ASB issuing new standard on internal controls audits

The Auditing Standards Board is issuing a new standard on auditing internal controls. By adopting definitions from Auditing Standard No. 2 of the Public Company Accounting Oversight Board, the standard will make audits of public and private companies more similar."This standard is important because it requires the auditor to communicate with management those areas of their internal control system that are not up to par," said AICPA vice president of professional standards and services Chuck Landes. "We want to make it clear that management has a responsibility for not only their financial statements but their internal control systems, and they are responsible to take appropriate action with respect to any material weaknesses or significant deficiencies that the auditor may identify."

Statement on Auditing Standards 112, Communicating Internal Control-Related Matters Identified in an Audit, supercedes SAS 60 by changing the definitions of "significant deficiency" and "material weakness." It also requires auditors to communicate those deficiencies and weaknesses in writing to corporate management on an annual basis for as long as they exist, rather than just once.

Landes said that the new rules will avoid situations where, typically, an auditor mentions to a management officer that a certain problem exists, but a year or more later, the officer forgets that existence or the nature of the problem.

Defining 'deficiencies'

The new standard would also help auditors understand the nature of significant deficiencies and material weaknesses. The definitions of SAS 60 tried to describe the concepts qualitatively. The new definitions, Landes said, try to better articulate how and why something would be a significant deficiency or a material weakness.

The change will have a real impact on audits of private companies.

"The new standards for moving from reportable conditions to significant deficiency will drive down the level at which things become reportable," said Harold Monk, a partner at Davis, Monk & Co. and a vice chairman of the ASB. "The definition of significant deficiency will be generally interpreted at a level that would potentially be below what we were looking at before. I think this will have a positive effect on the audit process. We'll be reporting more items, but some of them we need to make management aware of anyway. So it's good from the standpoint of audit quality and meeting the needs of various users of financial information."

The new definitions help auditors decide whether an identified problem should be classified as merely a control deficiency or as a material weakness. Likelihood and magnitude are the decision criteria - the likelihood that a given deficiency will continue to be deficient, and the magnitude of the potential or actual error that could be caused by that deficiency.

Under the new definitions, if a deficiency is less than material but more than insignificant, then it would be a significant deficiency. If it is less than significant, then it would not have to be communicated to management.

"While this still requires a great deal of auditor judgment in making those classifications, this standard at least creates a framework that helps the auditor better understand a control deficiency by putting it first into the realm of how likely it is to continue, then the magnitude of the error that could result from it," Landes said.

Under the Public Company Accounting Oversight Board's AS No. 2, an auditor is required to look for and test for material weaknesses in internal control. SAS 112 has no such requirement, Landes explained. It merely requires communication if an auditor detects such weaknesses during the normal procedure of auditing a financial statement. No new audit procedures are required, and the threshold of what constitutes a weakness or deficiency is not changed.

Quality control

At the meeting where the ASB agreed to go to a final written ballot on what would become SAS 112, the board also continued discussion of its project on quality control. One of the more interesting elements of that discussion was the question of how and whether auditors are compensated for the quality of their audit performance, rather than for their performance in sales, business retention or some other non-assurance activity.

"We aren't thinking of telling firms what to pay partners or anything like that," Landes said. "All we're considering is that when a firm designs its quality control policies and procedures, they should make a conscious effort to consider how the compensation system will drive behavior, and whether they're driving behavior in a manner that is consistent with the firm's goal of high-quality auditing work."

The board may be able to issue an exposure draft on a set of proposed quality control standards at its mid-year meeting in June.

The board also discussed its work on a standard on related parties. The project is an international effort being developed in conjunction with the International Auditing and Assurance Board.

More proposals

The board also discussed its project to amend Attest Standard AT-501 to bring it closer to AS No. 2. An exposure draft has been issued. At press time, the comment period was scheduled to close at the end of May.

It is expected to resemble AS No. 2, but would be applied only voluntarily when a client or regulator requests an audit of a private company's effectiveness of internal control over financial reporting.

Most applications would involve banks that must meet Federal Deposit and Insurance Corp. audit standards, though the Government Accountability Office has been looking into the possibility that state and local governments should also have these types of audits.

For reprint and licensing requests for this article, click here.
Accounting standards Regulatory actions and programs Audit Associations
MORE FROM ACCOUNTING TODAY