In March of 2006, the AICPA Auditing Standards Board issued new audit risk assessment standards. The development of these standards was in response to recommendations from the former Public Oversight Board's Panel on Audit Effectiveness. The new standards comprise eight Statements on Auditing Standards (SAS) that relate to the assessment of risk in a financial statement audit, similar to the approach used for audits of public companies. The new standards apply to all nonpublic companies that receive an audit and are effective for audits of financial statements for periods beginning on or after Dec. 15, 2006.

The Auditing Standards Board’s primary objectives for the new standards were as follows:

The new standards have modified the calculation of materiality based on the larger of assets or revenue and require the auditor to calculate materiality at the overall financial statement level and the relevant assertion level. The other overriding change is that the process of gaining an understanding of the client and the internal controls is no longer a planning stage activity. Rather, this process is intended to be a dynamic process conducted throughout the audit. The auditor’s primary consideration in gaining this understanding is the development of customized audit programs to address the assertion level risk at each client.

In general, audits will require more time and most clients will see a corresponding increase in audit fees. This may be especially true for firms that do a small number of audits in a particular industry as this risk assessment will be more difficult to determine.

Many nonpublic companies are exploring the option of a financial statement review rather than an audit. They are requesting their financial institution consider accepting a reduction in assurance so they will not have to comply with the new audit standards. This option may not be available for health care organizations organized as a tax exempt entity under Section 501(c)(3) of the Internal Revenue Code. Under Wisconsin law, organizations receiving greater than $100,000 of charitable contributions are required to have an audit performed.

Historically many auditors used a balance sheet audit approach relying primarily on substantive procedures. Auditors tested the beginning

and ending balance sheet based on quantitatively determined materiality levels and performed primarily analytical procedures on the income statement. The new standards no longer permit this type of audit approach.

To illustrate this point, consider net patient service revenue. When considering the vast number of transactions that are recorded to this financial statement line item, many auditors will consider revenue to be a significant risk. The new standards do not permit auditors to use an entirely substantive approach for an assertion identified as a significant risk. To comply with the new standards, auditors will be required to document the internal controls, determine their effectiveness and whether they were operational during the audit period, and perform tests of those internal controls in the significant risk areas. Properly documented in the audit workpapers, this testing allows the auditor to reduce the amount of substantive testing.

In this example the health care organization is most likely using a computer system to capture census information, a facility fee schedule, and contractual discounts schedule. The system automatically computes and posts gross revenue and contractual discounts to the general ledger based on these schedules. The only data entry is the census information. Once the client has documented this process, detailing internal control measures, the auditor can select a sample of transactions to test that the process is operating as intended. Many firms are using computer-aided audit software to electronically perform a portion of this internal control testing. These software packages allow the auditor to gain efficiency and increase the effectiveness of the tests of controls by selecting a larger sample size that further supports a reduction in substantive audit procedures.

What may differ from one health care organization to the next is the current level of documentation that exists surrounding the internal controls. Some organizations will have controls very well documented and up to date while others have outdated procedure manuals and nonexistent internal control documentation. Under the new standards, if the auditor determines that the internal controls are not documented or are ineffective, the auditor is required to report them to the board of directors as significant deficiencies or material weaknesses.

If your organization has updated internal control procedure documentation, begin a dialogue with your auditor on their plan for gaining a more in-depth knowledge of the organization and the internal controls. Make the internal control documentation available to your auditors and ease the transition to the new standards.

If your internal control procedure documentation is outdated or nonexistent, the first plan of action is to begin the documentation process. The documentation of controls can be done with memos, flowcharts, or matrices. The form of documentation comes down to what makes sense for your organization and what is comfortable for your staff. The Auditing Standards Board did not intend for organizations to become experts at preparing flowcharts.

Begin to test that the controls are operating as intended. Well documented controls that are not operating as documented will not reduce audit time or substantive testing and may in fact increase audit procedures. Also, begin to consider where the organization has significant risk. This risk assessment process is done in collaboration between auditor and client. By working together this will achieve the Auditing Standards Board’s objective of a better designed, more effective audit customized to a specific client.

Michael A. Peer, CPA is manager of health care services at Kolb+Co. He can be reached at (888) 461-8843 ext. 287 or mpeer@KolbCo.com.