AICPA OKs Risk-Based Audit Standards

When hunting down problems in the financial statements of non-public-issuers, the new strictures will deploy a ''rifle'' rather than a ''shotgun.''
David KatzFebruary 24, 2006

Jumping on the current bandwagon promoting greater auditor efficiency, the American Institute of Certified Public Accountants has approved eight new “Risk Assessment Standards” for the audits of private companies and non-profit organizations.

The new standards, which the AICPA will make available March 8, will require auditors to use a “rifle” approach to detecting problems in the financial statements of non-public-issuers, rather than a scattershot, “shotgun” attack, says Chuck Landes, the association’s vice president of professional standards and services.

The AICPA’s audit standards board, which issued the strictures, thinks they’ll spur major changes in the way auditors do their work and spawn much more effective audits. “If my audit methodology is such that I’m pulling a canned audit program out of a manual, that no longer is going to be acceptable,” adds Landes.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

The concept behind the new AICPA standards is identical to the one recently embraced by the Public Company Accounting Oversight Board, according to Landes. In a policy statement last May, regarding attestations to clients’ internal controls over financial reporting, the PCAOB took some auditors to task for not using their own judgment when setting priorities about where to put their heaviest efforts.

Instead, those auditors relied on one-size-fits-all checklists and probed trivial controls with the same effort they gave to highly important ones, according to the PCAOB. For their part, many CFOs are also saying they want the ability to triage their internal-controls assessments.

To be sure, non-public issuers, unlike public companies, aren’t required to report their financials to the Securities and Exchange Commission. But many private entities do make their financial statements public, and many file them with banks, insurance companies, investors, and state governments, Landes notes.

Slated to take effect on December 15, the new AICPA standards provide guidance to auditors concerning their assessment of the risks of material misstatements, whether caused by fraud or error. They also tell auditors how to design and implement “audit procedures whose nature, timing, and extent are responsive to the assessed risks,” according to an AICPA summary of the standards.

To be responsive to the assessed risks, auditors must custom-tailor their approaches. “What we’re getting to here is that every audit is unique,” says Landes. “Each year, your auditing procedures need to be revised so that they are responsive to the risks you’ve identified in that current year’s audit.”

The new standards also set criteria and offer guidance on how to plan and supervise audits, assess audit evidence, and evaluate “whether the audit evidence obtained affords a reasonable basis for an opinion regarding the financial statements under audit.”

One main objective of the standards is to push auditors to gain “more in-depth understanding of the entity and its environment.” Besides a deeper grasp of the client’s internal controls, the auditor should, for instance, learn how the audit numbers compare with broader industry statistics, according to Landes.

What will the new standards mean to non-public clients and their finance chiefs? Chief financial officers won’t have to do anything differently, according to the AICPA official. But the stronger the organization’s controls and the more forthcoming the CFO about how internal accounting decisions were reached, “the better your auditor will understand where your strengths and weaknesses will be, and the more efficient your auditor will be,” he says.

The new auditing standards concern, respectively:

• Codification of auditing standards and procedures.

• Application of generally accepted auditing standards.

• Audit evidence.

• Audit risk and materiality.

• Audit planning and supervision.

• Understanding the entity and its environment and assessing material-misstatement risks.

• Responding to risks and evaluating audit evidence.

• Audit sampling.