Audit awareness: SAS Nos. 104-111 fundamentally alter how auditors ply their trade

California CPA, August, 2007

The AICPA's Audit Risk Standards (SAS Nos. 104-111) are continuing the trend of reworking the landscape of financial statement audits. These standards are effective for audits of financial statements for periods beginning on or after Dec. 15, 2006, and affect the way auditing firms assess the risk of material misstatements in financial statements.

[ILLUSTRATION OMITTED]

To gain some insight on the need for, and utilization of, these standards, California CPA recently interviewed CPA Lynford Graham, Ph.D., CFE.

As a former member of the AICPA's Auditing Standards Board and Risk Assessment Standards Task Force, and chair of the Risk Assessment and Risk Response Audit Guide Task Force, Graham was instrumental in developing these Audit Risk Standards. A frequent lecturer on the subject nationwide, Graham also is the author of a handbook on documenting internal controls for non-public companies.

Q: What were the goals and objectives of the ASB and Risk Assessment Standards Task Force?

A: The ASB, in coordination with the International Audit and Attest Standards Board, undertook a joint project in the latter 1990s to clarify many of the core auditing standards and advance more guidance on the role and performance of risk assessment. This was in response to concerns that audits were becoming increasingly risk-based, but there was a lack of guidance on how to go about the risk assessment process.

There were also concerns that, in some cases, too little audit work was being done to identify and correct any errors that might exist in the pre-audit financial statement records.

Auditors of major entities were becoming more reliant on the seemingly improved and automated systems, and internal audit resources of these entities.

The role of the Task Force was to coordinate the domestic and international standards-setting efforts and to make sure the standards fit well within the existing U.S. audit literature in terms of form and language.

The disastrous events and audit failures in early 2000 that lead to the Sarbanes-Oxley Act of 2002 are evidence that the project was on target, but that it was too late to avoid the events of Enron, WorldCom and the litany of business and audit failures in that time period.

SAS No. 99, Consideration of Fraud in a Financial Statement Audit (a revision of SAS No. 82), was originally part of the group of risk assessment standards, but was pulled out of the "suite" and issued as final in early 2002, in response to the stormy climate that was brewing.

While released for exposure here and internationally in 2002, the formation of the PCAOB in 2002 created a pause in the implementation of these standards, pending the formation of the PCAOB and conversations as to how the ASB and PCAOB would work together.

When it was clear that the PCAOB would go its own way in future standards setting, the ASB reorganized the Task Force, tuned-up the proposed risk assessment "suite" and re-exposed the standards in 2005.

Q: What were the goals and objectives of the Risk Assessment and Risk Response Audit Guide Task Force?

A: The Guide was envisioned as key to the effective implementation of the standards. Words in the auditing standards are carefully considered results of Task Force and ASB discussions, but professionals need a clear understanding of their meaning. The ASB's Audit Guide is the way to do this.

Q: How revolutionary are these standards?

A: Tough question. Much of the answer depends on what you have been doing in your audits all along.

The standards mostly clarify the intent of existing standards. Many firms have been successfully using the concepts in these new standards for a long time. For example, using audit assertions as an integral part of the audit planning and performance of the audit is not new. Neither is the assessment of controls as part of understanding the audited entity. That requirement extends to before SAS No. 55.

There are only a few "new" concepts, such as the identification of "significant risks" for audit engagements, which was not part of the auditing literature before, but were still practices of some firms before SAS No. 109. In any case, the extent of change these standards will bring will differ from firm to firm.

Q: What are the implementation areas that firms are struggling with?

A: The requirement to assess internal controls design and implementation for audit clients seems to be giving some firms consternation. While not a new concept, this assessment was often glossed over for smaller client audits where controls reliance was not planned.

Clarifying this requirement creates a need for broad understanding of the COSO framework and its components, how control objectives or attributes are used to assess controls design, and how to identify any obvious "holes" in the internal controls of an entity.

Concerns are out there that this is a Sarbanes approach, which it is not. SAS No. 78 put the COSO framework clearly in our literature long ago, before SOX. The "suite" requirement is only to assess the design of controls and there is no requirement to test them.