How audit standards affect your business
Wiersema, William H
New standards, even for small companies, emphasize documentation
Following the recent financial scandals, public companies became subject to new scrutiny under the Sarbanes-Oxley Act. The Act regulates many areas of corporate governance. Among other things, it requires top management to assume a higher level of formal responsibility for controls and financial information. Management must establish a system of checks and balances by introducing independent parties into corporate governance. The Act also requires a greater emphasis on preventing fraud.
Similar ideas are now being applied to private companies in significant new ways. Unlike public companies, private ones have no government involvement in their management control systems. The Securities and Exchange Commission has no private counterpart. The concepts are being imposed upon private companies by requiring their auditors to take an elevated view of internal control. Major areas of change include rules as to documentation and management responsibility, in addition to a renewed emphasis on traditional internal control concerns.
The changes are effective for outside audits conducted on calendar year 2007 financial statements, under new auditing standards. Implementation of the requirements may prove to be onerous, depending upon how prepared companies are. Fortunately for many small companies, the new requirements apply only to entities issuing audited financial statements, not to those for which the outside firm prepares a review or compilation.
Documentation
The new standards for auditors emphasize documentation. Documentation can take many forms, but most typically it is a written manual of accounting policies and procedures. This material must address internal control concerns, some elements of which are included in the accompanying box. It must be specific to the company. Companies must do much more than keep a copy of authoritative accounting pronouncements or a generic accounting manual.
The documentation must be comprehensive. Besides accounting, information technology controls must be included because of their significant role in modern accounting systems. The documentation must cover not only controls in place, but also identify means by which the controls will be subjected to ongoing testing. Preparing it will be a big task for most small companies, almost along the lines of the documentation of quality control systems under ISO-9000 and related standards.
The documentation provided by the company being audited plays heavily into audit work. Auditors are now required to identify the source of their understanding of internal control and how they tested the source of the information. To do so, they must rely heavily on the documentation provided to them. If documentation is incomplete or does not exist, the auditor must indicate that deficiency in a written letter to management.
The documentation is also subject to evaluation. Auditors will evaluate it as to how well internal controls have been designed. A poorly prepared manual will generate additional comments.
Management responsibility
As with Sarbanes-Oxley for public companies, management's responsibility is expanded to include internal control oversight and tone-setting. Management is expected to be control-conscious. It must perform as specified in the documented controls, not override them.
Management must also obtain ongoing feedback as to how well the controls are operating. In addition to setting up mechanisms for review, the standards mention anti-fraud programs, such as employee whistle-blowing. Management is accountable for responses to auditors' inquiries.
Responsibility includes acting on deficiencies found and reported during the audit. This means that if the auditor finds compliance with these standards to be absent, as reported in this year's audit, and finds the deficiencies uncorrected in the next, this fact is yet another internal control deficiency.
The scope of responsibility extends to the financial statements themselves. While management has always had to make written representations to its auditors, the new requirements go well beyond that. They now extend to the ability to prepare financial statements, a task that traditionally has been the work of the outside accounting firm.
Companies need to employ accountants internally who are capable of determining and applying accounting policies and principles. The failure to employ individuals competent to perform these functions is a deficiency that auditors must report in writing to management.
Moreover, accounting principles must be applied without bias. They cannot be manipulated in accordance with decisions to move income up or down. Corrections to current or prior financial statements through auditor adjustments now signify deficiencies in controls over accounting.
Traditional internal control
The new standards also emphasize traditional control concerns. Common elements of internal controls include segregation, independent review, books of account, audit trail, and information technology. These areas must be addressed by management in a documented way.
Conflicting duties potentially result in errors or downright fraud. In broadest terms, segregated duties include authorizing transactions, keeping records, and safeguarding assets. Part of segregation of record keeping is preventing unauthorized individuals from access. It is desirable to restrict computer access to those files necessary for an employee's job.
Where complete segregation of conflicting functions is not possible, certain policies can assure that it occurs. For one thing, duties can be rotated. For another, employees can be required to take vacations, during which others perform their work.
There is also no substitute for independent, knowledgeable review of critical accounting functions. In smaller companies, the owner-manager may best perform these. Critical review can make the difference in establishing an appropriate control environment. Some of the crucial areas for such review include financial statements, bank reconciliations, journal entries, credit approval decisions, past due accounts receivable, accounts receivable write-offs, unmatched documents, and checks issued.
Basic accounting records must be retained, including the general ledger, journal entries, journals of sales, purchases, cash receipts and cash disbursements, and month-end account details, including accounts receivable and accounts payable.
Inventory transaction journals and month-end perpetual listings are also desirable. As part of month-end procedures, supporting details must be reconciled to the general ledger and maintained in a file for subsequent reference.
Accounting records rely on a chart of accounts for posting into financial statements. The chart of accounts must allow for an appropriate level of detail to manage the business. Otherwise, significant, unusual items may be hidden from view.
Journal entries should be numbered and bound together with their supporting documentation. Both the preparer and reviewer should sign off. Only authorized individuals should be allowed to prepare them. Without control, journal entries are dangerous. They convey the power to commit fraud as they can be used to camouflage any number of improprieties.
For each transaction, an audit trail should provide the date and time recorded and by whom. Computer systems can identify the user and terminal as well. Accounting systems should make this trail explicit.
For example, posted data should not be susceptible to modification after the fact without a complete record of what was changed and when. Software popular with smaller companies may lack this control. Many programs, for example, allow unlimited changes to information after the fact. Payees on checks, amounts, or even dates can change with the stroke of a key. Auditors of entities that use those systems must be aware of the risks they entail.
The nearly universal use of computers for accounting systems has affected internal control concerns significantly. Common to practically every audit area is the assurance of mathematical accuracy and automated posting controls.
Many other controls may apply, as listed in the accompanying box. Deficiencies exist in design if appropriate controls are not in place. For example, controls must address non-routine transactions in order to be well-designed. If, on the other hand, well-designed procedures are not being followed, there is a deficiency to be reported relative to noncompliance. This may occur if management decides to ignore controls, such as providing backup support for a cash disbursement.
As is apparent, complying with the new rules may be difficult. Audit fees are bound to increase. The increase will be even more significant for those companies that have not prepared. The best advice for companies is to start early, to be ready well in advance of their 2007 audit year.
By William H. Wiersema, CPA, EA Contributing Editor
Copyright Barks Publications Mar 2007
Provided by ProQuest Information and Learning Company. All rights Reserved