Let’s look at an eight point list of common deficiencies in audits for a quick check of the quality of our engagements. Often times those lists of common deficiencies run for pages and pages, essentially covering just about every major component of an audit. Those kinds of run-on lists don’t really help.
The AICPA’s Audit Risk Alert – General Accounting and Auditing Developments – 2017/18 provides a usable list of eight most common deficiencies identified in the recent peer reviews. Pondering this list provides a good way to do a self-check of your engagements.
Here is my paraphrase of the eight points:
Incorrect dating of the auditor’s report. The report date needs to match the release date which should be after the date all the documentation has been reviewed, the financial statements been prepared, and management has taken responsibility for the financial statements. The risk alert refers to AU-C 700.41.
Inadequate documentation of sampling methodology. AU-C 530 explains how to perform a sample. The methodology must be documented or the reviewer won’t be able to understand why the audit evidence is sufficient.
Insufficient audit documentation. Workpapers must contain “sufficient competent evidence to support the firm’s opinion on the financial statements.” The old saying of “if it wasn’t documented, it wasn’t done” is not actually in the standards. That is not the requirement, but does provide a helpful perspective.
If the documentation, standing on its own, is insufficient to show the work was done, then the firm will have a very difficult time persuading anyone that a competent audit was performed with sufficient evidence to support the conclusion.
Don’t plan to rely on the oral explanation approach as an out. Oral explanations are only allowed to clarify what is in the workpapers. The example I always use is that an incoherent comment which is on point can be explained orally. As an example, let’s say a comment in the workpapers addresses contingent liabilities with a notation such as “cntrl said ins w/cover 4 slipfall.” A scribbled comment like that would allow an auditor to explain that on the last day of fieldwork there was a conversation with the controller in which the controller said the insurance company has agreed that four separate slip and fall incidents reported during the year will be covered by the insurance policy. That incoherent comment constitutes horrible documentation, but would allow an oral explanation.
AU-C 230 discusses audit documentation. In addition each section of the audit standards usually contains additional documentation requirements.
Not updating the auditor’s report for clarified auditing standards. AU-C 700 describes the requirements which went into effect for years ending on or after December 15, 2012.
Yes, these changes went into effect for audits of 12/31/12 financial statements, which is 5 full audit cycles ago.
Yes, this is still a common finding in peer reviews, according to the AICPA.
Not addressing fraud considerations. AU-C sections 240, 315, and 330 address the auditor’s responsibility regarding fraud.
Not documenting planning procedures, particularly regarding risk assessment and linking those risks to procedures performed. AU-C 315 and 330 address planning issues. There is a wide range of issues to address (and document!) regarding risk assessment. Risks must be addressed at the financial statement level and that the assertion level for all relevant assertions for significant financial statement line items. Those risks in turn need to be linked to the work performed to address those risks.
This entire bundle of issues is colloquially referred to as the risk assessment suite of standards. It is still an area that firms are missing.
Yes, the standards went into effect for audits of years ending after December 15, 2012, which was five full audit cycles ago.
Yes, the AICPA is identifying this as a common deficiency during peer reviews. Based on the AICPA’s comments, my experiences as a peer reviewer, and my conversations with other peer reviewers, this bundle of audit rules is still being missed by some firms. Read between the lines of the disciplinary actions taken by the California Board of Accountancy and you can figure out that the regulators are not amused with auditors who completely miss the boat.
Not making required communications to those charged with governance or not documenting those communications. AU-C 260 describes information that must be communicated to those charged with governance. AU-C 265 addresses communication of material weaknesses and significant deficiencies. Those items need to be communicated and there needs to be documentation in the files of the communication.
Not obtaining appropriate management letters. This includes not getting the letter, not updating the letter properly, not mentioning all years included in the financial statements, or omitting required elements of the letter. AU-C 580 has a list of the required elements and samples.
If you read through that list and realize there’s something you are missing in your audits, now would be a really good time to make some changes for your upcoming audits.
If you read that list and you don’t know what one of those items is talking about, today would be a really, really good time to do some research.