How to manage risks related to multijurisdictional group audits

Audits of U.S. companies increasingly require accountants to manage the challenges and risks of dealing with multiple foreign jurisdictions.
By Sean T. Lager, CPA, and A.J. Hurst, CPA

How to manage risks related to multijurisdictional group audits
Image by akindo/iStock

Globalization isn't a fad. Accounting firms are increasingly serving clients that are transitioning operations to foreign markets. As a result, firms of all sizes are increasingly providing assurance services and, more specifically, performing audits for their clients that fall within the scope of the group audit standard. That can prove challenging when multiple jurisdictions with differing regulations, professional standards, and languages are involved.

The AICPA Auditing Standards Board (ASB) in 2012 issued SAS No. 122, Statements on Auditing Standards: Clarification and Recodification, which includes AU-C Section 600, Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) (AICPA, Professional Standards, AU-C Section 600). The standard gives guidance to auditors when other auditors are involved in a group audit, which generally requires a significant amount of professional judgment in determining whether to use the work of another auditor, make reference to the report of the other auditor, or perform the work on the component directly. That determination can be very difficult to make, especially when the U.S. auditor is using the work of a firm in a foreign jurisdiction that may not have a capital market, a regulatory regime, or cultural influences on the profession. So, this raises the question of how to get comfortable with the audit quality and determine "what's behind the audit opinion" when a group auditor is relying on other auditors in foreign jurisdictions.

Practitioners should take a proactive approach to understand the inherent risks associated with group audits and how they should be performed. These risks go beyond the risks inherent in the financial statements and include risks associated with using the work of other auditors. Significant planning, communication, and professional judgment are required to ensure that proper steps are taken to reduce these risks while providing continued optimal client service.

WHAT IS A GROUP AUDIT?

Group financial statements include the financial information of more than one component, including combined financial statements of components under common control. AU-C Section 600 provides guidance on special considerations in performing group audits, including defining what constitutes a group, a component of the group, component auditors, and the group engagement team and group engagement partner. AU-C Section 600 also provides parameters under which group audits should be accepted, performed, and reported on. Group audits often include components representing international jurisdictions.

The group engagement partner, as defined by AU-C Section 600, is responsible for overseeing the group audit and ensuring that the group audit is completed under applicable professional standards, applicable regulatory and legal requirements, and the group audit firm's policies and procedures. This includes ensuring that component auditors also complete their audit procedures and reporting under applicable standards.

The group engagement partner is responsible for the group audit opinion, including determining whether to assume responsibility for the work of the component auditors or to make reference to the audit of a component auditor in the auditor's report. Note that AU-C Section 600 has been converged with International Standard on Auditing (ISA) 600, Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors). AU-C Section 600 allows making reference to the audit of a component auditor whereas ISA 600 does not.

Strong communication between the group auditor and all component auditors is critical to effectively and efficiently completing a group audit under applicable professional standards. The group auditor should obtain an understanding that all component auditors involved in the group audit will comply with the ethical requirements that are relevant to the group audit, with particular focus on independence requirements, and should request that the component auditor confirm that he or she will cooperate with the group engagement team. The group engagement team should also evaluate whether sufficient appropriate audit evidence on which to base the group audit opinion has been obtained from the audit procedures performed by both the group engagement team and any component auditors.

The responsibilities of the group engagement team and group engagement partner discussed above result in certain inherent risks associated with multijurisdictional group audits that group auditors need to understand and work to mitigate. If these risks are not fully understood and mitigated by group auditors, the result could be a poorly executed audit.

A poorly executed audit can lead to audit failures, which could result in lawsuits against the group audit firm or damaged reputation of the group audit firm. Public confidence in the audit profession could also suffer, which would imperil the success of the audit profession.

MULTIJURISDICTIONAL AUDIT RISKS

Exercising strong professional judgment is necessary related to using audit work performed by component auditors.

A multijurisdictional group audit could, for example, involve a group auditor in the United States and firms in Country A and Country B serving as engaged component auditors in different international jurisdictions. Country A has strict regulatory requirements for auditors. In Country B some auditors are poorly trained, lack oversight and enforcement, and are exposed to negative influences. This example serves to illustrate specific risks and risk-mitigation strategies.

Evaluating the acceptance or continuance of a group audit includes understanding and assessing risks related to differences in jurisdictional reporting frameworks, ethical requirements, education and training, laws, quality-control procedures, regulatory environments, and auditing standards. Additional risks may exist related to jurisdictional auditor oversight, discipline, and external quality assurance and differences in policies and procedures, including audit methodologies. Language and culture are additional considerations.

The nature and magnitude of the differences in relation to the items noted above drive the nature, timing, and extent of procedures required to be performed by the group engagement team with regard to obtaining an understanding of the component auditor (firm) and ultimately being able to use the work performed by the component auditor.

Professional judgment should be used to determine whether the group auditor is able to rely on the component auditor's work. A significant consideration is whether the component auditor can complete audit work in a timely manner to meet group reporting timetables. There may be instances when the group auditor will not rely on the component auditor's work due to the underlying risks that the group auditor is unable to accept, such as that audit risks are not properly addressed and expected procedures are not effectively performed.

In the case of Country B, the engagement of component auditors by the group engagement team may require more thorough consideration by the group engagement team than the engagement of a component auditor in Country A. This would include more involvement in the component audit by the group engagement team. If Country B, for example, has adopted international standards on auditing, but jurisdictional auditor oversight and training policies are not strictly enforced, the group engagement team would need to be more closely involved with the planning, execution, and completion phases of the component audit.

In contrast, the group engagement team would be able to more confidently use component audit work performed by the component audit firm in Country A with less oversight and involvement. The group engagement team may need to be more explicit and detailed when requesting certain audit procedures be performed by the component audit firm, and provide more detailed documentation requirements related to work completed for the component auditor in Country B. The group engagement team may also consider visiting the component audit firm before, during, and/or after fieldwork, in order to assess competence, closely monitor work performed, and/or consider reperforming audit procedures in high- and significant-risk audit areas. Most importantly, the group auditor may wish to communicate more frequently with the component auditor in Country B.

Cultural differences between the jurisdiction in which the group auditor operates and the international jurisdiction of the component auditor can have a significant impact on group auditor oversight and review needed in order for the group auditor to use the work of the component auditor. Professional judgment is necessary for the group auditor to address how the cultural differences may impact the nature, timing, and extent of work to be performed by the group auditor to allow use of the work performed by the component auditor. For example, cultural influences on the interpretation of independence requirements could impact the component auditor's judgment in applying professional standards.

Cultural differences, local laws, or firm policies may also limit the availability and quality of audit evidence and information needed by the group engagement team to obtain an understanding of the work the component auditor performed in supporting its audit opinion. It is incumbent on the group auditor to obtain an understanding of these issues in planning the group audit. Examples of obtaining this understanding could be through the group auditor obtaining an agreement with the component auditor through an engagement letter or reporting package. In addition, working with network firms involves understanding network monitoring and oversight in the component auditor's jurisdiction. Furthermore, involvement in the work of the group auditor may include workpaper review and reperformance of audit procedures for significant components mitigating the aforementioned risks.

Assessing the noted risks and how they might impact the overall group audit requires significant group engagement team and group engagement partner judgment to determine the level of acceptable risk and how to potentially mitigate that risk.

MITIGATING RISKS

Based on the wide range of risks, group engagement teams may at times find it difficult to use the work of component auditors. However, resources and procedures are available to the group engagement team to help alleviate some of these risks and to ensure an effective group audit. Overall, timely auditor communication, sound professional judgment, and significant professional skepticism are integral in performing an effective group audit.

The group engagement team should obtain an understanding of the professional reputation of the component auditor. In the United States, this may include inquiring of the AICPA, the PCAOB, the state board of accountancy by which the component auditor is licensed, and the applicable state society of CPAs (or a local chapter thereof) to which the component auditor belongs. If the component auditor is engaged in a peer review process, obtaining and examining the component auditor's peer review report, if it is available, could provide valuable information related to the component auditor.

For component auditors in foreign jurisdictions, the group engagement team may make inquiries of the corresponding professional organization within the component auditor's jurisdiction.

The component audit firm in Country A would likely be subject to strict requirements, and its professional reputation would reflect those requirements. The group engagement team would likely not have much difficulty getting comfortable with the reputation of the component audit firm in Country A.

In Country B, the group engagement team may want to discuss the reputation of the component audit firm with local audit authorities. However, group engagement teams may find it particularly difficult to determine whether it is appropriate to use the work of a component auditor when professional oversight, discipline, and external quality assurance are lacking in certain jurisdictions, and inquiry to obtain documentation related to the professional reputation of the component auditor is difficult. For Country B, the lack of professional auditor oversight could potentially make it difficult for the group engagement team to effectively mitigate this specific risk.

Regarding Country B, the group auditor would consider whether the component audit firm is in a network and, if so, whether the network is a member of the Forum of Firms, which has strict membership requirements around its member networks maintaining and monitoring audit quality. If the network is not a Forum of Firms member, the group auditor may obtain an understanding of the quality-control requirements and how (or if) the network monitors audit quality of its member firms.

The group engagement team should also determine the nature, timing, and extent of its involvement in the work of component auditors. This may include determining whether it is necessary to review the audit workpapers of the component auditor, which in turn may include a physical visit to the component auditor's office as well as to the component audit client in an international jurisdiction to evaluate the environment in which the component auditor, as well as component management, is operating.

For the component audit firm in Country B, it would be more likely that these risk-mitigation strategies would be necessary. The group engagement team would closely communicate with the component auditor during the audit review process, and reperforming the work of the component auditor would almost always be necessary. These determinations require professional judgment and thorough analysis of the risks described above. The group engagement team's access to information may be restricted by circumstances that may be difficult to overcome by the group engagement team or group management. This may include laws prohibiting the access to the information or denial of access by the component auditor, due to firm policies.

The extent of access to workpapers as well as whether the component auditor is willing to provide copies of the component audit workpapers should the group auditor find it necessary to obtain copies for the group audit file are important considerations. The group auditor should also consider documenting these arrangements with the component auditor during the planning phase of the audit, which can take the form of an arrangements letter, or in the group audit instructions.

Ultimately, the group engagement team is responsible for looking past just the audit opinion of the component auditor to ensure that sufficient and appropriate audit evidence has been obtained by the component auditor, and for taking necessary steps to ensure that this requirement is met. The group audit engagement team would likely feel more comfortable that these requirements have been met related to the component audit firm in Country A.


About the authors

Sean T. Lager (sean.lager@frazierdeeter.com) is an audit partner at Frazier & Deeter in Atlanta, former vice chairman of the AICPA Technical Issues Committee, and a member of the IFAC Transnational Auditors Committee. A.J. Hurst (aj.hurst@frazierdeeter.com) is senior audit manager at Frazier & Deeter.

To comment on this article or to suggest an idea for another article, contact Sabine Vollmer, senior editor, at Sabine.Vollmer@aicpa-cima.com or 919-402-2304.


AICPA resources

Articles

Publications

  • Audit and Accounting Manual (#AAMAAM16P, paperback; #WAM-XX, online access)
  • Understanding the Responsibilities of Auditors for Audits of Group Financial Statements—Audit Risk Alert (#ARAGRP13P, paperback)

CPE self-study

  • Audits of State and Local Governments: What You Need to Know (#746212, text; #157942, online; #GT-AUSL, group training)

For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.

SPONSORED REPORT

Cybersecurity threats proliferating for midsize and smaller businesses

This report details how SMBs can properly protect private information from breaches, design and implement a cybersecurity policy, and create safeguards for training and education.

QUIZ

News quiz: Senate health care bill in the spotlight

Reports related to the Republican bill to repeal many provisions of the PPACA, other tax issues, and the giant AICPA ENGAGE Conference offered a diverse reading list for June. See how much you know about recent news with this short quiz.