When it comes to “delivering quality audits that result in successful peer reviews”, there are strategies that firms should consider. Fortunately for our readers, this blog is based on a recent Wolters Kluwer panel discussion webinar on that topic. Fortunate for all of us, the webinar panelists included these industry experts:
- Carl Mayes – Senior Technical Manager of Special Projects at the AICPA, and Project Manager for the AICPA’s Enhancing Audit Quality Initiative
- Vincent Gaudiuso – Peer Reviewer and Quality Control Partner at Buchbinder
- Mona Dickerson – National Assurance Director at CohnReznick
To continue, the goal of the panel discussion was two-fold:
- Share what firms need to consider when preparing for their next peer review
- Ensure the highest quality audits possible by passing along strategies firms should consider
Lastly, the webinar covered four important issues, each of which deserves its own blog. This blog, part 1 in the series, covers “understanding internal controls”. That is the first important issue firms must address.
Conduct a Quality Check
Before proceeding, though, STOP! First, you must do a quality check. That is essential to the audit of the future. Moreover, it is also essential to simply advancing and growing your practice. Consequently, start by asking yourself:
- Has your firm always passed peer review?
- Did you know there were changes to the peer review program in October 2018?
- Do you know the most common issues found in peer review?
- Do you use third party practice aids?
Now, evaluate your answers. Because, if you answered ‘yes’ to any of those questions, then you should absolutely continue reading. Also, even if you didn’t answer ‘yes’, there’s still plenty to learn from our experts!
So, let’s start with some basic understanding of the AICPA Enhancing Audit Quality Initiative.
Q: What is the AICPA Enhancing Audit Quality Initiative?
Carl: The Enhancing Audit Quality Initiative launched in 2014. Its goal, then and now, is to find areas that cause the most noncompliance for practitioners. After identifying those areas, we develop resources around them.
- First, we raise awareness about the misconceptions that are happening in practice
- Second, we do research
- Third, we dig into peer review results for a better understanding of where folks trip-up
- Fourth, we then train peer reviewers
Ultimately, we change the materials that peer reviewers use. That way peer reviewers are as effective as possible when executing their responsibilities.
Q: What are the 4 main issues discovered by the Enhancing Audit Quality Initiative?
Carl: The area of highest concern to the AICPA is risk assessment. Moreover, within the realm of risk assessment, four areas cause a lot of problems out there in practice including:
- Understanding Internal Controls
- Identification of Significant Risks & Responding to Significant Risks
- Assessing Risk at the Assertion Level
- Linking Procedures Performed and Assertion Level Risk
Q: What are the issues with “Understanding Internal Controls”?
Carl: Understanding internal controls can also be broken down into the following four areas.
Not believing that controls exist
A lot of firms mistakenly believe their clients do not have controls. However, if your client has no controls, then that client is unable to prevent or detect a material misstatement. If that is the case, then you shouldn’t even be auditing them! If you ever really do get to that point, then you are likely becoming their bookkeeper. So, remember, all clients have some form of controls. Now, the question is what are those controls? Step back and think about all the different elements within the COSO Framework. Some of those take place even in the smallest entities. For example, you might have an owner who places emphasis on getting accurate financial reporting. That is a control. My point is, all clients have controls!
Not understanding which controls are relevant
The next area is “not understanding which controls are relevant to the audit”. When you identify an assertion underneath one of your accounts that you think has a reasonable possibility of material misstatement, and there are controls that make that assertion work, then that’s a relevant control. There are other forms of relevant controls, but that example is where folks trip-up.
Not understanding when control risk is less than maximum
Many firms assess control risk at below maximum without testing operating effectiveness. Just remember, when you set control risk below maximum, you must test operating effectiveness. Doing so is prescribed in the requirements of the standard.
Not assessing and evaluating the design and implementation of the controls
The last area around controls is related to “assessing and evaluating the design and implementation of your controls”. In other words, it is not good enough to simply stop once you’ve determined that a control exists. What we see a lot of times in peer review is the peer reviewer thinks, “Okay, here’s this control in this area. It seems like it’s probably the right kind of control. So, I’m going to move on.” Then, the peer reviewer documents the nature of that control and they really do just move on. A higher bar is really needed, though. So, determining that a control is properly designed and properly implemented is that higher bar. It requires peer reviewers to act above and beyond just determining that something exists.
Q: Vincent, from a peer reviewer perspective, can you relate to what Carl shared?
Vincent: Yes. Very much so.
Additionally, we also see weaknesses in firm’s documentation with respect to:
- Internal control narratives
- Identifying the relevant controls “responsive to the significant account areas on the engagement”
Furthermore, this problem has ripple effects through the entire audit engagement. If you’re not documenting the controls properly, then your risk assessment documentation is not complete. Therefore, it is difficult to link that risk assessment to your audit procedures. I’m not asserting to make this a linear process. It certainly is not. However, it does start with “gaining that understanding of your client”. You must make that risk assessment, and then properly document it. That is required.
In closing, let’s discuss how you can get peace of mind in this area. Quite frankly, the right technology helps. In fact, CCH ProSystem fx Knowledge Coach requires and helps the auditor identify and understand internal controls. Even more, it reminds the auditor if they skip this critical step. Valuable follow-up resources in the solution help the auditor walk-through “what if” scenarios.
Here is what Mona says, “It is important to verify you have the proper tools in your audit bag. Additionally, those tools must be sufficient to help you make sure you apply the standards correctly and fully. So, ask yourself two things. First, are your tools designed effectively to address the objectives of the standards? Second, have you implemented these tools consistently and appropriately on your engagements?”.
Remember to look for next week’s blog. It will address the second important issue, which is:
- Identification of significant risks & responding to significant risks