
An extract from my next book:
Massive changes have taken place in audit rules over the last few years. In my perception, these are probably the most extensive changes in the audit world since the securities acts of the 1930s. These rules have been in effect for a while, but it will take some more time to really adjust to them. If you have not gone through the audit process for a while, you will see a lot of changes.
Here is a portion of my next book that will help leaders in a church understand the changes that have taken place:
Addressing the risk of fraud
Since the beginning of 2004, all auditors have been paying more attention to the risk of major fraud in financial statements. This increased focus involves additional conversations with management and the board regarding risk for material fraud, increased testing of internal controls, and additional testing in places where there are perceived risks of major fraud. The goal of this closer focus is to increase assurance to those who look at the financial statements that the risk of fraud is minimized.
This additional focus on fraud detection increased the number of hours needed for an audit, which in turn increased the cost of having an audit.
When an auditor is discussing fraud, there are two different concerns. The first is embezzlement, or stealing. This can happen in many ways. A few examples would be diverting contributions to a personal bank account, writing payroll checks to a fictitious employee, submitting expense reimbursements for costs that were never incurred, or taking church assets home. A church needs to put controls in place to prevent this type of fraud.
The second concern is fraudulent financial reporting, sometimes called cooking the books. This can happen in many ways. Because banks use financial statements to help make decisions on whether to make loans, there might be a motivation for a borrower to play with the numbers. Sometimes cooking the books could just be excessive optimism as it affects recording a transaction or a heavily biased way of accounting for the transaction. Sometimes it includes outright fabrication of transactions.
When any organization obtains an audit, there will be additional testing and discussions regarding the risks of fraud. These requirements have produced many good conversations. Ironically, talking about the risk of fraud and raising awareness of the risk will probably reduce the likelihood of it occurring.
The document that auditors use is called Statement of Auditing Standards #99, Consideration of Fraud in a Financial Statement Audit. This is referred to as SAS 99.
Communicating internal control weaknesses
You should receive a letter of recommendations at the end of the audit. This letter will contain suggestions on how to improve your internal controls and other ideas on how to do things better. In the distant past, when there was a fairly serious internal control issue to discuss, the auditor prepared a reportable condition letter. This letter contained boilerplate wording explaining that the item discussed is a fairly serious weakness in internal control. The most serious internal control issues are called material weaknesses.
Starting in 2007, the threshold for reporting the serious internal control issues was lowered. As a result, there were more of these special letters written. The new phrases used are significant deficiency and material weakness. The phrase significant deficiency replaces the old reportable condition term.
There is one major implication of these rules. For the past several decades, the starting point for an audit was a trial balance printed by the accounting software. When most of the other work was done, the auditor would draft the financial statements. The conceptual starting point for an audit will now be the completed financial statements.
Essentially, these audit rules change the expectation for who prepares the financial statements, including all those footnotes. The new expectation is that an organization’s internal controls will include preparing the financial statements. This is a massive change in expectations. Please don’t throw things at me---I’m only the messenger.
The direct effect is that if an organization does not have the training and ability to prepare the financial statements, then there is a weakness in internal control. This weakness will need to be reported to the organization in writing.
Another option is for the organization to carefully review the financial statements as prepared by the CPA. If the organization can intentionally and carefully review the work done by the CPA, then this would meet the requirement of preparation.
These auditing rules are known as Statement of Auditing Standards #115, Communicating Internal Control Related Matters Identified in an Audit. This is referred to as SAS 115.
Addressing the risk of errors in financial statements
Another series of audit rules went into effect in 2008. These rules require the auditor to understand the organization in far more detail than before.
In the past, auditors usually gained an understanding of internal controls through interviews. Now, auditors will have to get a more detailed understanding of internal controls, check whether those controls were put into place, and consider whether they are actually working.
More significantly, these new rules will require the auditor to greatly expand the assessments of where the financial statements could contain errors and then develop audit tests to address those identified risks. The rules will also require far more extensive documentation of the auditor's work.
The new rules were extensive in size and dramatic in terms of the change created. Economy-wide, these new rules should increase the quality of audits.
The concern on everyone’s mind is what these rules will do to the amount of time it takes to perform an audit. The immediate impact was to substantially increase the time required to perform an audit. It remains to be seen how much this time will drop after the first few years.
These auditing rules are known as Statement of Auditing Standards #104 through #111. Collectively, they are referred to as the risk assessment suite of standards.
Communication with the audit committee or board of directors
Another rule for 2008 required additional conversations between the auditor and the audit committee. Often in small organizations, there is no audit committee, so these conversations will take place with the board of directors.
There needs to be good two-way communication between the auditor and the audit committee. Discussions before the audit starts will go over planning issues, any concerns about scope of the audit, and any special issues that need to be addressed. Another discussion after the audit is complete addresses concerns and issues that arose during the audit. These conversations will be longer than what has been done in the past.
This auditing rule is known as Statement of Auditing Standards #114, The Auditor’s Communication With Those Charged With Governance, or SAS 114.
Copyright © 2008, 2010 James L. Ulvog