A group of people are working on a financial success plan on a table.
A person is typing on a laptop computer with a graph on the screen.
May 2, 2021

Successfully Preparing For Year-End Audits of Privately-Held Clients

Year-end is typically a busy time for external auditors, even without the added stress of the COVID-19 pandemic. But as most CPA firms know, the hectic atmosphere is not a reason to neglect a highly-developed, measured, methodical year-end audit strategy plan.

In addition to meeting a CPA firm’s quality control standards, audit engagements are subject to a peer review or outside monitoring process — and a peer review report with a rating of pass with deficiencies, or fail, may shake the core confidence of a CPA firm’s leadership, clients and the public interest. Collemi Consulting professionals have been called in when CPA firms have encountered negative peer review results, and we’ve been asked to address some commonly cited matters.
To begin with, a well-crafted audit will address and satisfy the following issues:


  • Common peer review challenges
  • Audit planning and supervision
  • Audit risk and risk assessment procedures
  • Obtaining and documenting an understanding of the audit client and its environment, including its internal controls
  • Materiality considerations
  • Linking audit procedures to mitigate the risks identified and reach audit conclusions
  • Required auditor communications


The auditor’s overall objective when conducting a risk-based approach to audits of financial statements is to provide reasonable assurance that the financial statements, as a whole, are free from material misstatement, enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with accounting principles generally accepted in the United States of America (U.S. GAAP).


Avoidance of Common Peer Review Issues
Frequently cited mishaps with respect to risk assessment include:

  • Failure to link the substantive procedures performed to the results of the risk assessment
  • Audit procedures not linked to the client’s financial statement and relevant assertion-level risks for significant classes of transactions, account balances, or disclosures
  • Designing audit procedures with little regard for the results of that assessment as required by AU-C 315, Understanding the Entity and its Environment and Assessing Risks of Material Misstatements.


Risk Assessment Shortcomings

Peer reviewers often cite shortcomings in auditors’ understanding of the entity and its control environment. This includes a failure to understand the entity’s internal controls. When conducting your risk assessment, it’s useful to remember that your assessment will generally be more effective at the start of the engagement, and that internal control procedures may be performed before the risk assessment document is completed. The auditor, however, is not required to test internal controls unless mandated under certain circumstances.


Other critical points to keep in mind include the importance of having strong audit workpaper documentation; and that the risk assessment process is an iterative one: repetition in order to generate a sequence of outcomes. Also, the AICPA Professional Standards have changed over the last decade due to the issuance of the suite of risk assessment standards and Clarity requirements.


Please note that practice aids are no substitute for understanding the Professional Standards. Although auditors are only required to document their understanding of the factors that help them draw conclusions, auditors are still responsible for maintaining adequate documentation, and it’s their responsibility to meet Professional Standards.


Audit Documentation Dilemmas

Audit documentation is defined as “the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached.” Audit documentation should be sufficient to enable an “experienced auditor” — one who is independent and competent enough to challenge the engagement team’s procedures and conclusions — to understand such characteristics as the nature, timing, and extent of the audit, the results of the audit procedures performed, and any significant findings or issues.


Properly executed, audit workpaper documentation can stand on its own without any verbal explanation by the auditor if it answers the 5 “W” and 1 “H” questions: Who?, What?, When?, Where?, Why?, How?


Audit documentation serves as:

  • Evidence that the audit was properly planned and performed in accordance with auditing standards generally accepted in the United States of America (U.S. GAAS) and Evidence of the auditor’s basis for a conclusion


To further increase audit quality, audit documentation should provide sufficient and appropriate evidence that:

  • Risk assessment procedures were performed
  • There was appropriate response to address the risk of misstatement at the financial statement level
  • The nature, timing and extent of audit procedures performed were adequate for the engagement
  • There was linkage of those procedures with the assessed risks
  • The results of the audit procedures
  • Conclusions reached
  • Significant risks were reasonably considered


Audit workpapers should also reflect justification for any departures from presumptively mandatory requirements. They should also identify individuals who performed the work, when it was completed, the person who reviewed the work, and the date and extent of the review.


Audit workpaper documentation should also identify characteristics of the specific items tested, and discuss significant findings or issues with management or those charged with governance. Any information that contradicted or was inconsistent with the final conclusion on a significant audit finding or issue that was addressed should also be documented.


Don’t Forget About Litigation Attorneys

Over the years we’ve worked with litigation attorneys who have shared some “flash points” with us about notes and other workpaper matters that can come back and haunt the auditor. To be on the safe side, these are some real-life phrases and other items that should not make an appearance in your audit workpaper files:

  • Extraneous remarks or irrelevant memoranda, like “the client’s books are a complete mess” or “these expenses seem questionable”
  • Auditor statements that discredit their own work: “close enough for government work”
  • Personal files containing memos, schedules, and other matters related to an engagement
  • Superseded or outdated workpapers


Elements of properly prepared workpaper files include: initialing and dating each audit program step, signing off any audit program step as not applicable “N/A,” or as not considered necessary “N/C/N”, followed by an explanation. Any “Open Items Lists” should be reviewed and any conclusions regarding unique issues should be thoroughly documented. Additionally, time budgets explaining any overages and underages should be maintained, and the completion date should be documented. Professional Standards require that workpapers should be retained for a minimum of five years from the report release date — although practice, legal, regulatory, or other factors may dictate a longer retention period.


Don’t Forget Your Independence

The AICPA Code of Professional Conduct requires auditors to be independent in both fact and appearance. Auditor independence issues can be classified into four high-level areas:

  • Financial interest
  • Family relationship
  • Management function
  • Management decision making


In order to perform permissible non-attest services, the audit client must first agree to:

  • Make all management decisions and perform all management responsibilities
  • Designate an individual with suitable skills, knowledge, and/or experience, preferably within senior-level of management, to oversee the performance of the non-attest services
  • Evaluate the adequacy and results of the non-attest services
  • Accept responsibility for the results of the non-attest services
  • Establish and maintain internal controls, including monitoring ongoing activities


Auditors should exercise caution when it comes to certain “independence” matters that can raise red flags about their independence in a peer review or litigation matter. Some areas include:


  • Providing multiple non-attest work products
  • Significant concentration of revenue coming from one audit client
  • Taking on management responsibilities
  • Providing consultation that goes beyond routine advice
  • Inadvertently engaging in other non-compliance activities like performing non-attest services for a company before it becomes an attest client; loaning staff members to an attest client; certain mergers or purchase of a CPA firm; employment of, or association with, an attest client; performing attest services for a client with unpaid fees; and engaging a client employee


Other red-flag issues include financial interests in an attest client and their affiliates, the adequacy of fees being charged, and the existence of group audits.

Learn More

It’s Time For Year-End Audits

December 20, 2024
Are you prepared?
A woman's hands holding a microphone

Shake It Off

December 9, 2024
Conquer your fear of public speaking and present like a pro
Man with hand by his ear straining to listen.

Hear, Hear!

December 4, 2024
Boost your business by becoming adept at active listening.
Open calendar book laying on desk next to open laptop with time on screen

There’s Only One Year Left to Implement the PCAOB’s New Quality Control Standards

November 18, 2024
ADDITIONAL GUIDANCE: Since this blog was first published, the PCAOB released two new guidance documents. The Nov. 26 updates can be found here: An additional overview of the requirements of QC 1000 and staff guidance for firms about how to comply with the standard. This document provides additional staff insights on scope and applicability, responding to engagement deficiencies, and documentation for AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report. The Public Company Accounting Oversight Board (PCAOB) recently announced a new set of quality control standards designed around a risk-based approach. And there’s only one year to design and implement them. The PCAOB’s new QC 1000 standard is more than two decades in the making, as it replaces the quality control standards it adopted on an interim basis back in 2003 from the American Institute of Certified Public Accountants (AICPA). The new standard is intended to make independent registered public accounting firms significantly improve their quality control (QC) systems. QC 1000 applies to all PCAOB-registered member firms, with more extensive requirements for those that audit more than 100 issuer clients annually. It has been approved by the U.S. Securities and Exchange Commission (SEC) and goes into effect on December 15, 2025. The new requirements and the work required to implement them will be extensive, and the larger public accounting firms require external oversight of the QC system. Therefore, it is strongly recommended that firms do not put it off until the last minute. At its core, the new standard is intended to enable firms to identify their specific risks and design a quality control system including policies and procedures to guard against those risks. The overall goal is to establish what the PCAOB calls “a continuous feedback-loop for improvement.” In this, the new standard differs from the International Auditing and Assurance Standards Board’s (IAASB) International Standard on Quality Management No. 1 (ISQM 1) and the AICPA Statement on Quality Management Standards No. 1 (SQMS 1). An extensive but not comprehensive comparison document of the three standards may be found here, but is presented only as a reference tool. New requirements QC 1000 has requirements that do not appear in other QC standards. They can be more prescriptive or more specifically tailored to the U.S. legal and regulatory environment. There are 10 main areas in which the QC 1000 standards go beyond other, existing standards. These are: Evaluation and Reporting: QC systems must be evaluated annually and reported to the PCAOB. They must be certified by specific individuals with responsibility and accountability for the firm’s QC system. Governance and Leadership: Firms must create and maintain clear lines of responsibility and supervision. Larger firms must have outside oversight and a confidential complaint system. Ethics and Independence: Quality objectives must be tailored to the U.S. regulatory environment. Larger firms must implement an automated system for identifying securities investments that could impair independence. Monitoring and Remediation: QC 1000 divides monitoring into engagement and QC system levels. Engagement and QC deficiencies are defined, including requirements for their determination. Larger firms must (and smaller ones should) monitor in-process engagements. Quality Objectives: The firm’s personnel must comply with its policies and procedures Information and Communication: Quality objectives for communication with external parties are established at the firm and engagement level. Communication of the firm’s QC system’s policies and procedures must be communicated in writing. Resources: The firm’s personnel must adhere to standards of conduct. Policies and procedures must address both enumerated and circumstance-specific competencies. Mandatory training, licensure and technological resource requirements are established Risk Assessment Processes: Quality risks must be identified and assessed annually. Roles and Responsibilities: A single person must be assigned responsibility for each role and responsibility in the QC 1000 standard. Documentation: With respect to the QC system’s operation, documentation that allows an experienced auditor to evaluate the operation of quality responses must be provided. Documentation must be retained for at least seven years. That’s not an exhaustive list, but it does give an indication of how much work will be involved. And it’s happening at the same time as the AICPA extensive new Statements on Quality Management Standards (SQMS) requirements are coming into effect . Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
More Posts
Share by: