
Content provided in partnership with
ProQuest

How audit standards affect your business

Electrical Apparatus,  Mar 2007  by Wiersema, William H

New standards, even for small companies, emphasize documentation

Following the recent financial scandals, public companies became subject to new scrutiny under the Sarbanes-Oxley Act. The Act regulates many areas of corporate governance. Among other things, it requires top management to assume a higher level of formal responsibility for controls and financial information. Management must establish a system of checks and balances by introducing independent parties into corporate governance. The Act also requires a greater emphasis on preventing fraud.

Similar ideas are now being applied to private companies in significant new ways. Unlike public companies, private ones have no government involvement in their management control systems. The Securities and Exchange Commission has no private counterpart. The concepts are being imposed upon private companies by requiring their auditors to take an elevated view of internal control. Major areas of change include rules as to documentation and management responsibility, in addition to a renewed emphasis on traditional internal control concerns.

The changes are effective for outside audits conducted on calendar year 2007 financial statements, under new auditing standards. Implementation of the requirements may prove to be onerous, depending upon how prepared companies are. Fortunately for many small companies, the new requirements apply only to entities issuing audited financial statements, not to those for which the outside firm prepares a review or compilation.

Documentation

The new standards for auditors emphasize documentation. Documentation can take many forms, but most typically it is a written manual of accounting policies and procedures. This material must address internal control concerns, some elements of which are included in the accompanying box (next page). It must be specific to the company. Companies must do much more than keep a copy of authoritative accounting pronouncements or a generic accounting manual.

The documentation must be comprehensive. Besides accounting, information technology controls must be included because of their significant role in modern accounting systems. The documentation must cover not only controls in place, but also identify means by which the controls will be subjected to ongoing testing. Preparing it will be a big task for most small companies, almost along the lines of the documentation of quality control systems under ISO-9000 and related standards.

The documentation provided by the company being audited plays heavily into audit work. Auditors are now required to identify the source of their understanding of internal control and how they tested the source of the information. To do so, they must rely heavily on the documentation provided to them. If documentation is incomplete or does not exist, the auditor must indicate that deficiency in a written letter to management.

The documentation is also subject to evaluation. Auditors will evaluate it as to how well internal controls have been designed. A poorly prepared manual will generate additional comments.

Management responsibility

As with Sarbanes-Oxley for public companies, management's responsibility is expanded to include internal control oversight and tone-setting. Management is expected to be control-conscious. It must perform as specified in the documented controls, not override them.

Management must also obtain ongoing feedback as to how well the controls are operating. In addition to setting up mechanisms for review, the standards mention anti-fraud programs, such as employee whistle-blowing. Management is accountable for responses to auditors' inquiries.

Responsibility includes acting on deficiencies found and reported during the audit. This means that if the auditor finds compliance with these standards to be absent, as reported in this year's audit, and finds them uncorrected in the next, this fact is yet another internal control deficiency.

The scope of responsibility extends to the financial statements themselves. While management has always had to make written representations to its auditors, the new requirements go well beyond that. They now extend to the ability to prepare financial statements that traditionally has been the work of the outside accounting firm.

Companies need to employ accountants internally who are capable of determining and applying accounting policies and principles. The failure to employ individuals competent to perform these functions is a deficiency that auditors must report in writing to management.

Moreover, accounting principles must be applied without bias. They cannot be manipulated in accordance with decisions to move income up or down. Corrections to current or prior financial statements through auditor adjustments now signify deficiencies in controls over accounting.

Traditional internal control

The new standards also emphasize traditional control concerns. Common elements of internal controls include segregation, independent review, books of account, audit trail, and information technology. These areas must be addressed by management in a documented way.