Dave Scudder has been following developments in auditing standards closely.
Scudder has been working for McGladrey & Pullen since 1986 and has been a partner since 1995. He was appointed the audit and assurance services practice leader of the firm's Great Lakes practice in 1998, and concentrates on the manufacturing, distribution and service industries. A CPA, he holds licenses in Illinois and Georgia, and is a member of the American Institute of CPAs and the Illinois CPA Society. He talked about some of the recent auditing standards such as SAS 104-111 and AS5.
Q: What opportunities do the new auditing standards present?
A: I'm actually very excited about the new standards. They refocus the audits and give us the opportunity to make them more valuable and effective. There is concern within small and midsized companies that these audits are an unnecessary evil. We don't like to think of them that way. What the new standards do is require the auditor to have a better understanding of the entity and its internal controls. They require a more rigorous assessment and a linkage of the risks and our audit procedures. As auditors we should have a more focused audit on the more impactful items regarding a company's financial statements. The more we can design our tests to focus on the important areas of the audit, we can have the opportunity to have a more customized audit. The dialogue that's required between the auditor and the client should be a two-way dialogue, and the company should learn more about the effectiveness of its internal controls and the risk to their financial statements. I hope the result will be more dialogue, a more transparent impact on the audit from the client's perspective, a more focused and more effective audit, and hopefully a more efficient audit as well.
Q: Are the companies you've worked with concerned about the new standards?
A: I think there are a lot of concerns that companies have out there. We're hearing from their perspective some horror stories about the early implementation of Sarbanes-Oxley in the public companies. In the time that's elapsed since those procedures came out, they've evolved over time to make large public companies more flexible, with more judgment involved and less rigorous documentation requirements. Ultimately, by the time these new risk standards for the nonpublic companies [were written], the authors of the standards attempted to pull some of the best practices out of the Sarbanes-Oxley requirements, allow more flexibility, take the good and bring that down into the nonpublic environment. The concerns for these small companies and the midsized companies are what will be the audit cost and the internal cost of compliance. That's the fear out there: that the auditors are going to be requiring a lot more internal controls than they did before so their costs will go up. Even though these aren't customized approaches, it just requires the auditor to understand what the internal controls are and design procedures around those. It mandates that the auditor increase testing in areas where a high risk exists. That has very good potential to make these audits much more meaningful and allow the companies to focus their internal controls on their areas of importance.
Q: Are the new audit risk standards going to dramatically change the auditing process?
A: I don't think they will dramatically change it now. They will probably provide better linkage between the procedures and the risks. That's the important thing. They will probably fill some gaps that existed in the past and make sure auditors look at the areas of importance. They will require the auditor to gain an understanding and link the controls that the company has in place and the audit procedures performed. The auditor may not have tested some areas that weren't important or not done deep enough testing on areas that were more important. As auditors we don't want to test areas that aren't important. It takes time away from things we should be doing. It requires you to do a better job of identifying high and low risk areas. It allows you to reduce testing on areas that aren't theoretically as valuable. By reducing testing in those areas, it will be much more of a visible and impactful audit from the client's perspective. In a manufacturing environment, the inventory, purchasing, and cost-of-sales areas are generally very important and the auditor typically spends a lot of time auditing those. If the auditors understand the risks that are there and the procedures the company has to document purchasing and monitor its cost-of-sales and inventory, and the environmental factors such as raw material pricing and raw material availability, the auditors may see the company has substantial control over its inventory and may reduce the testing there. The company may already have significant internal controls, so the auditors may be able to evaluate and rely on the controls in place to reduce the testing they have to do. They also focus on the areas important to the client instead of automatically testing. It could identify risks that do exist and have significant impact on the client that they weren't aware of. Ultimately, these companies want to provide management with financial information to make good business decisions. It's important that they're accurate or otherwise they're risking bad business decisions. If they understand what the risks are and the effectiveness of the controls they have in place, they'll be able to make business decisions that they're comfortable with.
Q: What do you see as the impact on small and midsized businesses compared to large companies?
A: I think the impact will be much less severe from the perspective of initial implementation of the standards than they were when the initial SOX standards came in. This is a much less significant impact on small and midsized companies. It is really designed to take a laser approach as opposed to a shotgun approach where all the controls and all the information were looked at with a high degree of coverage. It's a much more focused approach as compared to what it was for the public companies. I think the big fear is that they're going to be required to have all sorts of added control costs, and auditors could potentially give them a qualified opinion. That's really not the intent of the standards. It's to identify the controls if they exist and customize the audit based on those standards. If there is a fear that the companies do not have the internal controls that the big companies do and that the audit standards won't allow for that, that's not the case.
Q: Do you see in AS5 a move to relax some of the requirements of Sarbanes-Oxley?
A: I think AS5 allows for more judgment. It's really just an increase in auditor judgment. That's a real positive.
Q: Do the changes make auditing a more streamlined or cost-effective process?
A: Absolutely, I think they will be more cost effective. By following those standards you should have a more valuable audit. The auditors are now going to focus their attention on the more important areas. You allow the auditor to get out, understand the entity, and the environment the entity operates in. It requires preliminary procedures. Before you plan the audit and design the audit, you need to interact with the client and design the audit based on the risks they face. As designed it's going to be a much more interactive process. A good auditor will want to get out and see what's happening and interact with the company. From McGladrey & Pullen's perspective, we look forward to more proactive audits, and we ultimately are going to be delivering a better product to the client.
