In early 2006, policy makers were determined to strengthen the quality of audits and introduced sweeping new standards for comprehensive audit methodologies. Taking the best ideas of Sarbanes-Oxley—to the extent they are relevant to smaller, nonpublic organizations—the coming new standards significantly alter the way audits have been performed over the past three decades.
The new risk-based auditing standards are designed to focus auditors on matters that are most important to internal control over financial reporting and apply to all audits, not just those of financial institutions. The new rules reflect some of the guidelines FDICIA institutions are accustomed to and apply those guidelines to nonpublic institutions that fall below the $1 billion FDICIA threshold.
The new rules become effective for calendar year-end 2007 financial statement audits, and audit firms are currently busy revising their policies and procedures to ensure compliance by the end of the year. Although the new audit standards apply to audit firms, financial institutions share an important role in the audit process as well, and can also begin preparing for the new rules. Institutions that assist auditors with documentation of internal controls or have an internal audit function to assist with auditors’ testing can work now to ensure a more efficient audit, and thus help curb audit fees later on.
Adapting and responding to change
The new audit standards give the dynamic world of business an audit process that can adapt easily to changing circumstances. Audits will now be scaled to the size and complexity of each institution. In fact, a fundamental feature of the revised audit process is its ability to adapt to the unique facts and circumstances of individual institutions.
However, before auditors can develop customized procedures based on the dynamics of the client’s business environment and operations, the new standards require auditors to:
- Obtain a more in-depth understanding of their clients’ operations, their business objectives and strategies, and the risks related to achieving those objectives.
- Evaluate the design effectiveness and implementation of identified key internal controls.
- Perform an assessment of the risks of material misstatement based on that knowledge.
- Link the assessed risks to the audit procedures.
This new emphasis on a customized audit approach is a fundamental shift away from the current widespread use of standardized audit procedures and the one-size-fits-all checklists. Auditors will now have to design and implement audit procedures “whose nature, timing, and extent are responsive to the assessed risks.” Every audit will be unique, and each year, auditing procedures will be revised to address the risks identified during the year’s audit.
Such customized procedures will require more interaction, communication, planning, and responsiveness between auditors and their clients. In fact, the new standards mandate that auditors perform a variety of procedures that may include the review of relevant documentation, observation of the performance of the control procedure, or “walk-throughs” of systems.
What the new rules mean to your institution
The impact the new standards will have on individual audit engagements will most certainly vary depending on the procedures audit engagement teams have performed in the past. Some financial institutions will see little change in the work performed by their auditors; for others, the differences will be dramatic. In any event, the additional procedures required under the new standards will result in increased audit costs that will extend beyond the initial year of implementation.
In general, you should expect your auditor to:
- Perform more work to gather information and form a greater understanding of your business and its environment.
- Perform more extensive procedures to evaluate internal control design.
- Shift portions of the work relating to understanding your business, its environment, and its internal controls to a period of time well in advance of your institution’s fiscal year-end.
- For higher risk areas, involve more experienced audit personnel in gathering information about your organization and its internal controls.
- Clarify responsibilities with regard to accounting functions, financial statement preparation, and oversight of the financial reporting process.
While your audit firm works now to revise its processes, your financial institution should take the time to assess and document its internal control over financial reporting against the five essential elements of COSO, a widely used internal control framework:
- The control environment
- The risk assessment
- Control activities
- Information and communication
- Monitoring
The stronger your institution’s documentation and application of internal controls, the better your auditor will understand where your strengths and weaknesses lie, and the more efficient your audit will be under the impending new standards.