EXECUTIVE SUMMARY | |
![]()
| |
RIC R. ROSARIO, CPA, CFE, is vice-president of risk management and SUZANNE M. HOLL, CPA, is director of loss prevention for CAMICO Mutual Insurance Co., a national provider of professional liability insurance for CPAs. Their e-mail addresses are rrrosario@camico.com and sholl@camico.com , respectively. |
here could be potential trouble in store for auditors
whose private-company clients ask them to apply both PCAOB auditing
standards and generally accepted auditing standards (GAAS). While the
boundaries between the PCAOB’s auditing standards for public companies
and generally accepted auditing standards for nonpublic entities are
clear, nonissuers and those who govern them sometimes are confused
about what the differences are and which standards apply when. The
public—from which juries are drawn—may be confused, too. When you mix
in hungry trial lawyers, you’ve got the makings of a “perfect storm.”
This article will discuss some differences between the two sets of
standards and the steps auditors should take to minimize confusion and
the consequent risk of messy litigation if a private company client
asks them to apply both PCAOB auditing standards and GAAS.
THE FEAR FACTOR
High-profile accounting lapses and more than 1,500
restatements from major corporations over the past four years have
resulted in the most dynamic, negatively charged financial reporting
environment in more than 70 years. Public perception of
CPAs—specifically of their roles and duties as auditors—has been
buffeted as a result. For perspective on how that could pose a danger,
imagine that auditing malfeasance has been alleged against you and a
jury has been selected to hear the case. Now imagine you’re an average
working person who has been impaneled as a juror. How do the
professional issues look from that point of view?
As a CPA, you’re aware that in financial and accounting circles debate about issues of independence, auditing and accounting standards and corporate governance has raged for years. The juror in the jurors’ box doesn’t know that, though. He or she has been inoculated by recent business scandals and those still making headlines today. Moreover, in the course of an auditing malfeasance trial, jurors—to arrive at a verdict—will be expected to acquire a working understanding of the issues and of two complex sets of accounting standards in a very short time. The average person likely will begin to weigh a decision as a choice between nuanced calculations or a more simply expressed complaint by a business owner or other plaintiff.
Private Company
Standards As of 2003 the Auditing Standards Board (ASB) has had jurisdiction to promulgate auditing, attestation and quality control standards relating to the preparation and issuance of audit reports for private companies. Failure to follow ASB standards in auditing a private company is a violation of rule 201 and/or 202 of the AICPA’s Code of Professional Conduct. Source: “GAAS and PCAOB Standards: Applicability and Integration,” The Practicing CPA (May04), AICPA. |
BACK TO BASICS
To help avoid potential misunderstandings that might lead to
litigation, private company auditors should apply these solid practice
management fundamentals:
Be selective about the clients you accept.
AICPA Practice Alert no. 2003-03, Acceptance and
Continuance of Clients and Engagements, describes some crucial
policies and procedures CPAs should follow when deciding whether to
accept or continue a client relationship or to perform a specific
engagement. The guidelines help a firm gauge its competency to perform
an engagement, its independence and objectivity, the client’s
integrity and competence, the client’s commitment to internal control
and generally accepted accounting principles, and the client’s
financial viability. Assess the client’s financial literacy, too.
Do thorough due diligence on all prospective clients.
Perform a background check on the client’s key decision
makers in all significant engagements. This is especially important
when the company is considering a public stock offering, is seeking to
acquire another company, may itself become an acquisition target or is
anticipating involvement in other significant transactions.
Craft carefully worded engagement agreements before taking
on a client. After discussing all the details of the
potential engagement with the client, put your understanding in
writing before you start.
APPLYING BOTH STANDARDS UPS THE RISK
Pay attention to liability-control strategies as you deal with
audit clients and with third-party users of your firm’s other attest
work products.
Probe the client to learn who the work product end users
will be. If a private-company client says it wants
you to use “some” PCAOB auditing and related professional practice
standards instead of GAAS or in addition to them, you need to know
what the client is trying to achieve. Ask who, besides your client,
will use the work product: Will it be banks or other financial
institutions, creditors, investors, supply chain vendors or
governments? Each type of end user has a specific need. Note that
third-party end users also may be confused about the new regulations.
It’s as easy for them to conclude a PCAOB audit is in some way
superior to a GAAS audit as it is for people who are not well-versed
in financial reporting. Be cautious and focus on making an appropriate
match between your firm, the client and the end user of your attest
work.
If a privately held client requests an audit pursuant to PCAOB audit standards, be alert to the issues involved if you comply. For example, a private company considering going public doesn’t need a PCAOB-type internal control audit, but it might believe that one would enhance its perceived value—or it may want to see how such an audit would affect its operations. Another example might be a public company considering acquiring a private company; both parties may want to see how the target company measures up to PCAOB audit standards. Clients making such requests may not be financially sophisticated or aware of the ramifications of using different audit standards—one reason why they rely on a CPA firm.
Some clients may say they are interested in “some PCAOB procedures” but not in having the audit performed in accordance with “all” PCAOB standards because of the expense and effort required. Even third parties such as banks and creditors may think certain practices that mirror PCAOB audit procedures are appropriate, such as having the client CEO and CFO certify internal control or other Sarbanes-Oxley-related procedures. You need to discover why the client is making the request. If the client’s basic goal is rational but the method it suggests is unnecessary, then inform the client what is and isn’t appropriate.
Educate the client. Private-company requests
for PCAOB audits give you an opportunity to educate clients about GAAS
and PCAOB standards and the requirements of each. Inform the client
that private companies are not required to use PCAOB standards and
that GAAS are still the norm. Clarify the audit options available for
privately held companies. Explain the differences between an audit
conducted in accordance with “the auditing standards of the Public
Company Accounting Oversight Board” (PCAOB auditing standards) vs. an
audit conducted in accordance with GAAS.
Audit reports representing that the audit was conducted in accordance with PCAOB audit standards and GAAS, but which are later found not to be in compliance with all applicable PCAOB auditing standards, may be deemed substandard by the AICPA peer review program, depending on the severity of the deficiencies. If a private company decides it wants its auditor to follow and report using PCAOB auditing standards, the auditor must follow both GAAS and all PCAOB auditing standards (see “ A Standard by Any Other Name ”).
Inform the client that voluntary compliance with some variation of PCAOB standards in an audit is not necessarily in its best interest. Let the client know that the expense and effort of complying may well outweigh the potential benefits it is seeking, and the outcomes may differ from what the client expects. For example, a private company may find implementing the new reporting requirements under section 404 of the Sarbanes-Oxley Act imposes a significant burden that diminishes the entity’s viability or attractiveness.
To make sure a private-company client has a well-grounded understanding of all of the issues involved and is able to make informed decisions, you may have to “push back.” If a lender or creditor has requested an audit in compliance with PCAOB auditing standards, communicate to the client—and the lender, if the client authorizes you to—that, although you would like to comply with the request, your services are limited to an audit according to GAAS (or other standards) if that’s what you think is appropriate. (For more information, go to http://www.pcaobus.org/Standards/Staff_Questions_and_Answers/index.aspx .)
RESOURCES | ||
Audit and attest standards team
CPE
Publications
For more information about these resources or to order, go to www.cpa2biz.com or call the AICPA at 888-777-7077.
PCAOB auditing and related attestation, quality control, ethics and independence standards and rules are available free of charge at www.pcaobus.org/standards/index.asp . |
Always document discussions with the client.
If a client makes an informed decision to request an
audit that adheres to GAAS and the auditing standards of the PCAOB, be
clear in the engagement letter and the audit report that the client
requested an audit performed “in accordance with generally accepted
auditing standards as established by the AICPA Auditing Standards
Board and in accordance with the auditing standards of the Public
Company Accounting Oversight Board (United States),” as recommended by
Interpretation no. 18, “Reference to PCAOB Standards in an Audit
Report of a Nonissuer,” to SAS no. 58. In the engagement letter, list
the client’s reasons for using both sets of standards.
If a client who normally has a GAAS audit decides to request additional audit procedures that could be construed as PCAOB procedures, state clearly in the engagement letter that the audit should not be construed as following PCAOB audit standards and that the use of the procedures should not be construed as an upgrading of the level of service.
Be careful if you apply both standards. If you
apply both PCAOB auditing standards and GAAS, know that you must
accept responsibility for performing the audit according to the two
sets of standards, which adds risk to the engagement.
Educate everyone in the firm—especially younger staff
members—about all auditing standards. Institute a
formal training program that covers compliance issues with the
specific auditing and related professional practice standards,
including (audit and other) PCAOB standards. Remember to cover the new
rules and the need for staff to be careful in their conversations with
clients. Teach them to document all conversations and to recognize
when they are being asked to do something outside the scope of an
engagement.
Ensure partners and staff are equally well-informed.
Partners of your firm need to be well-versed in all
standards to advise a client about what is most appropriate.
Communicate early and often with clients. An
auditor’s primary defense consists of frequent, documented
communication with the client, coupled with a signed engagement letter
that addresses and describes in limiting language the standards
applied in the audit. Cultivate frequent communication about the
facets of the engagement with clients. Document all conversations with
them. Send follow-up e-mails that restate the conversations. Include
safe-harbor language (provisions that demonstrate good faith and
reduce liability). In conversations with clients, describe in detail
what each set of standards requires, what each is intended to do and
what each will not do. Clearly communicate that auditing the financial
statements of private companies in accordance with PCAOB standards
does not mean the engagement will be subject to the inspection or
disciplinary processes of the PCAOB.
Know that your audit report’s statement of the methods and
standards used won’t absolutely prevent litigation.
All final reports and letters that accompany an audit
refer to the methods and standards used to perform the engagement.
Many CPAs mistakenly think such acknowledgement is specific enough to
protect them from malpractice litigation. It is not; unfortunately
people often hear—or infer—what they want to.
Although an audit report, with its
definition of which standards were followed, is your final line of
defense should you be sued for malpractice, an aggrieved client may
claim it is unclear. Audit report users may believe that an audit
performed in accordance with PCAOB auditing standards complies with
the entire PCAOB system of regulation, including all internal
control checks and other procedures such as inspection by the PCAOB.
However, the PCAOB enforces compliance for auditors of public
companies only, not private companies. The engagement will be subject
to the AICPA peer review program, which, if you are selected, will
review the engagement for compliance with PCAOB auditing standards as
well as GAAS (see “ Work-Product Documentation ,”
and “ Peer
Review Is Stronger and Better Now, ” JofA , Apr.05,
page 44).
An auditor does not need to be registered with the PCAOB to apply PCAOB auditing standards to private companies. However, the primary qualification for any auditor is competence, and clients, third-party users and the public expect auditors to produce successful results—that is, “to get it right.” In the event of an unsuccessful result, the auditor who has used PCAOB auditing standards but is not registered with the PCAOB may be at risk.
Collect additional fees to offset added risk.
If you perform the audit according to both PCAOB
standards and GAAS, don’t be timid about collecting appropriate fees
for the additional work and risk.
Get ready before the next round of upheaval.
Just as all the confusion surrounding auditing standards
is hitting CPAs, another wave soon will hit the profession from a
similar problem: the possible emergence of differing standards related
to generally accepted accounting principles (GAAP) in public entities
vs. privately owned companies (sometimes referred to as “baby GAAP”).
Many of the issues that have emerged in auditing also will surface in
the looming debate on GAAP.
![]() 360 Degrees of Financial Literacy for Women, an enhancement of the 360 Degrees of Financial Literacy program, launched earlier this summer. Developed by the AICPA’s PFP section, it focuses on educating women to take control of their personal finances and achieve greater financial well-being. The new Web site features more than 600 articles and tools targeted to women’s financial issues. Six topic areas help women focus on how various life issues affect their personal finances:
To find more information on 360 Degrees of Financial Literacy for Women, please visit www.360financialliteracy.org/women . |
PERCEPTION IS YOUR REALITY
As if all this isn’t enough to contend with, there is a higher
standard being applied to the evaluation of CPAs’ work: public review
through juries and the courts. Not long ago, a national survey asked
potential jurors about their perceptions of the accounting profession
and the responsibilities of CPAs. The results showed the public holds
accountants to standards much higher than it did before the recent
financial reporting scandals. For instance, the percentage of the
public expecting accountants to uncover fraud in a review engagement
has gone up to 70% from about 40%. Such expectations can have major
implications for an auditor facing litigation.
Public expectations and perceptions constitute what are called jury or claims standards, which every CPA should consider in his or her daily work. Because the public expects CPAs to produce a successful result, CPAs will find themselves more exposed to liability in the event they do not get it right. If a disappointed client or third party can demonstrate it was confused about the CPA’s services, a jury will be more likely to punish the CPA. Communicating the nature of the audit services in a way the client will understand—and documenting those communications with the client—are therefore essential risk management practices.
CASE STUDYA Standard by Any Other Name
P ost-Sarbanes-Oxley, users as well as auditors are grappling with standards confusion. The issue: Do private company financial statement users understand the difference between what is required when auditing public companies vs. private companies? At Gifford, Hillegass & Ingwersen, LLP (GHI), most of our clients want to know, in simple terms, what affects them and what doesn’t. We take every opportunity to discuss the significant changes in the audit and accounting environment with our clients, but other financial statement users also would benefit from some explanation.
Auditing Standards Board Interpretation no. 17 (AU section 9508 of AICPA Professional Standards ) clarifies the applicability of GAAS and provides optional language to include in a privately held company audit report where an opinion on the effectiveness of the company’s internal control over financial reporting isn’t required. A CPA should consider modifying the standard report’s second paragraph by adding the optional language:
“We conducted our audit in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements. An audit includes considerations of internal controls over financial reporting as a basis for designing audit procedures that are appropriate in circumstances, but not for purposes of expressing an opinion on the effectiveness of the Company’s internal control over financial reporting. An audit also includes…”
Special audit report language is needed when a nonissuer requests a PCAOB audit. Under PCAOB standards an audit of an issuer’s internal controls over financial reporting is inherent, so if a nonissuer engages a CPA to conduct a PCAOB audit and the client’s internal controls are not audited, it’s necessary to disclose that in the audit report. Instances in which a nonissuer might request an audit in accordance with both PCAOB auditing standards and GAAS are when
A private company is being acquired by a public company.
A private company is preparing to go public.
AICPA Auditing Standards Board Interpretation no. 18, paragraph 92 (AU section 9508), issued in June 2004, illustrates the appropriate wording: “Following is an example of additional language that may be included in the auditor’s report to indicate that an audit was conducted in accordance with both generally accepted auditing standards and the PCAOB’s auditing standards, and to clarify that the purpose and extent of the auditor’s testing of internal control over financial reporting was to determine the auditor’s procedures and was not sufficient to express an opinion on the effectiveness of internal control.”
For a PCAOB report on a nonissuer, here is language to show that an internal control audit was not required for a nonissuer and to clarify the level of internal control work that was done:
[ After same first paragraph as the standard report. ]
“We conducted our audit in accordance with generally accepted auditing standards as established by the Auditing Standards Board (United States) and in accordance with the auditing standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. The Company is not required to have, nor were we engaged to perform, an audit of its internal control over financial reporting.
“Our audit included consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control over financial reporting. Accordingly we express no such opinion. An audit also includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audit provides a reasonable basis for our opinion.” We conclude with the standard report opinion paragraph.
Audit report language is not a panacea for user confusion. However, it does alert the user that there is a difference and it can open the door for the CPA to provide additional explanation. Our profession is known for its ability to organize, analyze and disseminate data. The profession must be proactive in applying this ability to the changing audit standards environment.
—Cindy Ethridge, CPA
Gifford, Hillegass & Ingwersen,
LLP, Atlanta