When it comes to “delivering quality audits that result in successful peer reviews”, there are strategies that firms should consider. Repeating that statement in all four parts of this blog series is valuable. As a reminder, this 4-part series is based on a Wolters Kluwer panel discussion webinar about successful peer reviews. Industry-expert panelists included:
- Carl Mayes – Senior Technical Manager of Special Projects at the AICPA, and Project Manager for the AICPA’s Enhancing Audit Quality Initiative
- Vincent Gaudiuso – Peer Reviewer and Quality Control Partner at Buchbinder
- Mona Dickerson – National Assurance Director at CohnReznick
If you haven’t read the other blogs yet, this webinar covered four important issues firms must address regarding peer review. Today’s Part 4 blog addresses “linking procedures performed”.
So, here we go. Continue reading to learn what the expert-panelists had to say about this important issue.
Q: Linking risks to the audit procedure is another common misstep. What can you tell us about the requirements and the problems being encountered?
Carl: Yes, linkage is another focus area where there are common missteps. Just look at AU-C Section 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained. It specifies that you must document your linkage between:
- The procedures you’re performing
- And your assertion level risk
What we frequently see in practice, though, is that folks perform their risk assessment, then set that off to the side, and then go do the exact same procedures they would do for any other client in that area. Quite frankly, that is just not a risk-based approach.
The question your peer reviewer will ask you is, “How can I tell that this procedure you’ve performed is responding to the risk that you identified?” The firm’s inability to answer that question is a very common issue.
AU-C Section 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
.30 The auditor should include in the audit documentation (footnote 5: Paragraphs .08–.12 and .A8 of section 230, Audit Documentation)
a. the overall responses to address the assessed risks of material misstatement at the financial statement level and the nature, timing, and extent of the further audit procedures performed;
b. the linkage of those procedures with the assessed risks at the relevant assertion level; and
c. the results of the audit procedures, including the conclusions when such conclusions are not otherwise clear. (Ref: par. .A76)
Q: Vincent, from your peer reviewer perspective, what issue do you want to highlight?
Where is the documentation?
Vincent: When performing a peer review, one common observation to the auditor is:
- “We don’t see a comprehensive narrative of your understanding of the auditee’s environment, including the relevant control activities over the controls of these significant account areas.”
Interestingly, the response we often get is:
- “Well, we audited the heck out of these numbers.”
Now, while it may be true that going back and properly documenting your risk assessment in accordance with the Standards may not result in the identification of any new material misstatement, that does not make the audit correct. Put simply, it does not make you and the engagement team in compliance with respect to the audit standard.
Moreover, equally imperative – and interconnected with all the issues we are discussing – is the importance of AU-C Section 230: Audit Documentation. Fact is, documentation must be such that it would allow an independent auditor not associated with the engagement to understand the:
- Procedures applied
- Reasons why those procedures were applied
- Conclusions reached through the documentation
Are all the risks being documented?
Documentation must include a proper risk assessment, a proper gaining of understanding, and properly documenting the specific risks that were identified in your risk assessment matrix. Which again, to Carl’s point earlier, we often don’t see risks beyond the presumptive risks of fraud and management override and improper revenue recognition. It’s very infrequent that we see other risks being identified, and that’s an indication that the firm is either not properly documenting those risks in the table that they know about, or they’re not identifying those risks because there’s an improper understanding of the internal control environment.
AU-C Section 230: Audit Documentation
Documentation of the Audit Procedures Performed and Audit Evidence Obtained
Form, Content, and Extent of Audit Documentation
.08 The auditor should prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand (Ref: par. .A4–.A7 and .A19–.A20)
a. the nature, timing, and extent of the audit procedures performed to comply with GAAS and applicable legal and regulatory requirements; (Ref: par. .A8–.A9)
b. the results of the audit procedures performed, and the audit evidence obtained; and
c. significant findings or issues arising during the audit, the conclusions reached thereon, and significant professional judgments made in reaching those conclusions. (Ref: par. .A10–.A13)
Q: Carl, can you reflect on the changes to the peer review program itself, and what action firms must take?
Carl: There are changes in peer review to “retrain reviewers”. To retrain, we have courses and resources available. However, from the perspective of peer review itself, peer reviewers are going to take a different approach to risk assessment than they have previously. This is effective for reviews commencing October 1, 2018 through reviews commencing September 30th, 2021, and the new approach is this.
When the peer reviewer identifies a series of nonconforming engagements associated with risk assessment, due to noncompliance with 315 or 330, it will not necessarily hit your peer review report. Here is why. When we are doing peer reviews, we are looking at the firm’s system of quality control. Overall, firms share a lot of these misconceptions we are discussing. Therefore, many, many firms have a lack of understanding, which means it’s not necessarily just one firm’s quality control system causing the nonconformity.
Now is your chance to take corrective action!
So, when you have a nonconforming engagement where you haven’t complied with 315 or 330 in this context, it could mean other things as well. Yet, if you just have one, then that means you have a matter for further consideration. Furthermore, if you have a systemic failure to comply, then you could get an FFC and an implementation plan. Also, a lot of times those implementation plans are going to require you to take education on this topic. However, when you have a systemic failure to comply along with other deficiencies, then that means there are problems outside of 315 and 330 and that’s a deficiency in your report.
How does a firm take corrective action?
Taking corrective action is remedial. In fact, the entire process is remedial. It’s meant to help you get better. It varies based on the issues that are discovered, and can range from:
- A pre-issuance review on a future engagement
- Engagement quality control criteria (EQCR) being redefined
- Or simply training
From a firm perspective, what should you anticipate?
Basically, firms should anticipate that what’s happened in the past probably will not happen in the future. For example, if you haven’t been doing the stuff that we are talking about here – and your peer reviewer in the past has said that’s not a big deal – that probably will not happen anymore.
Q: Vincent, have you changed how you peer review? What impact has it had?
Vincent: Absolutely. The peer review checklist has changed. If you compare these checklists over the last few years, you can see the expansion and detail of the specific questions. The questions are becoming more direct, and they’re directing the peer reviewer to be more specific and less apologetic in terms of determining whether the documentation and the team met the standard or not. We are encountering more “no” answers through the AICPA checklists which are leading to more findings and deficiencies.
Tip: Everyone should review the AICPA checklists, and your internal inspection monitoring process should incorporate them.
When polled, only a small portion of the audience chose the correct answer to the below question.
What are significant risks? Are they:
- Any risks that require consideration during the audit
- Any matters that result in high risks of material misstatement
- Always fraud risks, or
- Often related to non-routine transactions that require significant judgment
Carl: A “significant risk” has a specific definition in the standard. It is not any risk that is significant, or any risk that has a high RMM, or any risk at all during the audit.
The correct answer is D – “often related to non-routine transactions that require significant judgment”. That the majority answered it wrong is indicative of what we are seeing in peer review, I think.
Mona suggested that folks read through AU-C Section 315: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. I reiterate that recommendation. Significant risks are “risks that require special audit consideration”, and they often relate to “non-routine transactions”.
Q: Mona, how does CCH ProSystem fx Knowledge Coach and its risk-based methodology help avoid these missteps?
Mona: Knowledge Coach’s risk-based audit methodology is instrumental to avoiding missteps. For example, Knowledge Coach is instrumental in educating practitioners about the Standards throughout its tools and forms. Those refer you back, and closely tie to the source which is the Standards. Therefore, you really can’t just go on autopilot and perform steps without understanding why you are performing them.
Walks you through the Standards!
To continue, Knowledge Coach prevents you from not addressing controls or forgetting that you do have to answer questions about controls. So, I really like that aspect of it. Additionally, it’s intuitive in a sense that it guides you — sort of “holding the auditor’s hand” in applying the standards. Even more so, it’s also smart. It asks you proper tailoring questions to trim down the steps that are not applicable. That means you are not inundated with huge checklists on controls or other things that end up making you lose focus and efficiency.
Diagnostics are key
The biggest part, though, is that it makes sure that at the end of the day you have not missed things. For example, the diagnostic tool makes sure you
- Performed procedures to address each relevant assertion
- Have specific procedures that are specifically tied to each specific risk addressed
Even in its design, it does not allow you to miss doing your risk assessment at the relevant assertion level or the financial statement level.
I don’t know how you do without it, honestly. Actually, I do know how you do without it because, without Knowledge Coach, the audit takes a lot of manual effort, triple checking and going through your binder again to ensure you have procedures documented and linked — by documentation to each assertion and to each risk.
As Vincent mentioned before, it is truly hard when a peer reviewer asks the team,
- Hey, what did you do for this specific risk?
- Show me what you did for this specific risk.
- Where did you document exactly what you did to address this?
Linking and flow of answers help
Without Knowledge Coach, it is difficult to show whether you have extensive documentation and have manually ensured everything is linked. With Knowledge Coach, the flow of information in the software design itself makes that documentation easier and more intuitive. It’s more intuitive because it enables the practitioners that are actually auditing those areas to stay well informed about what the risk levels are, what the assertion risks are, and what specific risks are tied to their specific audit area.
Tailored Audit Programs are really important
When using Knowledge Coach, a practitioner no longer wonders how many pages they need to review to be okay, or simply trust that all procedures are done. The solution eliminates that because:
- First, we’ve talked about the linkage
- Second, we’ve tailored the procedures so that each audit program is built in response to the risk assessment and actually linked
Additionally, from an efficiency standpoint, I also like that there are tailoring questions. For example, “Do you have cash accounts that are sitting in foreign accounts in foreign currencies?” Well:
- If you answer “Yes,” then it prompts you to consider, “Okay, maybe all of these procedures are applicable to you. Go and figure out the valuation. Do this or that.”
- But if you answer, “No,” immediately it prompts with, “Hey, these procedures they have right here in the library, maybe you don’t want to pick those because they don’t really apply based on what you just answered.”
Bottom line, Knowledge Coach makes you a more effective and efficient auditor.
Ultimately, to get peace of mind in this area, you need the right technology. That’s exactly why you should consider CCH ProSystem fx Knowledge Coach. The solution:
- Prompts you to tailor the audit programs for both the relevant audit areas and the relevant assertions for those areas
- Contains an extensive series of diagnostics related to risk assessment, with prompts if you do not determine relevant assertions
- Further tailors the summary of risk assessment workpaper, and all audit programs, with the relevant assertions to help ensure you design the procedures accordingly
To conclude, in Part 1’s blog, Mona shared this. “It is important to verify you have the proper tools in your audit bag. Additionally, those tools must be sufficient to help you ensure you’ve applied the standards correctly and fully. So, ask yourself two things.
- Are your tools designed effectively to address the objectives of the standards?
- Have you implemented these tools consistently and appropriately on your engagements?”
That’s it for our 4-part blog series. Review them all as often as you’d like.
- “Understanding internal controls”, focus of Part 1
- “Identification of significant risk & responding to significant risk”, focus of Part 2
- “Assessing risk at the assertion level”, focus of Part 3
- “Linking procedures performed and assertion level risk”, this blog – Part 4
Also, remember these two good tools for continuing your education: