Early in 2006, policy makers for auditors of non-public companies set new standards that introduced a comprehensive audit methodology that differs significantly from the way audits have been performed for the past three decades.

Although the bulk of the new rules do not become effective until 2007, the sweeping nature of the changes require most audit firms to begin revising their processes immediately. Profession-wide training already has begun in earnest and will continue throughout 2007.

Without question the changes mandated by the new standards will affect not just audit firms, but their clients as well.

New Standards Strengthen the Audit Process

The Enron scandal combined with other high-profile business frauds and failures forced the auditing profession to re-examine the methodologies used to audit financial statements. In 2002, Congress passed the Sarbanes-Oxley Act, which resulted in a greatly expanded set of audit procedures, especially with regard to internal controls.

That law was applicable only to publicly traded companies, but now, some of the best ideas of Sarbanes-Oxley-to the extent they are relevant to smaller, non-public organizations-have been incorporated into the auditing standards applicable to all other entities. Once effective the new auditing standards will affect auditors of privately-held companies, not-for-profit organizations, state and local governments, and others who do not file with the SEC.

The goal of the new standards is simple: to maintain the integrity of the audit process by responding to the evolving needs of financial statement users.

Auditors Adapt to Changing Business Environment

Business models have evolved rapidly in the last decade. For example, the use of e-commerce, the outsourcing of business operations overseas, and the use of complex financing techniques have changed the way businesses operate and the risks they face. These changes no longer are restricted to larger companies-smaller, privately held entities and organizations in the public sector have been forced change if they are to stay competitive.

This dynamic business world requires an audit process that can adapt easily to changing circumstances. A fundamental feature of the revised audit process is its ability to adapt to the unique facts and circumstances of individual entities.

At the heart of the new audit process are requirements that, each year, auditors should-

• Obtain a thorough understanding of their clients' information processing system,
• Evaluate the design effectiveness of the controls over that system, and
• Possess detailed knowledge of their clients' operations, their business objectives and strategies, and the risks to achieving these objectives.

Armed with this knowledge, auditors can then develop customized procedures that vary depending on the dynamics of the business environment and the client's operations. This emphasis on customized audit approaches is a shift away from the current widespread use of standardized audit procedures and checklists.

Understanding the Client and Internal Control

Auditors have always been required to obtain an understanding of their client's business, its information system and internal controls. However under previous standards, the purpose of this understanding was simply to identify the significant classes of transactions, the accounting records used by the entity, and the types of accounting errors that may exist.

Under the new standards, the auditor is required to gain a more thorough understanding of the client and to evaluate the design effectiveness of internal control. The auditor's procedures are not relegated to audit planning, but instead are considered an integral part of the audit itself.

The information the auditor obtains must be sufficiently reliable to be considered "audit evidence." That is, the procedures performed to understand internal control should be just as rigorous as the procedures the auditor performs to verify an account balance or the existence of inventory.

Engagement teams will still be allowed to carry forward knowledge obtained in previous audits. However, the procedures performed to update that knowledge also must rise to the level of "audit evidence."

The new standards mandate that a single inquiry is not sufficient to understand the client and evaluate the design of its information processing and controls. Auditors must perform a variety of procedures that may include the review of relevant documentation, observation of the performance of the control procedure, or "walkthroughs" of systems.

Clarifying Management and Auditor Responsibilities

The fundamental value of an audit is that it is performed by an objective third party. For this reason, professional standards prevent auditors from things such as auditing their own work or acting in the capacity of management. Periodically, the auditing profession has been criticized for "being too close to their clients," and the new auditing standards address this issue as well.

In practice, the line between management's responsibilities and the auditor's responsibilities is often blurry. At smaller entities, it is common for management to rely on the company auditors to perform a good deal of the accounting and bookkeeping functions. For example, the auditor may propose standard journal entries, prepare the financial statements, or draft some or most of the notes to the financial statements.

The new standards do not prohibit auditors from providing any services they traditionally have provided to their clients. However, the standards do require auditors to evaluate carefully the accounting and bookkeeping work they perform as part of the audit and to determine whether the client has relied too heavily on the audit firm to maintain the books and records, prepare its financial statements, or function as part of the company's internal control.

If the audit firm is too involved in the client's accounting function, the firm is required to issue a letter to management that describes the situation as an "internal control deficiency" and makes a determination as to the severity of the deficiency.

By and large, auditors will exercise their judgment to make this determination. However, the new auditing standards spell out certain circumstances that, if they exist, are de facto "significant" deficiencies and probably indicate a "material weakness" in internal control.

For many years, auditors have been required to report internal control deficiencies to their clients, but the new standards are much more specific about the situations that indicate a control deficiency exists. In many cases, auditors will be required to communicate to management and describe as control deficiencies the arrangements between them that have existed for years.

Management may have sound business reasons for involving their auditors in maintaining the accounting records or preparing the financial statements, and as long as the audit firm complies with the professional independence rules, it is perfectly acceptable for these arrangements between the firm and its clients to continue. However, the auditor still will be required by the auditing rules to communicate the matter in writing.

What the New Rules Mean for Audit Clients

The impact the new rules will have on individual audit engagements will vary depending on the procedures the audit engagement teams have performed in the past. Some organizations will see little change in the work performed by their auditors; for others the differences will be dramatic. In general, audit clients should expect their auditors to-

• Perform more work to gather information and form an understanding of the business and its environment.
• Perform more extensive procedures to evaluate internal control design.
• Shift portions of the work relating to understanding the business, its environment, and its internal control to a period of time well in advance of the organization's fiscal year-end.
• Involve more experienced audit personnel in gathering information about the company and its internal control.
• Clarify the organization's responsibilities with regard to performing accounting functions, preparing the financial statements and overseeing the financial reporting process.

In many audits, the additional procedures required under the new standards will result in increased audit costs that will extend beyond the initial year of implementation.

Continued Communication is a Must

The new standards are the most significant change to auditing in the last thirty years, affecting auditors and clients alike. Many of the effects of these standards can be anticipated and planned for, others cannot be. Over the next year, as implementation begins to take place, continued communication between auditing firms and their clients will be a must in order to make the transition as smooth and meaningful as possible.