The auditing standards board of the American Institute of Certified Public Accountants is working to modernize standards governing nonfinancial information to include cybersecurity and environmental, social and corporate governance issues.
The board, which sets the standards for audits of private companies in the U.S., is tackling projects to better define the role of new technology in gathering information for auditors of private companies. One of the projects, which spans three standards proposed in 2018, represents a broader effort to revise “attestation standards,” which establish requirements for procedures related to reporting on nonfinancial subjects.
Under the current rules, external auditors of private companies can only test nonfinancial information if management of the company being audited had measured and provided it first, with the intent of providing performance indicators to interested parties such as investors, regulators and creditors.
Companies have requested an auditor’s perspective on nonfinancial issues because they represent an unbiased voice, Robert Dohrer, chief auditor for the organization, said in an interview. “The subject matters evolve so quickly that the clients are looking to their [accountants] to report on that, rather than the client having to do that themselves,” Mr. Dohrer said.
To address that demand, the standards board has proposed rules that would allow auditors to measure nonfinancial information without management having done so first. The company would still need to request that the auditor perform that work.
Auditors also would be able to provide their opinion directly to investors and regulators on companies’ nonfinancial information. Investors and regulators frequently request auditors’ opinions on timely issues of environmental regulation, cybersecurity and social discrimination, Mr. Dohrer said.
Depending on the subject, the auditor’s work could involve measuring a company’s emissions from smokestacks or evaluating a company’s cybersecurity controls, Mr. Dohrer said.
Some companies have expressed concern over the proposed approach because investors could misconstrue an auditor’s approval of a company’s cybersecurity controls, for example, as a “guarantee against a breach,” Mike Santay, audit partner at Grant Thornton LLP and chairman of the AICPA’s auditing standards board, said. The board will consider feedback from companies and others when voting on the rest of the proposals tied to attestation next year, Mr. Santay said.
The board approved one of the standards last week and expects the other two to be approved at its quarterly meeting in May.
The first standard is scheduled to go into effect July 2021, followed by the other two in either December 2021 or July 2022, if approved, Mr. Dohrer said.
The board also is preparing an overhaul of the rules governing audit evidence for private companies to better define the role of new technologies in audits. That rule is expected to be approved in January.