Many auditors have begun to turn their sights to their next group of audits: clients with 2020 fiscal year ends. The World Health Organization declared a public health emergency on Jan. 30, 2020, meaning many of these clients will have been affected by the COVID-19 pandemic during the period under audit.
Auditing these clients will carry unique challenges, and certain areas may present heightened risks of material misstatement for the audit. Here are four such areas for auditors to consider as they prepare for their next audits of commercial entities.
When states issued stay-at-home orders in March and April, many entities were presented with a new reality. As they shifted from the office environment to remote working, and as financial reporting processes moved from in-person to virtual, the risk of breakdowns in internal control was heightened.
Auditors are required to evaluate the design and implementation of controls relevant to the audit for each client. To determine whether a control is relevant to the audit, auditors should exercise their professional judgment. Auditors should consider what could go wrong from a financial reporting perspective and whether certain controls can mitigate those risks.
The client’s relevant controls may have changed dramatically during the pandemic to accommodate remote workforces and process flows. When this is the case, the auditor may be required to conduct two evaluations of the design and implementation of relevant controls: one for controls that were in place before the pandemic and another for controls put in place after the pandemic commenced. This will depend upon the nature of the control and how the pandemic affected the client’s operations.
For example, if a restaurant had no activity while stay-at-home orders were in effect, evaluating controls during that period may be less relevant.
The auditor’s evaluation of the design and implementation of relevant controls affects the rest of the audit. For example, an auditor may have historically placed reliance on the operating effectiveness of a given control. If that control stopped operating during the pandemic, such an approach may no longer be possible. In that case, the auditor may need to revise the nature, timing, and extent of substantive testing in order to obtain sufficient appropriate audit evidence.
When auditors detect significant deficiencies and material weaknesses in internal control over financial reporting, AU-C Section 265, Communicating Internal Control Related Matters Identified in an Audit, requires written communication to those charged with governance. As COVID-19 may present an increased possibility of control deficiencies for 2020 year-end audits, setting expectations with clients before the audit commences may be a practical first step.
COVID-19 presents a veritable “perfect storm” for fraud risk, and auditors should be on high alert. Recall the three sides of the fraud risk triangle: incentives or pressure, opportunity, and rationalization.
As many businesses were affected economically, employees may have felt pressure to make fraudulent journal entries to sustain the corporation’s viability. For example, if a client was on the verge of violating a loan covenant, there may have been pressure and incentive to misstate results to avoid that outcome.
Employees may have also felt pressure if their personal financial situation worsened. From mid-March to late May, there were over 40 million initial jobless claims in the United States, according to U.S. Department of Labor statistics. If an employee’s spouse was furloughed or laid off, the employee may have had an incentive to replace the lost income.
Breakdowns in internal controls over financial reporting may have presented opportunities for fraudulent financial reporting or misappropriation of assets. For example, if a client’s accounting department was suddenly unable to access their office and many of their controls were manual, management may have overridden controls. In many cases, this reaction may have been well intentioned — however, auditors should approach management override with a healthy degree of professional skepticism.
Employees could rationalize these fraudulent activities, thinking, “I’m only changing the numbers to help the company survive,” or, “I’ll pay this back as soon as things return to normal.”
When planning the audit, audit teams should consider any potential fraud risks that could have a material effect on the financial statements. They should gain an understanding of the actions taken by management to mitigate those risks and then evaluate whether the audit procedures they’ve planned need to be adjusted.
Noncompliance with laws and regulations
Similarly, the risk of noncompliance with laws and regulations (NOCLAR) at certain clients may be heightened. During the pandemic, many small businesses have found it necessary to participate in various forms of federal economic stimulus funding, including programs enacted through the pandemic-relief legislation provided by the Coronavirus Aid, Relief, and Economic Security (CARES) Act, P.L. 116-136. As is the case with many programs of this nature, regulations put in place to ensure proper use of the funding can be complex.
The complexity of these regulations, combined with the fact that applications for funding had to be submitted quickly with accounting staff working remotely for the first time, may have led to a heightened risk of inadvertent noncompliance with regulations established by Treasury and the U.S. Small Business Administration.
Consistent with fraud risks, audit teams should be aware of potential risks with respect to NOCLAR that could materially affect the financial statements. They should consider management’s response and mitigation strategy and evaluate the appropriateness of planned further procedures in that light.
Auditing accounting estimates
Another area that could present heightened risk for 2020 year-end clients is auditing accounting estimates. The risks related to revenue recognition could be especially acute with FASB ASC Topic 606, Revenue From Contracts With Customers, in its first year of implementation for private companies that have adopted the new standard.
In addition to estimates associated with revenue recognition, auditors may find that other audit areas, such as the allowance for doubtful accounts, may have a heightened risk of material misstatement. And for clients with goodwill or intangible assets, management may need to consider whether impairment is necessary.
Ultimately, while auditors may have been able to evaluate management’s estimates in prior years by considering historical results or other measures, audits of clients with 2020 year ends may require the use of valuation specialists.
To support auditors, the AICPA has launched a free COVID-19: Audit & Assurance resources page at aicpa.org/covidaudit. Visitors can access resources on topics such as auditing remotely, financing reporting considerations, and industry-specific guidance. For information about how COVID-19 may impact other areas, from personal financial planning and tax to forensic accounting, visit the AICPA’s Coronavirus (COVID-19) Resource Center at aicpa.org/coronavirus.
For more news and reporting on the coronavirus and how CPAs can handle challenges related to the pandemic, visit the JofA’s coronavirus resources page.
— Bob Dohrer, CPA, CGMA, is chief auditor, and Carl Mayes, CPA, is an associate director, both with the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Ken Tysiac, the JofA’s editorial director, at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.