In June, Boomer Consulting, Inc. had the honor of sponsoring Wolters Kluwer’s Audit Talks LIVE virtual conference. The event brought together audit experts and technologists to talk about the rapidly changing audit landscape and how firms can transform their practices to better serve clients.
One popular session focused on the AICPA’s Enhancing Audit Quality (EAQ) Initiative. Here are some of the takeaways from that session and insights from the hosts: Cathy Rowe, Director of Product Management for Wolters Kluwer; Carl Mayes, Associate Director of CPA Quality and Evolution at the AICPA; and Matthew Reiter, Audit Partner at Whitley Penn.
4 keys to enhancing audit quality
Risk assessment and internal control are two areas that the AICPA has identified to focus on in 2020. These standards have been around for a long time, but many firms continue to struggle with them.
According to data collected by the AICPA, peer reviewers found noncompliance with one of those standards in over half of all engagements. Mayes shared four ways firms can enhance audit quality and avoid running into these issues during peer review.
#1 Realize that every client has internal controls
In a lot of instances, Mayes says, auditors decide that the client is unsophisticated and doesn’t have any controls. Their internal control assessment indicates the auditor is not going to place any reliance on controls and will go straight into substantive testing.
For the firm to conduct the audit, the client must have some controls, which are just policies and procedures set up by management to prevent or detect material misstatements. If your client really has no such policies and procedures, they cannot detect or prevent fraud. It’s very difficult – if not impossible – to perform an audit in that environment.
The reality is that every client has some controls, so the question is what the auditor has to do with them. On every engagement, the auditor must evaluate the design and implementation of relevant controls.
#2 Realize that every audit has significant risk areas
The second area where auditors run into trouble is identifying significant risks. Every audit has at least one significant risk: management override. And almost every audit has a second significant risk, which is revenue recognition. And of course, there can be additional risks associated with new accounting changes and more.
Significant risks require a different response and specific procedures you must perform. So, every engagement a firm performs should identify at least one – and likely multiple – significant risks.
#3 Identify assertion level risks
Mayes stresses that auditors can’t merely say the risk of material misstatement for a section of the audit is low. They must dig down into the assertions and identify which ones are relevant to the client. For each one of those relevant assertions, you want to assess risk at that level.
For example, you can’t just say the risk of material misstatement for cash is low. The risk of misstatement in cash existence may be irrelevant, but the assertion of cash valuation may not be. Under those circumstances, the auditor needs to design procedures that are responsive to the valuation assertion.
#4 Link procedures to identified risks
Many times, auditors fill out the risk assessment, identify risks and assess levels and likelihood of risks. Then they move on to their procedures but perform the exact same tests that they would for any other client as if they’d never performed the risk assessment.
Auditors need to make sure their audit procedures are responsive to the risks identified. At the end of the day, Mayes says, what peer reviewers are looking for is:
- Can they tell what risks you’ve identified?
- Can they tell the likelihood and materiality of those risks?
- Can they tell what you did about it at the assertion level?
- Can they see that you’ve tested those assertions with specific procedures?
If they can’t, you run the risk of nonconformity in your peer review.
Importance of the EAQ Initiative
The COVID-19 pandemic and its impact on 2020 year-end audits will make assessing risk and responding to those risks more critical than ever. There will likely be breakdowns in internal controls with people working from home, so the approach to the audit will likely change. If you relied on certain controls that aren’t happening anymore, you won’t be able to rely on them anymore.
“This is a fraud risk perfect storm,” says Mayes. “Plenty of incentive, plenty of rationalization, plenty of opportunity in a lot of cases because of those breakdowns in internal controls.” If you’re not approaching those engagements with a risk assessment mindset and targeting procedures to those areas, then the probability that you’ll miss something is dramatically higher.
Peer reviewers are being trained to pay closer attention to these areas, too. If peer reviewers see these issues, they’re going to call it a nonconforming engagement.
How Knowledge Coach helps enhance audit quality
Reiter discussed how one of the toughest things for new auditors to understand is how different aspects of the audit tie together. They tend to look at planning the audit, assessing risk, and evaluating internal controls in silos and don’t really understand the overall picture and how all these pieces fit together.
Whitley Penn does a lot of internal training and focuses on how their audit teams identify significant risks, identify assertions related to those risks, and link audit procedures to those risks.
Four years ago, the firm started using Knowledge Coach. Reiter explained that one of the big reasons they chose Knowledge Coach over some of the other tools they evaluated is that it gives them the ability to do the risk assessment as a team, identify significant risks, and develop audit procedures before going into the field. This ensures they don’t spend too much time on low-risk areas.
“The tool does a really, really good job of making sure that you’re addressing all of the relevant assertions that you identified in the planning phase,” Reiter says. “As the staff members move through the audit, they have a better perspective on how it all fits together. It helps them understand how we move from audit planning to execution to wrap-up and issuance in a much better way than just having a bunch of disparate tools that don’t talk to each other.”
To learn more, check out this Audit Talks LIVE session recording, as well as the entire lineup of sessions.