SAS 125 Alert

Guidance Regarding Auditor’s Written Communication

By Andrew M. Mintzer, CPA
In 2011 the AICPA’s Auditing Standards Board published Statement on Auditing Standards (SAS) No. 122, Statements on Auditing Standards: Clarification and Recodification—fondly known as the Super SAS as it was a newly codified re-write of virtually all of U.S. Generally Accepted Auditing Standards. When published, however, there remained a small handful of auditing standards remaining to be re-written.

One of these standards, SAS 125, Alert That Restricts the Use of the Auditor’s Written Communication, was issued in December 2011 and is effective for auditor’s written communications issued after Dec. 15, 2012, on any audit engagement.

SAS 125 affects any auditor written communication (auditor report) when, due to circumstances, the auditor restricts the use of its reports. The reports subject to SAS 125 are all written communications that the auditor issues, ranging from reports on financial statements to management letters. Previously, guidance on when and how to restrict the use of the auditor’s report was scattered throughout GAAS.

Most auditor reports are unrestricted—that is to say, they’re intended to be used by anyone. However, there is the potential that certain subjects in the report may be misunderstood if taken out of context:

• Measurement or disclosure criteria used by the client are suitable only for a limited number of users. Example: A basis of accounting and disclosure established by and for use of regulators.
• Measurement or disclosure criteria used by the client are available only to specified parties. Example: A basis of accounting and measurement in a contract between the specified parties.
• Matters identified by the auditor during the course of the audit that are a byproduct of the audit process. Example: Management letters that cover internal control matters.

Most reports on financial statements will likely not fall into any of the above circumstances. Most financial statements are prepared using a measurement or disclosure criteria that is widely understood—including generally accepted accounting principles and the cash and tax bases of accounting. The first two subjects, however, deal with measurement or disclosure criteria that are not widely used or readily available. The most common examples:

• Client’s financial statements prepared for the special purpose of reporting to an industry regulator like the banking or insurance oversight agencies when that regulator mandated accounting different than GAAP; and
• Debt covenant compliance calculations based on a loan contract. In such cases the audit report will be modified by an “other matters” paragraph following the opinion paragraph with a description of the nature of the restriction.

By far, the most common auditor report subject to SAS 125 is listed third in the above list—the “by product” report is usually not even called a report—namely the “management letter.” The primary objective of an audit of financial statements is to determine if they are stated in accordance with GAAP. In the course of this process, however, the auditor may become aware of weaknesses in internal control, which it communicates to the management of its client in the form of a management letter.

Since it wasn’t the primary purpose of an audit to identify weaknesses, it has long been established under GAAS that a management letter may be misunderstood if taken out of context of the audit engagement. Since the auditor wasn’t trying to form an opinion regarding the client’s internal controls, as such (just the financial statements) any report about identified weaknesses may be misunderstood as assurance that there are no other weaknesses.

Yet this information is valuable to the client in its responsibility of establishing and maintaining effective internal controls and is not likely to be understood by the client. In such cases these letters will include a statement by the auditor that it’s intended solely for use of management and not intended to be used, and should not be used, by others.

SAS 125 provides a single source of guidance covering alert language and, for the most part, does not substantially change current practice. However there is one requirement that was dropped.

Current standards required the auditor to consider informing the client that the report should not be distributed to others. SAS 125 does not include a comparable requirement and makes clear that the auditor is not responsible or controlling, and cannot control distribution of its reports. The auditor’s objective is to make sure that the report clearly alerts the reader of its limitations so that it will not be taken out of context in the event it is distributed and read by others than intended.
Andrew M. Mintzer is a principal in the Los Angeles Office of Hemming Morse, LLP.