Like what you see? Click here to sign up for Accounting Today's daily newsletter to get the latest news and behind the scenes commentary you won't find anywhere else.
The completion of an audit program or checklist is not an end in itself; it is only a tool. What is important is what the auditor learns along the way. Use of third-party practice aids does not reduce the amount of professional judgments required to perform an audit and is not a substitute for adequate supervision and review. Auditors should use these practice aids with care and never use them unless they have read and completely understand the instructions for their intended use.
Firms continue to struggle with the practical aspects of how much additional effort is required in planning an audit to comply with the risk assessment standards. While most third-party practice aids and audit programs provide a framework and methodology to accomplish this, some auditors believe that these generalized approaches do not fit many of their particular client situations.
There is also a perception that many of these third-party audit programs are overkill for smaller audits and do not lend themselves to efficient downsizing. In response to these factors, some auditors have elected not to use any, or only use selective portions, of the audit-planning components of these third-party products.
There is nothing inherently wrong with this approach so long as the auditor develops alternative processes and documentation. This approach does, however, introduce risks to the auditor. In an effort to gain greater engagement efficiencies, not all of the relevant planning considerations may be performed or documented.
Auditors should recognize that when there is a significant deviation from a practice aid’s design and intended use, the auditor may not be able to rely on the peer review of that product, since it is not being used in a comprehensive manner.
Inadequate Internal Controls Assessments
Obtaining an understanding of internal controls involves evaluating the design of the controls and determining whether those controls have been implemented. Common deficiencies include not evaluating the relevant controls and limiting the evaluation procedures to single-source inquiries.
While it is not necessary to understand all of an entity’s controls, it is necessary to determine which controls are relevant to the audit and whether those controls reduce the risk of a material misstatement. Inquiry alone, however, is generally not sufficient to evaluate the design of a control nor to determine whether it has been implemented.
Failure to Link Risk Assessments to Audit Procedures
A common deficiency is the failure to link (or document) the audit risk assessments with the nature, timing and extent of further audit procedures performed in response to those risks. There is an expectation within the audit risk assessment standards that untailored generic audit programs will not be appropriate for most audit engagements because the risk will vary from entity to entity.
However, in many instances auditors have not tailored the audit programs to the identified risk, or have arbitrarily identified all the risks as moderate and default to a basic audit approach. Neither of these approaches is consistent with the requirements of the standards.
Failure to Identify or Implement New Standards
Predictably, the issuance of a new standard will not be timely identified or implemented by all firms. This may result in performance, disclosure or reporting deficiencies. This is most often caused by a firm not having an effective approach to monitoring new pronouncements relevant to their clients.
Even where a firm does have policies and procedures to monitor new pronouncements, the firm faces the risk that it has not developed an adequate strategy for rolling out new pronouncements to ensure that they are correctly implemented on all engagements.
Not Understanding Specialized Industry and Reporting Situations
Anytime a firm undertakes an audit of an entity that operates in an industry that has specialized reporting requirements, there are added risks associated with that engagement. In those engagements a firm’s client acceptance policies and procedures are critical since the firm must assess its competencies in that industry before accepting the engagement.
This is especially true where there is a significant public interest in the audit entity. Federal single audits, audits performed under Government Auditing Standards, and audits of employee benefit plans are examples of these types of audits. More recently, because of well-publicized frauds in the securities industry, the AICPA Peer Review Program has increased its focus on audits of broker-dealers. Not understanding the unique reporting and performance requirements for these types of audits creates a risk that a firm may not issue the appropriate reports or not perform the appropriate scope of work.
Inadequate Tailoring of a Firm’s Quality Control System
At a firm-wide level, deficiencies commonly arise from a firm not having a properly designed and implemented quality control system. Some firms have not tailored their quality control system and documents to fit the specific needs and risks present within their practice.
Consideration of the unique nature of the practice, such as industry concentrations, personnel mix and experience, and firm culture, should be taken into account. While quality control standards set broad requirements for a firm’s QC system, the specific design should be fine-tuned to meet a firm’s specific situation.
The Consequences of Noncompliance
It may not be practical to design and implement quality control policies and procedures that eliminate every potential deficiency in an audit practice. However, steps usually can be taken to improve compliance with professional standards in key audit areas and thereby reduce the likelihood of an audit failure.
The risks created by noncompliance in substantive audit matters potentially expose a firm to a number of very real business risks, any of which could have adverse economic effects on its practice. These business risk include: the risk of litigation settlement and defense costs arising from a malpractice claim, the risk of sanctions being imposed by federal or state regulators that could limit or restrict a firm’s acceptance of new clients or practice areas , the risk of failing its peer review and potentially exposing itself to licensing and state board actions, and the risk of adverse publicity and the impairment of professional reputation that could result in a loss of clients and a negative impact on employee retention, recruitment and morale.
Dan Hevia is a shareholder with Gregory, Sharer & Stuart. He is an experienced peer review team captain and chair of the AICPA Peer Review Board.