Major Changes Made to Auditing Standards What You Must Know to Survive Your Next Audit
Governmental Advisor, Fall 2007 / Winter 2008

Sweeping changes have been made to auditing standards over the last several years. These new auditing standards (Statement on Auditing Standards Nos. 103-114) require significant changes in how audits are done and how the results of the auditor’s work are communicated to you “the client,” bringing auditing rules for governmental units into closer alignment with the standards imposed on audits of publicly traded companies under Sarbanes Oxley.

Some of these new standards, as you are already aware, became effective for audits of financial statements dated December 31, 2006 and after:

• Auditors are now required to comply with very specific rules related to the form, content and extent of audit documentation, including more thorough documentation of auditing procedures and results. Other new guidelines affect the audit evidence that must be obtained before an auditor can consider an audit complete. (SAS 103)
• Another new auditing standard requires auditors to more formally communicate matters they observe about their clients’ accounting procedures and internal controls. Auditors are now required to inform clients about any “significant deficiencies” in accounting procedures or internal controls that come to their attention. Significant deficiency is a defined term that includes any flaw creating more than a remote risk of errors in financial statements that could reasonably matter to a user of the statements. Auditors must now communicate these matters in writing to all individuals involved in overseeing strategic direction and accountability for operations, in addition to management. This new terminology — replacing what used to be a “reportable condition” with a “significant deficiency” — sets a lower threshold of matters to be reported by auditors. (SAS 112)

The majority of the new standards are effective for audits of financial statements dated December 31, 2007 and later. Eight new statements on auditing standards issued by the American Institute of Certified Public Accountants (AICPA) (Statement on Auditing Standards Nos. 104 - 111), which are known collectively as the new risk assessment standards, significantly change the procedures auditors must perform in all financial statement audits.

Why all these new standards?

The development of these new standards was undertaken in response to recommendations made by the former Public Oversight Board’s Panel on Audit Effectiveness. Their response is directly driven by the major corporate failures of the past several years that have undermined the public’s confidence in the effectiveness of audits and have led to intense scrutiny of the work of auditors. The development of these new standards has been influenced by these events. These new rules have been called “one of the most significant changes in the audit profession in decades.” The general consensus is that if the auditing community failed to change in response to the significant financial scandals at Enron, Worldcom and other large corporate entities then greater government regulation of auditing would have to be imposed.

In developing these new assessment standards (SAS Nos. 104 - 111), the AICPA had three objectives:

• A more in-depth understanding by the auditor of the entity and its environment, including its internal control
• A more rigorous assessment of the risks of where and how the financial statements could be materially misstated (“what could go wrong”)
• Improved linkage between the auditor’s assessment of “what could go wrong” and the nature, timing and extent of audit procedures performed in response to those risks

What do the new standards require?

Under these new rules, auditors will be required to:

• More thoroughly examine and evaluate clients’ accounting processes and controls, including the overall control environment, key controls over significant transactions and the quality of internal oversight of the financial reporting process
• More thoroughly assess and document conditions in clients’ systems and processes that create risks of material misstatement in their financial statements, and identify what the client is doing to mitigate those risks
• Perform additional testing in response to these risks of material financial statement misstatement
• Design and perform more analytical tests of accounting and financial data
• Apply more stringent standards in identifying, assessing and communicating internal control deficiencies (SAS 112)
• Communicate more information about the results of the auditor’s work to individuals involved in overseeing strategic direction and accountability for operations (SAS 114)

Auditors must now explicitly consider higher-risk areas by focusing on what is most likely to go wrong that could affect a client’s financial statements. Once auditors do this, we are required to link each of these high-risk areas to the related program steps that identify and quantify any material misstatements in those high-risk areas.

With respect to internal controls, which are now no longer a subset of audit planning, but rather an integral part of the main audit process, these new assessment standards require auditors to perform our assessments around the five elements of internal control outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Framework. This COSO document has become a de facto standard for determining the adequacy of internal controls. These five elements include the control environment, the risk assessment process, communication and information, monitoring and control activities.

The auditor will no longer be able to accept inquiry regarding our understanding of internal controls and accounting procedures; in fact, the standards indicate quite bluntly that “inquiry alone is not sufficient.” Going forward, inquiry of the client must be combined with other procedures such as observation, inspection of documentation and reperformance of the control to substantiate their existence.

How will these new standards impact local governments?

You may be wondering how these new auditing standards will affect you. The changes mandated by these new standards will impact both audit firms and those being audited alike. It is clear that the new rules will require us to gain a more in-depth understanding of your community and its environment, including your internal controls. As a practical effect of these new rules, auditors will need to make more detailed and specific requests for information from clients, particularly about processes and controls, and clients will need to do more work to be well prepared for their audits.

These new audit standards, as written, assume that thorough written documentation on internal controls and accounting procedures already exists in your organization. Our experience is that some type of documentation on internal controls and accounting procedures may exist in your organization. However, it is most likely not complete enough to satisfy the requirements of the new auditing standards.

Plante & Moran began analyzing these new standards and incorporating the necessary changes into our audit process and tools in the spring of 2006. Our goal was to design a method to comply with the new standards that is easy to implement for our clients. As a result, we have developed a series of accounting and control questionnaires that we will be asking you to complete. These questionnaires will help you document your accounting and control systems and will enable us to more efficiently test them. This documentation will be much more extensive than the traditional narratives you have been accustomed to using. The tools that we have created will efficiently bridge the gap between information and documentation that exists today in your organization and the requirements and expectations of the new auditing standards.

How will this benefit local government?

We believe these new standards and the work behind them will be of benefit to you. First, your organization will likely now have more and better documentation of your accounting procedures and internal control systems. The increased knowledge that you will have as a result will provide you with better information to:

• Evaluate staffing levels and performance
• Identify additional areas where controls or processes need to be improved, which should result in more accurate interim financial reporting
• Improve identification of vulnerability to fraud risks, allowing you to more adequately cover those risks
• Improve the value and quality of discussions with the governing body regarding your controls and procedures

The primary objective of these new rules is to strengthen and enhance the independent audit of financial statements, including more thorough evaluation and information about your internal accounting and financial reporting processes and controls. We believe that these new rules, and the additional communications you will receive from us about the results of our audit work, will enhance the overall value you receive from your financial statement audit.

What should you be doing now?

Organizations should have a clear understanding of how these new standards will impact their individual audit. Plante & Moran has been educating our governmental clients on these new standards through a series of educational sessions that took place in August and September. Following those sessions, we began to distribute the accounting and control questionnaires that cover the major transaction cycles. Completion of these documents by your organization will ensure a smooth transition to these new standards. We are anxious to work with you to determine how existing materials can be incorporated into the accounting and control questionnaires and then to plan and complete our testing of these documents before the year end audit fieldwork.

You weren’t able to attend one of our educational sessions on this topic or want it repeated for your organization? We welcome the opportunity to meet in person to discuss these changes and the impact it will have on your audit and the documentation that needs to be available for your annual audit going forward.

SAS 114

The last of the new auditing standards is SAS No. 114, The Auditor’s Communications With Those Charged With Governance. This standard replaces SAS No. 61, Communication With Audit Committees, and will result in more required communication by us to your governing body.

Under SAS No. 61, auditors were required to communicate certain audit-related matters directly to formally designated audit committees. Many entities had no formal audit committees and were thus exempted from SAS 61. Now, under the new standard, these communications are expanded to include communications to “those charged with governance” for all audit engagements. For most governmental entities, the board, commission or council will be the governing body with whom these communications will be made.

The required communications will include the following:

• Responsibilities of the auditor under generally accepted auditing standards
• Overview of the planned audit scope and timing
• Significant audit findings and matters, including:
  • Auditor’s views regarding qualitative matters including accounting policies, significant estimates, and disclosures
  • Significant difficulties encountered in the conduct of the audit (for example, delays, difficulty in obtaining information, etc.)
  • Uncorrected misstatements
  • Management representations
  • Consultations with other accountants
  • Adjusting entries identified in the audit
  • Issues discussed with management
  • Other significant findings

The new standard also emphasizes the need for adequate two-way communication to occur between the governing body and the auditor to enhance the effectiveness of the audit process and the governance of the entity.

This new standard will be effective for all audits with year ending December 31, 2007 or later.