New Audit Standards Bring a Change to Your Game Plan

By Roger D. Johnson, CPA

Change and ever-evolving professional standards have been constant in my 32 professional years, and it neither started in 1974, nor did it end in 2006. Major changes to auditing standards are occurring, with some having effective dates as early as audits with years ended Dec. 31, 2006. This article is designed to alert you to these major changes and to advise you of other recently issued standards that have been disregarded too frequently.

Audits With Periods Ended On or After Dec 15, 2006

SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, supersedes SAS 60 to now require written communication to management and those charged with governance of identified control deficiencies that are significant deficiencies or material weaknesses in internal control. These definitions will most likely result in more control deficiencies being reported as at least “significant deficiencies” than were previously communicated as “reportable conditions.” Of course, one of the most common deficiencies noted will be the lack of segregation of duties. The SAS requires this communication. To read this standard, which includes sample letters, go to www.aicpa.org and under search options, choose from professional resources, accounting and auditing, audit and attest standards, authoritative standards for non-issuers and statements on auditing standards.

The appendix to this standard states that there would be a deficiency in the design of controls if “the person responsible for the accounting and reporting function lacks the skills and knowledge to apply generally accepted accounting principles in recording the entity’s financial transactions or preparing its financial statements.” This is not ambiguous, and its frequency of occurrence is likely to be high. Confusion about the ramifications of this statement has already developed. Whether the auditor does or does not assist in drafting the financial statements and notes for the client is irrelevant to whether there is an internal control deficiency. It does not matter who drafts the financial statements. What matters is the client’s system of internal control over financial reporting and whether the client has controls to prevent or detect material misstatements, from the recording of a transaction through the preparation of the financial statements and related disclosures.

It is also important to note that not all controls have to exist throughout the year, but only when that control is needed. For example, a client may prepare interim financial statements without disclosures and without all normal accruals adjusted. This would not represent a control deficiency because it was not the client’s intent to prepare GAAP financial statements. What is important is whether there are effective controls when financial statements subject to audit are being prepared. If a client has appropriate controls over predominately cash basis accounting records but the financial statements are prepared on the accrual basis in accordance with GAAP, there most likely will be control deficiencies if the client has no controls over the conversion. To further illustrate, a client may have a knowledgeable person who has the accounting expertise to maintain accrual accounting records and sufficient expertise to draft the financial statements and the notes but for various business reasons still asks the auditor to assist in that function. As long as the client has the controls in place to be able to prevent and detect misstatements in the financial statements and notes and those controls are effective, there would not be a control deficiency.

Alternatively, some clients may choose to outsource this function. Outsourcing is certainly a way for an entity to strengthen its controls when it does not have the expertise otherwise available. However, the client does not have to outsource this process, and this standard does not suggest that the auditor could not or should not assist the client in drafting the financial statements. There will be some clients who decide the cost of having sufficient controls is not worth the benefit, and they will accept having a deficiency noted in a written communication. It is important that the client understands the risks, if any, in the written communication and that they make an informed decision on how best to respond to those risks. The major points to remember are:

• The auditor cannot be part of the client’s system of internal control because it would impair the auditor’s independence.
• What the auditor does (or does not do) is irrelevant to and independent of the client’s system of internal control over financial reporting. What the auditor does is not a mitigating or compensating control.
• Internal control over financial reporting encompasses controls over the preparation of the financial statements and notes. An effective system of internal control over financial reporting does not stop with the “general ledger” or electronic accounting records that serve the same purpose as a general ledger.
• Having the client designate an individual who possesses suitable skill, knowledge and/or experience as set forth under AICPA Ethics Interpretation 101-3 is not a control. The control is the person’s review of the work and whether that review would prevent or detect a misstatement.
• No two clients or situations will be exactly alike since every client’s system of internal control over financial reporting will be different. Professional judgment is paramount, especially in evaluating compensating controls. There are no automatic answers.
• The standard does not require the auditor to detect control deficiencies, but it does require the auditor to evaluate a control deficiency if he or she identifies one as a result of the audit. In practice, the auditor will almost certainly identify whether or not the client has appropriate controls over financial statement preparation.

The AICPA has issued a risk alert that has a number of case studies dealing with typical small business situations. To obtain a copy, visit www.cpa2biz.com and enter product number 022536 in the search field.

SAS No. 103, Audit Documentation, supersedes SAS No. 96 of the same name and changes and expands current documentation requirements. Included in this SAS is a minimum file retention period of five years from the report release date (unless statutes or other requirements specify a longer period of time). In addition, the final assembly of the audit file should be within 60 days following the report release date, unless statutes or regulations specify a shorter time frame. The SAS also triggers a major change in the date of the auditor’s report. Currently, auditors’ reports are dated as of the last day of fieldwork. The new standard states that “the auditor’s report should not be dated earlier than the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. Among other things, sufficient appropriate audit evidence includes evidence that the audit documentation has been reviewed and that the entity’s financial statements, including disclosures, have been prepared and that management has asserted that it has taken responsibility for them.” This may extend the report date and the related required testing for events occurring after field work and will require careful dating of and receipt of the management representation letter prior to issuing the final audit report. Firms should only issue draft audited financial statements to clients until the signed management representation letter is received.

SAS No. 102, Defining Professional Requirements in Statements on Auditing Standards, was effective upon issuance in December 2005. “Unconditional requirements” (auditor is required to comply) are indicated by the words “must” or “is required.” “Presumptively mandatory requirements” (except in rare instances, auditor is required to comply in all circumstances to which the presumptively mandatory requirement applies) are indicated by the word “should.” New standards and eventually all audit standards will use these terms. Auditors sometimes represent (usually when challenged) that an audit standard was not followed because its application was immaterial or inconsequential in the circumstances. SAS 102 will substantially eliminate these situations unless this conclusion was correctly reached (and suitably documented) concurrent with performing the audit.

Audits of Financial Statements for Periods That Begin On or After Dec. 15, 2006 

SAS No. 104 – No. 111, Risk Assessment Standards, may result in significant changes to a firm’s audit methodology and must be carefully studied. An audit risk alert, Understanding the New Auditing Standards Related to Risk Assessment, is available at www.cpa2biz.com (product number 022526). These eight standards affect every audit performed by every firm. Accordingly, a firm with even one audit engagement should acquire this alert and understand its application, ensure its practice aids are updated and understood and include continuing professional education (CPE) on the risk standards in each auditor’s 2007 CPE plan. A July 2006 Journal of Accountancy article, “Assessing and Responding to Risks in a Financial Statement Audit,” is an excellent discussion of the requirements and various implementation suggestions for these new standards. The AICPA’s new audit guide, Assessing and Responding to Audit Risk in a Financial Statement Audit, provides both authoritative and non-authoritative guidance on applying the audit risk standards. The audit guide is available at www.cpa2biz.com (product No. 012456).

Recent Changes in Standards for Review and Compilation Services

The revised standards discussed above affect only audits of financial statements. There are now in excess of 150 official pronouncements of the Financial Accounting Standards Board (FASB). These principles apply to all financial statements to which their subject relates and that are presented in accordance with generally accepted accounting principles, even when the associated accounting service is a review or compilation. There are principles and standards-setting bodies other than the FASB, its companion body the Governmental Accounting Standards Board (GASB) and the AICPA’s Auditing Standards Board (ASB), the issuer of the SASs discussed above.

A discussion of all recently-issued principles or standards by these or other bodies is well beyond the scope of this article. However, there are at least seven other standards frequently misapplied (at best) in firms that have recently undergone peer reviews that are worthy of mention. A substantial portion of these firms do not have an audit practice. It’s a mistake, however, to conclude that forgoing audits of financial statements reduces the need to monitor changes in professional standards. The first six of these standards are pronouncements of the AICPA’s Accounting and Review Services Committee (some not so recent, but clearly less than universally understood), and the seventh is an AICPA ethics ruling, Interpretation No. 101-3 (also no longer new and too frequently unknown or misapplied). These standards and related guidance are available at www.cpa2biz.com

1. SSARS No. 9 Omnibus Statement on Standards for Accounting and Review Services – 2002: provides guidance on communication between a predecessor and successor accountant when the successor accountant decides to communicate with the predecessor accountant regarding accepting an engagement to review or compile financial statements.
2. SSARS No. 10 Performance of Review Engagements: an expansion of previous guidance on analytical procedures, inquiries and other review procedures, including a provision to inquire regarding fraud in a review engagement and to require management representations regarding fraud; and to provide guidance for working paper documentation in a review engagement.
3. SSARS No. 11 Standards for Accounting and Review Services: directs that the SSARS provide a measure of quality and the objectives to be achieved in a compilation or review engagement; clarifies the requirement for the accountant to have sufficient knowledge of the SSARS to identify those that are applicable to an engagement; and specifies that the accountant should be prepared to justify departures from the SSARS.
4. SSARS No. 12 Omnibus Statement on Standards for Accounting and Review Services – 2005: requires the accountant (a) to establish an understanding with the client, preferably in writing, that the accountant will inform the appropriate level of management of any evidence or information that comes to the accountant’s attention that fraud or an illegal act may have occurred and (b) to report to management any such evidence or information; and defines “fraud” and “illegal acts” for purposes of the statement.
5. SSARS No. 13 Compilation of Specified Elements, Accounts or Items of a Financial Statement: expands SSARS engagement arrangement, performance and reporting requirements that apply when an accountant is engaged to compile or issues a compilation report on one or more specified elements, accounts or items of a financial statement (such as a schedule of rentals, royalties, profit participation or provision for income taxes).SSARS No. 13 Compilation of Specified Elements, Accounts or Items of a Financial Statement: expands SSARS engagement arrangement, performance and reporting requirements that apply when an accountant is engaged to compile or issues a compilation report on one or more specified elements, accounts or items of a financial statement (such as a schedule of rentals, royalties, profit participation or provision for income taxes).
6. SSARS No. 14 Compilation of Pro Forma Financial Information: expands SSARS to apply when an accountant is engaged to compile or issues a compilation report on pro forma financial information, which presentations by definition are not financial statements.
7. Ethics Rule 101-3 Performance of Nonattest Services: revised January 2005, provides detailed answers to the most frequently asked questions regarding performing nonattest services for attest clients (which include review and compilation clients).

The AICPA Peer Review Program is designed as educational and remedial. Too often the “educational” goals are achieved only after a firm is surprised during its peer review to learn about recently issued professional standards. If a firm first learns about a critical standard during the peer review, it has often not been applied on engagements subject to the review. Unfortunately, that sometimes leads to the “remedial” aspect of the program. This article, although it barely scratches the surface, is designed to help firms and practitioners avoid remediation that might otherwise develop as a result of these standards and these firms’ reviews after 2006. All public accounting professionals should stay abreast of all standards that affect their firms and clients. There are a variety of ways to do this, and certainly a preferred way involves carefully choosing appropriate continuing professional education (CPE) programs. If you are unfamiliar with the standards discussed above, your 2007 CPE plan should respond to this need.

About the Author 

Roger D. Johnson, CPA, is the technical reviewer for the Tennessee Society of CPAs Peer Review Committee. He can be reached at rjohnson@tscpa.com.

(Reprinted with permission by the Tennessee Society of CPAs.)