Your new financial audit
Hoist your sails and get ready to navigate unfamiliar waters

A new wave of auditing standards from the American Institute of Certified Public Accountants (AICPA) is likely to affect your financial statement audit for fiscal year 2007 and beyond. To ensure smooth sailing through your next audit, familiarize yourself with the changes you’ll encounter.

Remember SAS 99 — the first ripple?

If you had a financial statement audit for your fiscal year 2003, the term “SAS 99” may be familiar seas. You probably talked at length about the then-new standard with your auditors. You also may have noticed some new procedures your auditors performed that year, such as specific fraud inquiries of you and your staff and a detailed review of your journal entries.

Briefly speaking, the AICPA’s Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit, requires auditors to perform additional fraud-related procedures. The statement was issued in direct response to high-profile fraudulent accounting scandals of that time, such as Enron and WorldCom. Now SAS 99 has been expanded into a new round of audit standards for fiscal years beginning on or after Dec. 15, 2006, making the sea an ocean.

What are the new standards?

The eight new audit standards change the way your auditors will approach your next audit — they’re now required to gain a detailed understanding of your internal controls, pinpoint where the greatest risks lie and shape their audit procedures accordingly. Here’s a quick look at each new standard:

SAS No. 104, Amendment to SAS No. 1, Codification of Auditing Standards and Procedures (Due Professional Care in the Performance of Work). Auditors always have been required to perform an audit to gain “reasonable assurance” of no significant financial statement errors. This standard clarifies that directive: Though reasonable assurance is certainly high, it isn’t absolute. However obvious, this statement asserts that your auditors may have failed to detect a misstatement in your financial statements.

SAS No. 105, Amendment to SAS No. 95, Generally Accepted Auditing Standards. Auditors always have been required to determine an audit game plan before ever stepping foot in your organization. This statement clarifies that they need to understand “the entity and its environment, including its internal controls” during the planning process, and they must document this understanding in specific ways.

SAS No. 106, Audit Evidence. Audit evidence is all of the information the auditors use to support your account balances and the audit opinion. This includes reports printed from your accounting system and the documents supporting those reports, such as canceled checks, invoices and journal entries. Auditors also use other information, such as board minutes, bank confirmations and internal control manuals. This standard, among other goals, addresses what is sufficient audit evidence, and notes proof is more reliable when the auditors obtain it directly from outside sources.

SAS No. 107, Audit Risk and Materiality in Conducting an Audit. Audit risk is the risk that an auditor may issue an incorrect opinion on the financial statements. You are (hopefully) familiar with an unqualified, or “clean,” opinion on the financial statements. If there was a significant error in the financial statements, the auditor could not rightfully issue this clean opinion.

Materiality is the concept that some matters are important for the fair presentation of financial statements. While auditors always have assessed audit risk and taken into account materiality when conducting your audit, they now must use these concepts to assess the risk of misstatement of each financial statement account. For instance, if your organization has little or no activity in property and equipment for the year, the auditors may assess this account’s risk as “low,” based on this and other factors. They then may be required to perform only scaled-back procedures as compared to what was done in the prior year.

SAS No. 108, Planning and Supervision. This statement provides guidance on communications between your auditor and other firm personnel. The audit firm you use may perform other services for you beyond the audit, such as preparing your tax returns. Your auditors may have asked you to sign a written engagement letter each year that spells out the services they will perform, their responsibilities, your responsibilities and, perhaps, a fees estimate. You may be surprised to know that, though a formal engagement letter is most firms’ practice, it was not required before this standard.

SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. This standard requires auditors to understand your industry, the regulations that govern it and other external factors. They also must consider the significance and likelihood of specific risks they identify such as the following, as noted by the AICPA’s Audit Risk Alert for Not-for-Profit Organizations Industry Developments for 2006/2007:

1. Internet-based donations, which may subject the organization to more risk when using such online services as PayPal,
2. Baby boomer retirement — 50% to 70% of executive directors plan to leave within five years, according to surveys analyzed by the AICPA, and
3. The changing face of donors, which takes into account that younger donors recently have shown an increase in their desire to stay in control of their donated dollars.

While auditors were performing this assessment all along, this standard spells out the requirements for documenting the process.

SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained. This standard requires that, after all risks are assessed (see SAS No. 109 above), there must be a clear link from the risk assessment to the audit procedures performed. In other words, the auditor must tailor each audit to address the specific organization’s assessed risk.

SAS No. 111, Amendment to SAS No. 39, Audit Sampling. As part of the audit evidence they obtain, auditors may use sampling to test an account balance, such as accounts or pledges receivable or inventory. To determine your organization’s appropriate sample size, an auditor assesses the “tolerable misstatement” for the account — the maximum amount of monetary error the auditor is willing to accept. It should be zero, correct? Yes; however, the auditor must set a floor for the dollar amount of error he or she will follow up on. Otherwise, the audit would be more time-consuming and, thus, more costly.

What can you expect in this year’s audit?

An earlier start, additional work and more communication from your auditors may accompany your audit this year.

For starters, your auditors may contact you a few months earlier than in the past to be engaged to plan the audit in accordance with the new standards. They also may perform more of your audit work upfront, before audit fieldwork is conducted. Additionally, they may perform some interim fieldwork several months before your usual scheduled fieldwork date, and maybe even before your fiscal year-end.

Documenting internal controls will take up most of the auditors’ extra hours. As part of the process, they may ask more probing questions about your organization, its internal controls, and any perceived industry- or organization-specific risks you have identified. They’ll also want to document how your organization responds to these risks.

Finally, because the auditors will concentrate more on understanding your organization’s internal controls, you may see closing comments and recommendations about them. Don’t be offended; use this communication to your advantage, asking for help on how to implement any recommendations they may have.

Ready to sail full speed ahead?

Although you may not like more requirements and paperwork, you can expect the new audit standards to give you a more complete and in-depth audit on your maiden voyage than you had in the past. And the revamped audit should give your governing board comfort that the auditors will take a closer look at your organization’s internal operations — and design an audit plan specific to your, and only your, organization. •