What to know to avoid deficient not-for-profit audits
Most recent peer review insights suggest that insufficient or inadequate documentation was the most common problem in not-for-profit audits, but better planning could prevent deficiencies.

Peer reviews that monitor compliance with professional standards provide insights into what to look out for in not-for-profit audits to avoid deficiencies. These insights are particularly valuable because firms that audit not-for-profits are facing increasing work demands with fewer resources.
“There are fewer qualified people doing audits, and there is auditor fatigue and stress as a result,” said Brian Archambeault, CPA, a partner in firm quality at Crowe who provides quality oversight for the firm’s public sector service audit practice. “I see it internally and hear it from others in the profession. The requirements for NFP and government audits are not much less than for public companies, with many complexities and little margin for error.”
“In a diverse not-for-profit sector, some entities feel the effects, others don’t,” said Andrew Prather, CPA, a shareholder at Clark Nuber who works in the firm’s not-for-profit and audit practice groups. “At a firm level, it’s about leadership and investment, making sure staff is getting relevant, on-point training, especially to meet heightened [Generally Accepted Government Auditing Standards (GAGAS), also referred to as the Yellow Book] CPE requirements.”
The following are some of the most common issues in peer reviews of not-for-profit audits from Jan. 1, 2023, to Dec. 31, 2023, with Archambeault and Prather providing comments and suggestions for addressing the problems.
DOCUMENTATION
The most prevalent findings were related to documentation, noted in more than half of the audits and in all aspects of the audit. Generally accepted auditing standards (GAAS) require audit documentation to meet a reperformance standard sufficient to enable an experienced auditor to understand the procedures performed and their results.
Issues included inadequate documentation of:
- Required planning procedures, including understanding the entity, internal controls, risk assessment, fraud, and materiality;
- Sampling considerations — total population, how sample was selected, conclusions;
- Design and implementation of the internal control system, identification of key controls;
- Walk-throughs of significant transaction cycles;
- IT environment and IT controls;
- Expectations of recorded amounts when performing analytical procedures;
- Audit procedures performed for going concern, related parties, subsequent events, and compliance with laws and regulations;
- Evaluation of the skills, knowledge, and experience of management taking responsibility for nonattest services provided;
- Nonattest services performed and individual potential impact on independence;
- Subsequent events review; and
- Required communication to those charged with governance.
Other issues involved missing and incomplete workpapers and not using checklists and engagement quality control review documents required by the firm’s system of quality management.
Commentary and recommendations
Many of the documentation issues are evergreen, Prather said: “The basics about not filling out standard workpapers and not documenting areas like internal controls and subsequent events continue to be missed. It appears there continues to be a need for staff supervision, with more involvement by the engagement partner and audit managers.”
“Documentation requirements today are more extensive than in the past, and it requires more effort to both do the work and document it,” Archambeault said. “There is a lot of fee pressure from clients, especially among not-for-profits with cash constraints, and auditors must get more done within tight budgets.”
ENGAGEMENT ADMINISTRATION
Findings covered all aspects of administering engagements, including:
People
- Failure to comply with human resources policies and procedures requiring personnel to participate in CPE in subjects relevant to engagements they perform and their responsibilities.
- Firm’s professionals not obtaining and applying sufficient professional competencies on accounting and auditing subjects relevant to the firm’s NFP entity audits.
- Professional education taken that did not provide firm personnel with a clear understanding of financial statement presentation and reporting matters.
- A firm performing an engagement subject to Government Accountability Office (GAO) standards although the manager did not meet the 80-hour continuing professional education requirement.
Processes
- Engagement letter signed after the report date.
- The firm accepted a not-for-profit audit engagement and did not own the proper quality control materials, which caused the engagement to not conform to professional standards in all material respects. The firm’s client acceptance policies and procedures specify criteria that should be considered when making client acceptance decisions, specifically accepting clients only when the firm has the requisite competence and capabilities to perform the engagement, and require that such decisions be documented on all initial engagements.
- The firm did not identify and communicate preparation of financial statements as a nonattest service and did not document its evaluation of management’s responsibilities for nonattest services.
- Audit report not properly updated to comply with latest professional standards.
- Firm’s system of quality control utilizes a practice aid illustration of an audit report to assist in drafting. The firm did not consult the practice aid and issued a nonconforming report.
- Management representation letters not tailored to the engagement or the financial statements. Letters dated significantly later than the report date.
- The firm did not prepare a letter to communicate matters to those charged with governance.
Commentary and recommendations
“Training needs to be effective,” Archambeault said. “Today, so much of it is done online with people multitasking.”
“The new quality management standards and required root cause analysis should improve the process for correcting audit deficiencies, thus leading to better-quality audits in the future,” he said. “It has always been the case, but the new standards provide increased focus on the engagement partner’s responsibility for the entire audit, and the system of quality control points to the critical oversight role played by partners.”
Archambeault noted the challenge will be partner resources, as partners typically have responsibility for many other activities. He recommended firms implement monitoring procedures on NFP audits while they are in process, focused on areas of increased risk of deficiency. This gives engagement teams a chance to correct issues while wrapping up before the report is issued.
AUDIT PLANNING — RISK ASSESSMENT AND CONTROL TESTING
Proper planning results in more efficient engagements and ensures risks are identified and evaluated. Changes in the geopolitical environment and economy overall create new risks, including fraud, that auditors must address.
“Fraud risks, including cybersecurity risks, require auditors to look back and assess whether events resulted in misstatement of the financial statements,” Prather said. “Audit requirements relating to risks from noncompliance with laws and regulations (NOCLAR) require auditors to look forward and consider unidentified risks in areas like contingent liabilities and grants and contracts.”
The following findings were noted:
- No performance of risk assessment as a basis for identification and assessment of risk at the financial statement or relevant assertion levels; no assessment to obtain an understanding of the internal controls or evaluation of whether relevant controls were properly designed; no identification of any significant risks to obtain an understanding of the control activities relevant to those risks.
- No performance of any fraud risk considerations, specifically, inquiries of management.
- No performance of risk assessment associated with the role of IT relative to financial transactions and reporting.
- Risk assessment did not identify at least one area of the audit with higher risk. Did not identify any significant risks in any of the significant audit areas and performed only basic audit procedures in all areas of the audit.
- Risks were assessed at the financial statement level and the assertion level. However, control risk was assessed at less than maximum in areas where controls were evaluated but not tested.
- Did not evaluate risk assessment at the assertion level to provide a basis for designing and performing audit procedures. The firm utilized a practice aid to document risk, but it was not completed at the assertion level … linkage between risk assessment and procedures performed not well documented.
- Control risk assessed at moderate for all relevant assertions for all significant audit areas and did not perform tests of controls to support assessing control risk below maximum.
- NFP single audit assessed control risk as less than maximum but did not provide evidence that supported planned reliance on controls. Did not document tests of controls and how control tests supported reduced substantive audit procedures.
Commentary and recommendations
“There is often insufficient involvement by partners in planning, risk identification, and designing procedures,” Archambeault said. “Engagement teams can have a great planning meeting and discuss risks and responses but then not document them. The ideal is to document and have a partner sign off shortly after the planning meeting rather than months later.” He noted auditors should communicate early with audit committees and boards about the audit plan and process to get their input.
“The risk assessment standards were purposely written to apply to all entities and all size audits, so firms need to create an audit methodology and turn the standards into useable, practical guidance,” Prather said. This includes tailoring third-party practice aids to the firm’s engagements.
“Inherent risk and control risk must be assessed at an account and assertion level, and control risk is high unless it is tested for operating effectiveness,” Archambeault said. “At times, teams assess control risk as other than high when they haven’t performed testing. There should be a very clear linkage in the documentation between the risk assessment and the procedures performed to mitigate the risks, but that linkage is often broken.”
GENERALLY ACCEPTED ACCOUNTING AND AUDITING STANDARDS
The following issues were noted that are not unique to NFP audits:
- Omitted required disclosures under FASB ASC Topic 606, Revenue From Contracts With Customers, for implementation and accounting policies.
- Firm’s quality control policies and procedures require consultation with practice aids in determining applicable required financial statement disclosures. Firm failed to effectively consult with disclosure checklists.
- Report did not include a description of the evaluation regarding entity’s ability to continue as a going concern … disclosure covering liquidity and availability did not include all required elements.
Commentary and recommendations
“In the last seven or eight years, there were significant accounting standard changes for not-for-profits, but these have come to a close,” Prather said. He noted clients’ and auditors’ ongoing struggles with applying Topic 606 and FASB ASC Subtopic 958-605 to diverse revenues received and correctly identifying if the revenue type is a contribution.
“New standards in the last two to five years, including revenues and leases, require more robust disclosures, and firms need to create a standard package of disclosures to normalize this process and make it more routine,” he said. Prather expects to see more peer review issues about lease disclosures in the next year or two, as many not-for-profits implemented FASB ASC Topic 842, Leases, for 2022 calendar year ends.
The next one to three years will be about the new quality management standards effective in 2025, and Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and related risk assessment standards, Prather added. He noted SAS No. 145 was issued in response to ongoing quality risks and is intended to make the standards more specific and easier to understand and apply. “As I talk to auditors about implementing SAS 145, I am hearing best practice is to standardize as much as possible by having procedures and using checklists to cover the basics on every engagement and then adding on as needed for particular engagements.”
UNIFORM GUIDANCE SINGLE AUDITS
The GAO issued the updated Yellow Book in March. “Auditors doing a lot of these audits have been waiting and watching for this, and for them it should not be a big deal,” Prather said.
“The chapter on quality management has been completely overhauled to incorporate new quality management standards, which does not necessarily impact engagement performance audit-by-audit but requires firms to have a system of quality management in place with documentation and written policies,” Archambeault said.
Prather noted NFPs are now at the tail end of any COVID-19 funding programs that caused significant issues a year and a half ago when there were many new programs and first-time single audits. “COVID programs were flagged as higher risk in the Office of Management and Budget Compliance Supplement, and many missed this,” Archambeault noted.
Peer review comments included:
- Lack of experience with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance).
- Using the wrong Compliance Supplement.
- Inadequate documentation of evaluation and determination of major programs or calculation of materiality for major programs.
- Failure to assess and document risk of material noncompliance with each major program’s compliance requirements due to fraud.
- Did not determine from the Compliance Supplement applicable material and direct compliance requirements and develop audit procedures accordingly; internal control over compliance to support low assessed control risk for the major program and testing of relevant assertions related to each material compliance requirement.
- Yellow Book report on internal control and compliance referred to a significant deficiency noted in the audit. The auditor’s results section of the Schedule of Findings and Questioned Costs indicated no significant deficiencies reported.
- Reporting oversights in the Schedule of Expenditures of Federal Awards (SEFA) not identified during audit procedures. Audit documentation did not identify that a program presented in the SEFA was not properly identified as part of a cluster, and other programs had multiple awards but did not report the total of the awards.
- No prior experience with Uniform Guidance.
- Did not report control deficiencies identified in formal communications with those charged with governance.
Commentary and recommendations
“Auditors who perform single audits need to standardize procedures as much as they can and properly supervise and train staff in this specialized area,” Prather recommended.
“Specialization in this area is important because there are so many accounting, financial reporting, and auditing nuances,” Archambeault said. “Larger firms may perform many single audits, but smaller firms may dabble, increasing the likelihood of audit deficiencies.”
“SEFA presentation issues, which may or may not be catastrophic, continue to arise,” he noted.
OVERALL RECOMMENDATIONS
Quality management and staff training are underlying issues that affect all areas of peer review findings.
“Firm leaders must invest both time and money to help make every staff hour spent very valuable,” Prather said. “This includes making audit procedures more efficient and doing it right, along with having more valuable training hours rather than a greater number of hours.”
The AICPA Peer Review Program Manual can be a resource for firms to identify areas of noncompliance with professional standards and firm policy. “Our firm has implemented an approach to use peer review comments to make us better auditors,” Prather said.
“We have an obligation to the public interest — donors, investors, federal agencies providing funding — to do a quality audit regardless of the size of the fee, and we must always keep this in mind,” Archambeault said. “We need to be efficient but must comply with requirements to avoid poor audit quality, which could expose our firms and ourselves to negative ramifications, such as regulatory penalties, lawsuits, or reputational harm.”
About the author
Maria L. Murphy, CPA, is a senior content management analyst, Accounting & Auditing Products for Wolters Kluwer Tax & Accounting North America and a freelance writer based in North Carolina.