The AICPA’s annual Audit Risk Alert General Accounting and Auditing Developments—2016/17 provides a useful summary of common peer review findings on audits.
What I like about this particular list is that it is short enough to actually provide focus. Frequently such lists have the filter set so broadly that the list covers practically all the findings that have surfaced during all peer reviews. Sometimes I’m left with the feeling that a list of findings reads like a list of every single step you need to perform during an audit.
Here is the short list provided in the risk alert, along with my explanation:
Incorrect dating of audit report – The auditor’s report needs to be dated no earlier than when sufficient appropriate audit evidence has been obtained to support the opinion. This means
- the audit documentation has been reviewed,
- the financial statements including all the notes have been prepared, and
- management has taken responsibility for those financial statements (you don’t have to have the representation letter in hand, but management needs to have indicated they are going to sign the letter).
Sampling methodology failure – The documentation needs to be sufficient to explain the sample. From the documentation, a reviewer needs to understand the approach, how the sample was selected, how it was pulled, and how it was evaluated. The sample also needs to have been constructed appropriately.
Insufficient documentation – Risk alert does not give any specific illustrations. Based in my experience, lack of documentation is an issue when the reviewer looks at workpapers, can infer the thought process and the conclusion, but the workpapers don’t explain what seems to have been done. While we are not at the point of “if it wasn’t documented it wasn’t done”, if there’s nothing in the workpapers to support work, it will be very difficult to believe the work was done.
The condensed, thumbnail rule to use is that an experienced auditor needs to understand what was done and the conclusions reached based on only the documentation in the workpapers.
My favorite illustration here is that while a detailed memo would be the best way to explain why a particular piece of litigation is not of audit concern, a too-brief, hard to understand comment would at least provide some documentation that something was done. Zero documentation to explain why litigation was not addressed won’t fly.
Lacking a well thought out and explained memo, a scribbled comment such as “cfo said friv / nuis. settle” would be something. An oral explanation would be allowed to expand that comment, which might have been a conversation that the CFO said the even though the claims look severe, the lawsuit was frivolous with the company currently engaged in serious negotiations over an amount which is in the range of a nuisance settlement. An experienced auditor would thus be able to understand that scribbled comment and conclude the documentation is sufficient and lack of disclosure is appropriate.
Auditor’s report not updated – The clarified auditing standards overhauled the audit report. There is new wording, required section headings, and a required title. By the way, those requirements were first effective for your 12/31/12 reports, so that new wording should have long since been implemented. Yet I have reason to believe there are some firms still missing the wording.
As a word to the wise, if the reviewer sees an audit report that was blown, that means there is a risk the rest of the clarified auditing standards were missed as well. As a result the reviewer’s skepticism will go through the roof.
Fraud risk considerations – There are a variety of specific steps that need to be taken to address fraud. Those steps need to be performed and documented.
Document risk assessment and linking risks to procedures performed – Specific procedures need to be performed to address the risks in the engagement. There is a specific methodology to do so. Those risks need to be linked down to the work that will be done to address those risks.
Required communications to those charged with governance – Auditors are required to communicate specific matters to those charged with governance. In addition, any material weaknesses or significant deficiencies must be communicated.
So, here’s a quick checklist to make sure you don’t have the same problems mentioned in the risk alert:
- Make sure the auditor’s report is updated
- Make sure the audit report is dated correctly
- Document sampling methodology and perform the sample correctly
- Document your work!
- Address required fraud risks
- Document risk assessment
- Link risk assessment to procedures
- Prepare and send those two required communications