Accounting and Taxes | "Accounting and Tax" Archive

New auditing standards include some Sarbanes-Oxley requirements

by Peter Alfele
for Virginia Business
July 1, 2007

Private companies are feeling the effects of Sarbanes-Oxley in new auditing standards.

Early in 2006, policy makers for auditors of non-public companies set new standards that introduced a comprehensive audit methodology that differs significantly from the way audits have been performed for the past three decades.

The Enron scandal combined with other high-profile business frauds and failures forced the auditing profession to re-examine the methodologies used to audit financial statements. In 2002, Congress passed the Sarbanes-Oxley Act, which resulted in a greatly expanded set of audit procedures, especially with regard to internal controls.

That law was applicable only to publicly traded companies, but now, some of the best ideas of Sarbanes-Oxley have been incorporated into auditing standards for all other entities. The new auditing standards will affect auditors of privately held companies, not-for-profit organizations, state and local governments, and others who do not file with the SEC.

The goal of the new standards is simple: to maintain the integrity of the audit process by responding to the evolving needs of financial statement users.

Adapting to a changing business environment
Business models have evolved rapidly in the last decade. For example, the use of e-commerce, the outsourcing of business operations overseas, and the use of complex financing techniques have changed the way businesses operate and the risks they face. These changes no longer are restricted to larger companies - smaller, privately held organizations have been forced to change to stay competitive.

This dynamic business world requires an audit process that can adapt easily to changing circumstances. A fundamental feature of the revised audit process is its ability to adapt to the unique facts and circumstances of businesses.

The new audit process requires auditors to -

• Obtain a thorough understanding of their clients' information processing system;

• Evaluate the design effectiveness of the controls over that system; and

• Possess detailed knowledge of their clients' operations, their business objectives and strategies, and the risks to achieving these objectives.

Armed with this knowledge, auditors can then develop customized procedures that vary depending on the dynamics of the business environment and each client's operations. This emphasis on customized audit approaches is a shift away from the current widespread use of standardized audit procedures and checklists.

Understanding client and internal control
Under the new standards, the auditor is required to gain a more thorough understanding of the client's operations to evaluate the design effectiveness of internal control. The auditor's procedures are not relegated to audit planning, but instead are considered an integral part of the audit itself.

The procedures performed to understand internal control should be just as rigorous as the procedures the auditor performs to verify an account balance or the existence of inventory.

The new standards mandate that a single inquiry is not sufficient to understand the client and evaluate the design of its information processing and controls. Auditors must perform a variety of procedures that may include the review of relevant documentation, observation of the performance of the control procedure, or "walkthroughs" of systems.

Clarifying management and auditor responsibilities
The fundamental value of an audit is that it is performed by an objective third party. For this reason, professional standards prevent auditors from activities such as auditing their own work or acting in the capacity of management. Periodically, the auditing profession has been criticized for "being too close to their clients," and the new auditing standards address this issue as well.

In practice, the line between management's responsibilities and the auditor's responsibilities is often blurry. At smaller entities, it is common for management to rely on the company's auditors to perform a good deal of the accounting and bookkeeping functions. For example, the auditor may propose standard journal entries, prepare the financial statements, or draft some or most of the notes to the financial statements.

The new standards do not prohibit auditors from providing any services they traditionally have provided to their clients. However, the standards do require auditors to evaluate carefully the accounting and bookkeeping work they perform as part of the audit, and to determine whether the client has relied too heavily on the audit firm to maintain the books and records, prepare its financial statements, or function as part of the company's internal control.

If the audit firm is too involved in the client's accounting function, the firm is required to issue a letter to management that describes the situation as an "internal control deficiency" and makes a determination as to the severity of the deficiency.

For many years, auditors have been required to report internal control deficiencies to their clients, but the new standards are much more specific about the situations that indicate a control deficiency exists. In many cases, auditors will be required to communicate to management and describe as control deficiencies the arrangements between them that have existed for years.

Management may have sound business reasons for involving their auditors in maintaining the accounting records or preparing the financial statements. As long as the audit firm complies with the professional independence rules, it is perfectly acceptable for these arrangements between the firm and its clients to continue. However, the auditor still will be required by the auditing rules to communicate the matter in writing.

What the New Rules Mean for Audit Clients
The impact the new rules will have on individual audit engagements will vary depending on the procedures the audit engagement teams have performed in the past. Some organizations will see little change in the work performed by their auditors. For others, the differences will be dramatic. In general, audit clients should expect their auditors to-

• Perform more work to gather information and form an understanding of the business and its environment;

• Perform more extensive procedures to evaluate internal control design;

• Shift portions of the work relating to understanding the business, its environment, and its internal control to a period of time well in advance of the organization's fiscal year-end;

• Involve more experienced audit personnel in gathering information about the company and its internal control; and

• Clarify the organization's responsibilities with regard to performing accounting functions, preparing the financial statements and overseeing the financial reporting process.

In many audits, the additional procedures required under the new standards will result in increased audit costs that will extend beyond the initial year of implementation.

Peter Alfele is an Audit Partner in the Hampton Roads practice of Cherry, Bekaert & Holland, LLP. He can be reached at 757-228-7077 or palfele@cbh.com.