A Race to Finish for “Sarbox-lite”

The AICPA's risk-based standards are putting private-company auditors under the gun.
Alan RappeportNovember 5, 2007

New risk-assessment rules established by the American Institute of Certified Public Accountants are causing the auditors of privately held companies and non-profits to take between 10 percent and 25 percent longer to complete their work, according to an auditor with Kaufman, Rossin & Co., a Miami-based accounting firm.

The AICPA rules went into effect last December and companies have until the end of this December to comply—creating, for some, a frenzied finish. “This is the first time most will have to deal with it,” Alan Chosed, an audit principal with Kaufman, Rossin, says. “It’s more like a mad rush.”

How much more work an auditor will have to do to comply with the new rules depends on the complexity of the client’s financial structure, according to Chosed. The new AICPA standards provide guidance to auditors concerning their assessment of the risks of material misstatements, whether caused by fraud or error. They also tell auditors how to design and implement “audit procedures whose nature, timing, and extent are responsive to the assessed risks,” according to an AICPA summary of the standards.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

The added legwork stems from auditors’ need for a better understanding of the entity they’re auditing, particularly of their internal controls, experts say. Still, the standards do not match the Public Company Accounting Oversight Board’s standards for public companies in terms of strictness. While the auditing standards of the PCAOB ask for conclusions on the effectiveness of internal controls, the AICPA standards just ask that they be tested. “Sarbox is still a little more in-depth than the AICPA,” Chosed says. “Some people refer to this as Sarbox-lite.”

Standards set by the AICPA are not, technically speaking, mandatory, since the group isn’t backed by a government agency. But the AICPA’s standards are considered to be “Generally Accepted Auditing Standards.” Further, the AICPA has a peer-review system and ethics committee which performs investigations into firms that fail to follow GAAS. State auditing boards have the authority to enforce the standards, and auditors who fail to comply can lose their licenses, according to Mitchell Slepian, an AICPA spokesman.

The new standards set criteria and offer guidance on how to plan and supervise audits, assess audit evidence, and evaluate “whether the audit evidence obtained affords a reasonable basis for an opinion regarding the financial statements under audit.”

Despite the additional time, the eight new standards should ultimately benefit companies once they adjust, according to Chosed. “It’s in the best interest of the companies and [their] owners,” he says. The new standards are intended to force companies to address weaknesses in their internal controls before they are even audited.

For companies and accountants alike, the initial adjustment to the new standards may be the biggest hurdle. “Nobody likes change,” says Chosed. “Accountants don’t like change and their clients certainly don’t like change.”

The new auditing standards concern:

• Codification of auditing standards and procedures.

• Application of generally accepted auditing standards.

• Audit evidence.

• Audit risk and materiality.

• Audit planning and supervision.

• Understanding the entity and its environment and assessing material-misstatement risks.

• Responding to risks and evaluating audit evidence.

• Audit sampling.