Newsroom

New Releases

RSSM Accounting & Audit Alert

Private Company Risk Assessment Standards - Changes To
The Fiscal 2007 Audit Process

To Clients and Friends of the Firm:

In February of 2006, the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) issued eight new Statements on Auditing Standards (SASs) collectively referred to as the Risk Assessment Standards. These new Risk Assessment Standards were developed to fill in gaps in widely used audit methodologies such as the "balance sheet" approach. For more than twenty-five years, auditors have utilized the "balance sheet" approach to perform successful audits which included a thorough testing of all material balance sheet accounts and an analytical review and other specific procedures related to the statement of operations. Additionally, auditors gained an understanding of the business and the control environment and major cycles. Although this method was effective, the perception was that it often led to "cookie cutter" audits and disjointed audit documentation files and potentially did not sufficiently modify audit procedures based on the financial controls at specific companies. To remedy this, the ASB issued the new Risk Assessment Standards which are effective for audits of financial statements for periods beginning after December 15, 2006. This means that all privately-held businesses will be subject to a process that will include an emphasis on reviewing financial controls for all fiscal year 2007 audits.

Objectives of the New Risk Assessment Standards. The ASB designed the new Risk Assessment Standards with the following three objectives in mind.

1. For auditors to obtain a more in depth understanding of the audited entity and its environment, including internal control;
2. For auditors to perform a more rigorous assessment of the risks of where and how financial statements could be materially misstated;
3. For improved linkage (and better documentation of this linkage) between the auditor's assessed risk and the nature, timing and extent of audit procedures performed in response to identified risks.

The standards, which have succeeded in improving the fundamental building blocks of the audit process, also introduce an audit methodology that differs in subtle, yet significant ways from the audit methodology used by a majority of audit firms.

A Better Understanding of the Entity. Auditors are already required to obtain an understanding of the audited entity, so what does the ASB mean by "a more in-depth understanding?" Essentially, auditors are now required to increase the breadth (i.e. what they know) and depth (i.e. how well they know it) of their understanding of the audited entity. For example, while performing the new audit methodology, an auditor should obtain detailed information concerning the entity's capital structure, ownership and governance as well as how certain industry practices and/or government regulations will affect the organization.

A Better Understanding of Internal Control. Arguably, the most significant change brought about by the new standards is the auditor's requirement to understand their client's internal control environment. In the past, auditors invested a limited amount of time on internal controls. This was due to the fact that very few audit firms placed any reliance on an audited entity's internal controls. This allowed firms to assess control risk at "maximum" and, therefore, perform the audit relying primarily on substantive procedures. Internal control memos in most audit files usually focused on process flow (i.e., how sales are recorded, billed and subsequently collected) and allocated limited time to addressing the controls over each process. Under the new Risk Assessment Standards, auditors are no longer allowed to default to maximum control risk. If an auditor believes control risk for their client should be assessed at maximum, they must now document their justification for this assessment.

In addition, under the new standards, an auditor must now obtain an understanding of each company's entity level controls (i.e. management's control over the entity as a whole) as well as their activity level controls (specific controls over revenue/receivables, purchases/payables, inventory/cost of sales, etc). Each auditor must obtain a sufficient understanding of controls to be able to determine if each control is properly designed and appropriately implemented. How will this information be obtained? The new standards give three options: (1) inquiry, (2) observation and (3) re-performance. Inquiry alone, however, is no longer sufficient. No longer will an auditor simply ask management about topics such as their attitude towards financial reporting, their operating philosophy or their commitment to competence. Auditors are now required to corroborate management's responses by either observation or re-performance.

A More Rigorous Assessment of the Risk of Material Misstatement. Under the new standards, the planning meeting has been emphasized and because of the new risk assessment standards is one of the most important steps in the new audit methodology and is a high priority for all team members.

As the audit team increases the breadth and depth of their understanding of the audited entity and its internal control environment, the audit team then uses this information to make a better determination of where the risks of material misstatements are most likely to reside. While each team member is gathering information about the entity's environment, conducting interviews with personnel about the process and controls over significant cycles, and observing or re-performing certain key controls, they must also be on the lookout for "what could go wrong."

The new standards assume that if the process of gathering information about an entity's environment and internal controls over key cycles is done to the extent now required, then the audit team will be better equipped to assess the areas of highest risk for each entity. It is during the planning meeting that the audit team synthesizes their information and assesses the areas of highest risk.

Improved Linkage Between Assessed Risk and Audit Procedures Performed. Finally, after the audit team has successfully determined "what could go wrong" and assessed risk, the last step in the process is to determine exactly what audit procedures will be performed in response to all identified risks. Traditionally, most audit firms have used prepackaged audit programs with few, if any, modifications. If an audit program step was not considered necessary, it was not typically removed from the program. Instead, it was annotated as "not considered necessary" or "not applicable" and there was rarely a clear link between why certain audit procedures were performed or were not performed. Now, under the new standards, there is a direct and well documented link between assessed risk and the audit procedures performed.

Noticeable Changes to the Fiscal 2007 Audit Process. What changes will be most noticeable to privately-held companies during their upcoming fiscal 2007 audit? First and foremost, their auditor will appear to be more curious about their business. Although most firms have a good understanding of each of their clients, the new standards require auditors to more thoroughly and systematically document information about a wide range of topics that affect the entity's environment. As a result, many clients will probably spend a significant amount of time with their auditors discussing items such as management's philosophy and operating style, how current economic conditions are affecting the entity and whether or not the entity plans to implement any significant new marketing programs during the next year.

Secondly, auditors will be asking more detailed and specific questions about processes and internal controls over significant accounting cycles. Fortunately, these new standards do not require auditors to test controls over every accounting cycle. But, for those cycles that are deemed to be significant, clients should expect to discuss them in detail with their auditor. It is also possible that their auditor will test certain controls over those cycles. Finally, each client can expect an auditor who better understands the unique aspects of their business.

We would be pleased to discuss in more detail the effects of the new standards on your audit and your financial statement preparation process. Please do not hesitate to contact Burgman Connolly at 212-303-1017 or via e-mail at bconnolly@rssmcpa.com.

Sincerely, Rosen Seymour Shapss Martin & Company LLP

For information contact:

Alisa Morris
Director of Marketing
(212) 303-1880
amorris@rssmcpa.com