The enactment of the Sarbanes-Oxley Act of 2002 has spurred
heavier regulation in the auditing industry. A new auditing standard, SAS
112, affects how auditing work is conducted. Among other things, SAS 112
redefines the types of internal control
issues that are reportable.
Companies of all sizes need to be familiar with the new standard and its implications, says Wade McMullen, partner at
Vicenti, Lloyd & Stutzman LLP. “Things
that might not have been a problem in
the past will now become a problem in
terms of reporting on internal controls.
The bar has been lowered on what is
considered a significant deficiency.”
Smart Business spoke with McMullen
about SAS 112, how the standard relates
to business risk and how companies
should prepare for it.
What is SAS 112?
It is a statement that Certified Public
Accountants are required to follow on
auditing standards. The statement,
issued by the American Institute of
Certified Public Accountants, gives auditors new guidance on how to communicate internal control matters. SAS 112
also provides some new definitions.
When does this auditing standard become
effective?
SAS 112 becomes effective for financial
periods ending on or after Dec. 15, 2006.
For most businesses operating on a calendar-year basis, it would be effective for
last year. For most nonprofit entities, it
would be effective for this year.
What accounting procedures will change as
a result of SAS 112?
It will make accounting procedures
more important in terms of internal controls and the checks and balances that
need to be implemented. Also, it’s going
to affect the documentation of those
procedures. In the past, documentation
has been much more informal. Not
everything was necessarily written
down. Now, procedures need to be documented so that they can be reviewed by
an auditor.
How does the new standard relate to business risk?
Worst case, this new standard makes it
possible for a business to receive an
adverse opinion on its financial statements if an auditor is unable to get reasonable assurance about effective internal controls.
But in general, with the new SAS 112
standard, internal controls are becoming
a larger part of what is expected of businesses. Internal control issues will affect
stakeholders’ opinion about a business,
and more stakeholders might be interested in internal controls than were
before.
How should companies prepare for implementing SAS 112?
First, they should talk to their auditing
firm or conduct research about the new
requirements so that they will fully understand SAS 112 and its implications. With the
new standard, it’s now getting to the point of
‘what could go wrong’ rather than ‘what did
go wrong.’ In other words, the possibility of
a potential problem with internal controls
could be nearly as damaging as an actual
problem that is found. This can be combated by formulating an action plan that can be
phased in over a number of years.
Also, a company should look at its financial closing process and examine what
types of internal controls are in place.
Finally, the company should manage
the expectations of insurers, creditors,
rating agencies and board members (if
applicable), and let them know about
the potential issues that might arise from
the new standard.
In what ways has the auditing process
changed since the advent of the Sarbanes-Oxley Act?
More work is required to complete an
audit. The amount of audit evidence that
needs to be obtained is greater and documentation requirements are more stringent. Also, the new auditing standards
are bringing all companies into a more
regulated environment.
Sarbanes-Oxley started out primarily
for public companies, but there has been
a big trickle-down effect and now even
private companies and nonprofit organizations are being affected. SAS 112 is
another way in which the rest of the
business world is coming into conformity with what has been asked of public
companies with Sarbanes-Oxley.
WADE MCMULLEN is a partner at Vicenti, Lloyd & Stutzman
LLP. Reach him at [email protected] or (626) 857-7300.