Sneaking a Peek: How the New Auditing Standards on Risk Assessment May Affect Fraud Huddles
Hayes, Arthur A., The Journal of Government Financial Management
As noted at the conclusion of the previous article in this series (Summer 2006), the American Institute of Certified Public Accountants (AICPA) has recently promulgated a series of far-reaching auditing standards related to the independent auditor's responsibility to obtain an understanding of the entity's internal control, and assess risk as part of an audit of the entity's financial statements. Those standards, comprising a "suite" of Statements on Auditing Standards numbered 104 through 111, significantly change the auditor's responsibility for auditing internal controls and assessing risk and, by their application through auditors, the way audit clients should design, implement and maintain those controls.
The New Standards Include Requirements for Huddles
Paragraph 14 of SAS No. 109, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, captioned "Discussion Among the Audit Team," provides that "the members of the audit team, including the auditor with final responsibility for the audit, should discuss the susceptibility of the entity's financial statements to material misstatements. This discussion could be held concurrently with the discussion among the audit team specified by SAS 99 to discuss the susceptibility of the entity's financial statements to fraud." (Emphasis added.)
What are the New Standards and How Do They Compare with the Fraud Huddle Requirements?
The new huddle standards are presented in paragraphs 14 through 20 of SAS 109, Understanding of the Entity and its Environment and Assessing the Risks of Material Misstatement
Paragraph 14 was restated above, in the introduction of this article.
These new huddle requirements of SAS 109 are summarized and compared with the current huddle requirements of SAS 99 in Figure 1.
As noted in Figure 1, the huddle requirements of SAS 109 are not significantly different from those of SAS 99. The respective numbering of the huddle requirements in each standard is quite similar: paragraphs 14 through 20 in SAS 109 and paragraphs 14 through 18 in SAS 99. The two sets of requirements are complementary and, when combined, provide a very strong statement about how auditors should use the brainstorming sessions to better plan and execute their work. They are interlocked, not only by their similarities, but by the specific references to SAS 99 requirements in the SAS 109 huddle provisions.
Hence, it appears that the transition to the new huddle requirements in the internal control standards, taken by itself, should not pose serious challenges to the auditor. However, the other requirements of the new standards are probably a very different matter. Any set of standards of more than 200 pages, which contain the changes these standards do, is probably going to require a lot of retooling.
And the changes and effect are not limited to the auditors. In the commentary with the standards, the AICPA is quite blunt about the need to improve auditor performance relative to internal control. And, in light of the new standards' emphasis on holding clients more accountable for their risk assessments and their implementation of mitigating controls, there may be a significant effect on clients whose auditors have taken the path of maximizing control risk without taking findings on control weaknesses (reportable conditions, now known as significant deficiencies). And even if the auditor has been taking such findings, the additional emphasis on auditee risk assessments may lead to further findings in any case. The standards appear to be poised to close the door on serious loopholes that have probably contributed to the "expectation gap." Slamming that door might be painful. But at least we are better positioned to take hold of the doorknob and try.
So, How Does This Development Affect the First Huddles-the Ones Dictated by SAS 99?
Although auditors are not required to implement the standards until they are engaged in audits of financial statements that begin on or after December 15, 2006, earlier implementation is permitted. …