The Auditing Standards Board of the American Institute of CPAs has issued a suite of eight new standards on risk assessment that should significantly improve the quality of audits of private companies.For the many audit firms that have traditionally offered high-quality audits, the new standards will probably not require a lot of additional effort.
For others, however, audits will have to go deeper and farther than ever before, requiring more work, albeit toward a better audit.
Lynford Graham, a former partner with BDO Seidman who is currently a writer and consultant and, until recently, was a member of the ASB, said that the standards, together with standards recently issued and about to be issued, represented a "sweeping change" in the way audits are conducted. He praised the standards for being more specific than existing guidance.
"One of the reasons the standards are more specific is to try to get more consistency among auditors and in how they document it," Graham said.
American Institute of CPAs vice president of professional standards and services Chuck Landes called the set of standards "very significant," so much so that the institute is developing a multifaceted program to help auditors deal with the changes.
"These standards, coupled with Statement on Auditing Standards 99, on fraud, and an upcoming standard on communicating internal control weaknesses, get to the very nature of how an auditor conducts an audit," Landes said. "Many firms will not have to change their methodology, but a number of other firms will, because these standards will require that an audit firm have an in-depth knowledge of the entity they are auditing."
The standards would require that auditors go through a detailed risk profile and analysis based on the business environment and comparisons within the industry sector, looking at internal controls and going through a number of other procedures to identify where the risk of material misstatement could occur. Once auditors have identified where risks are most likely to be found, they will need to devise an audit plan that is appropriately responsive to those risk areas.
The standards also provide improved linkage between the assessed risks and the nature, timing and extent of audit procedures performed in response to those risks.
"These standards will help AICPA members work smarter," Landes said. "Not necessarily harder - they may or may not increase audit time - but we think they will allow them to better employ the resources they have to better find any misstatements."
Graham agreed, adding that people expect more from audits than they did in the past, and that the better audits resulting from the standards will reduce exposure to litigation.
"If these standards are taken in the right spirit - the right spirit is very important - auditors will do a better job," Graham said. "They will protect themselves, their clients and the profession. But if the standards are just looked upon as things you have to do and then you do them mechanically and as cheaply as possible, the result won't be there."
Time to hit the books
Even the most assiduous audit firms would need to review these standards and, in all likelihood, adjust at least some audit procedures. To facilitate comprehension, education and implementation, the AICPA plans to roll out several support programs. An audit risk alert will be issued in March. A number of conferences will include presentations and discussions. Two self-study continuing professional education programs will be released this summer, and by fall, an audit guide with case studies will be issued.
Landes emphasized that the ASB is giving auditors plenty of time to study the new standards and train personnel to use them. The standard will go into effect for fiscal years beginning after Dec. 15, 2006.
Graham, who will be presenting seminars and educational information at various AICPA events in 2006, suggests that firms begin to implement the new standards in audits they perform this year.
"If firms begin to integrate these standards into their audits in 2006, finishing the integration in 2007 will be a lot easier," Graham said. "If they try to do everything at once, and do the additional risk items, the additional controls, and try to do all of the other things, it's going to seem like a tremendous task. People need to strategize this so they don't have a big, dramatic fuss to deal with in the spring of '07."
The standards do not require companies to do anything differently or provide different or additional information, Landes explained, but he added that audit firms could avoid unnecessary audit costs by encouraging companies to improve internal controls and be prepared to provide information more efficiently.
"It may be kind of hard for small mom-and-pop companies to implement strong internal controls, but larger private companies should be doing some of this risk analysis themselves," Landes said. "A CEO ought to be thinking about where financial information might be improper. To provide the best and most accurate information, they will want to design internal controls around those areas where the risks are higher. That kind of parallel process should be occurring inside the company and with respect to the external auditor."
The ASB approved the standards in October of 2006, pending a few modifications that were to be made to keep the standards compatible with related decisions expected from the Public Company Accounting Oversight Board. That board has no standards on risk assessment beyond its interim adoption of previously issued ASB standards.
According to a board spokesperson, the board's Standing Advisory Committee has been analyzing possible approaches to a new standard on risk assessment for audits of public companies, but the board has not indicated what direction it might take.
