In a pair of proposals that may eliminate much of the confusion surrounding audits of companies that outsource certain functions, such as payroll processing, the Auditing Standards Board has approved the issuance of an exposure draft that splits Statement of Auditing Standards 70 into two separate kinds of standards.Chuck Landes, American Institute of CPAs vice president of professional standards and services, said that the new standards follow the natural lines of division between types of audits — those of audit clients, and those of “service organizations” that perform outsourced functions.
“We decided to divide the standard into two parts primarily because we felt that the type of work being done by service organization auditors — the testing of internal controls — was more closely aligned with other attestation standards, while our auditing standards deal with audits of financial statements,” Landes said.
Under current rules, an auditor of a company that uses a service organization must extend auditing procedures to consider the controls that have been outsourced to a service organization. That consideration is typically fulfilled by receiving and reading an “SAS 70 report” on the effectiveness of those internal controls.
In order to deal with the confusion of responsibilities (and, ultimately, to converge with international auditing standards), the ASB has tentatively decided to amend SAS 70 so that generally accepted auditing standards treat only the actual audit of the user company’s financial statements. At the same time, a new statement on standards for attestation engagements would provide guidance on testing controls at the service organization.
Though the proposal would not change rules significantly, it would help auditors of service organizations understand how to examine and report on controls, and it would help the auditor of the client company understand how to use the results of the service organization audit.
“The proposed standards won’t change auditor practice as much as it will affect practice at the service organization,” Landes said. “Under the current SAS 70, an auditor doesn’t require management at the service organization to make public an assertion about controls. Under the proposed standard, management would have to make an assertion about whether it believes that controls are effective. The auditor will then test those.”
GETTING CLEARER
The board is also working on a project to rewrite all of its standards in a clearer format. It is now close to issuing a proposed clarification of SAS 74, on compliance auditing of governmental and not-for-profit programs that receive federal funding.
The project responds to a report from the President’s Council on Integrity and Efficiency, which found that 51 percent of these “single audits” had deficiencies severe enough to classify them as unacceptable or, at best, of limited reliability.
“This is a tough standard to write,” Landes said. “It’s difficult to understand the depth of testing and the amount of evidence that is needed in an audit to express an opinion on compliance. Federal inspectors found that in many cases auditors haven’t had a good understanding of internal controls or where the risks of noncompliance could occur, and there were issues in sampling procedures.”
Mary Foelster, AICPA director of governmental auditing and accounting, heads the institute’s broader efforts to improve the quality of single audits, and is supporting the ASB’s efforts to clarify the standards for audits of compliance. Her team is hammering out ways to ensure that the SAS clarification appropriately supports the more detailed guidance in the related AICPA audit guide. At the same time, they are working to expand the audit guide to include more detail and illustrative examples.
The intent of the SAS 74 project is to clarify the existing standards for doing a compliance audit, “but that,” said Foelster, “is not to say that [the new standard] won’t change practice if auditors have been misinterpreting what their responsibilities had been all along.”
Foelster said that a draft of a new standard may be issued by the end of the year, but work on the audit guide will continue for another year or more.
The board is also beginning to work on the clarification of standards on fraud, risk assessment and required supplemental information in governmental financial statements. Until the clarification project is completed in 2010 or 2011, the board will be meeting seven or eight times a year for four days, rather than its traditional five times a year for three days.
