The AICPA's Audit Risk Standards (SAS Nos. 104-111) are
continuing the trend of reworking the landscape of financial statement
audits. These standards are effective for audits of financial statements
for periods beginning on or after Dec. 15, 2006, and affect the way
auditing firms assess the risk of material misstatements in financial
statements.
To gain some insight on the need for, and utilization of, these
standards, California CPA recently interviewed CPA Lynford Graham,
Ph.D., CFE.
As a former member of the AICPA's Auditing Standards Board and
Risk Assessment Standards Task Force, and chair of the Risk Assessment
and Risk Response Audit Guide Task Force, Graham was instrumental in
developing these Audit Risk Standards. A frequent lecturer on the
subject nationwide, Graham also is the author of a handbook on
documenting internal controls for non-public companies.
Q: What were the goals and objectives of the ASB and Risk
Assessment Standards Task Force?
A: The ASB, in coordination with the International Audit and Attest
Standards Board, undertook a joint project in the latter 1990s to
clarify many of the core auditing standards and advance more guidance on
the role and performance of risk assessment. This was in response to
concerns that audits were becoming increasingly risk-based, but there
was a lack of guidance on how to go about the risk assessment process.
There were also concerns that, in some cases, too little audit work
was being done to identify and correct any errors that might exist in
the pre-audit financial statement records.
Auditors of major entities were becoming more reliant on the
seemingly improved and automated systems, and internal audit resources
of these entities.
The role of the Task Force was to coordinate the domestic and
international standards-setting efforts and to make sure the standards
fit well within the existing U.S. audit literature in terms of form and
language.
The disastrous events and audit failures in early 2000 that led to
the Sarbanes-Oxley Act of 2002 are evidence that the project was on
target, but that it was too late to avoid the events of Enron, WorldCom
and the litany of business and audit failures in that time period.
SAS No. 99, Consideration of Fraud in a Financial Statement Audit
(a revision of SAS No. 82), was originally part of the group of risk
assessment standards, but was pulled out of the "suite" and
issued as final in early 2002, in response to the stormy climate that
was brewing.
While released for exposure here and internationally in 2002, the
formation of the PCAOB in 2002 created a pause in the implementation of
these standards, pending the formation of the PCAOB and conversations as
to how the ASB and PCAOB would work together.
When it was clear that the PCAOB would go its own way in future
standards setting, the ASB reorganized the Task Force, tuned up the
proposed risk assessment "suite" and re-exposed the standards
in 2005.
Q: What were the goals and objectives of the Risk Assessment and
Risk Response Audit Guide Task Force?
A: The Guide was envisioned as key to the effective implementation
of the standards. Words in the auditing standards are carefully
considered results of Task Force and ASB discussions, but professionals
need a clear understanding of their meaning. The ASB's Audit Guide
is the way to do this.
Q: How revolutionary are these standards?
A: Tough question. Much of the answer depends on what you have been
doing in your audits all along.
The standards mostly clarify the intent of existing standards. Many
firms have been successfully using the concepts in these new standards
for a long time. For example, using audit assertions as an integral part
of the audit planning and performance of the audit is not new. Neither
is the assessment of controls as part of understanding the audited
entity. That requirement extends to before SAS No. 55.
There are only a few "new" concepts, such as the
identification of "significant risks" for audit engagements,
which was not part of the auditing literature before, but were still
practices of some firms before SAS No. 109. In any case, the extent of
change these standards will bring will differ from firm to firm.
Q: What are the implementation areas that firms are struggling
with?
A: The requirement to assess internal controls design and
implementation for audit clients seems to be giving some firms
consternation. While not a new concept, this assessment was often
glossed over for smaller client audits where controls reliance was not
planned.
Clarifying this requirement creates a need for broad understanding
of the COSO framework and its components, how control objectives or
attributes are used to assess controls design, and how to identify any
obvious "holes" in the internal controls of an entity.
Concerns are out there that this is a Sarbanes approach, which it
is not. SAS No. 78 put the COSO framework clearly in our literature long
ago, before SOX. The "suite" requirement is only to assess the
design of controls and there is no requirement to test them.
In addition, the controls requirements can be limited to the most
significant control activity processes, like sales, major cost processes
and payroll, and maybe the consolidation and closing process. SOX
requirements are much more extensive and require controls testing.
Reporting material weaknesses and significant deficiencies in
controls, in writing, to the governance group is also an area of
attention and concern. While not officially in the suite, SAS No. 112,
Communicating Internal Control Related Matters Identified in an Audit,
works with SAS No. 109 to ensure internal control matters are identified
and communicated.
More issues will be identified as more attention is given to
controls under SAS No. 109. As Yogi Berra is quoted as saying,
"It's amazing what you see when you look."
The number of disputes over "who is responsible" for what
and "who told whom what, and when" are rising, especially on
non-issuer engagements. Documentation of such matters can clarify the
communications.
Q: Are these primarily large client or large firm standards? Will
these standards make it harder for small firms to compete?
A: The standards are not focused on just large entity audits. The
ASB is focused on the standard's needs of the smaller firms and
smaller clients, even though many non-issuers are larger entities,
including governments. However, audits of smaller entities are not
supposed to be a second-class service compared with audits of larger
entities. By clarifying the standards, all firms will compete on an
equal footing, and not by re-defining what constitutes an audit under
Generally Accepted Auditing Standards.
A 2006 Certified Fraud Examiners survey revealed the median size of
reported fraud in entities of less than 100 employees is $190,000. How
many businesses of that size can withstand losing that amount of money
and survive?
Auditors need to be reminded that our professional responsibility
is to design our audit to detect and prevent material misstatement in
the financial statements, whether due to error or fraud. Can nonprofit
entities withstand allegations of waste and fraud and still attract
contributions? Will the IRS challenge the tax-exempt status of
organizations that do not keep adequate books and records and have
proper internal controls in place? Will governments provide grants to
entities without adequate controls? We need to step up to the plate in
this regard.
What auditors sometimes do not realize is that the standards have a
defensive element. By following the standards as written and intended,
the auditor will identify more critical audit issues and avoid costly
mistakes that, farther down the road, can threaten their own business
viability.
By not following the standards, auditors are more exposed to
missing these critical issues and are exposed to peer review sanctions
and auditor liability. There are a lot of auditor-client disputes and
litigations that take place under the radar screen because they
don't involve public disputes.
The professional standards are crafted to communicate best audit
practices and detective procedures that have been effective in
identifying and correcting errors, and yet allow for auditor judgment.
The AICPA is committed to enforcing the implementation of the risk
assessment suite of standards in its peer review program.
Q: Was your appointment to the ASB your first standards setting
experience?
A: No. Back in the late 1970s, when at Coopers & Lybrand, I was
appointed to the Statistical Sampling subcommittee working on SAS No.
39, Audit Sampling. I also served as an adviser and later a Task Force
member to the Audit Risk and Materiality standard (SAS No. 47). I sense
my historical perspective on these two keystone standards was helpful to
the ASB in the revisions to these standards.
In the national audit policy groups of Coopers & Lybrand and
BDO Seidman LLP, I've also been involved in various auditing
standards projects over the years. It was a hoot to serve on the IAASB
Task Force on Materiality and Risk and be part of their deliberations on
those issues.
Q: What is being done to get the word out regarding these
standards?
A: There is a multi-point plan to communicate and educate
practitioners:
* The AICPA "suite" Guide and several Audit Risk alerts
are primary guidance tools to assist in defining the requirements.
* The AICPA developed several courses related to the risk suite.
One specifically addresses internal controls to assist company auditors
in implementing controls documentation for non-issuers. There have also
been several AICPA webcasts.
* The Journal of Accountancy has run two articles directed at the
suite that are designed to communicate an overview of the SASs,
including SAS 103.
* The risk assessment suite was a topic at all major AICPA
conferences in 2006 and again in 2007.
* The major vendors of CPA materials are releasing practice aids
and guidance.
* The AICPA is marketing an internal controls software program
called ControlsDoc(SM) designed around the COSO framework to assist
companies in documenting their controls. ControlsDoc(SM) can also be used
by auditors to document their understanding of client controls. It can
be flexibly and economically used for non-issuer audits or for SOX
engagements in smaller public companies. More information can be
obtained at www.cpa2biz.com or www.cobre.com.
* This summer I have a book coming out, Internal Controls: Guidance
for Private, Government and Nonprofit Entities, which helps companies
understand how to document their controls and helps to bridge the
auditor-client issues in controls assessment and testing. It is
specifically directed to non-issuer entities. I also co-authored with
Xenia Parker the 2007 edition of Information Technology Audits, a
reference work for auditors assessing IT issues, one of the control
elements the new SASs require auditors to include in their controls
assessments. The work was updated to include the new SASs as well as for
audits of internal control (PCAOB Standard No. 5).
Q: What do CPAs need to understand most clearly about the
standards?
A: Many of the new requirements will require a real first-year
effort to get up and running. The maintenance in year two, and beyond,
of well-implemented changes will not be that hard or expensive.
The changes we are talking about will benefit practitioners and
clients in creating value in the audit.
By embracing the requirements and developing a plan for
cost-effective implementation and integration into their practices,
firms will be protecting themselves and the profession--helping third
parties see the value of the audit and preserving the value the audit
brings to the financial reporting process.
And if we do not take up the challenge, further changes in the
profession will be forthcoming.
COPYRIGHT 2007 California Society of Certified Public Accountants.
Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights
reserved. Gale Group is a Thomson Corporation Company.