What's in your audit?

Just what are the underlying causes of some of the more pervasive and substantial audit deficiencies identified in peer reviews in recent years?

To find out, read on.

Inappropriate use of third-party practice aids. The use of these aids and audit programs has become widespread as an effective means of keeping audit materials up to date and comprehensive. However, some auditors have become too checklist-oriented, driven in part by these standardized materials. Use of these types of materials creates risks that auditors may get lost in the completion of the checklist, and lose sight of what they should be doing, which is assessing and responding to audit risk.

The completion of an audit program or checklist is not an end in itself - it is only a tool. What is important is what the auditor learns along the way. Use of third-party practice aids does not reduce the amount of professional judgments required to perform an audit, and is not a substitute for adequate supervision and review. Auditors should use them with care and never use them unless they have read and completely understand the instructions for their intended use.

Firms continue to struggle with the practical aspects of how much additional effort is required in planning an audit to comply with the risk assessment standards. While most third-party practice aids and audit programs provide a framework and methodology to accomplish this, some auditors believe that these generalized approaches do not fit many of their particular client situations. There is also a perception that many of these third-party audit programs are an overkill for smaller audits and that they do not lend themselves to efficient downsizing.

In response, some auditors have elected not to use any, or only use select portions, of the audit planning components of third-party products. There is nothing inherently wrong with this, so long as the auditor develops alternative processes and documentation. This approach does, however, introduce risks to the auditor that, in an effort to gain engagement efficiencies, not all relevant planning considerations are performed or documented. Auditors should also recognize that when there is a significant deviation from a practice aid's design and intended use, the auditor may not be able to rely on the peer review of that product, since it is not being used in a comprehensive manner.

Inadequate internal controls assessments. Obtaining an understanding of internal controls involves evaluating the design of controls and determining whether those controls have been implemented. A common deficiency is where relevant controls have not been evaluated or where the evaluation procedures were limited to single-source inquiries. While it is not necessary to understand all of an entity's controls, it is necessary to determine which controls are relevant to the audit and whether those controls reduce the risk of material misstatement. Inquiry alone, however, is generally not sufficient to evaluate the design of a control or to determine whether it has been implemented.

Failure to link risk assessments. A common deficiency is the failure to link (or document) the audit risk assessments with the nature, timing and extent of further audit procedures performed in response to those risks. There is an expectation within the audit risk assessment standards that untailored generic audit programs will not be appropriate for most audit engagements, because risk will vary from entity to entity. However, in many instances auditors have not tailored the audit programs to the identified risk, or have arbitrarily identified all risk as moderate and defaulted to a basic audit approach. Neither of these approaches is consistent with the requirements of the standards.

Failure to identify or implement new standards. Predictably, the issuance of a new standard will not be timely identified or implemented by all firms. This may result in performance, disclosure or reporting deficiencies. This is most often caused by a firm not having an effective approach to monitoring new pronouncements relevant to their clients. Even where a firm does have policies and procedures to monitor new pronouncements, it faces the risk that it has not developed an adequate strategy for rolling out new pronouncements to ensure that they are correctly implemented on all engagements.

Not understanding specialized industry and reporting situations. Any time a firm undertakes an audit of an entity that operates in an industry that has specialized reporting requirements, there are added risks associated with that engagement.

In those engagements, a firm's client acceptance policies and procedures are critical, since the firm must assess its competencies in that industry before accepting the engagement. This is especially true where there is a significant public interest in the audit entity. Federal single audits, audits performed under government auditing standards, and audits of employee benefit plans are examples of these types of audits.

More recently, because of well-publicized frauds in the securities industry, the AICPA Peer Review Program has increased its focus on audits of broker-dealers. Not understanding the unique reporting and performance requirements for these types of audits creates a risk that a firm may not issue the appropriate reports or not perform the appropriate scope of work.

Inadequate tailoring of a firm's quality control system. At a firm-wide level, deficiencies commonly arise from a firm not having a properly designed and implemented quality control system. Some firms have not tailored their quality control system and documents to fit the specific needs and risks present within their practice. Consideration to the unique nature of the practice, such as industry concentrations, personnel mix and experience, and firm culture should be taken into account. While quality control standards set broad requirements for a firm's QC system, the specific design should be fine-tuned to a firm's specific situation.

 

NONCOMPLIANCE CONSEQUENCES

It may not be practical to design and implement quality control policies and procedures that eliminate every potential deficiency in an audit practice. However, steps usually can be taken to improve compliance with professional standards in key audit areas.

Noncompliance in substantive audit matters can potentially expose a firm to a number of very real business risks, any of which could have adverse economic effects. These business risk include: the risk of litigation settlement and defense costs arising from a malpractice claim; the risk of sanctions being imposed by federal or state regulators that could limit or restrict a firm's acceptance of new clients or practice areas; the risk of failing its peer review; and the risk of adverse publicity and the impairment of professional reputation. That could result in loss of clients and a negative impact on employee retention, recruitment and morale.

 

Dan Hevia is a shareholder with Gregory, Sharer & Stuart, and an experienced peer review team captain and chair of the American Institute of CPAs' Peer Review Board.

For reprint and licensing requests for this article, click here.
MORE FROM ACCOUNTING TODAY