by Diane M. Zimmerman, CPA, Director, Baden, Gage & Schroeder, LLC
In 2006, policy makers for auditors of non-public companies set new standards that introduced a comprehensive audit methodology that differs significantly from the way audits have been performed for the past three decades.
Auditors Adapt to a Changing Business Environment
Business models have evolved rapidly in the last decade. The use of e-commerce, outsourcing of business operations overseas, and the use of complex financing techniques have changed the way businesses operate and the risks they face. These changes no longer are restricted to larger companies. Smaller, privately-held entities have been forced to change to stay competitive.
This dynamic business world requires an audit process that can adapt to changing circumstances. A fundamental feature of the revised audit process is its ability to adapt to the unique facts and circumstances of individual entities. At the heart of the new audit process are requirements that, each year, auditors:
- Obtain a thorough understanding of their clients' information processing system,
- Evaluate the design effectiveness of the controls over that system, and
- Possess detailed knowledge of their clients' operations, their business objectives and strategies, and the risks to achieving these objectives.
Armed with this knowledge, auditors can then develop customized procedures, based on identified risks that vary depending on the dynamics of the business environment and the client's operations. This emphasis on a customized audit approach focused on risk is a shift away from the current widespread use of standardized audit procedures and checklists.
Understanding the Client and Internal Control Design
Auditors have always been required to obtain an understanding of their client's business, its information system and internal controls. However under previous standards, the purpose of this understanding was simply to identify the significant classes of transactions, the accounting records used by the entity, and the types of accounting errors that may exist.
Under the new standards, the auditor is required to gain a more thorough understanding of the client and to evaluate the design effectiveness of its internal control. The auditor's procedures are not relegated to audit planning, but instead are considered an integral part of the audit itself.
The information the auditor obtains must be sufficiently reliable to be considered "audit evidence." That is, the procedures performed to understand internal control should be just as rigorous as the procedures the auditor performs to verify an account balance or the existence of an asset. The new standards mandate that inquiry alone is not sufficient. Auditors must perform a variety of procedures that may include reading relevant documentation, observing the performance of control procedures, or the "walkthrough" of a system.
These additional procedures will thus allow the auditor to design a customized audit plan that adapts to the changing business environment.
