December 20, 2024

It’s Time For Year-End Audits

Are you prepared?

The end of the year traditionally starts the “busy season” for external auditors. But all of the hectic activity is no reason to neglect a highly-developed, measured, and methodical year-end strategic audit plan.

 

In addition to fulfilling the CPA firm’s own quality control policies and procedures, audit engagements are examined during peer review. A rating of Fail, or even Pass With Deficiencies, can shake the confidence of the firm’s leadership and its clients — to say nothing of the public’s confidence in the results.

 

Here are some of the key factors we’ve had to address while working with CPA firms that have received negative peer review results:

 

A thorough and well-crafted audit approach will have to address and satisfy seven basic issues:

 

  • Common peer review challenges
  • Audit planning and supervision
  • Audit risk and risk assessment procedures
  • Obtaining and documenting an understanding of the audit client and its environment, including its internal controls
  • Materiality considerations
  • Linking audit procedures to mitigate the risks identified and reach audit conclusions
  • Required auditor communications with those charged with governance

 

When conducting a risk-based audit approach to the financial statements, the auditor’s overall objective is to provide reasonable assurance that the financial statements, as a whole, are free from material misstatement by error or fraud. This permits the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with it’s applicable financial reporting framework (e.g., Accounting Principles Generally Accepted in the United States of America (U.S. GAAP).

 

Right From the Start

 

It’s worth noting that if you’re going to bring in an engagement quality control reviewer (EQCR), the time to do it is right at the beginning of the engagement.

 

The idea is to make sure the EQCR hears what the engagement team is thinking and has their attention during planning, rather than at the end of the engagement when work is done and that person begins to review the financial statements and the work papers. That way the EQCR can chime in and give their perspective on things for the engagement team to think about rather than raising them after the fact, potentially delaying the issuance of the audit report.

 

Audit efficiency is another issue worth focusing on at the beginning, reminding engagement teams to focus on the areas with the most risk — that is, audit smarter and know when they’ve gotten a sufficient amount of audit evidence in an area to make further testing unnecessary.

 

The EQCR can also make sure the team is up to date on any new rules or requirements that have kicked in — and several have in the last year or so, such as the new standard on current expected credit losses, and the new AICPA standards on risk assessment and auditing of material accounting estimates.

 

Common Peer Review Problems

 

There are a number of common mistakes made in risk assessment, starting with the failure to link the substantive procedures performed to the results of the risk assessment.

 

Another is audit procedures failing to link the client’s financial statement and relevant assertion-level risks for significant classes of transactions, account balances, or disclosures.

 

A third is designing audit procedures with little regard for the results of those assessments as required by AU-C 315, Understanding the Entity and its Environment and Assessing Risks of Material Misstatements.

 

Risk Assessment Shortcomings

 

A commonly cited shortcoming by peer reviewers is auditors’ failure to understand the entity and its internal controls. When conducting risk assessment, it’s useful to remember that it will generally be more effective at the start of the engagement, and that internal control procedures may be performed before the risk assessment document is completed. The auditor, however, is required to obtain understanding of whether the client’s controls have been properly designed and implemented, not required to test internal controls unless mandated under certain circumstances.

 

AICPA Professional Standards have dramatically changed over the last decade or so due to the issuance of risk assessment standards and Clarity Standards.

 

 

Audit Documentation Problems


Audit documentation is defined as “the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached.”

It is evidence that the audit was properly planned and performed in accordance with the U.S. Generally Accepted Auditing Standards (GAAS), as well as evidence of the auditor’s basis for a conclusion.

Audit documentation should be enough to enable an experienced auditor — one who is independent and competent enough to challenge the engagement team’s procedures and conclusions — to understand the nature, timing and extent of the audit. That applies to understanding the results of the audit procedures performed and any significant findings or issues.

Properly executed audit documentation should answer the basic questions of who, what, when, where, why and how without any verbal explanations from the auditor.

Improve Audit Quality

 

Audit documentation should provide sufficient and appropriate evidence that risk assessment procedures were performed and that there was appropriate response to address the risk of misstatement at the financial statement level.

 

It also requires proof that the nature, timing and extent of audit procedures performed were adequate for the engagement, and that those procedures were linked to the assessed risks.

 

The audit team must document the results of the audit procedures, the conclusions reached, and that significant risks were reasonably considered.

 

Any departures from presumptively mandatory requirements to Professional Standards must be justified. It must also identify the engagement team that performed the work, when it was completed, the person who reviewed the work, and the date and extent of the review.


Audit workpaper documentation should also identify characteristics of the specific items tested, and discuss significant findings or issues with management or those charged with governance. Any information that contradicted or was inconsistent with the final conclusion on a significant audit finding or issue that was addressed should also be documented.

 

Remember the Lawyers


Over the years we’ve worked with litigation attorneys who have shared some “flash points” with us about notes and other workpaper matters that can come back to haunt the auditor.

 

One key point is to be sure to avoid any extraneous or irrelevant comments on the work papers that could turn up to bite you later. You want to avoid leaving comments like “the client’s books are a complete mess” or “these expenses seem questionable.”

 

Also beware of statements that discredit the auditors’ work, like “close enough for government work.”

 

Don’t leave personal files containing memos, schedules and other matters related to an engagement, or superseded or outdated workpapers.

 

Properly prepare workpaper files by initialing and dating each audit program step. Sign off any audit program step determined to be not applicable “N/A,” or as not considered necessary “N/C/N”, followed by an explanation.

 

Any “Open Items Lists” should be reviewed and any conclusions regarding unique issues should be thoroughly documented. Additionally, time budgets explaining any overages and underages should be maintained, and the completion date should be documented.

 

Professional Standards require that workpapers should be retained for a minimum of five years from the report release date — although practice, legal, regulatory, or other factors may dictate a longer retention period. You should also consider the requirements by your State Board of Accountancy.

 


Don’t Forget Your Independence

The AICPA Code of Professional Conduct requires auditors to be independent in both fact and appearance. Auditor independence issues can be classified into four high-level areas:

  • Financial interest
  • Family relationship
  • Management function
  • Management decision making

 

If you plan to perform permissible non-attest services, the audit client must first agree to make all management decisions and perform all management responsibilities.

 

This begins with designating a person with suitable skills, knowledge, and/or experience (SKE requirement) — preferably within senior-level management — to oversee the performance of the permissible non-attest services.

 

The client must evaluate the adequacy of and accept responsibility for the results of the non-attest services, as well as establish and maintain internal controls, including monitoring ongoing activities.

 

Auditors should exercise caution when it comes to matters that can raise red flags about their independence in a peer review or in litigation. Areas of concern include:

 

  • Providing multiple non-attest services without adequate firm safeguards
  • Significant concentration of revenue coming from one audit client
  • Taking on management responsibilities
  • Providing consultation that goes beyond routine audit advice

 

Also be wary of inadvertently engaging in other non-compliance activities like performing non-attest services for a company before it becomes an attest client; loaning staff members to an attest client; certain mergers or purchase of a CPA firm; employment of, or association with, an attest client; performing attest services for a client with unpaid fees; and engaging a client employee.

 

Finally, other red-flag issues to consider include having a financial interest in an attest client and its affiliates, the adequacy of the fees charged, and the existence of a group audit.

 

Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.

 


A woman's hands holding a microphone

Shake It Off

December 9, 2024
Conquer your fear of public speaking and present like a pro
Man with hand by his ear straining to listen.

Hear, Hear!

December 4, 2024
Boost your business by becoming adept at active listening.
Open calendar book laying on desk next to open laptop with time on screen

There’s Only One Year Left to Implement the PCAOB’s New Quality Control Standards

November 18, 2024
ADDITIONAL GUIDANCE: Since this blog was first published, the PCAOB released two new guidance documents. The Nov. 26 updates can be found here: An additional overview of the requirements of QC 1000 and staff guidance for firms about how to comply with the standard. This document provides additional staff insights on scope and applicability, responding to engagement deficiencies, and documentation for AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report. The Public Company Accounting Oversight Board (PCAOB) recently announced a new set of quality control standards designed around a risk-based approach. And there’s only one year to design and implement them. The PCAOB’s new QC 1000 standard is more than two decades in the making, as it replaces the quality control standards it adopted on an interim basis back in 2003 from the American Institute of Certified Public Accountants (AICPA). The new standard is intended to make independent registered public accounting firms significantly improve their quality control (QC) systems. QC 1000 applies to all PCAOB-registered member firms, with more extensive requirements for those that audit more than 100 issuer clients annually. It has been approved by the U.S. Securities and Exchange Commission (SEC) and goes into effect on December 15, 2025. The new requirements and the work required to implement them will be extensive, and the larger public accounting firms require external oversight of the QC system. Therefore, it is strongly recommended that firms do not put it off until the last minute. At its core, the new standard is intended to enable firms to identify their specific risks and design a quality control system including policies and procedures to guard against those risks. The overall goal is to establish what the PCAOB calls “a continuous feedback-loop for improvement.” In this, the new standard differs from the International Auditing and Assurance Standards Board’s (IAASB) International Standard on Quality Management No. 1 (ISQM 1) and the AICPA Statement on Quality Management Standards No. 1 (SQMS 1). An extensive but not comprehensive comparison document of the three standards may be found here, but is presented only as a reference tool. New requirements QC 1000 has requirements that do not appear in other QC standards. They can be more prescriptive or more specifically tailored to the U.S. legal and regulatory environment. There are 10 main areas in which the QC 1000 standards go beyond other, existing standards. These are: Evaluation and Reporting: QC systems must be evaluated annually and reported to the PCAOB. They must be certified by specific individuals with responsibility and accountability for the firm’s QC system. Governance and Leadership: Firms must create and maintain clear lines of responsibility and supervision. Larger firms must have outside oversight and a confidential complaint system. Ethics and Independence: Quality objectives must be tailored to the U.S. regulatory environment. Larger firms must implement an automated system for identifying securities investments that could impair independence. Monitoring and Remediation: QC 1000 divides monitoring into engagement and QC system levels. Engagement and QC deficiencies are defined, including requirements for their determination. Larger firms must (and smaller ones should) monitor in-process engagements. Quality Objectives: The firm’s personnel must comply with its policies and procedures Information and Communication: Quality objectives for communication with external parties are established at the firm and engagement level. Communication of the firm’s QC system’s policies and procedures must be communicated in writing. Resources: The firm’s personnel must adhere to standards of conduct. Policies and procedures must address both enumerated and circumstance-specific competencies. Mandatory training, licensure and technological resource requirements are established Risk Assessment Processes: Quality risks must be identified and assessed annually. Roles and Responsibilities: A single person must be assigned responsibility for each role and responsibility in the QC 1000 standard. Documentation: With respect to the QC system’s operation, documentation that allows an experienced auditor to evaluate the operation of quality responses must be provided. Documentation must be retained for at least seven years. That’s not an exhaustive list, but it does give an indication of how much work will be involved. And it’s happening at the same time as the AICPA extensive new Statements on Quality Management Standards (SQMS) requirements are coming into effect . Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
A man is sitting in front of a laptop computer holding his glasses.

Time’s running out on preparing for the new Quality Management Standards!

October 10, 2024
The American Institute of Certified Public Accountants’ (AICPA) new Quality Management Standards have been out for some time, and you can’t wait to read it. That’s not a prediction. It’s a warning. The new standards have to be in place and in use by December 15, 2025, and getting into compliance is not something that can wait until the last minute. Yes, that’s more than a year away, but according to the AICPA, you should have started working on it two years ago. You probably know the new Statements on Quality Management Standards (SQMS) is out there, but not just how much effort coming into compliance will take. That applies to sole practitioners as much as it does to medium-sized and large public accounting firms. The new SQMS is what we call “thinking standards” — you have to really think it through and customize it for your attest practice, based on things like the type of clients you have and the services you provide. It’s not just new requirements and changes in the way you do things. The new SQMS takes an entirely new, risk-based approach to quality, with two completely new components: Risk Control, and Information and Communication. Risk and Information Under the new risk assessment process, firms must establish specific quality objectives. They must “identify and assess quality risks, and then they must design and implement responses to those risks that are tailored to the firm’s unique circumstances.” Information and communication is the second entirely new component of the new SQMS. It requires the establishment of processes that support the SQMS, including the use of reliable internal and external sources of information, and the creation of a culture that supports and reinforces the responsibility for sharing information with colleagues and the firm. This information must be communicated in an understandable and actionable manner to internal personnel, service providers, and external sources as required. Specific quality objectives must be created for each of the eight SQMS components: ● Risk control ● Governance and leadership ● Relevant ethical requirements ● Acceptance and continuance of client relationships and specific engagements ● Engagement performance ● Resources (formerly human resources) ● Information and communications ● Monitoring The other six components have also changed under the new SQMS, several dramatically. Changes Throughout The leadership responsibilities for quality within the firm component, for example, is now Governance and leadership. It includes a new and more robust focus on the role these two elements play in establishing and supporting an environment, and establishing a culture, that supports the SQMS. Leaders are now not only responsible and accountable for quality, but are expected to demonstrate a commitment to quality through their actions. Relevant ethical requirements are less prescribed under the new standards, but have a new focus on responsibility and on ensuring that others involved in the SQMS or in performing engagements understand and meet those requirements. The acceptance and continuance of client relationships and specific engagements has a new emphasis on professional standards and the integrity and ethical values of the client. It also highlights the need to ensure that financial and operational priorities don’t influence acceptance and continuance judgements. Engagement performance has a new focus on an engagement partner’s oversight and involvement. There is also a new emphasis on the exercise of professional judgment and skepticism. Resources is no longer prefaced by “human” and now has new requirements revolving around technological and intellectual resources in the SQMS. Other requirements relate to the competence and commitment to quality of personnel, and bringing in outsiders to fill any personnel gaps. Finally, the Monitoring component has a new focus on the firm’s remediation process, and offers expanded and enhanced guidance throughout. One aspect is a new requirement that firms establish policies and procedures that address the objectivity of the monitors. Monitoring now also includes a new term, findings, that focuses on any deficiencies that exist. The firm must “evaluate the severity and pervasiveness of identified deficiencies using a root cause analysis,” and design appropriate remedial actions. Get Going The end of that three-year time frame suggested by the AICPA for creating and building out the new Quality Management Standards is now just a year and a quarter away, and firms have three responsibilities between now and December 15, 2025. The first, of course, is to continue using the extant standard (Statement of Quality Control Standard (SQCS) No. 8, (Redrafted) until your firm is ready to implement the new requirements. The second is to perform the risk assessment and gap analysis, and then design and implement the new standards. Finally, firms need to consult with their peer reviewer before final implementation. If you haven’t started yet, that’s a lot of work for the next 15 months! Then there’s one more year, until Dec. 15, 2026, to carry out the first annual evaluation of your new quality management system! Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
More Posts
Share by: