Home / Archive / Uncertain Inventory
Saturday, February 04, 2012
Feature: September 2008
Uncertain Inventory
Auditors and new guidelines for assessing risk
Story by Mark Larson
First there were the corporate scandals of Enron Corp. and WorldCom Inc., which introduced to the world the ill effects of voodoo-inspired financial reporting spun out by corporate greed heads.
The resulting trail of millions of dollars in lost shareholder value, lost jobs, lost nest eggs, and plenty of shareholders and employees being swindled out of their life savings, pressured federal lawmakers to take action.
Up came the Sarbanes-Oxley Act of 2002, which put legal requirements front and center and demanded that publicly traded companies report financials based on fact and not smoke and mirrors. The message was clear: Make your financials as accurate as possible, or face the legal consequences.
Keith Flodin of Ernst & Young in Roseville, who works with Sarbanes-Oxley requirements, says the new federal law was ambiguous and tough to apply for the first year or so. “There was a learning curve,” Flodin says.
But federal regulators provided numerous guidelines to clarify the intent of its measures, and he says that smoothed out the process in recent years. But it hasn’t been a bulletproof cure as the ongoing meltdown of the subprime mortgage industry — tightened accounting rules or not — found a way to happen on a large scale.
Sarbanes-Oxley applies to public companies and — among many other things — makes CEOs legally accountable for the veracity of their publicly reported financials. But the spirit of Sarbanes-Oxley has moved beyond just publicly traded companies. It has produced a trickledown effect on the auditing industry for other financially accountable sectors: private companies, nonprofits and government agencies.
For the past year or so, eight new auditing standards proclaimed in 2006 by the American Institute of Certified Public Accountants have infused new scrutiny into how the auditing industry and its clients should document financials.
Collectively referred to as risk assessment standards, these guidelines require auditors to have a much deeper understanding of a company’s financial controls, so they can spot areas where misstatements might surface. They look to smoke out errors or fraud when doing audit tasks such as confirming receivables, counting inventory and looking for unrecorded liabilities. They also recommend corrections to minimize future chances of statement errors.
That means audits now need a lot more documentation, and auditors are now testing financial controls for how well they work. That’s different from the typical practice of asking the client if controls are in place for assumed high-risk areas and then simply moving on.
The new standards require auditors to document each risk to assess whether it is a maximum risk. The theory is that this will help the auditor zero in on the truly risky areas for more accurate reporting.
On the client side of the audit, these new standards mean private companies, nonprofits and government agencies must provide auditors much more documentation of internal controls than in the past.
Now, an auditor can ask that financial statements be adjusted and formally report any internal control problems not reported in the past.
For auditors, the stricter procedures mean more billable hours to clients and higher fees for what is, for most clients, an annual need. Local auditors estimate they’re spending about 15 to 25 percent more hours per audit in fulfilling the new requirements than previously, depending on the size of the client.
But since these fee hikes include the cost of installing new accounting standards, next year they’re expected to shrink to about 5 percent of former audit fees, since they’ll theoretically take less time to update.
Still, the new standards should make auditors better at their jobs. Ernie Gini, partner at Sacramento-based Macias Gini & O’Connell LLP says the new regulations force auditors to better understand their clients. “I think it’s a good thing,” he says. “It makes CPAs more accountable as well as companies. If someone wants to commit fraud, they might have a little harder time doing it with these new standards.”
Tom Gilbert, of the Sacramento accounting firm Gilbert Associates Inc., says the demands imposed by the new auditing standards have left his firm looking for experienced auditors to help with the workload. And so far, he’s not having a lot of luck.
“We’re turning down work often,” Gilbert says. “We don’t have the capacity. You can’t just have entry-level people. The increased hours are at the high experience level. It takes five to eight years to get to that.”
The shortage of experienced auditors in the industry came in the past two or three years as the stricter accounting requirements of Sarbanes-Oxley for public companies prompted them to hire accountants. That dried up the labor pool for small accounting houses.
Still, Gilbert figures with extra time needed to implement the new standards, his firm is spending 15 percent more time per engagement on average than in pre-Enron times.
Gilbert says clients not only balk at the higher fees, but during the audit, “We get a lot of ‘You’ve never asked these questions before.’”
Gilbert and others in his industry see the new auditing standards as a natural extension of Sarbanes-Oxley’s financial reporting requirements of publicly traded companies.
“I think it’s a step in the right direction in improving the effectiveness of audits,” he says. “They can identify problem areas that need to be looked at closely.”
Among the areas of risk documented by auditors are payroll, bill payments, sales, cash and inventory control, all of which require detailed knowledge of a company’s partners and management.
If credit checks aren’t monitored to ensure a customer’s qualifications, Gilbert says, there is a financial risk to the company extending the credit. Mortgage companies across the country know all about that.
To check such a risk control system, auditors are now expected to test the system. They take a sample customer and determine whether their stated income qualified them for credit, and whether their stated income was verified through a records check.
“If 20,000 payments are done the same way, you take 60 to make sure the controls are good,” Gilbert says. If no errors are found, all 20,000 are considered covered.
Still, auditors can’t look at every transaction. They are expected to check everything, says Gilbert, which is impossible, especially if there are undocumented transactions. There is a disconnect between public perception of what an auditor does and what is actually feasible with time and money constraints. “The expectation gap is still out there,” Gilbert says. “In financial statements, it’s an art, not a science.”
Auditors can only work with the documentation they get from a company, be it good or bad, and make recommendations for improvements.
Jack Richards, an auditor with Moss Adams LLP in Sacramento, has 37 years of experience in auditing, seven with Seattle-based Moss Adams and 30 with PricewaterhouseCoopers. His firm’s target market is midsized to large private companies with annual sales ranging from $20 million to $300 million. He’s among about 55 Moss Adams auditors in the Sacramento and Stockton areas.
He calls the new auditing standards “Sarbanes Light” because they take existing auditing guidelines and make them much more specific. Auditors can’t take for granted that internal controls of a company are reliable anymore; they’ve got to test them and document those tests.
Inventories held in a warehouse, for example, used to be checked to make sure they existed. Now they have to be verified by count and for correct value. “Prior, it was rare that a company took credit for all the inventory it had,” Richards says.
For small companies, the new scrutiny is tougher than for large ones, he says. The typical small company traditionally closes its own books; an auditor comes in, audits and prepares the financial statements. But now, clients who have operated without internal controls must conduct incremental audits to ensure its accounting systems have produced accurate numbers.
And auditors have to decide the severity of any “material weaknesses” they find in a company’s financial statements. They have to calculate the potential risk to the company the weakness could cause. If considered a large risk, they must recommend to the company chief what is necessary to fix the accounting weakness, says Richards. And even all of that is documented.
“The assumption is people at the highest level of the company will take it seriously and do something about it,” he says.
But Richards says the new rules are designed for midsized to large companies and are overkill for small company audits. “Owners signing checks is a degree of closeness you can’t get with a multinational spread all over the world with hundreds of divisions,” he says. “It really doesn’t take into account the diversity in the style of [audit] customers.”
Gabe Nacht, chief financial officer for Bustos Media LLC in Sacramento, says the new standards didn’t cause much of a stir at Bustos Media because the company had a good accounting system in place to begin with. “Ultimately, if you have good [accounting] practices, you shouldn’t have to do too many things that are different,” Nacht says.
And he’s all in favor of the tighter standards. “If they find something I haven’t,” he says, “I want to know about it. Some people think you pay an auditor to bless your numbers. Hopefully it’s not just a blessing, but a better business risk assessment.”
Nacht says the complexity of a company’s books depends a lot on the type of business it does. He used to be the CFO at a software company, where he says accounting for various versions of software sales was complicated and headache inducing. A media company like Bustos, on the other hand, is relatively simple to track financially because its revenue is easily traced through advertising sales.
The stricter audit was done at Bustos. “It wasn’t terribly time-consuming, but it’s a good exercise for managers to go through,” Nacht says.
Dennis Kauffman, accounting manager for the city of Sacramento, says the city’s 20-year-old accounting procedures have been newly upgraded to help it meet stricter standards now required by auditors.
Last year the city set up an internal control review committee made up of internal auditors, the finance director, treasurer and other staff as needed to conduct quarterly reviews of city financial statements to look for any risky areas prone to inaccuracies.
“The biggest area for us is evaluating our documentation of our internal controls,” says Kauffman. “We know auditors are coming in with new rules.”
The city’s first audit under the new rules began after June 30, the end of its current fiscal year. There is so much new documentation to be done, says Kauffman, the city staff can only do so much. That has put the focus on the city’s riskiest areas of accounting, such as cash.
And this autumn, the city will request bids for its future annual auditing task. Because of the extra time dictated by the new rules, Kauffman says the audit bids are expected to cost more than in the past.
“Under these new standards, if clients don’t have [accounting] processes documented, the auditor will look at it as a weakness,” Kauffman says. The goal is to avoid that. But if an audit finds weaknesses, recommended changes to remedy them will be reported to the council.
Getting the new accounting procedure running smoothly “may take awhile,” says Kauffman. “It’s a big part of our work plan for the next year or two.”
