditor will dive deeper into an analysis of the skill level and the tone set by the management team in order to assess the organization’s internal control environment.
How can CEOs and their auditors prepare for these changes?
Document your existing controls and make certain they are in place. Tasking small steps like designing flow charts of your control processes before the auditor arrives will not only save time and money once the audit begins, but the mapping process itself may expose gaps in your processes so that CEOs have the opportunity to take the necessary steps to close the gaps.
Consider having an audit planning conference with your auditor to know how to collect the documentation necessary for the new audit process. Not only will you save on billable hours once the auditor arrives, you can avoid costly rework resulting from the need to restate the documentation or capture the information once the audit has commenced.
While controls in smaller organizations can be less formal, they must be equally effective. By starting now and talking with your auditor about what will be required, you will be able to save time, money and headaches once audit time rolls around.
SAM SALTY is an audit manager with Haskell & White LLP. Reach him at (949) 450-6359 or firstname.lastname@example.org.