New audit standards

A hot topic in the accounting world
centered on the audit reform standards that the American Institute of Certified Public Accountants (AICPA)
issued in March, 2006. The standards (SAS
104 through SAS 111), commonly known
as the risk assessment standards (RAS),
are effective for this year’s calendar year-end audits. They were designed to improve
the audit process, requiring auditors to perform risk assessments for each client,
while tailoring audit procedures to address
specifically identified risks.

According to Andy Kuntz, a CPA with
Briggs & Veselka Co. in Houston, the primary objective of the standards is to
improve the auditors’ application of the risk
model, through a more in-depth understanding of the entity and its environment,
including its internal control and, ultimately,
an improved linkage between the risks and
the nature, timing and extent of audit procedures.

“The objective was a more rigorous and
consistent audit process regardless of the
size or type of entity being audited,” says
Kuntz. “Many have drawn the parallel
between RAS and private companies and
SOX [Sarbanes-Oxley Act] and public companies.”

Smart Business spoke with Kuntz about
the new standards, what they mean, what
challenges they’ll present and how companies can overcome those challenges.

What are some changes companies can expect
to see as a result of the new standards?

First, more thorough information must
be assembled on the nature of your company and its industry and environment in
order to identify risks. Significantly more
work will need to be performed on internal
controls, as well. In the past, our professional standards permitted us to obtain a
basic knowledge of the internal controls,
and then assess control risk at the maximum level. Now, we are required to obtain
a more thorough understanding of the
internal control structure, evaluate if controls are designed appropriately and determine if those controls are implemented.
Then we have an option as to whether we
want to perform specific tests of internal controls or to perform substantive tests.
However, we are required to test controls if
substantive procedures alone are not sufficient to reduce risk.

Additional changes that companies will
notice in future audits are the types of
audit evidence being acquired. Historically,
an auditor may have simply asked someone in the accounting department to
describe a process or an internal control.
The RAS clearly indicate that inquiry alone
is no longer sufficient. Auditors will now
be asking for you to document your internal controls and other procedural items.
Additionally, under the new standards,
auditors are required to perform walk-throughs of certain transaction flows and
corroborate information learned via
inquiry with additional procedures.

Private entities can also anticipate different types of communication during the
course of the audit. Engagement letters,
which are essentially contracts between
auditors and companies, will have revised
language. Auditors will also communicate
some additional information with respect
to known and likely misstatements identified during the course of the audit. Private
companies can also anticipate receiving
additional comments from auditors with
respect to issues or weaknesses in their
internal control structures.

The RAS will require more time in
preparing for and executing the audit. The
audit will likely take longer, which could
translate to higher fees, especially if proactive steps are not taken to document internal controls and ensure they have been
implemented effectively.

What can a company do to prepare for the
changes?

Management needs to understand that
auditing private companies is a whole new
ballgame now. Companies have to be
proactive when it comes to these changes,
and that should start with a meeting with
your auditor. Other steps may include:

  • Document your existing controls and
    ensure they are implemented as documented.

  • Consider testing controls, and formally
    documenting the testing procedures performed, and share this information with
    your auditor.

  • Evaluate your accounting department
    to see if the existing infrastructure is sufficient based on the size and complexity of
    the organization.

  • Look at credit agreements to see what
    covenants are in place and whether there is
    a requirement to provide correspondence
    from your auditor related to internal controls and other matters. Many believe the
    new standards will result in additional
    auditor comments and potentially more
    severe comments which could lead to
    covenant violations and events of default.

  • Finally, determine if an audit is the most
    appropriate service. In certain cases where
    an audit is not needed for an upcoming exit
    strategy, companies have negotiated to
    reduce the requirement from a financial
    statement audit to a financial statement
    review, which are not currently subject to
    the RAS.

Your company can save time, money and
potentially improve the overall control
structure by taking these steps now.

ANDY KUNTZ, CPA, is a principal in the Audit Department at
Briggs & Veselka Co. in Houston. Reach him at (713) 667-9147
or [email protected].