Home > Peer Review > e-Newsletter Articles > General Guidance

General Guidance

Center Firms

The AICPA has established different Audit Quality Centers that firms can voluntary join to help stay current on sensitive issues. There is a Government Audit Center and an ERISA Center, and membership in these Centers is encouraged. Detailed information about these Centers is available on the AICPA website. It is important for Center firms and reviewers to be aware that for peer reviews of Center firms, the peer review team captain or a team member must be associated with a firm that also belongs to the same Center(s). If the reviewed firm belongs to more than one Center, so must members of the peer review team. The peer reviewer whose firm is a member of a Center must be the one to review audits for industries covered by that Center. Center firms should also be aware that their peer review reports will become part of the public file.

Qualifying Governmental CPE

The Government Auditing Standards (GAGAS) require auditors performing work under GAGAS to maintain their professional competence through CPE. Specifically, 80 hours of CPE that directly enhance the auditor’s professional proficiency to perform audits and/or attestation engagements should be completed every two years (a minimum of 20 of these CPE hours must be taken each year). Tax services, in general, are not related to the subject matter of audits performed under GAGAS so CPE related to tax would normally not qualify as part of the 80 hours of CPE requirement. Also, since 24 of the 80 hours must be in subjects directly related to governmental auditing, reviewers must inquire about how the 24 hour requirement is fulfilled. This requirement applies to all staff on government audits not just CPAs. Specific information on Government CPE requirements is available at the GAO website (ref. GAO-05-5686). The AICPA Consolidation of Peer Reviewer’s Alerts also contains guidance on how to report CPE type problems that impact on Government audits.

Audit Alert

Under the new audit standards, AU Section 339.27, a firm has 60 days from the report release date to complete audit documentation.  It is critical when you are peer reviewing an audit that is still within the 60 day period that you ask and preferably document that the firm has completed the audit files.  Also make certain that all required written communication under SAS No. 112 has been made.  Under AU Section 325.21 this written communication is best made by the report release date but can be made within the 60 days following the release date.  Failure to do this could result in the California Peer Review Committee asking you to look at an additional audit that is complete.

Replying to Technical Notes

When replying to technical notes from the technical reviewers, please also send the reply to peerreview@calcpa.org .  It is your responsibility to make certain that the peer review program gets the reply.  Often, the technical reviewer who wrote the original notes is not the one reviewing the response.

Common Mishaps in Implementing the New Audit Standards

Peer review season is in high gear and, as suspected, firms are having trouble implementing the new audit risk standards.  We’ve noted some of the hot spots seen in peer reviews so far and have summarized them as follows:
1.        Failure to document observation and inspection procedures.  SAS 109 tells us that observation and inspection procedures should be performed to support inquiries of management regarding the entity and its environment.  These procedures would typically include some or all of the following:  a) observation of entity operations, b) inspection of documents, c) reading management reports, interim financial statements and board minutes and d) walk-throughs.  While firms may be performing these procedures, they are often not documented in the workpapers.
2.        Failure to document risk assessment procedures.  Most firms understand the risks of their audit clients and properly identify significant transaction classes, material balances, and significant fraud risk and other significant risks.  Once the identification process occurs, the new standards require auditors to gain further knowledge of the flow of transactions and controls over these significant areas, and to document the knowledge obtained.  This documentation is often missing from working papers.
3.        Failure to link risk assessments to actual procedures performed.  Risk assessments may be properly identified, but some practitioners do not properly link those assessments to actual procedures performed.  For instance, if the risk of material misstatement for accounts receivable is moderate or high and receivables are a material balance, the “basic” audit procedures from our PPC programs should be supplemented by extended procedures.  Conversely, if the risk of material misstatement for an area is low and the balance is not considered material, then basic procedures (or perhaps even analytical review) will suffice.  Many firms do not understand this link and continue to perform all the procedures they have always performed.  Others just perform the basic procedures for all sections and disregard the extended procedures, even when some of these procedures would be necessary.
4.        Failure to properly use electronic third party practice aids.  Our friends at PPC try to make our lives easier.  In addition to the normal practice aids on audits of non-public companies, they have electronic practice aids that will increase our audit efficiency.  Unfortunately, there may be a big learning curve in the first year of implementation and, like all programs, they are only as good as the information you put in (the old “Garbage In, Garbage Out” rule still applies).  So reviewers have seen a variety of problems in using these electronic practice aids.  First, firms need to make certain that the risk assessments they have made actually get input into the summary form, because that is the form that the software uses to formulate the audit procedures to perform.  For instance, if you have identified cash as a significant risk, but forget to check that box on the summary form, the suggested audit procedures won’t be sufficient to lower audit risk to an appropriate level.  Also, if circumstances change during the audit, and the firm decides to change the audit plan (i.e. the number and type of procedures), they often don’t go back and change the risk assessments to accurately reflect their final decisions.  Instead they use an “override” feature on the programs.  This will often cause a failure to link risk assessments to audit procedures as described above.

Clearly, firms need to understand the standards and their practice aids in order to make certain that the standards are implemented correctly.  Firms that use PPC should seriously consider purchasing PPC’s Guide to Audit Risk Assessment, which gives examples of the completed forms so firm personnel will have some guidance.  Additional CPE on the standards themselves and on use of applicable software may also be necessary.  In addition, firm personnel assigned to the review of engagements should emphasize the link between risk assessments and audit procedures performed during the review of engagements.

Extension Requests

Along with the peer review professional standards changes, there have been AICPA administrative changes.  As a result, the policy on extension requests has been changed.  Extension requests will no longer be approved after the firm’s due date.   All extension requests must come from firms, not reviewers.  Firms must give a valid reason for requesting an extension such as a merger or dissolution, a major engagement has not been completed, turnover of personnel significant to the conduct of the review, major health issues for personnel significant to the conduct of the review, scheduling conflicts with the peer reviewer or disasters. Lack of funds or vacation plans are not valid reasons.  Firms must have engaged a peer reviewer and must tell us the commencement date of the system or engagement peer review prior to us granting any extension, and they must state that the peer reviewer has agreed to the commencement date. Please note, extensions are for short periods of time.

Peer Review Feedback

As stated in a previous newsletter, peer review feedback is sent to a peer reviewer after the peer review has been accepted by the committee.  Currently, feedback forms are emailed to the peer reviewer.  The AICPA Peer Review Board has determined that these forms should not include the name of the firm or the firm’s review number.  Consequently, for reviews that go to the committee for acceptance after February 28, 2009, the review feedback form will be sent to you along with the letter you receive from us ackn owledging the acceptance of the peer review by the California Peer Review Committee.  The feedback form, however, will not be included in the acceptance letter that is sent to the firm. Please watch for these feedback forms as they give you valuable input on how you can improve your performance as a peer reviewer.

Emails

When sending emails to peerreview@calcpa.org , please include the peer review number and a brief description in the subject line.  This will ensure that your email is processed correctly.  Example descriptions are: tech revisions xxxxxx or work papers xxxxxx.

Paperless Peer Review

Please use the following labels for the documents that you submit. 

Report: peer review report

SRM: (system reviews) - summary review memorandum, including attachments 1 (system review engagement statistics data sheet) and 2 (disposition of matter for further consideration form)

MFC: matters for further consideration, presented in the order listed on the disposition of matter for further consideration form. Please send all MFCs together in one document.

FFC: findings for further consideration forms. Please send all FFCs together in one document.

TC checklist: (system reviews) - team captain checklist, including appendix A (peer review completion form)

RC checklist: (engagement reviews) - review captain checklist, including appendix A (engagement review completion form) and appendix B (disposition of matter for further consideration form)

risk: (system reviews) - if you prepare a supplemental risk assessment worksheet or memo, you may attach it to the summary review memorandum document or attach and label it separately

exit: supplemental exit conference notes may be treated in the same way as the supplemental risk assessment document described above

eng summary: (engagement reviews) – engagement summary form

eng data: (engagement reviews) – engagement statistics data sheet

misc work papers: work papers not listed above

Common mistakes noted in applying the new Peer Review Standards

All peer review reports must have a title at the top of the page (either “System Review Report” or “Engagement Review Report”) and must be addressed to both the firm and to the Peer Review Committee of the California Society of CPAs.  In addition, system review reports must include a separate paragraph describing engagements performed under the Government Auditing Standards, audits of employee benefit plans, and/or audits performed under FDICIA if the review has such engagements.

For system peer reviews, the FFCs must describe the underlying cause, i.e. the system problem.  While the form says to include the underlying cause “where possible” we believe it will be a rare instance where the underlying cause is not known.  In order to craft an appropriate recommendation, you must know the underlying system problem.

For system peer reviews, question G (page 4805 of the SRM) requests information on key elements that reside outside the firm.  Most firms do not develop their own practice aids and instead use a third party such as PPC. Therefore, this question should be answered. 

Quality Control Standards

Peer reviewers are in a unique position to help firms understand the new quality control standards.  Since firms are now required to have a written quality control document and written annual confirmation of independence, it is important that firms understand these changes.  Although a firm’s system of quality control is not within the scope of an engagement review, firms that perform only compilations and/or reviews are particularly vulnerable and some do not even realize that these standards apply to them.  We should educate firms on the new standards by providing them with professional resources. There is an article on the new quality control standards available at our web site, www.calcpa.org.  In addition, the quality control standards, audit standards, and the compilation and review standards are available free of charge from the AICPA web site: select “professional resources”, followed by “accounting and auditing”, “audit and attest standards” and “Authoritative Standards for Non-Issuers”.  Another extremely helpful practice aid to assist firms in developing their written policy, Establishing and Maintaining a System of Quality Control for a CPA Firm’s Accounting and Auditing Practice, is also available free of charge at: http://www.aicpa.org/centerprp/PA_Quality Control.htm.

A focus in these new standards is the definition of an engagement quality control review.  It is important to understand that firms are not required to have engagement quality control reviews and most small firms will not implement such policies.  Firms can still have a pre-issuance review that would not meet this definition and it can still be an effective part of their quality control.  However if such a review is not an engagement quality control review as defined by QC Section 10.104, firms cannot use this process as part of their monitoring and will have to use post issuance reviews or inspections instead.