New Risk Assessment Standards: A Practical, Customized Approach To Auditing

The new assessment standards are deliberately designed to protect privately held companies from risks associated with the increasingly complex activities of the 21st century — e-commerce, global competition, and outsourcing of business operations overseas — as well as errors in judgment or fraud among management. Author Craig Funkhouser explains how the eight new standards will affect companies’ documentation procedures for audits and why the biggest audit overhaul in the past 30 years was necessary.

The widespread mistrust of executives after the fiascos at Enron, WorldCom, and Parmalat forced the auditing profession to re-evaluate the procedures used to audit financial statements. For public companies, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX) with a much-expanded set of audit methodologies, particularly for internal controls.¹

For privately held businesses, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board developed eight new Statements on Auditing Standards (SAS), 104 through 111.² While these standards incorporate some of the best ideas from SOX, especially its focus on risks for internal controls, they are more relevant to the audit concerns of privately held organizations.

Although the new risk assessment standards were issued in 2006, companies and their outside auditors are now trying to determine the impact and, specifically, the additional audit procedures necessary to comply with these standards. The AICPA deliberately gave businesses and their outside auditors significant lead time to prepare for implementation.³ While early adoption is allowed, implementation of the new risk assessment standards is required this year for all companies with a fiscal year that began after Dec. 15, 2006.

The goal of SAS 104 through 111 is straightforward — to enhance the integrity of the audit process by responding to the evolving needs of businesses that use financial statements. The standards provide guidance concerning the audit team’s assessment of the risks of material misstatement in a financial statement audit.

The risks for one business differ from those of other businesses, even within the same industry. What are the risks in your business that are keeping the chief executive officer or chief financial officer up at night? Those are the risks of misstatements you need to ask your audit team to review and consider most carefully.

Organizations need to provide documentation for every relevant internal control procedure and financial transaction from start to finish, including the procurement of raw materials, conversion to finished goods, and translation of orders into sales. How does your company record a receivable? What accounts are listed on financial statements? Are any transactions missing? If so, why aren’t they recorded?

Overall, businesses will need to provide their outside auditors with an understanding of how they prepare their financial statements.

• How they enter transactions into the financial records;

• How they initiate, authorize, record, and process transactions in the general ledger;

• How they initiate and record recurring and nonrecurring adjustments for journal entries to their financial statements; and

• How they prepare financial statements and the related required disclosures.

With thorough documentation, an audit team should be able to identify the risks in its operations. Additionally, some risks are inherent to an entity’s particular industry. The auditor needs to recognize and understand those differences.

For example, take two different types of manufacturers: auto parts and luxury handbags. For the auto parts maker, the risks for inventory are focused on speed of turnaround, parts built to customer demand, and cost pressures from global competitors.

On the flip side, the inventory risk for the luxury handbag maker is about changing the products with the season and evolving fashion trends. The risks? Is the product saleable? When is this handbag out of fashion? Is the replacement already in the pipeline? How fast can it be shipped to retail outlets? And results: Will the new handbag sell better?

The audit teams at individual manufacturers need to understand their clients’ products and their unusual risks.

Other individual circumstances require an audit team’s consideration for risk. Specific information-processing systems are good examples that vary in use and application. How one business uses information technology (IT) to provide controls for its financial procedures often differs from another’s IT process.

For instance, is all of your IT processing done in-house? Or is some of it completed by a third-party processor? You need to identify high-risk areas in your business where significant information could be subject to error. If information is being adjusted for errors, how are your managers calculating those adjustments?

Global competition is forcing businesses to make changes like outsourcing manufacturing from Chicago to China to save on labor and even material costs that result in making products less expensive. But what if a company did not change its policies and procedures to reflect the new realities?

For instance, in Chicago a company had its controls — physical control of inventory, quality of inventory, and inspection of goods before shipping — done in the warehouse by thoroughly versed employees. In China, a company may forget about safeguarding its inventory and inspecting it before it reaches customers in the United States or other countries. In other words, you can outsource your manufacturing, but you cannot assume that your internal control procedures are automatically being outsourced as well.

In existence and under implementation for the past year, SAS 112, "Communicating Internal Control Related Matters Identified in an Audit," was designed to smooth the path for private companies — through communication from their auditors — to implement SAS 104 through 111. It gave businesses notice of the items they would have to look at and clean up in preparation for the new risk assessment standards.

Now is the time for your company to gear up for effectively responding to implementation of the new risk assessment standards. Firms must provide reliable documentation for every financial transaction, monthly financial statement, and financial report before auditors arrive.

Previously, some companies relied on outside auditors to document these procedures. Under the new standards, that might be a very costly solution. On the other hand, your business’s compliance will ensure your risks are lower, and your company can navigate the rapids of 21st century commerce more safely and securely.

New Risk Assessment Standards Combine Best of Old and New

Effective for audits of financial statements for periods beginning on or after Dec. 15, 2006, Statements on Auditing Standards (SAS) 104 through 111 are designed to improve auditor performance and, as a result, enhance the financial effectiveness of your business.

SAS No. 104, Amendment to SAS No. 1, Codification of Auditing Standards and Procedures. Expands the definition of reasonable assurance to include a high, but not absolute, level of assurance that the financial statements are free of material misstatement — whether from error or fraud.

SAS No. 105, Amendment to SAS No. 95, Generally Accepted Auditing Standards. Requires an audit team to obtain an adequate understanding of the organization and its environment, including its internal controls, to assess the risk of material misstatement of the financial statements due to either error or fraud. Allows the team to design the nature, timing, and extent of further audit procedures to give a reasonable basis for an opinion of the financial statement under audit.

SAS No. 106, Audit Evidence. No longer permits an audit team to make an automatic assessment of control risk without providing the basis for that assumption. As a result, auditors now need to test controls in two cases: when an auditor’s risk assessment affects the operating effectiveness of the controls and when substantive procedures alone do not provide enough appropriate audit evidence.

Sufficient and appropriate audit evidence are interrelated. Sufficiency means to measure the quantity of audit evidence. Appropriateness pertains to measuring the quality of audit evidence. It needs to be both relevant and reliable — from a knowledgeable, independent source.

SAS No. 107, Audit Risk and Materiality in Conducting an Audit. Takes into consideration how users could reasonably be expected to be influenced in making economic decisions.

Users need to have a basic understanding of how business operates. Additionally, they should show a willingness to study a financial statement; knowledge of how a financial statement is prepared and audited to levels of materiality; recognition of uncertainties inherent in estimates, judgments, and future projections; and ability to make appropriate economic decisions on the basis of information from the financial statement.

SAS No. 108, Planning and Supervision. Provides guidance on the considerations and activities pertaining to planning and supervision. Planning is a recurring process that begins with accepting an engagement and continues throughout the audit. It is a crucial reference point as the audit team performs audit procedures and accumulates enough appropriate audit evidence to support an audit opinion.

SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. Presents guidance for assessing the risk of material misstatement and for using professional judgment to determine audit procedures. Throughout the audit engagement, an audit program must be tailored to the individual circumstances of a specific organization and must be part of an overall audit strategy.

This strategy includes determining the characteristics of the engagement that define its scope; ascertaining the reporting objectives to plan the timing of the audit and nature of the communications required; and considering the important factors that will decide the focus of the audit team’s efforts.

SAS. No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained. Requires that substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure be performed. An audit team’s selection of audit procedures is based on the risk of material misstatement.

SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling. Enhances guidance for specific procedures and provides additional guidance on sampling.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.