By Gary D. Zeune, CPA
Much has been written about the technical requirements of Statements on Auditing Standards No. 104-111, collectively called the Risk Assessment Standards (Risk Standards). So we'll focus on the 10 steps to effectively implement them.
Problem #1: Retaining Your Clients
Clients think the Risk Standards are the Auditors Full Employment Act. Why? Because the vast majority of firms are increasing fees, 10 percent to 30 percent is common, yet clients don't see themselves getting any more value. In other words, clients get the same clean opinion they've always gotten, so why should they pay more for your audit?
Talk to your clients NOW. Don't wait until you show up to start the field work. Take a copy of the standards (200+ pages available from the AICPA in book form). You're not picking on that client; EVERY auditor must follow the rules. Use my simple graphic to explain the Risk Standards to your clients or boss, and explain why fees are increasing. You have to audit the business information, not just the accounting information. Why? Because the accounting records are the result of the business. And you can't audit what you don't understand.
Problem #2: Can you really issue an opinion
Rule 202, Compliance With Standards, of the AICPA's Code of Professional Conduct requires compliance with these standards in an audit of a non-issuer (i.e., non-public entity). Because the requirement to comply with every auditing standard on every engagement is in the AICPA and most, if not all, state society codes of conduct, failure to comply is not just a technical issue. Failure to comply is an unethical act.
Don't just use last year's audit program. Review EVERY audit program for complete compliance with EVERY audit standard, not just the Risk Standards.
Problem #3: How the Risk Standards Affect Current Practice
There are two major changes for most practitioners. You can no longer:
1. Rely on just a canned audit program.
2. Default to maximum risk.
For No. 1 above, if every client is different, how can you use the same canned audit program? You can't have it both ways. Start with a canned audit program, then customize it for each client. For No. 2, you must evaluate internal controls and may conclude risk is maximum. Remember, maximum risk means there is not one single control. Even many small clients will have at least one control, meaning risk may be 95 percent, but you should assume 100 percent.
Problem #4: Circumvent the Risk Standards
Afraid they won't be able to get a clean opinion, some clients will fire your firm, recreate your firm letterhead, and write a fake opinion.
Rather than defending a lawsuit, prevent it from happening. Include a paragraph in your engagement that if a client terminates or reduces your services, you reserve the right to notify the financial statement users of the change. Although the risk of a fake opinion to any one firm is negligible, it only takes one. Same reason you have insurance on your house. Just in case.
Problem #5: SAS 104 defines reasonable assurance as a "high level of assurance", achieved by limiting audit risk to a low level.
According to SAS 104",The auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level." Yet the opinion still uses the term fairly presented, potentially creating confusion in market place as to how accurate the statements are.
Simply do what our profession demands. Fully comply with all audit standards, including the Risk Standards. If you don't comply, you can't issue an opinion.
Problem #6: Understanding the differences between current practice and what the Risk Standards require.
Get a copy of the AICPA publication, Understanding the New Auditing Standards Related to Risk Assessment. Best $29 you'll spend this year.
Problem #7: Internal control evaluation has moved...
...from a specific part of planning up one level in audit hierarchy to Methodology to be an ongoing, constant, part of the audit process.
A set-it-and-forget-it philosophy no longer applies. See Michael Ramos's Re-Writing the Canon, at AuditWatch.com. See the charts below to compare the old and new heirarchy of internal controls.
Problem #8: Although what management tells you is audit evidence lite, the evidence has virtually no weight if the explanation supports something material. Thus, you now are required to obtain collaborative evidence.
Actually, what management tells you has never been audit evidence, especially if the assertion explains something material, such as "Gross margins are up 5 percent because we got a great deal on raw materials." Figure out how to vouch for the assertion.
Problem #9: Financial Accounting Standards Board Statement of Financial Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information, defines materiality as",The magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement."
Note there's NO percentage or dollar amount in the definition. Materiality is in the eye of the beholder. In other words, if the user of the financial statements would have made a different decision, then the information was material. For example, if a client has a bank loan covenant requiring $1 million of income to automatically renew the loan, and the client changes the calculation of bad debt expense increasing the bottom line from $980,000 to $1,011,000, the $31,000 change in bad debt expense is material. Why? Because the $31,000 is material to a bank loan officer, who, absent the adjustment, would not have renewed the loan. In other words, an immaterial amount is material if it accomplishes a material event.
Problem #10: Fraud
Paragraph 10 of SAS 107 says",When the auditor encounters evidence of potential fraud, regardless of its materiality, the auditor should consider the implications for the integrity of management or employees and the possible effect on other aspects of the audit.”
In other words, ANY misstatement due to fraud is material. So there is NO such thing as an immaterial illegal amount. So STOP letting your clients or boss run personal expenses through the company's books. How is it ethical to have clients that cheat on their tax returns, even if it's immaterial? So use the Risk Standards to restructure your relationship with clients, or your boss. It's simply not worth the risk.
These are just 10 important things from the Risk Standards. There's a LOT more to them. Study up, talk to your clients, and get ready for busy season.
©2007 Gary Zeune, CPA. Zeune (pronounced like tiny with a z) is the Founder of "The Pros & The Cons", the only speakers bureau in the U.S. for white-collar criminals. Gary and his white-collar ex-cons teach fraud classes for the FBI, the U.S. Attorney, over 30 state and national CPA societies, and numerous banks and accounting firms. They have been profiled in The Wall Street Journal, The New York Times, and many other publications. Zeune's books are The CEO's Complete Guide to Committing Fraud and Outside the Box Performance. He's widely published with 35+ articles on fraud and performance measures in national publications. You can reach him at or .www.TheProsAndTheCons.com