CHANGES IN THE ACCOUNTING AND
Brief History of Auditing Standards
American Institute of Certified Public Accountants (AICPA)
? The AICPA is the national professional organization for certified public accountants. The AICPA and its
related organizations are organized as non-profit organizations under the applicable sections of the
Internal Revenue Code.
? The Auditing Standards Board (ASB) is the senior technical committee of the AICPA designated to issue
auditing, attestation, and quality control standards and guidance to certified public accountants for non-
public company audits.
? The AICPA Code of Professional Conduct requires members to comply with standards issued by the ASB.
Statement on Auditing Standards (SAS) No. 95, Generally Accepted Auditing Standards, states that
auditors should be prepared to justify any departures from the SASs issued by the ASB.
Internal Control Reporting
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
? COSO is a voluntary private-sector organization dedicated to improving the quality of financial reporting
through business ethics, effective internal controls, and corporate governance.
? COSO is jointly sponsored by five major professional associations: the American Accounting Association
(AAA), the AICPA, Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the
Institute of Management Accountants (IMA). COSO is wholly independent of each of the sponsoring
organizations; contains representatives from industry, public accounting, investment firms, and stock
markets; and has observers from the Securities Exchange Commission (SEC), the Public Company
Accounting Oversight Board (PCAOB), and the Government Accountability Office (GAO), the audit,
evaluation, and investigative arm of the United States Congress.
? SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement, requires auditors to obtain an understanding of the entity and its environment, including its
internal control. SAS No. 109 requires an understanding of five interrelated components of internal control
defined and described in COSO's Internal Control—Integrated Framework. Those components are as
? Control environment ? Monitoring
? Risk assessment ? Control activities
? Information and communication
Statement on Auditing Standards No. 112
? In 2006, the ASB issued SAS No. 112, Communicating Internal Control Related Matters Identified in an
Audit. The primary reasons for issuing SAS No. 112 were to incorporate certain internal control related
definitions used in PCAOB Auditing Standard (AS) No. 2, An Audit of Internal Control Over Financial
Reporting Performed in Conjunction With an Audit of Financial Statements, and to require certain
communications to be in writing.
? Under SAS No. 112's reporting criteria, there are three categories for severity of deficiencies of controls
(listed in order from least severe to most severe):
? Control deficiency—A control deficiency exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their assigned functions, to
prevent or detect misstatements on a timely basis.
? Significant deficiency—A control deficiency, or combination of control deficiencies, that adversely
affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in
accordance with generally accepted accounting principles such that there is more than a remote
likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will
not be prevented or detected.
? Material weakness—A significant deficiency, or combination of significant deficiencies, that results in
more than a remote likelihood that a material misstatement of the financial statements will not be
prevented or detected.
SAS No. 112 requires auditors to communicate in writing all significant deficiencies or material weaknesses
that they identify. This requirement also includes any significant deficiencies or material weaknesses that were
identified in previous audits that have not yet been corrected. Control deficiencies that the auditor identifies but
does not consider to be significant deficiencies or material weaknesses may be communicated orally or in
writing. Additionally, other suggestions on how to improve administrative or other functions may be
communicated in the same manner.
Financial Reporting Process
? The overall purpose of the accounting function is to accurately process, record, summarize, and report
transactions of the organization. The following exhibit illustrates how source documents and other financial
records are processed through the accounting system to produce the organization’s financial statements.
Flow of Accounting Records
documentsjournalsstatementsGeneral ledger(vendor invoices, (cash receipts, cash (generally accepted checks, time card, disbursements, general accounting principles journal entries, etc.)journal, etc.)or OCBOA)
reports(management-use financial statements, reports to funding sources, etc.)
? Preparing financial statements is the culminating step in the accounting process. Once all other processing
steps have been completed for the period, financial statements may then be prepared. As the end product
of the accounting function, both financial statement content and form are important. An organization’s
financial statements are often used to communicate the organization’s activities, operations, and programs
to funding sources and others outside the organization.
? To best achieve the objectives of financial reporting and to inform financial statement users, the
organization’s financial statements should be prepared in accordance with generally accepted accounting
? SAS No. 69 (as amended), The Meaning of Present Fairly in Conformity with Generally Accepted
Accounting Principles, describes GAAP in general terms as "…a technical accounting term that
encompasses the conventions, rules, and procedures necessary to define accepted accounting practice at
a particular time. It includes not only broad guidelines of general application, but also detailed practices and procedures. Those conventions, rules, and procedures provide a standard by which to measure financial presentations." GAAP includes pronouncements of authoritative bodies designated by the AICPA to establish accounting principles, such as Statements of Financial Accounting Standards (SFAS) issued by the Financial Accounting Standards Board (FASB), FASB Interpretations, AICPA Statements of Position, and AICPA Industry Audit and Accounting Guides.
? In many audit engagements involving small businesses and non-profit organizations, the auditor drafts or assists with drafting the financial statements, which may include assistance with:
? Overall preparation of the financial statements and related notes in accordance with GAAP ? Calculating depreciation on property and equipment
? Classifying expenses by functional category
? Calculating unrelated business income taxes, excise taxes, etc.
? Preparing the statement of cash flows
? It is important that the organization’s management and the governing board understand that the auditor’s involvement in preparation of the financial statements does not change the fact that management is responsible for them. The organization's management is expected to acknowledge this responsibility in the management representation letter obtained by the auditor at the conclusion of the audit engagement.
? SAS No. 112 provides guidance about control deficiencies that usually are considered to be at least significant deficiencies, and deficiencies that are considered to be at least significant deficiencies and strongly indicate material weaknesses. Included in the former category are deficiencies in controls over the selection and application of accounting principles that are in conformity with GAAP, which includes having sufficient expertise in selecting and applying accounting principles, and deficiencies in controls over the period-end financial reporting process, including controls over procedures used to record recurring and non-recurring adjustments to the financial statements.
? Thus, the auditor’s involvement in preparation of the financial statements often represents a significant deficiency or material weakness in internal control that must be communicated, in writing, to management and those charged with governance.
? Management's options for addressing significant deficiencies or material weaknesses will depend upon the significant deficiencies or material weaknesses that are communicated. Using the example of lack of controls over the preparation of the financial statements, management's options could include: ? Doing nothing and choosing to continue to have the auditor prepare the financial statements and
receive the written communication at the end of the audit identifying a material weakness. This option
is a viable option given that the communication is a restricted use communication intended for use by
only management and those charged with governance. It is not uncommon for small businesses and
non-profit organizations to use the same public accounting firm for both the preparation of the financial
statements and the audit.
? Train an employee to have the appropriate skills to prepare the financial statements or hire another
public accounting firm to prepare them.
Management ultimately needs to determine the value of incurring the additional expense of training an employee or hiring another public accounting firm to prepare the financial statements. If management determines that the value or additional benefit does not justify the cost, it can continue to have the same public accounting firm it uses for the audit to prepare its financial statements.
Risk Assessment Standards
? In March 2006, the ASB issued eight new SASs, collectively referred to as the risk assessment standards, which bring sweeping changes and provide definitive guidance for the conduct of audits of non-public companies. The primary objective of these standards is to enhance auditors’ application of the audit risk model by requiring auditors to obtain a more in-depth understanding of an entity in order to better identify risks of material misstatement of financial statements.
? Before the issuance of the risk assessment standards, generally accepted auditing standards required
auditors to consider and limit audit risk in all audits; so in a sense, auditors were required to assess risks.
However, before the risk assessment standards, the auditor may not have always leveraged his or her
knowledge of the entity's operations and experience in prior audits to determine the level of assurance
needed in significant audit areas. An audit approach based on risk assessment provides a method to
identify higher-risk areas so that audit effort can be focused on those areas. By focusing efforts in higher-
risk areas and limiting procedures in lower-risk areas, the auditor performs a more effective and focused
? Some of the key provisions and changes in the audit process through the application of the risk
assessment standards include:
? Improvements in the quality and depth of the required understanding of the entity and its
environment—In addition to the components of internal control, the guidance specifies aspects of the
entity and its environment about which the auditor should obtain an understanding to identify and
assess where material misstatements could occur.
? Expansion of the risk assessment process—The risk assessment standards eliminate the concept of
assessing control risk at the maximum by default. Risk assessment, at whatever level, should be
supported by the auditor’s understanding of the entity and its environment and internal controls.
Auditors are also required to identify significant risks that need special audit consideration, along with
other risks where the application of substantive procedures alone will not sufficiently reduce audit risk. ? Additional emphasis on evaluating and testing controls—SAS No. 109 notes that “obtaining an
understanding of internal control involves evaluating the design of a control and determining whether it
has been implemented.” Since control risk can no longer be at a default maximum level without
documenting the basis for that conclusion, testing of controls may increase in some situations.
However, similar to existing guidance, testing of controls is not required unless the auditor intends to
rely on the operating effectiveness of controls to alter the nature, timing, or extent of substantive
procedures, or the auditor concludes that substantive procedures alone will not sufficiently reduce
? Improvements in the linkage between assessed risks and resulting audit procedures—Auditors are
required to develop overall responses that address risks of material misstatement at the financial
statement level along with additional procedures that are clearly linked to assessed risks of material
misstatement at the relevant assertion level. The risk assessment standards stress the importance of
the nature of audit procedures in responding to assessed risks.
? Enhanced guidance on substantive procedures—The risk assessment standards indicate that
substantive procedures should be applied to all relevant assertions related to each material class of
transactions, account balance, and disclosure to detect material misstatements at the assertion level,
regardless of the assessed risk of material misstatement. The standards also require the auditor to
reconcile financial statements (and the accompanying notes) with supporting records, and to examine
material journal entries and other adjustments that were made when preparing financial statements. ? Additional emphasis on testing of disclosures—Assertions about presentation and disclosure have
been expanded to include completeness and understandability to users. The risk assessment
standards emphasize that risks of material misstatement should be considered for disclosures. ? New documentation requirements—Auditors are required to document their overall response to
address the assessed risk of misstatement at the financial statement level; risk assessment at the
relevant assertion level; the nature, timing, and extent of the further audit procedures; the linkage of
audit procedures to assessed risks; and the nature, timing, and extent of audit procedures performed
and the results obtained.
? The risk assessment standards expand the scope of the understanding that the auditor must obtain and
require the auditor to document and evaluate the design of internal controls over financial reporting. Thus,
the risk assessment process will most likely result in an increased number of control deficiencies,
significant deficiencies, and material weaknesses being reported under SAS No. 112 than were reported
under previous standards.
? The risk assessment standards are effective for audits of financial statements for periods beginning on or
after December 15, 2006 (generally calendar year 2007). For school districts these standards are
effective for audits of beginning fiscal year 2007-2008.
Auditor’s Communication With Those Charged With Governance ? SAS No. 114, The Auditor’s Communication with Those Charged With Governance, establishes
requirements and provides guidance on the auditor’s communication with the individuals responsible for
an entity’s governance. The communication requirements of SAS No. 114 apply to all entities regardless of
their governance structure or size.
? The SAS defines those charged with governance as the persons “with responsibility for overseeing the
strategic direction of the entity and its obligations related to the accountability of the entity. This includes
overseeing the financial reporting process.” The SAS further states that those charged with governance
encompasses a board of directors or audit committee referred to in other auditing standards.
? Under previous standards, certain communications were applicable only to entities that either had an audit
committee or that had otherwise formally designated oversight of the financial reporting process to a group
equivalent to an audit committee (such as a finance committee or budget committee).
? The auditor must clearly communicate matters that are, in the auditor’s professional judgment, significant
and relevant to the responsibilities of those charged with governance in overseeing the financial reporting
process. The matters required to be communicated under SAS No. 114 include:
? The auditor’s responsibilities under generally accepted auditing standards.
? An overview of the planned scope and timing of the audit that is not so detailed as to compromise
? The auditor’s views about findings or issues that the auditor considers to be significant and relevant to
those charged with governance regarding their oversight of the financial reporting process, including
the auditor’s views about qualitative aspects of the entity’s significant accounting practices, significant
difficulties encountered during the audit, uncorrected misstatements, and disagreements with
management about matters that could individually or in the aggregate be significant to the financial
statements or auditor’s report.
? SAS No. 114 requires written communication of significant findings when, in the auditor’s professional
judgment, oral communication would not be adequate.