Search:

General Guidance

Significant Deficiencies

Some reviewers do not fully understand what constitutes a substandard engagement. In order to assist reviewers in making this determination and to provide consistency, the AICPA has provided a listing (see the Consolidation of Peer Reviewers’ Alert) of significant and non significant engagement deficiencies. Additionally, the AICPA website contains listings of the common deficiencies noted during peer reviews. These listings are separated between minor and significant deficiencies. An engagement with one of the listed significant deficiencies is normally considered “substandard”. While these lists are not all-inclusive, they do contain the more common significant deficiencies. Reviewers should refer to these lists when making determinations about the significance of a deficiency.

Reporting on 101-3 Problems

The AICPA has issued guidance available on their website on reporting on documentation problems found resulting from the implementation of Interpretation 101-3. The lack of documentation by itself does not result in a substandard engagement. In a system review, the problem could be included in a LOC if there was a pattern. Such problems noted in an engagement review should always be included in the LOC, and problems noted in a report review would only be mentioned to the firm in the exit conference and would not be included in the report.

Classification Problems (Short/Long Term Debt)

According to the AICPA Peer Reviewer’s Alert, misclassification of a material balance results in a significant engagement deficiency. A common misclassification found during peer reviews concerns the current portion of long-term debt not being presented as a current liability. If the amount that should have been a current liability is significant, the engagement in question would normally be considered substandard, although careful judgment is required when forming a conclusion. Reviewers need to provide enough information to indicate that the significance of the deficiency was determined. Normally this information is provided in the MFCs. If this information is not provided, the reviewer will be requested to provide it. This would just delay the finalization of the review.

Statements of Cash Flows

In a GAAP financial statement, the FASB No. 95 requires that if a balance sheet and income statement are present, there must be a statement of cash flows for each period presented in the income statement. For example, if there is a balance sheet for June 30, 2005 and income statements for the three and six months ended June 30, 2005, there should be a statement of cash flows for both periods. Sometimes there is only a statement for the six months ended. If this occurs in a financial statement that is being peer reviewed, the engagement would be considered substandard because it is missing a required statement. If the CPA or the client of the CPA does not want this statement of cash flows prepared, the CPA should modify the accountant’s report for a GAAP departure.

Monitoring

If a firm has not documented its monitoring, a finding must be included in the letter of comments. If a firm has only partially documented monitoring procedures, including a review of financial statements and work papers, then the reviewer can discuss monitoring during the exit conference and not record the finding in the letter of comments. When documenting monitoring procedures, it is helpful if the firm includes a notation stating the issues found were discussed with the appropriate personnel, including with whom and when the information was relayed.

Pre-issuance reviews can only be included for monitoring when a person with appropriate knowledge, not involved in the engagement, performs the review of the engagement. An effortless approach to this monitoring would be for the individuals performing the pre-issuance reviews to save their review notes and periodically summarize them. The summary would describe the industries, types of engagements and common deficiencies among the engagements. Once the summary has been created and maintained, the review notes can be destroyed. The summary should document any discussion with the staff (as described above). The firm would also need to document the annual review of the other elements of quality control.

Some sole practitioners do not have experienced staff (not involved in the engagement) that can perform pre-issuance reviews. A possible solution to this problem could be for the sole practitioner to perform a post-issuance review prior to the start of the next engagement, since they would commonly be reviewing the files at this time. The checklists already in the files can be used to help in the reviews, eliminating the need to produce new ones. Alternatively, the AICPA has the team captain checklists, that your peer reviewer uses, available on their web site. The post-issuance reviews are performed on a cross section of engagements. As mentioned above, use the summary to document monitoring. Also note that the other elements of quality control must be monitored and documented yearly.

Follow-Up

In determining if a peer review should be accepted, the Peer Review Committee considers whether corrective action, if any, should be monitored prior to final acceptance of the peer review. This monitoring is commonly called follow-up and can take various forms. Common types of follow-up are a review of an additional financial statement, proof of CPE courses taken, and submission of the firm’s next monitoring report. For adverse system peer reviews, team captain revisits may be required.

Follow-up may be requested for a variety of reasons but normally such action is considered when there are substandard engagements or repeat findings. Accordingly, whenever there are substandard engagements or repeat findings, reviewers should alert firms to the possibility of follow-up being requested by the Peer Review Committee when discussing the results of a review. Also, for system reviews, reviewers should provide their specific suggestions on the SRM when follow-up seems appropriate.

Peer Reviewer’s Alerts

The Peer Review Board has revised the format of the Peer Reviewer’s Alerts. The Board is now issuing new Alerts whenever it needs to communicate additional information about the peer review program to all reviewers. Instead of including information from previous editions of the Alerts, only the additional information will be presented so the Alerts will be shorter. The relevant information from all other Peer Reviewer’s Alerts is periodically summarized into a Consolidation of Peer Reviewers’ Alerts. All of the Alerts are available on the AICPA website and reviewers are responsible for staying current with the information provided in the Alerts as well as when new Alerts are issued.

System Reviews Performed Off Site

Interpretation No. 1 has changed significantly. This type of system review can only be performed if the reviewed firm is a sole practitioner with no professional staff who performs a total of three or less engagements covered by the SASs, Government Auditing Standards or examinations of prospective financial statement under the SSAEs.

Accelerated Peer Reviews

A firm does not have to wait three years to have another peer review. If a firm has a modified or adverse peer review report (particularly for a system review), the peer reviewer should tell the firm about the option of an accelerated peer review. A firm cannot have two peer review reports covering any part of the same period. Therefore, the earliest peer review year a firm could use would be a completely new 12 month period after the prior peer review period. For example, if a firm received a modified peer review report for the year ending June 30, 2006, the earliest period that could be used for an accelerated peer review would be for the year ending June 30, 2007. Firms need to be cautioned though to make sure that the problems that had been noted were corrected for the full year, otherwise there could be repeat findings since it would not be appropriate to exclude any engagements from the selection process. Additionally, if a firm opts for an accelerated review, our office must be contacted to begin the paperwork to schedule the review and to avoid other follow up action that might be considered.

Governmental Entities

Peer reviewers need to asses the audit documentation on post-employment benefits other than pensions. Although GASB 45, Accounting and Financial Reporting by Employers for Post-employment Benefits Other Than Pensions, is not effective until December 31, 2007 or later based on a phased-in fashion dependent on the annual revenue of the governmental entity, the current governmental accounting standards require at minimum certain disclosures about these benefits. Many governmental entities have significant and material benefits. In the audit work papers there should be documentation of conversations with accounting and/or human resource staff concerning these benefits. There should also be documentation of a review of union and other employee group current contracts. An article describing this issue is in the August 2006 issue of California CPA and is also available on the peer review website (www.calcpa.org). To help assure firms are fully aware of these issues, you may also wish to make them aware of this article.

Comparative Reports

There has been some confusion on the seriousness of some problems being noted in comparative financial statements. If there are two periods in the F/Ss but only one period is mentioned in the report or vice versa, the engagement would not be substandard but a comment would be included in the LOC. This of course is assuming the same level of service. If, however, there is a difference in the level of service between the two periods and the report does not indicate the difference, it is possible to have a substandard engagement if for example the current level of service is a review engagement and the prior level of service is a compilation

Center Firms

The AICPA has established different Audit Quality Centers that firms can voluntary join to help stay current on sensitive issues. There is a Government Audit Center and an ERISA Center, and membership in these Centers is encouraged. Detailed information about these Centers is available on the AICPA website. It is important for Center firms and reviewers to be aware that for peer reviews of Center firms, the peer review team captain or a team member must be associated with a firm that also belongs to the same Center(s). If the reviewed firm belongs to more than one Center, so must members of the peer review team. The peer reviewer whose firm is a member of a Center must be the one to review audits for industries covered by that Center. Center firms should also be aware that their peer review reports will become part of the public file.

Qualifying Governmental CPE

The Government Auditing Standards (GAGAS) require auditors performing work under GAGAS to maintain their professional competence through CPE. Specifically, 80 hours of CPE that directly enhance the auditor’s professional proficiency to perform audits and/or attestation engagements should be completed every two years (a minimum of 20 of these CPE hours must be taken each year). Tax services, in general, are not related to the subject matter of audits performed under GAGAS so CPE related to tax would normally not qualify as part of the 80 hours of CPE requirement. Also, since 24 of the 80 hours must be in subjects directly related to governmental auditing, reviewers must inquire about how the 24 hour requirement is fulfilled. This requirement applies to all staff on government audits not just CPAs. Specific information on Government CPE requirements is available at the GAO website (ref. GAO-05-5686). The AICPA Consolidation of Peer Reviewer’s Alerts also contains guidance on how to report CPE type problems that impact on Government audits.

Audit Alert

Under the new audit standards, AU Section 339.27, a firm has 60 days from the report release date to complete audit documentation.  It is critical when you are peer reviewing an audit that is still within the 60 day period that you ask and preferably document that the firm has completed the audit files.  Also make certain that all required written communication under SAS No. 112 has been made.  Under AU Section 325.21 this written communication is best made by the report release date but can be made within the 60 days following the release date.  Failure to do this could result in the California Peer Review Committee asking you to look at an additional audit that is complete.

Team Captain/Reviewer Feedback

In accordance with the policies of the AICPA Peer Review Board, if there are matters noted in the documentation of the peer review or the writing of the report and letter of comments, these matters must be communicated by a member of the state peer review committee.  Consequently, most matters that are noted during the technical review process will be re-communicated to you after the peer review has been accepted by the committee.  Many comments could be avoided if peer reviewers used the preissuance checklists for system, engagement and report reviews available at the peer review web site at www.calcpa.org. 

Replying to Technical Notes

When replying to technical notes from the technical reviewers, please also send the reply to peerreview@calcpa.org .  It is your responsibility to make certain that the peer review program gets the reply.  Often, the technical reviewer who wrote the original notes is not the one reviewing the response.

Technical Issues

For OCBOA compilations without disclosure, professional standards (AR Section 100.17) only require that the report disclose the basis of accounting.  It is not required that the report disclose that the basis is different from GAAP.  Consequently this should not be a finding but could be communicated to firms as a “best practice”.

There are two options regarding the presentation of cash overdrafts in the statement of cash flows. It can be presented as cash and cash equivalents or it can be presented as an operating activity, similar to accounts payable.  The AICPA Technical Practice Aid, TIS 1300.15, takes one position, but the other position is a common industry practice.  Since technical practice aids and industry practice are in the same GAAP hierarchy category, either method of presentation is acceptable.

Documentation on Review Engagements

There has been some confusion as to the type and amount of documentation to be reviewed when performing a peer review of a review engagement. Documentation requirements for review engagements were strengthened with the issuance of SSARS No. 10, Performance of Review Engagements, effective for periods ended December 31, 2004 or later. Reviewers are to determine that all documentation requirements have been met by reviewing documentation prepared during the review engagement, including documentation of expectations developed during analytical review. This documentation can be included with the analytics performed by the firm, in a separate memo, or if using PPC checklists, on Appendix 4H-Analytical Procedures Documentation Form. Documentation supporting the review engagement must be reviewed by the reviewer, not simply verified through inquiry.

Common Mishaps in Implementing the New Audit Standards

Peer review season is in high gear and, as suspected, firms are having trouble implementing the new audit risk standards.  We’ve noted some of the hot spots seen in peer reviews so far and have summarized them as follows:
1.       Failure to document observation and inspection procedures.  SAS 109 tells us that observation and inspection procedures should be performed to support inquiries of management regarding the entity and its environment.  These procedures would typically include some or all of the following:  a) observation of entity operations, b) inspection of documents, c) reading management reports, interim financial statements and board minutes and d) walk-throughs.  While firms may be performing these procedures, they are often not documented in the workpapers.
2.       Failure to document risk assessment procedures.  Most firms understand the risks of their audit clients and properly identify significant transaction classes, material balances, and significant fraud risk and other significant risks.  Once the identification process occurs, the new standards require auditors to gain further knowledge of the flow of transactions and controls over these significant areas, and to document the knowledge obtained.  This documentation is often missing from working papers.
3.       Failure to link risk assessments to actual procedures performed.  Risk assessments may be properly identified, but some practitioners do not properly link those assessments to actual procedures performed.  For instance, if the risk of material misstatement for accounts receivable is moderate or high and receivables are a material balance, the “basic” audit procedures from our PPC programs should be supplemented by extended procedures.  Conversely, if the risk of material misstatement for an area is low and the balance is not considered material, then basic procedures (or perhaps even analytical review) will suffice.  Many firms do not understand this link and continue to perform all the procedures they have always performed.  Others just perform the basic procedures for all sections and disregard the extended procedures, even when some of these procedures would be necessary.
4.       Failure to properly use electronic third party practice aids.  Our friends at PPC try to make our lives easier.  In addition to the normal practice aids on audits of non-public companies, they have electronic practice aids that will increase our audit efficiency.  Unfortunately, there may be a big learning curve in the first year of implementation and, like all programs, they are only as good as the information you put in (the old “Garbage In, Garbage Out” rule still applies).  So reviewers have seen a variety of problems in using these electronic practice aids.  First, firms need to make certain that the risk assessments they have made actually get input into the summary form, because that is the form that the software uses to formulate the audit procedures to perform.  For instance, if you have identified cash as a significant risk, but forget to check that box on the summary form, the suggested audit procedures won’t be sufficient to lower audit risk to an appropriate level.  Also, if circumstances change during the audit, and the firm decides to change the audit plan (i.e. the number and type of procedures), they often don’t go back and change the risk assessments to accurately reflect their final decisions.  Instead they use an “override” feature on the programs.  This will often cause a failure to link risk assessments to audit procedures as described above.

Clearly, firms need to understand the standards and their practice aids in order to make certain that the standards are implemented correctly.  Firms that use PPC should seriously consider purchasing PPC’s Guide to Audit Risk Assessment, which gives examples of the completed forms so firm personnel will have some guidance.  Additional CPE on the standards themselves and on use of applicable software may also be necessary.  In addition, firm personnel assigned to the review of engagements should emphasize the link between risk assessments and audit procedures performed during the review of engagements.