|
What Are We Paying Our Auditors For?
By Chris Johnson, CPA
A question sure to be echoed through board rooms of nonprofit organizations across the country this year, and likely to be accompanied by a few expletives, is ‘what are we paying our auditors for?' The answer might surprise you because it's significantly different from what it was just a year ago.
Calendar 2007 and fiscal 2008 year ends will be the first for simultaneous application of the controversial requirements of the AICPA's Statement on Auditing Standards No. 112 (SAS112) and the new collection of standards known as the risk standards. There will be significant changes in both the focus and the reporting for most nonprofits as a result. Here's how this combination works:
First, the risk standards require auditors to obtain documentation relative to controls that ensure everything from compliance with laws and regulations to the accuracy of financial statements and footnote disclosures, including all relevant controls related to gathering and processing information along the way. Unless prepared in advance, significant effort will be required in simply assembling this information, let alone assessing it for appropriateness which is the next required step for the auditor. The auditor will then conduct various forms of testing of controls deemed to be most significant to reporting objectives. This can be hampered when, for instance, the controls in place have no manner of verification such as sign-offs or a similar audit trail. Based on the results of this process, the auditor will then determine what specific areas and procedures will become part of the audit process or program. Naturally, high risk areas will receive the most emphasis during the audit itself.
Under SAS112, auditors are not required to search for control deficiencies, but are required to report on them if observed. Since the risk standards require the above-mentioned thorough examination of controls, going far beyond the old benchmark of simply understanding controls sufficient to plan an audit, the likelihood of encountering control deficiencies is greatly increased. In fact, experts predict the likelihood of finding reportable deficiencies is greater than that of not finding any for most organizations. Naturally, this means you're paying your auditors to spend much more time focusing on controls, with predictably little resulting decrease in time spent auditing financial reports. This is compounded by the degree of uniqueness and complexity of each auditee's control environment (no two are the same) and by the need to thoroughly and accurately evaluate controls on account of the serious impact that reporting deficiencies can have.
Another area where auditors anticipate spending more time is in the preparation of financial statements. Historically, auditors have played a primary role in aggregating their clients' financial information in the appropriate format for reporting under Generally Accepted Accounting Principals. The client would commonly provide a trial balance, account reconciliations and related source documents, and the auditor would hand back a set of bound financial statements with an auditor's report. When the 2003 revisions to the Yellow Book independence standards resulted in stricter guidelines than AICPA standards, auditors had to push certain work back to their clients to comply when applicable. Likewise, The Sarbanes-Oxley Act contributed to the concept of best practices and regulatory authorities across the country considered the merits of adopting similar legislation applicable to nonprofits, furthering awareness of separation of the auditor's role in reporting from that of the auditee. Now we have SAS112 and the risk standards which require reporting organizations to have controls over the financial reporting process, but specifically exclude the independent audit from consideration as a control over this process. In other words, the organization is expected to have established controls enabling management to produce GAAP financial statements and disclosures that are free of material misstatements. Technical consulting with the independent auditor is permitted, and the auditor is even permitted to physically draft a document containing statements and disclosures from the client-provided data, but the auditor must still assess the client's controls over financial reporting as described above and must use care to avoid generating data that is the responsibility of the client. Evaluating all significant aspects of reporting under this criteria and possibly pushing some parts of statement and disclosure preparation back to the client can reasonably be expected to take more time unless the auditee possesses an unusual level of proficiency in reporting under GAAP. That's the exception to the rule in the nonprofit world as a matter of resource availability, and in the opinion of some, that's what they pay the auditors for!
Nonprofit organizations have to prepare well in advance in order to ensure a smooth audit under the new standards. An internal risk assessment, evaluation and documentation of controls in a manner that can be easily conveyed, and a review to ensure an audit trail exists are the essential pre-audit steps to take. For more information and tools you can use in preparation for your next audit, contact Chris Johnson at cjohnson@pmn.com.
|
Full Newsletter
