September 13, 2024

Group Audits Should Be Far More Common Than They Actually Are

Now new rules are adding complexity with ‘referred-to’ auditors and a risk-based approach to planning and performing a group audit

Group audits are needed far more often than you may think.

 

And now, the new group audit rules are coming, bringing with them a whole new class of “referred-to” auditors.

 

The American Institute of Certified Public Accountants’ (AICPA) Auditing Standards Board (ASB) SAS No. 149 revises the definition of a “component auditor” and takes an updated risk-based approach to planning and performing a group audit.

 

But before we get into that, it’s important to say that far too many auditors see a single business or single business line and say, “this is a regular audit” when what’s really required to be a group audit.

 

Determining what is and what isn’t a “component” can be simple, but it is not always obvious. Depending on how the company runs its operations, you can have a single entity, and yet have multiple business activities inside of it that requires a group audit.

 

Too often, auditors miss that if they are dealing with a single entity — if they don’t have a consolidation of two or more subsidiaries staring them in the face. The key is to look at business activities first and determine if they are significant in terms of dollar amounts, or materiality, or if there’s a high risk in that part of the operations. Follow the flow of the numbers!

 

You have to stop and ask yourself, does the company have multiple product lines, service lines, branches, or anything else where the CFO and the CEO of a company manage their operations by tracking the performance of those multiple product or service lines? Are there multiple locations or divisions?


 

Auditors are required to use professional judgment to determine whether a business activity represents a component, regardless of whether it is a separate legal entity.

 

Enter the new standards

 

The new part of what’s going on is adding a twist to group audits. Along with the work of component auditors cited — for whose work the group auditor is responsible — there’s a new category: Referred-to Auditors

 

At the simplest level, referred-to auditors are in effect secondary auditors, brought in to issue their own opinion on a particular part of the operations that the group auditor will reference in their work. The new group audit standards make clear that the work of the referred-to auditor is relied upon in the final group audit, but was not done by the group auditor.

 

Referred-to auditors are not component auditors under the terms of SAS No. 149, Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred-to Auditors) .

 

In effect, it tells group auditors to say very clearly, “Hey, we didn’t look at this part of the operation” but we are referring to and relying upon the opinion.

 

SAS No. 149 also revises the definition of component auditors to make clear that they are part of the engagement team, whereas referred-to auditors are not.

 

Issued in March 2023, SAS 149 goes into effect for audits of group financial statements for periods ending on or after December 15, 2026.

 

Getting Risky

 

That’s not the only change. The most significant change ushered in by SAS No. 149 is that it provides an updated risk-based approach to planning and performing a group audit.

 

The existing standard requires a group engagement team to identify significant components at which to perform audit work.

 

However, SAS No. 149 directs the group auditor to use professional judgment in determining the components at which to perform procedures, based on assessed risks.

 

Just as they are required to use professional judgment in determining what should or shouldn’t be a group audit.


Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.

It’s Time For Year-End Audits

December 20, 2024
Are you prepared?
A woman's hands holding a microphone

Shake It Off

December 9, 2024
Conquer your fear of public speaking and present like a pro
Man with hand by his ear straining to listen.

Hear, Hear!

December 4, 2024
Boost your business by becoming adept at active listening.
Open calendar book laying on desk next to open laptop with time on screen

There’s Only One Year Left to Implement the PCAOB’s New Quality Control Standards

November 18, 2024
ADDITIONAL GUIDANCE: Since this blog was first published, the PCAOB released two new guidance documents. The Nov. 26 updates can be found here: An additional overview of the requirements of QC 1000 and staff guidance for firms about how to comply with the standard. This document provides additional staff insights on scope and applicability, responding to engagement deficiencies, and documentation for AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report. The Public Company Accounting Oversight Board (PCAOB) recently announced a new set of quality control standards designed around a risk-based approach. And there’s only one year to design and implement them. The PCAOB’s new QC 1000 standard is more than two decades in the making, as it replaces the quality control standards it adopted on an interim basis back in 2003 from the American Institute of Certified Public Accountants (AICPA). The new standard is intended to make independent registered public accounting firms significantly improve their quality control (QC) systems. QC 1000 applies to all PCAOB-registered member firms, with more extensive requirements for those that audit more than 100 issuer clients annually. It has been approved by the U.S. Securities and Exchange Commission (SEC) and goes into effect on December 15, 2025. The new requirements and the work required to implement them will be extensive, and the larger public accounting firms require external oversight of the QC system. Therefore, it is strongly recommended that firms do not put it off until the last minute. At its core, the new standard is intended to enable firms to identify their specific risks and design a quality control system including policies and procedures to guard against those risks. The overall goal is to establish what the PCAOB calls “a continuous feedback-loop for improvement.” In this, the new standard differs from the International Auditing and Assurance Standards Board’s (IAASB) International Standard on Quality Management No. 1 (ISQM 1) and the AICPA Statement on Quality Management Standards No. 1 (SQMS 1). An extensive but not comprehensive comparison document of the three standards may be found here, but is presented only as a reference tool. New requirements QC 1000 has requirements that do not appear in other QC standards. They can be more prescriptive or more specifically tailored to the U.S. legal and regulatory environment. There are 10 main areas in which the QC 1000 standards go beyond other, existing standards. These are: Evaluation and Reporting: QC systems must be evaluated annually and reported to the PCAOB. They must be certified by specific individuals with responsibility and accountability for the firm’s QC system. Governance and Leadership: Firms must create and maintain clear lines of responsibility and supervision. Larger firms must have outside oversight and a confidential complaint system. Ethics and Independence: Quality objectives must be tailored to the U.S. regulatory environment. Larger firms must implement an automated system for identifying securities investments that could impair independence. Monitoring and Remediation: QC 1000 divides monitoring into engagement and QC system levels. Engagement and QC deficiencies are defined, including requirements for their determination. Larger firms must (and smaller ones should) monitor in-process engagements. Quality Objectives: The firm’s personnel must comply with its policies and procedures Information and Communication: Quality objectives for communication with external parties are established at the firm and engagement level. Communication of the firm’s QC system’s policies and procedures must be communicated in writing. Resources: The firm’s personnel must adhere to standards of conduct. Policies and procedures must address both enumerated and circumstance-specific competencies. Mandatory training, licensure and technological resource requirements are established Risk Assessment Processes: Quality risks must be identified and assessed annually. Roles and Responsibilities: A single person must be assigned responsibility for each role and responsibility in the QC 1000 standard. Documentation: With respect to the QC system’s operation, documentation that allows an experienced auditor to evaluate the operation of quality responses must be provided. Documentation must be retained for at least seven years. That’s not an exhaustive list, but it does give an indication of how much work will be involved. And it’s happening at the same time as the AICPA extensive new Statements on Quality Management Standards (SQMS) requirements are coming into effect . Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
More Posts
Share by: