To help audit firms develop more-focused remedies for their accounting and auditing practices, the AICPA Peer Review team has been collecting data since December 2012 on Matters for Further Consideration (MFCs). An MFC form is used by peer reviewers to electronically capture “matters” detected during a peer review that are the most granular level of information indicating accounting and auditing deficiencies.
The AICPA Peer Review team is using the data to identify problem areas in order to provide firms with tools to increase audit quality. Reviewing these trends can help raise awareness of potential problems at audit firms and significantly improve audit quality.
This list describes the most frequent matters the Peer Review team has found related to the following professional standards and practice areas:
U.S. GAAP AUDITS
- No disclosure of tax years that remain subject to examination by major tax jurisdictions.
- No disclosure of the date through which subsequent events were evaluated.
- Incorrect classifications on the cash flow statement.
- Long-term debt was not segregated into current and long-term portions.
- Missing or insufficient sinking funds disclosure, term, interest rate, maturity, covenants, and collateral, if any, for a note payable.
- Missing or insufficient fair value disclosures related to fair value hierarchy of investments, description of the levels, descriptions of the methods used, and tabular presentation of amounts. This also included insufficient procedures and documentation regarding the procedures to obtain assurance of the fair value measurements.
Clarified Auditing Standards
- Failure to update the audit report to conform to the audit standards.
- Failure to appropriately document planning procedures, including risk assessment (and linkage of risks to procedures performed), planning analytics, and internal control testing.
- Representation letters that were dated incorrectly, did not cover the appropriate periods, or were missing required representations.
- Failure to communicate and/or document required communications with those charged with governance.
- Insufficient competent evidence in audit documentation to support the firm’s opinion on the financial statements.
Accounting and Review Services
- Reports were not prepared in accordance with professional standards. The following matters were noted:
- Not updated for Statement on Standards for Accounting and Review Services (SSARS) No. 19, Compilation and Review Engagements.
- No headings on the report.
- Inappropriate titles.
- No explanation of the degree of responsibility the accountant is taking with respect to supplementary information.
- Failure to mention that substantially all disclosures are omitted.
- Failure to obtain an engagement letter or revise the letter for SSARS 19.
- Representation letters that were dated incorrectly or did not cover the appropriate periods.
- Reports were not updated for SSARS 19 or had inappropriate titles.
- Failure to obtain an engagement letter or revise the letter for SSARS 19.
Various matters were identified related to agreed-upon procedure reports, most frequently failure to include the word “independent” in the report title. Other matters included failure to include:
- A title;
- Reference of the AICPA attestation standards;
- A statement that the sufficiency of the procedures is solely the responsibility of the specified parties, and a disclaimer of responsibility for the sufficiency of those procedures; and
- Identification of the subject matter or the engagement or written assertion or the character of the engagement.
- Failure to include all elements required by attestation standards in the engagement letter.
Service Organization Control (SOC) Reports
For SOC 1 engagements, MFCs were most frequently related to:
- The service auditor lacking the experience and training required under Statement on Standards for Attest Engagements No. 16, Reporting on Controls at a Service Organization, to properly complete a Service Organization Control Report.
- The client acceptance, the description of controls, and the audit documentation omitting reference to: the need for complementary user controls if any exist; the risks that threaten the achievement of the control objectives and the linkage between the controls included in the control description; and the proper identification of subservice organizations and related services and ultimate use of the carve-out method.
- The information included in the report lacking sufficient support in the workpapers. Problems included lack of documentation to assess the nature, timing, and extent of the procedures (specifically, sampling methodology); control testing that did not address the elements of the control, all IT general controls, and change-management controls; and a lack of documentation of procedures to support the Other Information included in the report.
- Incorrect references included or incorrect language used in the report, including user controls, carve-outs, and other information.
In the sole MFC discovered related to SOC 2 audits, the report issued nonstandard wording regarding complementary user entity controls.
Governmental, A-133, Housing and Urban Development
- Failure to include all of the required elements of professional standards in the auditor’s report on internal control and compliance, including: omitted “independent” from report title, omitted reference to material weaknesses or significant deficiencies included in the Schedule of Findings and Questioned Costs, and omitted a clause stating that the entity’s responses were not audited and that the auditor expresses no opinion on those responses.
- Failure to include all of the required elements of professional standards in the auditor’s report including the following omissions: identification of the governmental entity’s major funds, and addressing supplemental information and required supplemental information.
- SINGLE AUDIT: Failure to properly report information on the Schedule of Expenditures of Federal Awards including the following errors: missing or improper identification of Catalog of Federal Domestic Assistance (CFDA) numbers or awards, failure to total programs with same CFDA numbers, and failure to properly present programs as clusters.
- Failure to properly document the evaluation of management’s skills, knowledge, and experience to effectively oversee nonaudit services performed by the auditor.
- SINGLE AUDIT: Failure to obtain the applicable written management representations from auditee management tailored to the entity and governmental audit regarding federal awards.
- SINGLE AUDIT: Failure to document an understanding of internal control over compliance of federal awards sufficient to plan the audit to support low assessed level of control risk for major programs, including consideration of risk of material noncompliance (materiality) related to each compliance requirement and major program.
- SINGLE AUDIT: Failure to document the testing of controls and compliance for the relevant assertions related to each compliance requirement with a direct and material effect for the major program.
- SINGLE AUDIT: Improper identification of an auditee as low-risk when the previous two Data Collection Forms were not timely filed or auditor did not fulfill its responsibilities with regard to completion of auditor portion of Data Collection Form.
Employee Retirement Income Security Act
- Missing or insufficient documentation of income-allocation testing at the participant level.
- Insufficient procedures and documentation for reliance upon SOC 1 reports in lieu of testing income allocations and investment options at the participant level.
- Missing or insufficient documentation of benefit payment testing.
- Failure to disclose investments that represent 5% or more of net assets.
Banking, Including Federal Deposit Insurance Corporation Improvement Act
- Failure to include all elements required by professional standards in the accountant’s report on internal controls.
- Failure to understand and comply with the independence rules applicable to these engagements, i.e., SEC independence rules do not allow the auditor to also prepare the client’s financial statements.
- Failure to properly disclose:
- Valuation allowances and related segmentation information of the loan portfolio.
- Consolidated capital ratios and requirements.
- That the entity was subject to expanded regulatory supervision and why.
- Other real estate owned (OREO) and goodwill in the fair value footnote as a nonrecurring measurement item.
- Insufficient audit testing of real estate lending, including inadequate quantitative information such as aging, past-due status, or historical charge-offs. Similarly, insufficient audit testing of foreclosed property data, including inadequate testing of current-year additions or analysis of fair value/carrying value.
- Insufficient audit testing of certain subjective, qualitative components of the allowance for loan loss, and retrospective review of the allowance for loan loss for bias.
- Management representation letter did not contain representations specific to financial institutions.
- Failure to comply with SEC independence rules, including not preparing financial statements for clients.
- Inappropriately referenced use in audit reports of the PCAOB standards to perform the audits when the Statements on Auditing Standards were followed.
- Inappropriate audit reports on internal controls. Problems included use of the noncarrying format for a carrying firm, outdated definitions of internal control, and restrictions of the report to management and regulations.
- Failure to use a broker-dealer specific financial statement checklist, which led to missing required disclosures.
The Peer Review team has developed a webpage, available at tinyurl.com/mdvh896, to be updated quarterly with new MFC data. The page will keep auditors updated on the matters most commonly found in peer reviews.
In addition to reporting on MFC data, the Peer Review team is an integral part of the AICPA’s Enhancing Audit Quality (EAQ) initiative. EAQ is a holistic effort looking at auditing from multiple facets that is expected to bring changes for the peer review process that will be designed to continue to improve audit performance.
To comment on this article or to suggest an idea for another article, contact Ken Tysiac, editorial director, at email@example.com or 919-402-2112.
“Introducing the New Principles-Based Peer Review Standards,” May 2009, page 39
AICPA Peer Review Program Manual (#QR-XX)
- Upcoming Peer Review: Is Your Firm Ready? (#731965)
- AICPA Peer Review Program Competency Exam (#159900)
Governmental and Not-for-Profit Training Program, Oct. 20–22, Las Vegas
For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.