CPA Hall Talk

Dec 13

Auditing Payroll: A Step by Step Guide

Auditing payroll is a critical skill. Today I explain how.

While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.

Auditing Payroll – An Overview

Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.

To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.

First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.

Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).

Third, human resources assists the new-hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance.

Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used).

Fifth, employees clock in and out so that time can be recorded.

Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time.

Seventh, a second person (e.g., payroll supervisor) approves the overall payroll.

Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy).

In this article, we will cover the following:

Primary payroll assertions
Payroll walkthroughs
Payroll fraud
Payroll mistakes
Directional risk for payroll
Primary risks for payroll
Common payroll control deficiencies
Risk of material misstatement for payroll
Substantive procedures for payroll
Common payroll work papers

Primary Payroll Assertions

The primary relevant payroll assertions are:

Completeness
Cutoff
Occurrence

I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.

Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.

Payroll Walkthroughs

Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:

Does the company have a separate payroll bank account?
How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
Who has the authority to hire and fire employees?
What paperwork is required for a new employee? For a terminated employee?
Is payroll budgeted?
Who monitors the budget to actual reports? How often?
Who controls payroll check stock? Where is it stored? Is it secure?
If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
Do larger salary payments require multiple approvals?
Who approves overtime payments?
Who monitors compliance with payroll laws and regulations?
Who processes payroll and how?
Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
How are payroll tax payments made? How often? Who makes them?
Who creates the year-end payroll tax documents (e.g., W-2s) and how?
What controls ensure the recording of payroll in the appropriate period?
Are the following duties assigned to different persons:
- Approval of each payroll,
- Processing and recording payroll,
- The reconciliation of related bank statements
- Possession of processed payroll checks
- Ability to enter or change employee bank account numbers
- Ability to add employees to the payroll system or to remove them
Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
Who approves salary rates and how?
Who reconciles the payroll bank statements and how often?
Who approves bonuses?
What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
Who reconciles the payroll withholding accounts and how often?
Are any salaries capitalized rather than expensed? If yes, how and why?
Are surprise payroll audits performed? If yes, by whom?
Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?

Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.

As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”

Payroll Fraud

When payroll fraud occurs, understatements or overstatements of payroll expense may exist.

If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.

On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.

Payroll Mistakes

Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements.

Directional Risk for Payroll

The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur.

Primary Risks for Payroll

The primary payroll risks include:

Payroll is intentionally understated
Inappropriate parties receive payments
Employees receive duplicate payments

As you think about these risks, consider the control deficiencies that allow payroll misstatements.

Common Payroll Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

One person performs two or more of the following:
- Approves payroll payments to employees,
- Enters time or salary rates in the payroll system,
- Issues payroll checks or makes direct deposit payments,
- Adds or removes employees from the payroll system
- Reconciles the payroll bank account
No one reviews and approves recorded time
No one reviews and approves payroll before processing
No one performs surprise audits of payroll
Appropriate procedures for adding and removing employees are not present
No one reviews the removal of terminated employees from payroll
No one compares payroll expenses to a budget

(Here are suggestions to make your payroll controls stronger.)

Another key to auditing payroll is understanding the risks of material misstatement.

Risk of Material Misstatement for Payroll

In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.

Additionally, consider theft which can occur in numerous ways, such as duplicate payments or ghost employees.

In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice.

Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee).

Once your payroll risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Auditing Payroll

My customary tests for auditing payroll are as follows:

Reconcile 941s to payroll
Recompute accrued payroll liability (amount recorded at period-end)
Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
Compare payroll expenses (including benefits) to budget and examine any unexplained variances
When control weaknesses are present, design and perform procedures to address the related risks
Compare accrued vacation to prior periods and current payroll activity

In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?

Common Payroll Work Papers

My payroll work papers normally include the following:

An understanding of payroll-related internal controls
Risk assessment of payroll at the assertion level
Documentation of any payroll control deficiencies
Payroll audit program
Accrued salaries detail at period-end
A summary of any significant payroll withholding accounts with supporting information
A detail of vacation payable (if material) with comparisons to prior periods
Budget to actual payroll reports
A reconciliation of payroll in the general ledger to quarterly 941s
Fraud-related payroll work papers (when needed)

In Summary

In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.

See my book on Amazon: The Why and How of Auditing.

Dec 11

Stop White-Collar Crime: Prevent Fraud in Your Business

By Charles Hall | Fraud

Chances are white-collar crime is occurring in your business as you read this–or at least within the last thirty days. Those you trust may be taking you for a ride. Therefore, you need to know how to prevent white-collar crime.

Below I provide you with plenty of free understandable resources to help you stop fraud. Take a look.

White Collar Crime Happens!

For most organizations, it’s not a matter of if fraud will occur, it’s a question of how much will be taken. The Association of Certified Fraud Examiners’ biennial survey shows that the average business loses 5% of its revenues to fraud. Imagine adding that amount to your bottom line, because when theft occurs, your net income is reduced by the amount stolen.

No One Steals from My Business

Most business owners, board members, governments, and nonprofits think “fraud may happen in other organizations, but not in our place. Our people are honest.” Well, let me say I’ve seen plenty of “honest” people steal.

In almost every fraud I’ve seen, the business owners and fellow employees are greatly surprised by the theft, usually by a trusted employee.

And these trusted people steal because they can. You may be thinking, “What?” Let me repeat, the reason people steal is because they can. In fraud prevention parlance, we call it “opportunity.”

Fraud Cycle

And, how do trusted employees steal? Here’s the typical cycle:

We hire a likable, trustworthy person
The employee serves the organization well
He moves to higher positions (where he has greater opportunity to steal)
No one monitors the employee because he is honest–or at least, he appears that way
The employee believes he can steal without detection
Small amounts of money are taken to test the water
Larger amounts are taken when he is sure no one is watching

So, the employee goes from trusted employee to fraudster. The transformation occurs gradually. Then when the discovery of fraud occurs, everyone is shocked.

Examples of People Who Steal

And what kinds of persons commit white-collar crime?

I have seen the following individuals take money:

Chief executive officer
Board member
Pastor
Church secretary
Healthcare executive
A lady who was dying
Doctor
College president
Swim club volunteer
Seminary Foundation employee
School principal

I could go on, but you get my point. People who we think would never steal, do.

So, how can we prevent–or at least lessen–the threat of fraud? Transparency is a key.

Transparency Lessens Fraud

If transparency is important, why don’t businesses create it?

Small businesses often lack the ability to segregate accounting duties, and this lack of segregation creates opportunities for theft. Why? One employee controls several critical accounting processes, resulting in the ability to steal without detection.

To lessen the possibility of fraud, we must create transparency in accounting processes. Employees are less likely to steal when their actions are visible to others. That’s why segregation of duties is necessary: more eyes see the accounting activity, making theft more difficult to occur without detection. But even if an organization has few employees, it’s possible to create transparency and lessen the threat of theft.

Stop White-Collar Crime

CPA Hall Talk provides you with fraud prevention information to help you stop white-collar crime.

While I can’t visit everyone that needs fraud prevention assistance, I can provide (free) information about how theft occurs and how you can lessen the threat of fraud.

Here are some of my fraud prevention posts (each with a clickable link):

I hope you find these articles helpful in fighting white-collar crime in your organization.

Dec 07

Extended Audit Procedures: When Segregation of Duties is Absent

By Charles Hall | Accounting and Auditing

Should an auditor perform extended audit procedures when there is no segregation of duties? Or are basic procedures sufficient?

No Segregation of Duties

A few months ago, I was talking to a CPA about audit procedures where a client had only one person performing accounting duties. In other words, there was no segregation of duties, and no one reviewed the activity. Regarding cash, the CPA said basic procedures would be sufficient. In other words, test the bank reconciliation and tie the book balance back to the trial balance, and you’re done.I said, “What if the bookkeeper stole $100,000 before it was deposited? Would a test of the bank reconciliation detect the theft?” But he insisted that basic procedures were appropriate. Why? Because the entity was small.The size of the entity does not matter. The risks do.

Extended Procedures

When segregation of duties is lacking, especially if severe (e.g., one person does everything), extended procedures such as fraud detection steps are warranted. In the example above, the auditor should test receipts and disbursements.Balance sheet audit steps (like testing a bank reconciliation) will usually not detect theft of funds. Cash, receivables, and payables can still reconcile to the trial balance–but the stolen funds are gone.

Responsibility for Fraud Detection

Through the years, I’ve heard CPAs say, “I’m not responsible for fraud.” They incorrectly believe they don’t have to look for fraud.

That idea died in 2002 with the issuance of SAS 99, Consideration of Fraud in a Financial Statement audit. Yes, it’s been a while. The auditor is responsible for the detection of material fraud.

So, the auditor should plan to detect fraud if risk assessment calls for it. In the above situation, where there is no segregation of duties, the walkthroughs of cash receipts and disbursements would reveal high risks of material misstatement.

Additionally, if the entity receives a significant amount of cash (currency, not checks), the risk is even higher.

And how many ways can theft occur through disbursements? There are many.

Let’s consider revenue and expense cycle tests that you might use when segregation of duties is lacking.

Extended Procedures – Revenue Cycle

So, how does an auditor know what extended procedures might be appropriate?

First, review the revenue cycle processes and controls with a walkthrough. Consider the related risks of material misstatement, and plan your tests.

Nonprofit Example

For example, if you are auditing a nonprofit that receives contributions through the mail, review the processes and controls. Here are example questions:

Who opens the mail?
Is a second person present when the mail is opened?
Is a list of daily receipts created and signed by the two persons opening the mail?
Does a video camera record those opening the mail?
Are daily deposits reconciled to the daily cash receipts log?
Are contributions tracked in a contributions software package? If yes, does someone other than those who opened the mail enter the amounts received?
Do persons opening the mail (those with access to checks) reconcile the related bank account?
Are daily deposits made?
Who takes the daily cash receipts to the bank for deposit?
Are acknowledgment letters mailed to contributors? Are those reconciled to the daily receipts log and contributions software by someone who did not initially open the mail?

I could go on, but these are the types of questions to ask before deciding whether extended audit procedures are required and, if they are, what those might be.

What extended audit procedures might the auditor perform in this situation?

Receipt Tests

Testing in the nonprofit environment described above is challenging, especially if currency is received in the mail. Even so, here are some extended procedures that one might perform:

On a sample basis, reconcile the daily receipts log to the contributions software entries.
On a sample basis, reconcile the daily receipts log to the daily deposits. Agree the bank deposit receipt to the total daily bank deposit.
On a sample basis, compare the daily receipts log to the donor acknowledgment letter (you may need to review the contribution software entries if multiple payments are received).

You could perform other tests, but these provide you with some examples for this entity.

For companies that bill and receive payment, it’s easier to design revenue cycle tests–and those tests will be different than the nonprofit examples. You can, for example, compare amounts billed with collections and review receivable write-offs for appropriateness.

But what about expense tests?

Extended Procedures – Expense Cycle

There are many ways to steal funds through the expense cycle, so I will provide a few examples. Again, understand the processes and controls walkthrough. Assess your risk and create your responses.

Here are example questions for a nonprofit:

Who can add vendors to the payables software?
Are new vendors reviewed for existence (to ensure the entity exists)? Who performs this review and how?
Who can authorize a payment, and how?
Who can sign checks or disburse funds in other ways (e.g., electronic payment)?
Who enters invoices in the payables software?
Who has logical access (as provided by I.T.) to the payables module?
Who reconciles the bank account used for vendor payments?
Is a budget-to-actual report provided to management?

Again, these are example questions. There are many more that you can ask.

Expense Tests

Once you understand the payables process, consider where fraud might occur. For example, if someone can sign checks, add vendors, and enter invoice amounts, theft could happen. Then you might perform extended audit procedures such as the following:

On a sample basis, review cleared checks for appropriateness by inspecting the payees and comparing those to the descriptions in the general ledger
On a sample basis, compare cleared checks to invoices
Review new vendors with someone outside of the payables department who is familiar with vendors used by the company

As you can see, context (the processes and controls) aids in designing the control tests.

Summary

Test revenue and expense cycles when there is a lack of segregation of duties. You’ll know if the accounting system has this control weakness from your walkthroughs of the revenue and expense cycles. Once you understand those dynamics, you can assess the risks of material misstatement and plan your extended audit tests, such as those listed above.

Oct 30

When is a Gift a Bribe?

By Charles Hall | Auditing , Corruption

When is a gift a bribe?

Vendors often give sporting event tickets to clients. Or maybe they take them out for a nice dinner. Others might pay for a trip to Vegas.

So, at what point does a gift become a bribe? A friend of mine recently asked me this question. He said, "I give football tickets to clients. Is that a bribe?" I responded, "Maybe not, but if you give them season-long tickets, probably yes." (Such tickets cost several thousand dollars.) My friend followed with, "What if I go to every game with them?" My answer was, "That makes no difference." And doing so could be worse.

Cozy Vendor Relationships

20% of the 2022 fraud cases in the ACFE's recent study revealed "unusually close association with a vendor" as a red flag.

I've lost count of the fraud cases involving close vendor-client relationships. For example, the vendor and client might take annual family vacations together (think Aspen ski trip), with the former footing the bill.

I once spoke at a conference with vendors in the audience. One of them asked, "What can vendors give?" I responded, "I can't give you a list, but I would never give cash." He wanted a list of acceptable gifts. So, here's one: planes, trains, and automobiles. Yes, I'm trying to be funny, though I know of one vacation home gifted to a CEO. Why? So, a construction company could win a bid.

Some presents (like a vacation home) are obviously a bribe, but lower-cost ones are more difficult to define.

Gray Gift Decisions

You may wonder, "How can I know when a gift is okay?" There's no easy answer to this question. But consider these scenarios. A vendor offers one of the following to you:

-A sleeve of golf balls
-Takes you to play golf
-Pays for you to attend a PGA tournament at Pebble Beach and all expenses for a week-long trip (including your spouse and children)
-Pays your annual dues at your local country club (cost is $25,000 annually)

I'll take the sleeve of balls and play golf, but I'm uncomfortable with the other two.

Front Page Litmus Test

When there is a gray ethical decision, I always say, "Put it on the front page of the paper and see how you feel." If you're comfortable with it, you're probably okay. If not, then don't do it. Another step you might take is to ask an honest friend what they think, someone who has no vested interest. (If you're unwilling to ask your friend the question, your conscience is probably telling you, "This is not okay.")

Most vendors want to give gifts without crossing the line (they want to avoid going to jail). But the line is not usually defined, and naming particulars can be futile. After all, how many things could be on such a list? So, creating a list of proper (or improper) gifts may not work.

So, how do we know if a gift is a bribe?

Quid Pro Quo

In the context of bribery, the concept of "quid pro quo" plays a significant role. This Latin phrase means a direct exchange, where something is given with the expectation of receiving something in return. To determine if a gift can be considered a bribe, one key question is: Was the gift given with the expectation of receiving something in return?

It's easier to argue that a gift is not a bribe if it's small or of low value. In such cases, it may appear more like a token of appreciation than an inducement for a particular action. However, when a vendor gives an expensive gift, it becomes much more challenging to assert that there's no expectation of something in return. Expensive gifts raise red flags and make it more likely that the present is, in fact, a bribe.

So, your company should create a gift policy, defining what is acceptable and unacceptable.

Gift Policies

Gift policies should limit amounts to a specific dollar amount, such as $100 annually. As I said earlier, cash (at least, in my mind) is never an acceptable gift.

The gift policy might provide examples of proper activity with a vendor, such as playing golf together once or twice a year. It might also provide examples of improper actions, such as going on vacations with vendors.

You could list unacceptable gifts, but this is challenging. I would instead define inappropriate gifts in terms of dollars. Doing so is a blanket covering all types of activity.

Moreover, consider including actions the company might take if the employee violates the policy. You may want to say that violations could lead to the loss of their job. But, consult with your legal advisors about the written policy.

And remember to communicate the policy.

Communicate the Gift Policy

Give your written gift policy to new employees, and discuss the importance of transparency regarding vendor gifts. Additionally, remind existing employees of the policy. You might do so in annual training classes.

So, should companies require written disclosure of gifts received?

Gift Disclosure Forms

Companies might also require a signed disclosure form once a year where employees provide details of what they receive from vendors. (Here’s a sample disclosure form.) Additionally, provide such disclosures to your compliance department if you have one. If not, consider giving these to the company owner.

And who might you require to complete such a disclosure form? Anyone with the power to purchase, whether a person issuing a purchase order, a department head authorizing payments, or someone signing checks--anyone able to pay a vendor (or cause a vendor to be paid).

Again, consult with your legal advisors about your disclosure form and processes.

So, is bribery a significant threat to most businesses?

Bribery is Real

ACFE fraud surveys continue to reveal that bribery is one of the leading causes of fraud. 50% of the ACFE's 2022 fraud cases involved corruption (bribery is a form of corruption). Why is this so?

Because it's easy for employees to receive illegal payments (or gifts) without anyone's knowledge, but make no mistake: This activity adversely affects the employer. How? The vendors usually pass the bribe cost to the company through inflated prices or substandard goods. Strangely enough, the vendor often sees a bribe as a cost of doing business, albeit an illegal one.

Oct 19

Understand Engagement Quality Reviews and Monitoring and Remediation

By Charles Hall | Auditing

The new quality management standards include (1) engagement quality reviews and (2) monitoring and remediation. So what are these, and how will they impact CPA firms? Will they require changes in how you operate? Will you need additional personnel? Can firms review their own work, or will you need external help?

In this post, I explain how engagement quality reviews (EQR) and monitoring are different and how they complement each other. We also look at the objectivity requirements for monitoring (which can be tricky, especially for small firms).

SQMS No. 1, A Firm’s System of Quality Management, requires firms to create a monitoring and remediation process. That standard also requires an Engagement Quality Review for higher-risk engagements (as defined by the firm). SQMS No. 2, Engagement Quality Reviews, provides information about the reviewers’ appointments and responsibilities.

So, how do EQRs relate to monitoring and remediation?

To answer this question, let’s first look at a summary of these two functions.

1. Engagement Quality Reviews

EQRs are at the engagement level. For example, a designated reviewer will review a completed audit file for compliance with standards and an appropriate audit report. The purpose of an EQR is to provide an objective evaluation of significant judgments and conclusions. The EQR will, if done appropriately, reduce the risk of noncompliance with professional standards and the risk of issuing improper reports. It is not, however, an evaluation of the entire engagement.

Firms perform EQRs for selected (usually high-risk) engagements. SQMS No. 2 requires EQRs for two types of engagements:

When laws or regulations require an EQR for an audit or other engagement (which is rare)
When a firm determines that an EQR is an appropriate response to one or more quality risks (which is common)

The second engagement type is one most firms will encounter, especially if it audits more complex entities such as banks. Why? Because such entities have estimates with a high degree of estimation uncertainty, making it higher risk. Additionally, an entity with significant going concern uncertainties will usually need an EQR, another example of a higher risk engagement.

Next, we’ll look at EQR criteria.

EQR Criteria

Firms must create EQR policies and procedures defining the engagements requiring such reviews. The firm’s EQR criteria (see SQMS No. 1, A145) might include the following:

Types of engagements (e.g., audits)
Types of reports (e.g., Single Audits)
Types of entities (e.g., employee benefit plans)
Engagements with a high level of complexity or judgment (e.g., banks)
Engagements with recurring internal or external inspection findings
Engagements involving regulatory filing information
Entities in emerging industries (e.g., artificial intelligence)
Entities for which the firm has no prior experience
Entities with public accountability characteristics (e.g., benefit plans)
Governmental entities, if large or complex

So, consider these criteria as you define which engagements will require an EQR. Create a firm policy for this purpose.

Now, let’s consider the monitoring and remediation requirements.

2. Monitoring and Remediation

Firms perform a monitoring and remediation process, a component of the engagement quality control system. Another component is the risk assessment process. The QM system also includes the following six components:

Governance and leadership
Relevant ethical requirements
Engagement performance
Acceptance and continuance
Information and communication
Resources

As we saw in my previous QM post, firms create quality objectives, quality risks, and responses for these six components (as a part of their risk assessment process). Once those are in place, firms must monitor them–and remediate deficiencies when noted.

Monitoring activities may include in-process engagements and should include the inspection of completed engagements. These reviews may include engagements not subject to an EQR, such as those with lower risk (e.g., a client with no estimates or complex accounting).

In-Process Reviews (Optional)

So, why might a firm review a lower-risk job while it’s in process as a part of monitoring? To see if the QM system is working. For instance, the reviewer might look at risk assessment documentation if the previous inspection revealed problems in this area. Additionally, the firm may want to look at a particular engagement partner’s work if that person had prior deficiencies.

Completed Engagement Reviews (Required)

Firms should also perform inspections of completed engagements. The firm should review at least one completed engagement for each engagement partner on a cyclical basis (e.g., once every three years).

Remediation

If a firm notes deficiencies, it will remediate the issues by planning and performing corrective steps. For example, suppose Single Audit engagements reviewed in monitoring did not have appropriate major program determination documentation. In that case, the firm might require that a designated reviewer look at this part of each future Single Audit file. The purpose of the step is to cure the deficiency.

So, what’s the difference between EQRs and monitoring?

Differences in EQRs and Monitoring

Engagement risk triggers an EQR, but monitoring has a broader perspective, one focused on the QM system as a whole.

Engagement Reviews

So, EQRs occur based on the firm’s policies and procedures that define higher-risk jobs. If a firm has only three audits that meet the firm’s EQR criteria (as we previously discussed), then only those are subject to an EQR.

But even if a firm has no EQR engagements (which would be unusual), it still needs to monitor its QM system. And that may entail reviews of in-process jobs.

Other Components Monitoring

Additionally, monitoring includes reviews of the QM responses to the six components listed above. (Remember, the firm establishes quality objectives, quality risks, and responses for each of the components.)

For example, a firm could test its hiring practices for the resource component’s response to a related quality risk. Or a firm might see if peer review findings are being communicated to relevant firm members as a test of the information and communication component. Notice these monitoring examples do not focus on a particular engagement (as an EQR does).

EQR Findings Affect Monitoring and Remediation

Firms should communicate EQR findings, if any, to firm members. Such findings might lead to remedial action. For example, if the EQRs discover a need for more documentation related to estimates, the firm might require a second partner review of specific estimates (e.g., a bank’s allowance for loan losses). Then, the firm might monitor the response to see if the second review takes place.

Next, we will discuss the importance of objectivity.

Maintaining Objectivity

Reviewers need to be objective, whether in an engagement quality review or when monitoring.

SQMS No. 1 (paragraph 40) requires firms to create policies and procedures that address the objectivity of individuals performing monitoring activities. Objectivity is enhanced when someone monitoring does not review their prior work (such as (1) serving as a member of the engagement team or (2) as an engagement quality reviewer).

Self Review Threat

A self-review threat exists if a monitoring person reviews their previous work. For example, if the quality management director serves as the EQR person in the audit of ABC Company and then checks that job in the monitoring process, she examines her own work. Such a situation can adversely affect her objectivity. It would be better for another person (someone not a part of the ABC Company audit engagement team or who did not serve as the engagement quality reviewer) to look at that engagement during monitoring.

EQR in Stages

So, can the person performing the EQR do so at different engagement stages (e.g., beginning, middle, end) or only after the file is complete? You can do either. Consider doing that which lessens your risk the most.

If the EQR person reviews the engagement at stages (e.g., beginning, middle, end), can they be objective? Yes, as long as they don’t make engagement decisions. For example, they can review and sign off on planning but can’t tell the engagement team how to plan the job. In another example, the EQR person can review risk assessment, but they can’t make those decisions.

Firms are not required to perform EQRs in stages, but they can. Alternatively, the firm might decide to do the EQRs once the engagement is finished.

Safeguards

SQMS No. 1 states it does not preclude self-inspection. Nevertheless, it says self-review leads to a higher risk that noncompliance with policies and procedures may occur. It is best to remove self-inspection, but if this is not possible, the firm may provide safeguards (actions to reduce the self-review threat) such as the following:

Promote continuing professional education and provide training programs to ensure that personnel are current in accounting, auditing, and QM standards
Require the use of peer review or other inspection checklists in the monitoring work
Provide training about proper monitoring procedures
Perform the self-inspection after some time has passed since the completion of the engagement

Responses to Quality Risks

Additionally, the firm’s responses to certain quality risks (as developed in the risk assessment process) may be helpful, such as the following:

Develop strong client acceptance and continuance policies that require the firm to have the competence and time to perform the engagement
Create a consultation policy that requires the engagement team to consult with another person (e.g., external or internal CPA) when they encounter difficult accounting and auditing issues
Take corrective action to cure issues noted in internal monitoring, EQRs, peer review, or other outside reviews (e.g., DOL inspection)
Require the use of an outside service provider to perform EQRs when deficiencies were previously noted (e.g., in peer review) or the firm or its environment changes (e.g., the firm starts auditing a client in a new industry)

Summary

So, engagement characteristics trigger EQRs, and firms need to perform monitoring and remediation, regardless of the EQRs. Furthermore, firms perform EQRs at the engagement level, but monitoring and remediation focuses on the QM system as a whole.

As you prepare for the new QM standards, consider if you have the personnel to perform the EQRs and monitoring. You may need to hire new staff or contract with external CPAs.

Finally, if there are objectivity threats from self-review, your firm may need safeguards such as using a peer review checklist in performing a cold engagement review. Strong quality risk responses are also helpful.

« Previous 1 2 3 4 5 … 41 Next »