Mobile Edition
Print
Get the Mag
Weekly UpdatesIn December 2005, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants issued Statement on Auditing Standards (SAS) No. 103, Audit Documentation. Two months later, in February 2006, the ASB released a set of eight pronouncements (SAS Nos. 104111) dealing with various aspects of the assessment of risk in a financial statement audit that are commonly referred to as the "risk-assessment suite." May of that same year saw the release of SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit. Normally, the issuance of new auditing standards is largely, if not exclusively, of concern to audit professionals. These 10 pronouncements, however, should be of interest to a much broader audience because of their potential impact on those being audited. This article will explore SAS Nos. 103-112 uniquely from this latter perspective.
A NEW DATE FOR THE AUDITOR'S REPORT AND ITS PRACTICAL IMPLICATIONS (SAS NO. 103)
From the vantage point of those being audited, the most relevant feature of SAS No. 103 is undoubtedly the change in the date of the independent auditor's report. The date of the auditor's report is important because it can affect the amount of audit work that must be performed. Prior to the report date, the auditor is responsible for actively seeking out all information relevant to the fair presentation of the financial statements. After that date, the auditor need only be alert to newly available information.
Prior to SAS No. 103, the independent auditor's report was dated as of the completion of field work, which, in practice, might precede the actual release of the report by several weeks (if not months). In contrast, the new standard directs the auditor to refrain from dating the report until the audit is substantially complete:
Simply put, the independent auditor's report henceforth normally will bear the date it is delivered to the entity under audit. Since auditors are responsible for actively seeking out new audit evidence that may become available prior to that time, delays in completing the final stages of the audit will increase the likelihood that the auditor will need to perform additional procedures to stay current, which could increase audit fees. Therefore, it is more important than ever for governments to do everything in their power to facilitate the timely completion of the audit. (1)
SAS 103 took effect starting with fiscal years that ended December 31, 2006.
A NEW APPROACH TO RISK ASSESSMENT AND ITS PRACTICAL IMPLICATIONS (SAS NOS. 104-111)
The clear trend in recent years has been for independent auditors to take a more "risk-oriented" approach to performing the financial statement audit. SAS Nos. 104-111 now mandate that approach. To understand the implications of the new standards, some brief background information on audit theory may be helpful.
Financial statements are essentially representations by management concerning an entity's finances (e.g., the entity had $X cash as of the close of the period; revenue of the period amounted to $Y, debt service principal payments in each of the next five years will be $Z). Each such representation involves a number of implied assertions. For example, if government reports $X dollars of equipment on its statement of net assets, it effectively is asserting that 1) the equipment really is there (i.e., existence), 2) the government actually owns it (i.e., rights and obligations), 3) the amount reported includes all of the government's equipment (i.e., completeness), and 4) the dollar amount reported for the equipment is correct (i.e., valuation and allocation). Similar implied assertions have been identified for transactions and events reported in a statement of changes and for data disclosed in the notes to the financial statements.
The role of the independent auditor is to provide potential users of the financial statements with reasonable assurance that those statements can be relied upon as a basis for decision making. Note that the auditor's goal is not to ensure that each individual item reported is 100 percent accurate, but rather that that financial statements are free from misstatements that are so material (i.e., significant) that they could lead a financial statement reader to make a different decision or reach a different conclusion than if the misstatement had not been present. The financial statement audit is the process whereby the independent auditor obtains the evidence necessary to support an opinion whether the financial statements are, in fact, free of such material misstatements.
Some audit procedures are designed to provide direct evidence for financial statement assertions (i.e., substantive procedures). For example, an auditor will contact the bank to confirm the balance in an entity's bank account at the end of the fiscal period. Other audit work is designed to produce evidence that is more indirect, focusing on the reliability of the systems and procedures used to produce data rather than on the reliability of specific data elements (i.e., tests of controls). For instance, auditors ordinarily will test compliance with the various procedures used to process purchases. There is, of course, no completely adequate substitute for direct evidence; therefore, while tests of controls can limit the extent of substantive procedures, they can never replace them.
Auditing standards have long required auditors to obtain an understanding of an entity's internal control as part of the audit planning process. Until now, this requirement commonly has been understood as being primarily aimed at justifying an eventual decision by the auditor to rely upon tests of controls to limit the extent of substantive procedures. Consequently, auditors who did not intend, for one reason or another, to rely upon tests of controls to limit the extent of substantive testing (e.g., anticipated unreliability of those controls, experience) considered themselves free to reduce efforts at gaining an understanding of internal control to a bare minimum.
The new risk-assessment suite of auditing standards fundamentally alters how auditors henceforth are to view the requirement that they gain an understanding of an entity's internal control. First, the new standards substantially broaden the requirement from "gaining an understanding of internal control" to "gaining an understanding of the entity and its environment, including its internal control" Second, the risk-assessment suite standards take the position that it simply is not possible for an auditor meaningfully to assess the risk of material misstatement for a given set of financial statements without the benefit of this broader, environmental perspective. That is, gaining an understanding of the entity's environment, including its internal control, is no longer seen primarily as a matter of efficiency (i.e., a practical way to potentially limit the extent of substantive procedures) but as one of effectiveness. Indeed, the new standards go a step further and actually classify the process of gaining an understanding of the entity and its environment, including its internal control, as a substantive procedure in its own right for which there is never an adequate substitute. The key practical effects of this change are as follows:
* Auditors will now have to document not just an entity's internal control, but the broader environment in which the entity operates;
* The intent not to rely upon tests of controls to limit the extent of substantive tests will not eliminate the need to gain a solid understanding of the entity and its environment, including internal control; and
* Because every entity's environment will be different, it is unlikely that auditors would be able to justify relying exclusively on standardized audit programs.
The new risk-assessment auditing standards also impose substantial new procedural and documentation requirements. As explained earlier, the independent auditor's objective is to provide reasonable assurance that the financial statements are free of material misstatements. In the past, auditors enjoyed considerable flexibility in how they arrived at this conclusion and documented it in their working papers. From now on, the auditor will need to explicitly assess and document the risk of material misstatement both 1) from the perspective of the financial statements as a whole and 2) from the perspective of each of the assertions applicable to various financial statement items.
All auditors, including those who have already adopted a more risk-oriented approach, are likely to incur substantial additional costs to comply with the new requirements, especially regarding documentation. An informal poll of a number of firms that perform audits of governments that participate in GFOA's Certificate of Achievement for Excellence in Financial Reporting Program found general agreement that costs for auditors are normally likely to increase by 10 to 15 percent. Therefore governments should be prepared to face increased audit costs in the near future. At the same time, they should exercise professional skepticism at proposed increases substantially in excess of the range just mentioned.
SAS Nos. 104-111 will take effect starting with fiscal years that end December 31, 2007.
A NEW APPROACH TO REPORTING DEFICIENCIES AND ITS PRACTICAL IMPLICATIONS (SAS 112)
At first glance, SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, appears to do little more than change some of the language used to describe deficiencies uncovered in the course of an audit to conform to the terminology set for private-sector companies by the Public Company Accounting Oversight Board established by the Sarbanes-Oxley Act. However, from the point of view of entities being audited, the most significant change is the specific identification of some commonly encountered situations as constituting, at a minimum, significant deficiencies that must be reported. Examples include the following:
FEED