A group of people are working on a financial success plan on a table.
A person is typing on a laptop computer with a graph on the screen.
April 28, 2023

Each Audit Client Is Unique in Some Regards

Are You Treating Your Audit Approach Accordingly?

There’s a common mistake we at Collemi Consulting see many auditors make time and time again: not appropriately tailoring their audit programs to address each client’s unique situation. Most auditors use purchased programs from independent third-party service providers, or take a cookie-cutter approach to audits. With each client, there are esoteric issues that need to be considered. In addition, each client has unique management and internal controls and financial reporting systems. Using canned audit approaches that are not a response to risk can lead to deficiencies in risk assessment and audit procedures.


In reality, the key to efficient and effective auditing is selecting procedures for each high-risk account and their relevant assertions that respond to its respective risks. Simply put, we should be spending more time auditing higher-risk accounts and less time in responding to the lower-risk accounts.

 

With that in mind, here are some best practices for tailoring your audit program:

 

The audit programs for general procedures cover the general steps performed in any audit. Tailoring generally involves removing or adding procedures to fit the specific circumstances of the engagement such as group audits using the work of a specialist, use of a service organization, environmental remediation liabilities, related party transactions.

 

When tailoring individual financial statement account areas, it’s important to note that the audit programs for individual financial statement account areas are designed to correspond with the engagement team's risk assessments and decisions about the audit approach at the assertion level, as documented on the risk assessment form. On that form, the team documents significant audit areas, the risk of material misstatement affecting relevant assertions for account balances, transaction classes, or disclosures included in each audit area (including fraud risks or other significant risks), the assessment of those risks at the assertion level, the planned audit approach that is appropriately tailored to respond to the assessed level of risk, and the linkage of the assessed risks to the audit procedures that respond to those risks.

 

When teams determine an account to have either a fraud risk or a significant risk, the engagement team must determine which extended procedures are needed and select procedures that are most appropriate to respond to the risk assessment. Other considerations include:

  • In selecting appropriate procedures and to show linkage between the assessed risk and the further audit procedures performed to respond to the risk, each procedure on the audit program indicates the assertions that are primarily and secondarily addressed by that procedure.
  • When selecting extended procedures, the goal is to find the appropriate mix of analytical procedures and tests of details to respond to the risk of material misstatement.

 

When tailoring your audit program, keep in mind that AU-C 330B.30 requires the engagement team to document the following related to preparing the detailed audit plan:

  • Overall responses to the assessed risks of material misstatement at the financial statement level.
  • Nature, timing, and extent of further audit procedures performed.
  • Linkage of the procedures performed with the assessed risks at the relevant assertion level.
  • Results of the audit procedures performed, including conclusions that are not otherwise clear.
  • A description of the nature and extent of planned risk assessment procedures sufficient to assess the risks of material misstatement.
  • A description of the nature, timing, and extent of planned further audit procedures at the relevant assertion level for each material class of transactions, account balance, and disclosure.
  • A description of other audit procedures planned to be carried out for the engagement in order to comply with generally accepted auditing standards (for example, seeking direct communication with the client's attorneys).
  • Planning continues throughout the audit, and performance of risk assessment or other procedures may cause a change in planned further audit procedures.
  • AU-C 300B.10 notes that the auditor should document changes to the original audit plan.

 

The bottom line: Every business is unique. Putting together an effective audit program requires CPAs to narrow the audit-related aspects of the client's business down to a relatively fine level so that they can explain to the audit team precisely what they are expected to do. This requires that the planning process be something more than a formality, and that the auditor truly understands the uniqueness of the client's business, the management team and related accounting system and internal controls. As an auditor, you need to continually ask yourself early in the planning stage of an engagement if you have addressed your client’s unique issues. Doing so will ensure that you’ve properly tailored the engagement — and are using your time wisely.

 

Collemi Consulting leverages more than two decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We work with CPA firm leadership to tailor their audit programs and checklists to maximize efficiency and minimize risk. To schedule an appointment, contact us at (732) 792-6101.


Learn More

It’s Time For Year-End Audits

December 20, 2024
Are you prepared?
A woman's hands holding a microphone

Shake It Off

December 9, 2024
Conquer your fear of public speaking and present like a pro
Man with hand by his ear straining to listen.

Hear, Hear!

December 4, 2024
Boost your business by becoming adept at active listening.
Open calendar book laying on desk next to open laptop with time on screen

There’s Only One Year Left to Implement the PCAOB’s New Quality Control Standards

November 18, 2024
ADDITIONAL GUIDANCE: Since this blog was first published, the PCAOB released two new guidance documents. The Nov. 26 updates can be found here: An additional overview of the requirements of QC 1000 and staff guidance for firms about how to comply with the standard. This document provides additional staff insights on scope and applicability, responding to engagement deficiencies, and documentation for AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report. The Public Company Accounting Oversight Board (PCAOB) recently announced a new set of quality control standards designed around a risk-based approach. And there’s only one year to design and implement them. The PCAOB’s new QC 1000 standard is more than two decades in the making, as it replaces the quality control standards it adopted on an interim basis back in 2003 from the American Institute of Certified Public Accountants (AICPA). The new standard is intended to make independent registered public accounting firms significantly improve their quality control (QC) systems. QC 1000 applies to all PCAOB-registered member firms, with more extensive requirements for those that audit more than 100 issuer clients annually. It has been approved by the U.S. Securities and Exchange Commission (SEC) and goes into effect on December 15, 2025. The new requirements and the work required to implement them will be extensive, and the larger public accounting firms require external oversight of the QC system. Therefore, it is strongly recommended that firms do not put it off until the last minute. At its core, the new standard is intended to enable firms to identify their specific risks and design a quality control system including policies and procedures to guard against those risks. The overall goal is to establish what the PCAOB calls “a continuous feedback-loop for improvement.” In this, the new standard differs from the International Auditing and Assurance Standards Board’s (IAASB) International Standard on Quality Management No. 1 (ISQM 1) and the AICPA Statement on Quality Management Standards No. 1 (SQMS 1). An extensive but not comprehensive comparison document of the three standards may be found here, but is presented only as a reference tool. New requirements QC 1000 has requirements that do not appear in other QC standards. They can be more prescriptive or more specifically tailored to the U.S. legal and regulatory environment. There are 10 main areas in which the QC 1000 standards go beyond other, existing standards. These are: Evaluation and Reporting: QC systems must be evaluated annually and reported to the PCAOB. They must be certified by specific individuals with responsibility and accountability for the firm’s QC system. Governance and Leadership: Firms must create and maintain clear lines of responsibility and supervision. Larger firms must have outside oversight and a confidential complaint system. Ethics and Independence: Quality objectives must be tailored to the U.S. regulatory environment. Larger firms must implement an automated system for identifying securities investments that could impair independence. Monitoring and Remediation: QC 1000 divides monitoring into engagement and QC system levels. Engagement and QC deficiencies are defined, including requirements for their determination. Larger firms must (and smaller ones should) monitor in-process engagements. Quality Objectives: The firm’s personnel must comply with its policies and procedures Information and Communication: Quality objectives for communication with external parties are established at the firm and engagement level. Communication of the firm’s QC system’s policies and procedures must be communicated in writing. Resources: The firm’s personnel must adhere to standards of conduct. Policies and procedures must address both enumerated and circumstance-specific competencies. Mandatory training, licensure and technological resource requirements are established Risk Assessment Processes: Quality risks must be identified and assessed annually. Roles and Responsibilities: A single person must be assigned responsibility for each role and responsibility in the QC 1000 standard. Documentation: With respect to the QC system’s operation, documentation that allows an experienced auditor to evaluate the operation of quality responses must be provided. Documentation must be retained for at least seven years. That’s not an exhaustive list, but it does give an indication of how much work will be involved. And it’s happening at the same time as the AICPA extensive new Statements on Quality Management Standards (SQMS) requirements are coming into effect . Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
More Posts
Share by: