|
|
|
|
Major changes to auditing standards are occurring, with some having effective dates as early as audits with years ending December 31, 2006. Audits with periods ending on or after December 15, 2006 SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, supersedes SAS 60 to now require written communication to management and those charged with governance of identified control deficiencies that are significant deficiencies or material weaknesses in internal control. These definitions will most likely result in more control deficiencies being reported as at least significant deficiencies than were previously communicated as reportable conditions. Of course, one of the most common deficiencies noted will be the lack of segregation of duties. The AICPA Peer Review Board will be determining how significant a failure to provide this written communication to those charged with governance would be for peer review purposes. To read this standard, which includes sample letters, go to www.aicpa.org and under search options choose professional resources, accounting and auditing, audit and attest standards, authoritative standards for non-issuers, statements on auditing standards. In the appendix to this standard it states that there would be a deficiency in the design of controls if “the person responsible for the accounting and reporting function lacks the skills and knowledge to apply generally accepted accounting principles in recording the entity’s financial transactions or preparing its financial statements.” There has been confusion about the ramifications of this statement. Whether the auditor does or does not assist in drafting the financial statements and notes for the client is irrelevant to whether there is an internal control deficiency. It does not matter who drafts the financial statements. What matters is the client’s system of internal control over financial reporting and whether the client has controls to prevent or detect material misstatements, from the recording of a transaction through the preparation of the notes to the financial statements. It is also important to note that not all controls have to exist throughout the year but only when that control is needed. For example, a client may prepare interim financial statements without disclosures and without all normal accruals adjusted. This would not represent a control deficiency because it was not the client’s intent to prepare GAAP financial statements. What is important is whether there are effective controls when financial statements subject to audit are being prepared. If a client has appropriate controls over a cash basis general ledger but the financial statements are prepared on the accrual basis, there may be control deficiencies if the client has no controls over the conversion. To further illustrate, a client may have a knowledgeable person who has the accounting expertise to maintain an accrual general ledger and who has sufficient expertise to draft the financial statements and the notes but for various business reasons still asks the auditor to assist in that function. As long as the client has the controls in place to be able to prevent and detect misstatements in the financial statements and notes and those controls are effective, there would not be a control deficiency. Alternatively, some clients may choose to outsource this function. Outsourcing is certainly a way for a company to strengthen its controls when they do not have the expertise in house. However, the client does not have to outsource this process and this standard was in no way suggesting that the auditor could not or should not assist the client in drafting their financial statements. There will be some clients that decide the cost of having sufficient controls is not worth the benefit and they will accept having a deficiency noted in their written communication. It is important that the client understands their risks and that they make an informed decision on how best to respond to those risks. Again, the major points to remember are: · The auditor can not be part of the client’s system of internal control because it would impair the auditor’s independence · What the auditor does (or does not do) is irrelevant to and independent of the client’s system of internal control over financial reporting. What the auditor does is not a mitigating or compensating control. · Internal control over financial reporting encompasses controls over the preparation of the financials statements and notes. An effective system of internal control over financial reporting does not stop with the general ledger. · Having the client designate an individual who possesses suitable skill, knowledge, and/or experience as set forth under 101-3 is not a control. The control is the person’s review of the work and whether that review would prevent or detect a misstatement. · No two clients or situations will be exactly alike since every client’s system of internal control over financial reporting will be different. Professional judgment is paramount, especially in evaluating compensating controls. There are no “automatics.” · The standard does not require the auditor to detect control deficiencies but it does require the auditor to evaluate a control deficiency if he or she identifies one as a result of their audit. The AICPA has issued a risk alert that has a number of case studies dealing with typical small business situations. To obtain a copy, visit www.cpa2biz.com and enter product number 022536 in the search field. SAS No. 103, Audit Documentation, supersedes SAS No. 96 and changes and expands current documentation requirements. Included in this SAS is a minimum file retention period of five years from the report release date (since California’s rules require a seven year retention period, California rule takes precedent over this standard). In addition, the final assembly of the audit file should be within 60 days following the report release date unless other statutes or regulations specify a shorter time frame. There is also a major change in the date of the auditor’s report. Currently, auditor’s reports are dated as of the last day of fieldwork. The new standard states that “The auditor’s report should not be dated earlier than the date on which the auditor has obtained sufficient appropriate audit evidence to support the opinion. Among other things, sufficient appropriate audit evidence includes evidence that the audit documentation has been reviewed and that the entity’s financial statements, including disclosures, have been prepared and that management has asserted that it has taken responsibility for them.” This may extend testing for events occurring after field work and will require careful dating of and receipt of the management representation letter prior to issuing the final audit report. Firms should only issue draft audited financial statements to clients until they get the signed representation letter. SAS No. 102, Defining Professional Requirements, was effective upon issuance. Unconditional requirements are indicated by the words “must” or “is required” and presumptively mandatory requirements are indicated by the word “should”. New standards and eventually all audit standards will use these words. Audits of financial statements for periods beginning on or after December 15, 2006 SAS No. 104 – No. 111, Risk Assessment Standards, may result in significant changes to a firm’s audit methodology and must be carefully studied. Currently there is an audit risk alert, Understanding the New Auditing Standards Related to Risk Assessment, available at www.cpa2biz (No. 022526 for $29). Expected to be published December 2006 is an Audit Guide on risk assessment and internal control which every firm performing audits should acquire. The above information was written and provided by the California Society of CPAs’ Peer Review Committee. |
|
