New and Proposed Auditing Standards

Group Audit Standards

SAS 149: Group Audits
Effective for periods ending on or after December 15, 2026.

Key changes

• Builds a clearer framework for planning and performing group audits.
• Strengthens two-way communications between the group auditor and component auditors.
• Equity-method investees are “components” (with related audit guidance).
• Redefines component auditor as part of the engagement team.
• Introduces referred-to auditor (named in the group report) who is not part of the engagement team.
• Emphasizes:
  • Understanding controls at components and over the consolidation process.
  • Setting group materiality and component performance materiality (PM) to address aggregation risk (component PMs typically < group PM; may vary by component; need not arithmetically sum to group PM; not required for components audited by referred-to auditors).
  • Testing the consolidation process (completeness of entities, consolidation adjustments/reclasses, indicators of management bias, and fraud risks arising from consolidation).

Expected impact on NFP clients

• More up-front coordination: Multi-entity NFPs (consolidated or combined FS; or with equity method investees such as foundations, affiliates, special-purpose entities) will see earlier and more detailed requests about component activities, controls, and consolidation workflows.
• Tailored materiality by component: Some components may face deeper testing due to lower planning materiality, even if small relative to the group.
• Consolidation scrutiny: Increased attention to eliminations, intercompany activity, and manual top-side entries—expect more documentation around judgments.

What NFPs can do now

• Map all entities/business units and document consolidation controls (data capture, eliminations, review/approval).
• Pre-identify components, their systems, and responsible contacts; assess whether any will be handled by a referred-to auditor.
• Prepare component-level packages (PBC lists, closing checklists, and controls narratives) aligned to group timelines.

Proposed SAS: External Confirmations (AU-C 505, with related amendments)

Status: Proposed.

Key changes

• Cash and cash equivalents confirmations become a required procedure (risk-based scope), unless prohibited by law/regulation or the confirmer will not respond; decisions not to confirm must be documented and supported.
• Clarifies that auditor’s direct access to a confirmer’s secure data (e.g., portal access provided by the confirmer) can be an external confirmation response.
• If access is routed through management (e.g., credentials provided by management), it does not qualify as an external confirmation response; it may be an alternative procedure subject to AU-C 500 reliability considerations.
• Adds expectations when using intermediaries/service providers in the confirmation process (understanding their controls; safeguarding against interception/alteration).
• Aligns reliability and response-evaluation guidance with recent PCAOB developments.

Expected impact on NFP clients

• More frequent cash confirmations: Banks/financial institutions will receive direct confirmations; the number of accounts confirmed will reflect risk (e.g., restricted cash, grant-linked accounts, accounts with unusual activity).
• Documentation uplift: If cash accounts aren’t confirmed, expect specific rationale and alternative
  procedures.

Proposed SAS: Consideration of Fraud in Audits (Revises AU-C 240)

Status: Proposed.

Key changes

• Supersedes AU-C 240 with a reframed standard focusing squarely on the auditor’s responsibilities for fraud.
• Required responses when fraud or suspected fraud arises (understand circumstances, assess management’s response, consider further procedures), with partner-level involvement unless clearly inconsequential.
• Continuous alertness throughout the audit for indicators of fraud.
• Enhanced risk assessment:
  • Explicitly treats management override as a financial-statement-level fraud risk.
  • Retrospective review extends to all prior-year estimates (not only significant ones).
  • Heightened focus on revenue-related risks and fraud factors across assertions.
  • Recognizes qualitative materiality of misstatements depending on nature/actor, not just
    size.
• Team competency: Engagement teams must have the skills, knowledge, and time to address fraud risks effectively.
• Clarifies scope to include corruption, bribery, money laundering, and third-party fraud.
• Stronger communications with management and those charged with governance when fraud/suspected fraud is identified.

Expected impact on NFP clients

• More probing discussions and procedures around management override (e.g., journal entry testing, access rights, manual adjustments) and estimates (allowances, valuations, year-end accruals).
• Revenue scrutiny: Contributions, conditional/unconditional grants, government contracts, cost reimbursable arrangements, and program fees will face targeted fraud-risk procedures (cutoff, eligibility, restrictions, and release-from-restriction).
• Governance involvement: Boards/audit committees should expect earlier, richer communication on identified fraud risks and responses.
• Documentation & training: Management may see expanded PBC requests tied to estimates, approvals, and anti-fraud controls; auditors will staff with specialized skills where needed.

What NFPs can do now

• Refresh anti-fraud risk assessments and whistleblower/reporting mechanisms; ensure those charged with governance receive timely information.
• Tighten controls around journal entries, estimates, and revenue recognition for grants/contracts.
• Enhance documentation of grant conditions, restrictions, and releases; maintain support for management judgments.

Quick Cross-walk: What will feel different to clients?

• More coordination across entities (SAS 149): earlier planning, component packages, and consolidation controls evidence.
• Bank confirmations and data access protocols (External Confirmations): more direct third-party interactions; clear justification when not confirming.
• Deeper fraud lens (Fraud SAS): expanded override procedures, estimate lookbacks, and sharper attention to grants/revenue pathways.