Much has been written about the technical requirements of Statement on Auditing Standards No. 104-111, collectively called the Risk Assessment Standards (Risk Standards). This article will focus on 10 steps to effectively implement them.

Problem #1: Retaining your clients
Clients think the Risk Standards are the “Auditors Full Employment Act.” Why? Because the vast majority of firms are increasing fees, 10 percent to 30 percent is common, yet clients don’t get any more ‘value.’ That is, clients get the same clean opinion they’ve always gotten, so why should they pay more for your audit?

Solution #1: Talk to your clients NOW. Don’t wait until you show up to start the fieldwork. Take a copy of the standards (200+ pages available from the AICPA in book form). You’re not picking on the client, EVERY auditor must follow the rules. Use my simple graphic to explain the Risk Standards to your clients or boss, and why fees are increasing. You have to audit the business information, not just the accounting information. Why? Because the accounting records are the result of the business. And you can’t audit what you don’t understand.

Problem #2: Can you really issue an opinion
Rule 202, Compliance With Standards, of the AICPA’s Code of Professional Conduct requires compliance with these standards in an audit of a non-issuer (i.e., non-public entity). Because the requirement to comply with every auditing standard on every engagement is in the AICPA and most, if not all, state society, codes of conduct, failure to comply is not just a technical issue. Failure to comply is an unethical act.

Solution #2: Don’t just use last year’s audit program. Review EVERY audit program for complete compliance with EVERY audit standard, not just the Risk Standards.

Problem #3: How the risk standards affect current practice
There are two major changes for most practitioners. You can no longer…

1. Rely on just a ‘canned’ audit program.

2. Default to ‘maximum’ risk.

Solution #3: For #1, if every client is different, how can you use the same canned audit program? You can’t have it both ways. Start with a ‘canned’ audit program, then customize it for each client. For #2, you must evaluate internal controls, and may conclude risk is maximum. Remember, maximum risk means there is not one single control. Even many small clients will have at least one control, meaning that risk may be 95 percent, but not 100 percent.

Problem #4: Circumvent the risk standards
Afraid they won’t be able to get a clean opinion, some clients will fire your firm, recreate your firm letterhead, and write a fake opinion.

Solution #4: Rather than defending a lawsuit, prevent it from happening. Include a paragraph in your engagement that if a client terminates or reduces your services, you reserve the right to notify the financial statement users of the change. Although the risk of a fake opinion to any one firm is negligible, it only takes one. Same reason you have insurance on your house. Just in case.

Problem #5: SAS 104 defines ‘reasonable assurance’ as a “high level of assurance,” achieved by limiting audit risk to a low level
“…the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level." Yet the opinion still uses ‘fairly presented,' potentially creating confusion in market place as to how ‘accurate’ the statements are.

Solution #5: Simply do what our profession demands: fully comply with all audit standards, including the Risk Standards. If you don’t comply, you can’t issue an opinion.

Problem #6: Understanding the differences between current practice and what the Risk Standards require

Solution #6: Get a copy of the AICPA publication Understanding the New Auditing Standards Related to Risk Assessment. Best $29 you’ll spend this year.

Problem #7: Internal control evaluation has “moved”
… from a specific part of planning up one level in audit hierarchy to “Methodology” to be an ongoing, constant part of the audit process.

Solution #7: It’s no longer ‘set-it-and-forget-it.’ See Michael Ramos’ Re-Writing the Canon, at AuditWatch.com. See the charts below where internal controls have moved from/to.

Problem #8: Audit evidence
Although what management tells you is audit evidence ‘lite,’ it has virtually no ‘weight’ if the explanation supports something material. Thus, you now are required to obtain collaborative evidence.

Solution #8: Actually, what management tells you has never been audit evidence, especially if the assertion explains something material, such as “Gross margins are up five percent because we got a great deal on raw materials.” Figure out how to vouch the assertion.

Problem #9: Materiality
Financial Accounting Standards Board Statement of Financial Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information, defines materiality as “the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.”

Solution #9: Note there’s NO percentage or dollar amount in the definition. Materiality is in the ‘eye of the beholder.’ In other words, if the user of the financial statements would have made a different decision, then the information was material. For example, if a client has a bank loan covenant requiring $1 million of income to automatically renew the loan, and the client changes the calculation of bad debt expense increasing the bottom line from $980,000 to $1,011,000, the $31,000 change in bad debt expense is material. Why? Because the $31,000 is material to bank loan officer, who, absent the ‘adjustment’ would not have renewed the loan. In other words, an immaterial amount is material if it accomplishes a material event.

Problem #10: Fraud
Paragraph 10 of SAS 107 says, “… when the auditor encounters evidence of potential fraud, regardless of its materiality, the auditor should consider the implications for the integrity of management or employees and the possible effect on other aspects of the audit.”

Solution #10: In other words, ANY misstatement due to fraud is material. So there is NO such thing as an immaterial illegal amount. So STOP letting your clients or boss run personal expenses through the company’s books. How is it ethical to have clients who cheat on their tax returns or work somewhere cheating is taking place, even if it’s ‘immaterial?’ Use the Risk Standards to restructure your relationship with clients, or your boss. It’s simply not worth the risk.

Final thought … These are just 10 important things from the Risk Standards. There’s a LOT more to them. Study up, talk to your clients, and get ready for busy season.

©2007 Gary Zeune, CPA. Zeune (like ‘tiny’ with a ‘z’) is the Founder of “The Pros & The Cons,” the only speakers bureau in the U.S. for white-collar criminals. Gary and his white-collar ex-cons teach fraud classes for the FBI, the U.S. Attorney, over 30 state and national CPA societies (including the MACPA), and numerous banks and accounting firms. They have been profiled in The Wall Street Journal, New York Times and many other publications. Hiss books are The CEO’s Complete Guide to Committing Fraud and Outside the Box Performance. He’s widely published with 35+ articles on fraud and performance measures in national publications. You can reach him at gzfraud@bigfoot.com or www.TheProsAndTheCons.com.

Top