Avoiding Deficiencies in Peer Reviews: Focus on Engagement

© Surgent • www.surgentcpe.com

Avoiding Deficiencies in Peer Reviews:Focus on Engagement Quality


Today’s presenter

Marci Thomas, MHA, CPA, CGMA

Marci Thomas, MHA, CPA, CGMA, licensed as a CPA in Georgia and North Carolina, is an author and nationally recognized speaker on various accounting and auditing topics to companies, nonprofits, CPA firms, and state societies of CPAs around the country. A frequent speaker at local, regional, and national conferences, she also writes and teaches courses in governance, financial management, grants accounting, strategy, and various operational topics. Marci is a clinical assistant professor in the School of Public Health at the University of North Carolina at Chapel Hill. She works with numerous accounting firms, performing quality control and efficiency reviews and with boards on strategic planning, internal control, and governance issues. Marci serves on the Not-for-profit Committee for the North Carolina Association of CPAs.

Marci has written and co-written several books, including Essentials of Physician Practice Management, published by Jossey Bass in 2004. Her book Best of Boards: Sound Governance and Leadership for Nonprofit Organizations was published by the AICPA and Wiley Publishing in 2018 and is on its second printing. Her book on health care financial management was published by Wiley Publishing in 2014, with a new edition expected in 2020.

Marci received her Bachelor in Business Administration with a concentration in accounting from the Georgia State University and her Masters in Health Administration from the University of North Carolina at Chapel Hill.

E N Q 42


Overall learning objectives

• After completing this course, you should be able to:

– Understand the AICPA’s Engagement Quality Initiative

– Understand the peer review issues that have been recently identified by the AICPA, regulators and peer reviewers

– Implement corrective action in audit, review and compilation engagements and in the firm’s system of quality control

E N Q 43


Course overview

• Chapter 1 – AICPA Focus on Audit Quality

• Chapter 2 – Risk Assessment

• Chapter 3 – Understanding Internal Control

• Chapter 4 – Linking the Risk Assessment to Further Audit Procedures

• Chapter 5 – Disclosure Issues

E N Q 44


A quick word on policy vs. politics

• Many times when discussing accounting, tax and financial policy issues, it can be difficult to divorce the politics from the policy

• Today, when discussing the various issues we will encounter over the next several hours, let’s agree to keep our own view of politics out of the application of the policy and focus on doing the very best we can for all our clients

• This goes for religious/faith views as well

E N Q 45

Chapter 1:AICPA Focus on Audit Quality


Learning objectives

• Upon reviewing this chapter, the reader will be able to:

– Identify key elements of the AICPA’s Enhancing Audit Quality initiatives;

– Recognize key trends noted in recent peer reviews; and

– Recognize the importance of audit documentation in the system of quality control

E N Q 47


B. Peer review, an integral part of EAQ

• Enhancing Audit Quality Initiative (EAQ) in 2014

• Data driven approach to improving audit quality

• The AICPA:

– Collects data from peer reviews and other reviews, for example, from regulatory agencies;

– Analyzes the data to see where deficiencies are prevalent;

– Studies emerging trends; and

– Takes action to create articles, webcasts, tools and other resources to help auditors improve

E N Q 48


AICPA developed the Peer Review Oversight Program

Peer Review Oversight Program:

• Subject matter experts perform the reviews after the firm has been peer reviewed but before the peer review goes to the Peer Review Committee

• Oversight Program detected three times the number of instances of nonconformity with professional standards on must-select engagements since 2015

• This resulted in four times the number of peer reviewers that are getting remediation to improve their performance since 2014

E N Q 49


Types of peer reviews

• System review, a peer reviewer obtains an understanding of:

– The firm’s accounting and auditing practice; and

– The design of the firm’s system, including its policies and procedures and how it monitors compliance with the policies and procedures

• The peer reviewer assesses the risk in the different parts of the firm’s practice

E N Q 410


A system review

• The peer reviewer’s objective is to determine whether the system is designed to ensure conformity with professional standards and whether the firm is complying with its system

• Guidance in SQCS 8

• The System review also includes evaluation of a sample of the firm’s engagements, including:

– “Must select” engagements

E N Q 411


A system review

– Engagements performed under Government Auditing Standards;

– Audits of employee benefit plans;

– Audits of depository institutions;

– Audits of broker-dealers; and

– Examinations of service organizations

E N Q 412


Peer reviewers’ classification system

• Classification system of circumstances noted during the peer review as:

– Matters

– Findings

– Deficiencies

– Significant deficiencies

• Ratings are:

– Pass

– Pass with deficiencies

– Fail

E N Q 413


C. Progress on audit quality

• January 2015, AICPA Peer Review Board approved changes to its Standards for Performing and Reporting on Peer Reviews

• Focus on enhanced peer reviewer training

• Reviews beginning on or after May 1, 2016

• Changes made to the Peer Review program focused on:

– Resolving disagreements between CPA firms and reviewers;

– Increasing the qualifications for a peer reviewer; and

– Strengthening the consistency of peer review performance criteria to facilitate remediation or removal of deficient reviewers

E N Q 414


C. Progress on audit quality

• AICPA’s 2018 report to the profession found that changes are working

• Peer reviewers detected 62% of nonconforming engagements up from:

– 18% in 2014;

– 40% in 2015; and

– 47% in 2016

• Remediation for firms includes pre-issuance reviews and additional targeted CPE

E N Q 415


D. AICPA focus areas and peer review issues identified

Question for Discussion

The AICPA has been issuing Audit Risk Alerts for over 30 years. Among other things, they focus on deficiencies that have come to light in audits. Why do you believe that audit quality continues to be a problem?

E N Q 416



• Top issue identified for 2018 - Risk assessment

• Documentation - 25% of engagements subject to review were materially nonconforming due to failure to comply with documentation standards

• Single Audits - Most significant issue arising in 2018 is the failure to test internal controls over compliance

• Additional focus areas for 2019 include:

– Internal control over financial reporting;

– Auditing accounting estimates; and

– SOC engagements E N Q 417



• SAS 134 modified the form and content of auditor’s report to more closely align with the PCAOB standards. Makes changes to the following:

– AU-C 700, Forming an Opinion and Reporting on Financial Statements;

– AU-C 705, Modifications to the Opinion in the Independent Auditor’s Report; and

– AU-C 706, Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report

E N Q 418



• SAS 135 is also designed to align with the PCAOB guidance. It amends three AU-C sections:

– AU-C 260, Communications with those Charged with Governance;

– AU-C 550, Related Parties; and

– AU-C 240, Consideration of Fraud in a Financial Statement Audit

E N Q 419



• SAS 136 addresses the auditor’s responsibility to form an opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA. It also adds new requirements for:

– Engagement acceptance;

– Audit risk assessment and response;

– Communications with those charged with governance;

– Procedures for an ERISA §103(a)(3)(C) audit; and

– Considerations related to the Form 5500

E N Q 420



• SAS 137 addresses the Auditor’s Responsibilities Relating to Other Information included in Annual Reports. This standard supersedes SAS No. 118, Other Information in Documents Containing Audited Financial Statements (AU-C 720)

• SAS 138 changes the definition of materiality

• SAS 139 and 140 primarily make conforming changes to the reports for special purpose frameworks and reports on supplementary information

• SASs 134-140 were deferred one year by SAS 141 and are now effective for audits of financial statements for periods ending on or after December 15, 2021. Early implementation is permitted

E N Q 421



• SAS 142, Audit Evidence was issued in July 2020

• Modifies the existing standard on audit evidence to address evolving practices, such as:

– Emerging technologies being used by preparers of financial statements and auditors;

– Data analytics;

– Application of professional skepticism; and

– Expanding use of external information as audit evidence and assessing its reliability, completeness and accuracy

E N Q 422



• SAS 143 was issued in July 2020

• Makes revisions to the existing standard on Auditing Accounting Estimates:

– Discusses the concept of estimation uncertainty;

– Requires a separate evaluation for inherent risk and control risk for estimates;

– Proposes additional risk assessment procedures for estimates including assessment of management bias;

– Emphasizes that internal controls over the development of accounting estimates is important; and

– Makes clear that lack of internal controls over significant estimates with high estimation risk could be a material weakness or significant deficiency

E N Q 423


II. Documentation – peer review issues identified

• Documentation - major issue in nonconforming audits

– Auditors may perform the work but use tick marks on checklists to document what they have done; this may not be enough

– Auditors may not be aware of all standards

E N Q 424


A. General standards on documentation

• AU-C 230 states: “The auditor should prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit to understand:

– The nature, timing and extent of the audit procedures performed to comply with GAAS and applicable legal and regulatory requirements;

– The results of the audit procedures performed, and the audit evidence obtained; and

– Significant findings or issues arising during the audit, the conclusion reached, and significant professional judgments made in reaching the conclusions”

E N Q 425



• When preparing documentation, the auditor should document:

– The identifying characteristics of the specific items tested;

– The person who performed the work and the date the work was performed; and

– The person who reviewed the work performed, the date and the extent of review

E N Q 426



• Exercise 1: Presumptively Mandatory Requirements

– Professional standards require that accounts receivable be confirmed. The audit partner on the engagement knew that in situations involving nursing home patients that the chances of confirmations being returned were very low. Therefore, he directed the staff to test subsequent payments instead. The workpaper contained a list of the patients selected for testing along with a record of payments vouched and a summary at the bottom showing the extent of the testing performed and the results.

Was this documentation sufficient to meet professional standards?

E N Q 427


B. General matters arising after the date of the auditor’s report

• When an auditor identifies an issue after the audit report has been issued and must perform procedures to address it, the auditor should document:

– The circumstances encountered;

– New or additional procedures performed, evidence obtained, and conclusions reached as well as their effect on the auditor’s report; and

– The timing of the work and the person who made and reviewed the changes made to the workpapers

E N Q 428


C. Assembly and retention of the final audit file

• Document the report release date in the audit documentation when auditor delivers report

• This should be no earlier than when the auditor has obtained sufficient appropriate audit evidence including:

– Evidence that the audit documentation has been reviewed; and

– All the statements including the related notes have been prepared and management has asserted that they have taken responsibility

• Subsequent event procedures – should cover to the date of the auditor’s report or as near as possible

E N Q 429


C. Assembly and retention of the final audit file

• FASB requires management to disclose the date through which subsequent events have been evaluated

• Auditing standards provide a 60-day window until documentation completion date

• Retention period can be no shorter than 5 years from the report release date

• Quality Control standards require that the firm must have:

– Controls in place to ensure documentation is not altered or deleted; and

– Policies and procedures related to protection of the information, and client confidentiality

E N Q 430


D. Documentation of quality control standards

• In 2018, peer review issues related to poor quality control included:

– Use of templates from practice aids and other vendors without tailoring them to the unique qualities and risks of the firm; and

– Some firms were not performing key quality control functions such as consultations with others on engagement issues and engagement quality control reviews

E N Q 431


D. Documentation of quality control standards

• System of quality control should address:

– Leadership responsibility for quality within the firm;

– Relevant ethical requirements including independence;

– Acceptance and continuance of client relationships and specific engagements;

– Human resources;

– Engagement performance; and

– Monitoring

E N Q 432


4. Client acceptance and continuation

• Peer reviewers have noted that firms are not always:

– Documenting acceptance and continuance procedures;

– Obtaining the proper licensure in the states where engagements were accepted; and

– Evaluating the risk of performing an engagement in a specialized industry or obtaining the necessary knowledge of current standards in specialized areas prior to performance of the audit

E N Q 433


5. Human resources

• Peer reviewers have also noted firms’ noncompliance with human resource aspects of quality control such as:

– Failure to design policies that ensure partners and staff obtain appropriate CPE to meet state board requirements, membership requirements etc.;

– Failure to design policies to require relevant CPE for levels of service and industries of engagements performed; and

– Failure to maintain current licenses in all jurisdictions in which the firm practices

E N Q 434


6. Engagement performance

• With regard to engagement issues, the following were noted:

– Failure to properly complete or use purchased practice aids;

– Failure to establish appropriate criteria for engagement quality control review (EQCR);

– Failure to perform EQCR on engagements that meet the firm's criteria;

– Failure to maintain current quality control materials for the performance of engagements; and

– Failure to establish a policy for the retention of engagement documentation

E N Q 435


7. Monitoring

• Peer reviewers noted the following issues related to monitoring:

– Failure to design appropriate policies and procedures for the completion of monitoring;

– Failure to include all elements of quality control in monitoring procedures; and

– Failure to document the results of monitoring and inspections

E N Q 436


E. Documentation of independence considerations

• Two basic risks of independence:

– Risk that the practitioner is not independent (independence in mind); and

– Risk that the practitioner is perceived as not being independent (independence in appearance)

• Practitioners should use a conceptual framework which involves:

– Identifying threats to independence

– Evaluating the threat that the AICPA member would not be independent or would be perceived by a reasonable and informed third party as not being independent

– Threats must be eliminated or reduced to an acceptable level to be independent

E N Q 437



• Threats to independence:

– Adverse interest threat;

– Advocacy threat;

– Familiarity threat;

– Management participation threat;

– Self-interest threat;

– Self-review threat; and

– Undue influence threat

• Nonattest service rules apply during the period of professional engagement and during the period covered by the financial statements

E N Q 438



• Independence Conceptual Framework

Is the nonattest service(s) specifically mentioned in ET Sec. 1.295?

Evaluate the nonattest service using the conceptual framework at ET Sec. 1.210.010.

No

Does the nonattest service(s) specifically impair independence?

Service may not be performed for attest client.

Are there threats that would need supplemental safeguards to bring them to an acceptable level?

Yes

Evaluate firm safeguards and apply them. Document the safeguards and how they were applied.

Firm is independent if management is willing and able to provide a person with suitable skill, knowledge and experience to review and take responsibility for the service. Ensure that this documentation is thorough and that the important engagement letter and rep letter provisions are included.

Yes

E N Q 439


2. Safeguards

• Safeguards that could applied by the firm are:

– Firm leadership that stresses the importance of independence

– Policies and procedures that are designed to implement and monitor quality control in attest engagements

– Documented independence policies

– Internal policies and procedures that are designed to monitor compliance

– Use of different partners, partner equivalents, and engagement teams that have separate reporting lines

– Training timely communication of a firm’s policies and procedures, and any changes to them

E N Q 440


2. Safeguards

• Safeguards that could applied by the firm are:

– Discussing independence issues with the audit committee or others responsible for the client’s governance

– Disclosures to the audit committee (or others responsible for the client’s governance) regarding the nature of the services

– Involvement of another professional accountant who reviews the work that is done

– Consultation on engagement issues with an interested third party

– Rotation of senior personnel who are part of the attest engagement teams

– Involvement of another firm to perform or reperform part of the attest engagement

E N Q 441

Chapter 2:Risk Assessment


Learning objectives


– Discuss the changes in auditing standards over the last 20 years including the direction auditing standards are taking today;

– Note the elements of the risk assessment process that have been identified as deficient in peer reviews; and

– Identify and implement best practice techniques and documentation for key elements of the risk assessment process

E N Q 443


A. Brief history

• Risk assessment standards have been effective since 2008

• Not an overhaul of performing substantive testing but focused on:

– Documentation

– Obtaining an understanding of internal control over financial reporting

– More rigorous documentation of sampling

– Improved testing of the income statement which includes more than an overall fluctuation analysis

E N Q 444


A. Brief history

• Risk assessment procedures help to focus an auditor’s attention on the account balances and classes of transactions that are most likely to have material misstatement and identify errors and irregularities

• The procedures also help to uncover deficiencies in internal control so that improvements can be made to prevent and detect their occurrence in the future

E N Q 445


A. Brief history

• Overall objectives when conducting risk-based audits of financial statements are to:

– Obtain reasonable assurance about whether the financial statements, as a whole, are free from material misstatement, whether due to error or fraud; and

– Report on the financial statements

E N Q 446


II. Performing a conforming risk assessment A. Summary of the risk assessment process

• Step 1: Make inquiries of management and other members of the client to develop an understanding of the entity, its environment, and internal control relevant to the audit

– Assess prior experience with the entity as well as results of audit procedures performed in prior audits. The assessment of prior experience is documented, in part in the client continuance form. This was discussed earlier

• Step 2: Perform preliminary analytical procedures on financial and nonfinancial information

E N Q 447


A. Summary of the risk assessment process

• Step 3: Make inquiries of management, those charged with governance and others to assist in identifying the risk of material misstatement due to fraud

– Perform procedures to understand the risk of fraud such as inspection of journal entries, evaluation of significant estimates and the rationale for unusual business transactions

– Conclude on the risk of fraud related to revenue recognition and management override of controls

E N Q 448



• Step 4: Identify the entity’s significant accounting processes including the financial reporting process and those that are outsourced and identify the key controls within those processes. Identify the key entity level controls

• Step 5: Conduct observations and inspections of those entity level controls and accounting processes with purpose of understanding the design of the key internal controls and whether they have been implemented

– Decide whether to test internal controls

E N Q 449



• Step 6: Accumulate the data points on risk identified

– Conduct discussions with the engagement team, brainstorming where the entity’s financial statements are susceptible to material misstatement due to fraud or error. Identify significant and fraud risks so they can be specifically documented

– Conclusions will be summarized in the risk assessment summary form

• Step 7: Assess inherent risk at the account balance/class of transaction and assertion level

– Be sure to document elements used to assess inherent risk

E N Q 450



• Step 8: Assess the risk of material misstatement at the account balance and assertion level as high, moderate or low

– Ensure that significant and fraud risks are identified. Assess the risk of material misstatement at the overall financial statement level, that is, those risks that cannot be identified as specific to an account balance and assertion

• Step 9: Develop tailored audit procedures to be responsive to the risks of material misstatement and link them to the overall risks of material misstatement, the significant risks and the level of risk in the other account balances and classes of transactions at the assertion level

E N Q 451



• Step 10: Document the results of the risk assessment process, including:

– Significant decisions reached in engagement team discussions, as well as timing of those discussions, and audit team members who participated in those discussions;

– Key elements associated with obtaining an understanding of the audit client, its environment, internal control components as well as the sources from which the understanding was obtained, and the risk assessment procedures performed; and

– Risk of material misstatement assessed at both the financial statement and relevant assertions level including the controls related to those risks that require special audit consideration (i.e., fraud risk, risks associated with significant related party transactions, economic and accounting matters, etc.).

– Revise documentation if things change

E N Q 452


III. Issues related to the risk assessment process identified by peer reviewers and others

• A. Peer Review Issue #1 – Failure to communicate or document the communication between the auditor and those charged with governance

– Beginning of the audit communication

– Communications related to fraud

– End of the audit communication

E N Q 453


A. Peer Review Issue #1 – failure to communicate or document the communication between the auditor and those charged with governance

• NEW!! AU-C 260 has been amended by SAS 135:

– Additional communications about the auditor’s views relating to the entity’s significant unusual transactions

• Communication of significant unusual transactions may include the auditor’s views on the policies and practices management used to account for significant unusual transactions as well as

• The auditor’s understanding of the business purpose for significant unusual transactions

– Communications about the potential effects of uncorrected misstatements on future-period financial statements are required

– When management communicates some or all of the information to governance

E N Q 454


B. Peer Review Issue #2 – failure to properly perform/document preliminary analytical procedures

• Purpose of performing/documenting preliminary analytical procedures is to:

– Identify areas that might indicate the presence of risk whether due to error or fraud; and

– Investigate the unusual relationships between what he/she expected to occur based on inquiries with the client, board, and understanding of the industry

• Preliminary analytical procedures are performed at a high level with aggregated data

• The auditor has discretion in how he/she performs the procedures

E N Q 455



Case Study 1: Peer review issue identified -- Preliminary analytical procedures

An auditor of a small entity with a lack of segregation of duties prepared a fluctuation to serve as preliminaryanalytical procedures to meet professional standards. The expectation stated on the workpaper was that, “allsignificant account balances and classes of transactions would remain constant since there was very littlechange in operations during the year and no significant transactions occurred.” The auditor identified severalfluctuations greater than the scope set but instead of concluding as to the risk that might be present, she crossreferenced the line item with the significant fluctuation to a workpaper representing substantive testing.

Subsequent to the issuance of the report the audit firm learned there had been a fraud at this company. Thetrusted bookkeeper created a fictitious company and over a seven-year period had embezzled $1.8 million. Thefraudulent expenses were concentrated in one general ledger account. Bookkeeper held the amount of thebalance constant so that it would not be questioned by the board or by the auditor.

If you were the manager on the account, what review comments might you have written to the auditorwho prepared the analysis?

E N Q 456



Exercise 1: Peer Review Issue Identified -- Documentation of the risk of fraud, journal entries

An auditor was performing a review of journal entries to comply with AU-C 240. The objective of the review of the journal entries is to address, in part, the risk of management override of controls. The auditor is testing journal entries and other adjustments for indications of possible material misstatements due to fraud. The audit program required the auditor to perform the following steps:

Step 1: Consider the risks of material misstatement due to fraud identified in planning the engagement and their

effect on the nature and extent of journal entry testing. This may require journal entries to be tested throughout the

period, at closing points during the period when financial statements are issued, and at the end of the period.

Step 2: Obtain an understanding of the entity’s financial reporting processes and the internal controls over journal

entries and other adjustments. Make inquiries of personnel who process journal entries about inappropriate activity that

may have taken place.

Step 3: Perform audit procedures to determine the completeness of the population of journal entries and other

adjustments.

E N Q 457



Exercise 1: Peer Review Issue Identified -- Documentation of the risk of fraud, journal entries (continued)

Step 4: Identify and select journal entries and other adjustments for testing. Include automated routine journal entries,

ad hoc journal entries for specific purposes such as to record investment activity from investment statements and

topside entries made directly to the financial statements.

Step 5: Perform journal entry audit procedures. The tick mark should make it clear what the auditor considered. The

auditor should then document the results of the test and conclude on whether there are any indications that there are

possible material misstatements due to fraud.

The audit staff person signed off on each of the steps (1-5) and documented that the step was performed.

Was this enough documentation to comply with professional standards? What would you have done in the

circumstances?

E N Q 458


B. Peer Review Issue #2 – failure to properly perform/document preliminary analytical procedures ̶ example

Expectation: Based on discussions with management, review of the board minutes for the year and review of trends in the industry we have the following expectations. Based on discussions with management and review of sales reports provided by operations personnel we noted that sales of product were flat, and services decreased. We learned that there was some increased competition in the area from a larger company that sold at lower prices. We were able to corroborate this from external sources. Based on the review of the minutes we noted that the company replaced a piece of equipment that was old for $6,500. In addition, we know discussions with management that there were significant issues with their billing system and as such bills for the last few months did not go out as scheduled. We corroborated this by review of the AR run that took place shortly before year end. This accounts for the significant difference in accounts receivable. Accounts payable and cash typically fluctuate due to timing and so we do not expect that any fluctuations +/- $25,000 would be unusual. In 20X8 the company wrote off a significant amount of inventory due to some damage sustained to the warehouse. Margin appears consistent and inventory did not decrease from 20X8 to 20X9. We will follow up on this issue as it appears to be a risk The only fluctuation, aside from inventory that is unexplained is other assets. The amount is not significant and so although we will follow up on this during our substantive testing, it does not appear to be a significant risk or risk of fraud. We will carry forward the risk associated with inventory to be considered in the team discussion.

E N Q 459



E N Q 460



Statements of Operations

20X9 20X8$ Change

20X9‐20X8 % Change 20X9‐20X8

Revenue:

Product Sales $ 1,184,327 $ 1,174,814 $ 9,513 0.81%

Service contracts 289,275 337,483 (48,208) ‐14.28%

Investment income 8,275 7,806 469 6.01%

Total revenue 1,481,877 1,520,103 (38,226) ‐2.51%

Expenses:

Payroll and benefits 238,406 254,873 (16,467) ‐6.46%

Cost of product sold 1,045,395 1,050,021 (4,626) ‐0.44%

Administrative expenses 58,652 51,459 7,193 13.98%

Total expenses 1,342,453 1,356,353 (13,900) ‐1.02%

Pretax income 139,424 163,750 (24,326) ‐1%

Income tax expense (14,530) (16,550) 2,020 ‐12.21%

Net income 124,233 147,200 (22,967) ‐15.60%

Supplemental analytics ‐ Revenue

Product Sales $ 1,184,327 $ 1,174,814 $ 9,513 0.81%

Cost of product sold (1,045,395) (1,050,021) 4,626 ‐0.44%

Margin 138,932 124,793 14,139 11.33%

Margin % 12% 11%

Service contracts $ 289,275 $ 337,483 (48,208) ‐14.28%

Number of customers served 175 205 (30) ‐14.63%

Average Revenue per contract $ 1,653 $ 1,646 7 0.41%

E N Q 461


C. Peer Review Issue #3 – failure to discuss the risk of fraud with governance

• AU-C 315 states that the auditor should make inquiries of management, those charged with governance and others to assist in identifying the risk of material misstatement due to fraud

– Peer review comments primarily note the failure to hold discussions with members of governance about their perceptions of the risk of fraud and whether they have knowledge of any actual, suspected or alleged fraud

E N Q 462


D. Peer Review Issue #4 – auditors are failing to identify at least one significant risk

• Auditors are failing to identify at least one significant risk. Significant risks tend to be related to:

– Judgments and estimates;

– Nonroutine, nonsystematic transactions;

– Going concern;

– Related parties;

– Risk of fraud;

– Transactions outside of the normal operations of the entity; and

– Risk due to significant economic, accounting or other developments

E N Q 463


E. Peer Review Issue #5 – auditors are failing to assess the risk of material misstatement at both the financial statement level and relevant assertion level

• AU-C 315.26 states that the auditor is required to assess risk for account balances and classes of transactions at the assertion level

• Peer reviewers have noted that some auditors are making a blanket assessment assuming that all assertions are the same

E N Q 464


E. Peer Review Issue #5 – auditors are failing to assess the risk of material misstatement at both the financial statement level and relevant assertion level

E N Q 465


F. Peer Review Issue #6 – auditors are assessing the risk of material misstatement as a whole, not considering inherent and control risk separately

• Peer reviewers noted that auditors were assessing the risk of material misstatement (RMM) with one value representing their combined assessment of inherent and control risk

• This would be deemed an inadequate risk assessment. Inherent and control risk are two very separate evaluations

E N Q 466


DR =AR

IR X CRDR= Detection RiskAR= Audit RiskIR = Inherent RiskCR= Control Risk

Using the Audit Risk Model to Determine the Audit

Evidence Required

Inherent Risk Control Risk RMMHigh High HighHigh Moderate HighHigh Low ModerateModerate High ModerateLow High ModerateModerate or Low Moderate Low/ModerateModerate or Low Low Low

3. Detection risk

E N Q 467


G. Peer Review Issue #7 – auditors are not adequately documenting the rationale for the assessment of inherent risk

• Auditors are documenting their inherent risk assessment as high, moderate or low but are not discussing the rationale for the assessment

• AICPA’s risk assessment audit guide goes into additional detail as to the consideration points that could be used to assess inherent risk

E N Q 468


1. Exercise 2: risk assessment

Risk Assessment – True or False

1. Auditors should assess risk at account and relevant assertion level.

E N Q 469




1. Auditors only need to assess risk at the account balance and relevant assertion level.

E N Q 470




2. Auditors should document the basis for their risk assessment only if either control risk or inherent risk is set below high. Otherwise they can carry forward the assessment from the prior year.

E N Q 471




2. Auditors should document the basis for their risk assessment only if either control risk or inherent risk is set below high. Otherwise they can carry forward the assessment from the prior year.

E N Q 472




3. Auditor can combine the assessment of inherent and control risk if they believe that the two are the same.

E N Q 473




3. Auditor can combine the assessment of inherent and control risk if they believe that the two are the same.

E N Q 474




4. Auditor should assess inherent risk at the account balance and relevant assertion level separately.

E N Q 475




4. Auditor should assess inherent risk at the account balance and relevant assertion level separately.

E N Q 476

Chapter 3: Understanding Internal Control


Learning objectives


– Identify the changes in internal control from 2013 and beyond;

– Understand the professional standards related to internal controls and where peer reviewers are noting deficiencies; and

– Identify and implement best practice techniques and documentation for key elements of the risk assessment process

E N Q 478


I. Internal controls – very important and ever evolving

• 2013 COSO revised its integrated framework to reflect changes in technology, global markets, complexity of transactions and other factors

• Major changes to the framework at that time were in the areas of:

– Expectations for governance oversight;

– Globalization of markets and operations;

– Changes and greater complexities in laws, regulations and standards;

– Expectations for competencies and accountabilities;

– Use of and reliance on technology; and

– Expectations relating to preventing and detecting fraud

E N Q 479


B. Components of internal control

• Internal controls is defined as a process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives

• 5 Components

• 17 Principles

E N Q 480


1. Component 1: control environment

• Objectives of AU-C 315 include ensuring that:

– Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior; and

– The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control

• A good control environment is one that:

– Demonstrates commitment to integrity and ethical values;

– Exercises oversight responsibility;

– Establishes structure, authority, and responsibility;

– Demonstrates commitment to competence; and

– Enforces accountability

E N Q 481


2. Component 2: risk assessment

• Objective of AU-C 315 is also to ensure that the entity has a process that is adequate for identifying business risks relevant to financial reporting objectives, estimating the significance of the risks, assessing the likelihood of their occurrence, and deciding about actions to address those risks

• A good risk assessment is one that:

– Specifies suitable objectives;

– Identifies and analyzes risk;

– Assesses fraud risk; and

– Identifies and analyzes significant change

E N Q 482


3. Component 3: control activities

• Objective of AU-C 315 is that the entity should have a mix of preventive and detective controls designed to prevent, detect and enable management to correct misstatements on a timely basis. Types of controls are:

– Authorization controls;

– Safeguarding assets;

– Asset accountability; and

– Segregation of duties

E N Q 483


4. Component 4: information and communication

• Objective of AU-C 315 is that the information systems must be adequate to properly reflect transactions in the financial statements

• Communication system is to adequately communicate financial reporting roles including communications with those charged with governance and external communications such as with regulatory authorities

• A good communication system is one that securely and efficiently:

– Uses relevant information

– Communicates internally

– Communicates externally

E N Q 484


5. Component 5: monitoring activities

• Objective of AU-C 315 is to allow management and the board to perform activities monitoring internal control over financial reporting, including those related to those control activities relevant to the audit, and enable the entity to initiate remedial actions to deficiencies in its controls

• A good system of monitoring of controls both:

– Conducts ongoing and/or separate evaluations; and

– Evaluates and communicates deficiencies

E N Q 485


6. Exercise 1: peer review issue identified – entity level controls

• An auditor identified the following controls as key controls for the entity’s control environment. She prepared a workpaper identifying the key controls.

– Management sets the appropriate tone from the top

– Those charged with governance meet regularly. They review the internal financial statements at each meeting and ask questions about significant fluctuations

– The entity has a code of conduct and all employees are required to acknowledge that they have read it

– Management conducts performance evaluations of staff members

• The auditor concluded that management had implemented these controls

• If you were reviewing this workpaper what review comments would you have for the auditor? Assume that you are only reviewing the work on the control environment controls.

E N Q 486


C. Peer Review Issue #1 – auditors are not performing the appropriate level of procedures on internal control related to financial reporting

• Auditors are omitting critical required audit procedures related to gaining an understanding of the client’s internal control over the financial reporting process. Obtaining this understanding is an important part of the risk assessment process. Specifically, auditors are not:

– Considering what could go wrong as the client personnel prepare financial statements;

– Identifying controls intended to mitigate financial reporting risks; and

– Evaluating the likelihood that the client’s controls are adequate to prevent and/or detect material misstatements in the financial statements

E N Q 487


C. Peer Review Issue #1 – auditors are not performing the appropriate level of procedures on internal control related to financial reporting

• Financial reporting process includes the closing process, combining or consolidating entries, evaluating significant accounting estimates and disclosures. Understand the controls over the:

– Inputs (automated or by JE), procedures performed (testing for completeness, accuracy, presentation and disclosure) and outputs of the process

– Information technology involved

– Types of JEs used in the process

– Nature and extent of oversight by management, board of directors, and audit committee

• Auditors should evaluate the design of the controls and whether they have been implemented

• Auditors do not always conclude on deficiencies noted

E N Q 488


D. Peer Review Issue #2 – auditors are concluding that their clients have no controls

• Auditors are concluding that their clients have no controls in order to justify a default to control risk being assessed at the maximum level

E N Q 489


E. Peer Review Issue #3 – auditors fail to understand which controls are relevant to an audit

• Peer review findings indicate that auditors do not always obtain an understanding of which controls are relevant to an audit

• They evaluate the controls relevant to the “big three” significant systems; cash receipts, cash disbursements, and payroll and obtain an understanding of the controls over those systems

• There may be more significant systems including ad hoc spreadsheets

• Relevant controls also include those that:

– Address significant risks;

– Address risks where the auditor believes that substantive testing alone will not provide sufficient appropriate evidence (those would be tested);

– Support journal entries; and

– Will be tested for control reliance

E N Q 490


F. Peer Review Issue #4 – auditors have misconceptions about key controls, walkthroughs, and the level of testing necessary for control reliance

• Auditors are reducing control risk due to the results of the tests performed on entity level controls

• Auditors are reducing control risk due to the test results of attribute tests conducted on 40 cash disbursements for goods/services and payroll disbursements

• Often the only internal control tested is an approval

• Other attributes may consist of tracing information from a source document to the general ledger

E N Q 491



• Auditors should determine if they either need or want control reliance

• To be an effective test controls should be related to activities conducted by client personnel

• Test of controls vs test of attributes evidencing appropriate accumulation of information

E N Q 492



Example ̶

An auditor was performing a test of controls over cash disbursements so he could rely on controls and reduce the level of substantive testing. He obtained a narrative that explained the process used for cash disbursements. The process is the journey that a transaction takes from initiation to authorization to processing and recording. The narrative helped him to understand the flow of the process. However, he realized that this narrative did not provide enough documentation for a complete understanding of controls.

The auditor went through the narrative and identified control activities that were designed to prevent, detect and correct misstatement on a timely basis. To ensure that his understanding was complete he identified activities performed by the client to support the appropriate authorization, safeguarding of assets and reconciliations. He also evaluated the segregation of duties.

He then selected key controls to support the assertions that were relevant to the account balance/class of transactions. The auditor’s objective was to evaluate the controls in place to ensure that purchases were approved, the goods or services represented bona fide obligations of the entity (i.e. that they were ordered), that the purchases were supported by source documentation evidencing receipt and the amounts were recorded accurately. He identified controls relevant to the assertions as follows:

E N Q 493



Expense/Accounts Payable

Occurrence/Existence -- the purchase requisition is attached to the receiving document and the invoice before the expense is recorded in the general ledger. The accountant reviews the documents to ensure that they match and then signs the documentation.

Completeness -- pre-numbered purchase orders are used. Open purchase orders are investigated at the end of the month to determine if they were void or just failed to be recorded. Management reviews checks written toward the end of the period to ensure the underlying transactions were posted in the appropriate period. This review is documented in an excel checklist that is completed at the end of each month for these activities.

Rights and Obligations -- purchases are approved before they are ordered to ensure they are bona fide purchases of the company. Purchases at a certain level must be approved by a member of senior management. This is evidenced by a signature (initials).

Accuracy/Valuation -- invoices are checked against receiving documentation and the purchase requisition to ensure that amounts recorded in expenses and accounts payable are accurate. This is evidenced by a stamp on the documentation.

E N Q 494


G. Peer Review Issue #5 – auditors are failing to conclude on the design of controls

• The understanding of internal controls includes both evaluating the design of controls as well as whether they have been implemented

• Control design -- consider whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements

E N Q 495


G. Peer Review Issue #5 – auditors are failing to conclude on the design of controls

Exercise 2: Peer Review Issue Identified -- Walkthrough of Control Activities

An auditor identified the two signatures required on checks as a key internal control. The control activity was supposedto cover the occurrence/existence assertion, ensuring that the supporting documentation matched the amount of thecheck, that the name on the check was the proper payee and that receiving documents, if any, were attachedconfirming quantities and other information. The control additionally was important because although the purchaseswere approved in an earlier step it was possible that the check preparer could prepare an unauthorized check. Withoutthe appropriate documentation the check signer was supposed to question the check thereby preventing fraudulentdisbursements.

The auditor obtained an understanding from reviewing the prior year process chart and asked the client for a specifictransaction to determine if the two signatures were present on the check. He documented the information from thetransaction selected noting that two signatures were on the check.

If you were the auditor what other steps, if any would you have performed and documented in your evaluation of the design and walkthrough to see if the control had been implemented?

E N Q 496


H. Peer Review Issue #6 – auditors are not linking control risks to further substantive procedures

• Peer review data indicates that some auditors are identifying control weaknesses but failing to link those risks to the right level of substantive procedures

• Auditors do not always go back to the team discussion documentation and risk assessment summary to document that a risk has emerged during testing along with the further audit procedures to be performed to lower detection risk

E N Q 497



Exercise 3: Peer Review Issue Identified -- Ramifications of Control Weaknesses

An auditor was gaining an understanding of internal control over a significant accrual for an entity that raises livestock for milk production. In reviewing the process, she noticed that the CFO prepared the unborn livestock accrual (a significant asset) and gave the staff accountant an entry to post to the general ledger. In past years the controller would prepare the estimate and journal entry with the CFO reviewing it. However, the entity went through a cost cutting initiative after losing a major contract during the year to improve its financial performance. The controller position was eliminated. When asked, the CFO indicated that there was no review of the journal entry. He did not feel it was necessary. The auditor concluded that this estimate had many sensitive and subjective components and therefore was subject to a high degree of estimation uncertainty. She believed that it was a significant deficiency because of the risk of management bias. Due to the loss of the contract the company had been close to violating two of its debt covenants in the second and third quarter. The auditor was aware that the CEO and the board reviewed the financial statements each month, but the auditor was concerned that they were not likely to question an estimate such as this.

E N Q 498



Exercise 3: Peer Review Issue Identified -- Ramifications of Control Weaknesses

In the prior year when controls were functioning, and the company was profitable the auditor performed the followingprocedures.

• Determine whether the assumptions used in forming the estimate are reasonable. This involves challengingmanagement’s assumptions and evaluating the quality of the data.

• Evaluate the internal controls. This includes the review of estimates by management. Understand the data andreliability of the sources used to develop the estimate and recalculate.

In light of the situation in the current year, how might the auditor link this control deficiency to further auditprocedures?

E N Q 499


I. Peer Review Issue #7 – auditors are not evaluating control weaknesses

• Auditors are failing to identify weaknesses in internal controls and classify them as control deficiencies, significant deficiencies, or material weaknesses

• Several ways that control deficiencies come to light:

– Lack of segregation of duties

– Weaknesses identified during understanding the design of controls and whether they have been implemented

– The auditor may identify a misstatement in the financial statements. He/she will want to identify the significance of the misstatement and its root cause when documenting the control deficiency

• Material weakness

• Significant deficiency

• Control deficiency

E N Q 4100


I. Peer Review Issue #7 – auditors are not evaluating control weaknesses (cont.)

• Peer reviewers have noted that auditors:

– Sometimes fail to identify control deficiencies as such at the workpaper when identified;

– Identify the control deficiency but do not aggregate it with others;

– Fail to communicate the deficiencies to management that are not significant deficiencies or material weaknesses;

– Do not document the evaluation of deficiencies as to type as discussed above; and

– Do not consider circumstances identified in AU-C 265 that are present at the client as deficiencies

E N Q 4101


I. Peer Review Issue #7 – auditors are not evaluating control weaknesses (cont.)

• AU-C 265 identifies the following as indicators of material weaknesses:

– Identification of fraud, even if not material, on the part of senior management

– Restatement of previously issued financial statements to reflect the correction of a material misstatement due to fraud or error

– Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected and corrected by the entity’s internal control

– Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance

E N Q 4102


I. Peer Review Issue #7 – auditors are not evaluating control weaknesses ̶ Example

An audit firm was hired by a midsized not-for-profit entity to audit the financial statements. In the first meeting with the board of directors the board chair mentioned that she would like to see the material weakness in the AU-265 report be removed. She was concerned with the perception donors would have of the organization. The auditor agreed subject to one of the board members also reviewing the checks and supporting documentation before they were released. The lack of segregation of duties was related to cash disbursements. There was one bookkeeper who initiated, authorized, processed and recorded the transactions. She also prepared the bank reconciliation and the analytical comparisons that were reviewed monthly by the CFO and the board.

The material weakness was removed. Two years later it came to light that the bookkeeper was embezzling fromthe company. As is often the case with fraud, she authorized disbursements to a company she created. Thiswas discovered by a regulator and it made headlines. The auditor’s work and ethics were called into question.The firm’s workpapers did not contain documentation of why the auditor believed that adding a board member’sreview of checks could mitigate a lack of segregation of duties as significant as this.

E N Q 4103


I. Peer Review Issue #7 – auditors are not evaluating control weaknesses (Example cont.)

E N Q 4104


I. Peer Review Issue #7 – auditors are not evaluating control weaknesses (Example cont.)

E N Q 4105


1. Exercise 4: internal control

Internal Control -- True or False

1. Auditors should always gain an understanding of their client and its internal control.

E N Q 4106




1. Auditors should always gain an understanding of their client and its internal control.

E N Q 4107




2. When testing operating effectiveness of controls, the auditor should focus solely on controls related to significant risks.

E N Q 4108




2. When testing operating effectiveness of controls, the auditor should focus solely on controls related to significant risks.

E N Q 4109




3. If the auditor tests the control environment and the monitoring process, he/she can rely on internal controls at the transaction level.

E N Q 4110




3. If the auditor tests the control environment and the monitoring process, he/she can rely on internal controls at the transaction level.

E N Q 4111

Chapter 4:Linking the Risk Assessment to Further

Audit Procedures


Learning objectives


– Understand the professional standards related to designing audit procedures in response to assessed risk and where peer reviewers are noting deficiencies;

– Identify and implement best practice techniques and documentation for linkage from the risk assessment to further audit procedures; and

– Prepare appropriate documentation for sampling applications

E N Q 4113


I. Risks have been assessed – now what?

Overall responses can take the form of:

– Emphasizing to the audit team the need to maintain professional skepticism;

– Assigning more experienced staff or those with specialized skills or using specialists;

– Providing more supervision;

– Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed; and

– Making general changes to the nature, timing, or extent of audit procedures

E N Q 4114



Example ̶

During the risk assessment process an auditor was concerned that management could override controls due to their need to meet earnings expectations. The entity had 2 complex and significant estimates, the CFO prepared most of the journal entries himself and numerous nonroutine journal entries were made during the year. Since there was no formal oversight mechanism the audit partner concluded that the risk was pervasive. The engagement team spent time in their meeting discussing professional skepticism. The partner highlighted that this is an area where the ASB is refining audit standards. More experienced personnel were assigned the responsibility for auditing the significant estimates. In addition, the audit plan called for additional testing of journal entries for a bona fide business purpose and the risk of fraud than was typical in engagements with less risk. This risk response was documented in the team discussion memo, on the risk assessment summary form and cross-referenced to the workpaper where the audit work was performed. The results of the additional procedures were documented on the workpapers where the work occurred. Had there been any findings that led to expansion of testing this would have been documented in the risk assessment documentation and further modifications made to the audit plan.

E N Q 4115



• Auditor will consider tests of controls and substantive procedures

When there is a: The auditor may:

Significant risk

• Use tests of details alone • Use SAP and tests of details• Use tests of controls and SAP• Use tests of controls and tests of details

Note that analytical procedures alone will not provide sufficient audit evidence where there are significant risks.

Risk is not significant

Use whatever combination of tests of controls and substantive tests will reduce risk of material misstatement to a low level

Substantive procedures must be performed for each material balance or class of transactions regardless of risk.

E N Q 4116



Example ̶

The auditor of a health insurer was auditing a significant accrual for the claims that had been incurred but not reported to the insurer (IBNR). The estimate was based off historical estimates of the length of time it takes for claims to become substantially complete along with the lag time from the service to the receipt by the insurer. The estimate was also adjusted for claims incurred that were outliers. Due to the complexity and inherent risk of the estimate the auditor concluded that controls would need to be tested because substantive tests would not provide sufficient evidence. The risk assessment documentation reflected this decision. Since the area was identified as a significant risk, the special audit consideration was documented along with the workpaper where the testing occurred. Had there been any issues identified that would have caused a reassessment of the audit plan, the auditor would have returned to the risk assessment documentation and made those changes.

E N Q 4117


A. Peer Review Issue #1 – some auditors are properly performing the risk assessment but designing audit procedures with little regard for the results

• Some auditors are properly performing the risk assessment but designing audit procedures with little regard for the results

– What could go wrong?

– Special audit consideration

E N Q 4118



E N Q 4119



E N Q 4120



Example ̶

After performing their risk assessment, the engagement team considered the special audit consideration needed to address the risks of material misstatement. The team identified revenue recognition, which included the deferred revenue account, as significant risks for the occurrence and cutoff assertions. They also identified accounts receivable as a significant risk related to the valuation and cutoff assertions.

Significant risk: Accounts ReceivableAssertions: Cutoff and Valuation

What could go wrong? Accounts are frequently 120+ days old. Management makes special deals with certain customers extending the payment period, but those decisions are frequently undocumented. In addition, the economy in the area has been poor heightening the team’s assessment of risk. The receivables are a very large asset balance and the allowance is material to the financial statements.

E N Q 4121



Example (cont.) ̶

Special audit consideration: The team decided to alter the nature and extent of testing. All testing is performed at year end. They discussed the following additional procedures.

• Perform a hindsight review of prior year receivables collected to determine if management’s estimates were accurate. This supports management’s ability to forecast collectability. In addition to balances that would normally be part of a sample, confirm receivables greater than 90-days-old accounts larger than $20,000. This may result in additional selections.

• On all confirmations, ask if any fees are disputed.• In addition to the evaluation of the aging that is normally performed, for any receivables over $100,000 and 120 days

old, perform procedures to evaluate whether the customer can pay including:• Examining financial statements, where available.• Examining correspondence with the entity, where available.• Performing internet searches to see if delinquent customers have been in the news – be alert to events that

might affect their ability to pay. • Examine the correspondence logs that collections personnel are required to maintain.

E N Q 4122


Linkage in a Financial Statement AuditRisk Assessment Components

Understand the entity and its environment• Relevant industry, regulatory, and other external factors• Financial reporting framework• Nature of the entity, including its operations, ownership

and governance structures• Investments that the entity is making and plans to make• Way that the entity is structured and how it is financed• Entity's selection and application of accounting policies,

including changes• Entity's objectives and strategies and related business

risks • Measurement/ review of the entity's financial performance.

Understand the entity’s internal control and perform tests if necessary or desired

Client acceptance/continuance procedures

Perform preliminary analytical procedures

Develop theaudit strategy

Develop theaudit plan

Make fraud inquires and perform procedures such as journal entry testing to understand risk

Supports the determination of inherent risk

Supports the determination of control risk

Audit team discussion-brainstorm –Risk of fraud,

significant risks

Document- Risk

assessment summary and conclusions

An audit is an iterative process. It’s not over until it’s over!

Link to workpapers

Read the Minutes of the Governing Board

B. Peer Review Issue #2 – auditors are failing to link elements of the risk assessment to the team discussion and other testing

E N Q 4123


Develop the audit strategy

Develop theaudit plan

Document- Risk assessment

summary and conclusions

Link to workpapers

Linkage in a Financial Statement Audit

Identification of issues and adjustments

Post adjustments or pass to Summary of passed adjustments

Evaluate effects of passed adjustments on financial stmts.

Evaluate internal control deficiencies

Draft governance Letter

Perform final analytical review and draft f/s. If issues identified go back and investigate.

Communicate with mgt/draft SAS 265 letter, if applicable

An audit is an iterative process. It’s not over until it’s over!


E N Q 4124



Questions for Discussion

1. Which of these links appear to be the most problematic for audit staff and partners?

2. What are some techniques that you use to keep broken links from occurring?

E N Q 4125


C. Peer Review Issue #3 – auditors are not using appropriate sampling strategies to test internal control

• Inquiry alone is not sufficient to test operating effectiveness of controls

• Peer reviewers have noted that auditors sometimes believe that if written documentation is absent, that inquiry is sufficient testing

• Common misunderstanding -- If the auditor observes a process, this is a test of controls. In the context of internal controls, observation is only relevant at the time it is performed

• Auditor may use evidence relative to tests performed in prior periods after determining if changes have been made by corroborative inquiry, review of document, observation and inspection

• Prior year tests are most effective to use for automated controls but be sure to test general computer controls

• Tests must be performed every three years and some controls tested each year

E N Q 4126



1. Extent of control tests

• The auditor will need to plan the sample considering the following:

– How often the control is performed;

– The length of the period where the auditor wants to rely on the operating effectiveness of the control (generally for the year);

– The auditor’s confidence in the audit evidence available evidencing performance of the control;

– How much evidence is obtained from tests of other controls such as inquiry, observation and review of documents;

– How much reliance the auditor needs to place on the control; and

– How many deviations the auditor expects from testing the control

E N Q 4127



90% Confidence Level

E N Q 4128



Smaller Populations

Less Frequent Procedures

E N Q 4129


2. Exercise 1: peer review issue identified – testing internal control and sample size calculation

2. Exercise 1: Peer Review Issue Identified --Testing Internal Control An auditor decided to test controls over the authorization of disbursements prior to mailing. The entity processed over 500 payments a year. Based on experience gained in prior audits, the auditor determined that controls were generally effective but was not confident that the client personnel would be completely consistent in signing off even though she believed the control was being performed. The auditor planned to perform other tests controls (corroborative inquiry, review of documents, observation) so she only needed moderate assurance from this one control.

What sample size do you think she should choose to meet this objective?

E N Q 4130



• Documentation (from AU-C 230) states that an experienced auditor, having no previous connection with the audit, should be able to understand (from the documentation):

– Extent of the audit procedures performed (sample size and how it was derived);

– The results of the audit procedures performed, and the audit evidence obtained;

– Significant findings and conclusions reached; and

– Significant professional judgments made in reaching those conclusions

E N Q 4131



• Sampling with replacement

• Auditors frequently want to use sample selections to test for accumulation of information and perform substantive testing

– If a dual-purpose sample is constructed the auditor should evaluate if the sample size is large enough to meet both needs (a sample size of 40 may not be large enough to be of much value for substantive testing)

– The population for the test should be complete for the purpose for which each test was designed

– The sample should be evaluated by considering each purpose of the test separately

E N Q 4132


D. Peer Review Issue #4 – auditors are not using appropriate sampling strategies to perform substantive tests

• The AICPA Audit Sampling Guide defines variables sampling as “classical statistical sampling method that reaches a conclusion on the monetary amounts of a population”

• Type of sampling is used to test account balances and classes of transactions to determine if items are recorded appropriately

• Distinction between testing 100% of a population or a portion of a population and sampling

• Auditor is likely to remove the significant items from a population before the remaining population will yield a smaller number of test selections

• Auditor uses tolerable misstatement as a guide

E N Q 4133



Dollar value of the population being tested $1,200,000Tolerable Misstatement $ 75,000Risk of Material Misstatement ModerateReliance on detailed test Moderate

Auditor decided to stratify the sample.Significant items to be tested 100% ($500,000 represents 5 items)

Sample Size = Amount of Population X Risk FactorTolerable Misstatement

Sample Size = $700,000 X 1.6 = 15 + 5 = 20$75,000

If RMM is assessed as low because controls were tested and found to be reliable andthe reliance on the test was moderate, then the sample size would be:

Sample Size = $700,000 X 1.2 = 12 + 5 = 17$75,000

E N Q 4134



• Auditors should document the following:

– How the sample size was determined;

– Method of sample selection;

– How the auditor was sure the population was complete;

– Items selected with characteristics identified on the workpaper;

– The work performed on each item;

– Any deviations;

– Aggregation of differences noted;

– Extrapolation of differences noted; and

– Amounts recorded as a journal entry or passed to the summary of passed adjustments.

– Document if differences are below trivial

E N Q 4135



Questions for Discussion

1. How well do you believe the auditors in your firmdocument sampling applications?

2. How many items would be tested in the sampling exampleabove?

E N Q 4136

Chapter 5:Disclosure Issues


Learning objectives


– Understand the most frequently missed GAAP disclosures;

– Understand disclosure issues related to special purpose frameworks; and

– Identify and implement best practice techniques and documentation to correct deficiencies

E N Q 4138


A. Peer Review Issue #1 – disclosures related to special purpose frameworks

E N Q 4139



• Fair presentation

• Consider overall presentation, structure and content of the financial statements and whether the financial statements, including the related notes, represent the underlying transactions and events in a manner that achieves fair presentation

• When statements prepared on the cash basis or modified cash basis contain items that are the same as, or similar to, those in financial statements prepared in accordance with GAAP, informative disclosures similar to those required by GAAP are necessary

E N Q 4140



• Financial statements should include all informative disclosures that are appropriate for a special purpose framework, including:

– Policy notes that describe the important differences between GAAP and the special purpose framework;

– A description of the special purpose framework, including a summary of significant accounting policies;

– A description of how the framework differs from GAAP; and

– Any additional disclosures that may be necessary for the special purpose financial statements to achieve fair presentation

E N Q 4141


B. Peer Review Issue #2 – frequently missed GAAP disclosures

• Peer reviewers and regulatory reviewers have noted that firms may not be using disclosure checklists or may not understand the requirements in disclosure checklists

• Recently they identified the following deficiencies:

1. Failure to disclose the date through which subsequent events were evaluated. This is a FASB disclosure requirement as well as an important audit step. Nonpublic entities are required to provide information about management’s evaluation of subsequent events

E N Q 4142



• Recently they identified the following deficiencies (cont.):

2. Failure to correctly classify long-term debt, cash flows, and presenting gross amounts instead of net

– ASC 230 requires separate presentation of gross cash inflows and outflows no matter the method (direct or indirect) the cash flow statement is presented. There are some exceptions:

• Cash and cash equivalents (transfers between categories); and

• Financial instruments that are short-term in nature and have a quick turnover, for example, draws and payments on lines of credit

E N Q 4143



• Long-term debt appears to be a challenge as follows:

– Classification of due-on-demand debt should be current

– Long-term debt callable by the creditor because of covenant violations would be current unless the creditor has provided a waiver or lost the right to demand the payment

• ASC 470 states that long-term debt should be classified as noncurrent unless bothof the following exist:

– There is a loan violation at the balance sheet date or a violation would have occurred if the loan was not modified; and

– It is probable that the default would not be cured or covenant would not be complied with at the measurement date without the next 12 months (or operating cycle)

E N Q 4144



• Long-term debt callable by the creditor is a violation if not cured within a grace period. If it is probable that the violation would be cured, it could be classified as noncurrent. But if it is not, the debt would be classified as current

E N Q 4145



Heads Up!

• The FASB is currently working on an exposure draft that will modify the way debt is classified

• The new guidance would be principles-based and applied based on the facts and circumstances that exist at the balance sheet date

• It would include an exception related to waivers of debt covenant violations obtained after the balance sheet date but before the financial statements are issued

• The new guidance would require noncurrent classification of debt if one of the following criteria is met: (1) Debt must be settled 12 months or more after the balance sheet date; (2) The entity has a contractual right to defer settlement of the debt for at least 12 months after the balance sheet date

• Less focus on judgment or intent.

E N Q 4146



3. Failure to identify noncash transactions on the cash flow statements

4. Failure to appropriately disclose related party transactions, debt maturation schedules, and significant estimates

– AICPA has recently issued guidance that highlights the procedures that should be performed relative to related party transactions

– Disclose:

• Nature of the relationship;

• Description of the transaction;

• Dollar amount of the transaction;

• Effect of changes on the terms of the transactions; and

• Balances, terms and settlement of related party receivables and payables

E N Q 4147



5. Failure to appropriately disclose fair value hierarchy of investments, description of the levels. In addition, there was failure to perform procedures or document procedures on the assurance of fair value measurements

E N Q 4148


Update to professional literature – ASU 2018-13, Changes to Fair Value Disclosure

Heads Up!

Update to professional literature - ASU 2018-13, Changes to Fair Value Disclosure

• Effective for fiscal years and periods within those years beginning after December 15, 2019 the disclosure requirements have been modified as follows:

Disclosure Requirements Removed from ASC 820:

• The amount of and reasons for transfers between Level 1 and Level 2 of the fair value hierarchy;

• The policy for timing of transfers between levels;

• The valuation processes for Level 3 fair value measurements; and

• For nonpublic entities, the changes in unrealized gains and losses for the period included in earnings for recurring Level 3 fair value measurements held at the end of the reporting period

E N Q 4149



Heads Up! (cont.)

Disclosure requirements were modified in ASC 820:

• In lieu of a roll forward for Level 3 fair value measurements, a nonpublic entity is required to disclose transfers into and out of Level 3 of the fair value hierarchy and purchases and issues of Level 3 assets and liabilities

• For investments in certain entities that calculate net asset value, an entity is required to disclose (1) the timing of liquidation of an investee’s assets, and (2) the date when restrictions from redemption might lapse only if the investee has communicated the timing to the entity or announced the timing publicly

• The ASU clarifies that the measurement uncertainty disclosure is to communicate information about the uncertainty in measurement as of the reporting date. Public entities provide this information

E N Q 4150



Heads Up! (cont.)

• Disclosure requirements were added to ASC 820 (nonpublic entities are exempt):

• The changes in unrealized gains and losses for the period included in other comprehensive income for recurring Level 3 fair value measurements held at the end of the reporting period

• The range and weighted average of significant unobservable inputs used to develop Level 3 fair value measurements. For certain unobservable inputs, an entity may disclose other quantitative information (such as the median or arithmetic average) in lieu of the weighted average if the entity determines that other quantitative information would be a more reasonable and rational method to reflect the distribution of unobservable inputs used to develop Level 3 fair value measurements

E N Q 4151


Q&A

We will now answer viewer questions that have come in during the webinar

E N Q 4152

C O N N E C T W I T H U S

Facebook.com/SurgentProfessionalEducation

Twitter.com/SurgentCPE

LinkedIn.com/company/surgent-professional-education

Thank you!

Individuals, CPE certificates will be available in your Surgent profile within 24 hours.Groups, please scan and submit the attendance form to [email protected] for CPE certificates.