Peer Review Inherent Risk Questions Revised

Separate inherent risk assessments are not required by GAAS; however, changes to peer review checklists (several months ago) were causing “no” answers (which implies a deficiency) when audit firms did not use separate practice aids to assess inherent risk.

These “no” answers were an unintended consequence of the way the peer review inherent risk questions were worded. (I scratched my head the first time I saw them.) The questions are now revised.

Now the peer reviewer will focus on the risk assessments related to the risk of material misstatement (RMM) (which is the result of the control risk and the inherent risk). The revised questions still ask the reviewer to consider if the RMM is impacted by a less-than-high inherent risk assessment.

The intent of the inherent risk questions, I believe, is to cause the reviewer to consider whether the inherent risk assessment is appropriate and not used to falsely reduce the amount of substantive work.

Remember, Inherent Risk x Control Risk = RMM, so an auditor could lessen his response to risk (substantive work) by lowering the inherent risk (without a proper basis for doing so).

What does this mean for you? Make sure you can defend your lower inherent risk assessments (provide a logical explanation for the lower IR assessment).

Key Highlights from the 2016 Fraud Survey: Association of Certified Fraud Examiners

The Association of Certified Fraud Examiners conducts a biennial fraud survey titled Report to the Nations on Occupational Fraud and Abuse.

Key Fraud Survey Statistics

Here are some statistics from the 2016 report:

  • The most common detection method is tips — 39% of fraud was detected by tips
  • The median loss per fraud case is $150,000
  • 41% of fraud cases are not referred to law enforcement (mainly due to fear of bad publicity)
  • The typical organization loses 5% of its revenue to fraud
  • Large organizations are more apt to use antifraud programs than small ones
  • Banking, governments and manufacturing suffer the largest losses (and in that order)
  • The average fraud exists 18 months before detection
  • Fraud schemes lasting more than 5 years caused a median loss of $850,000
  • 82% of the entities in the survey underwent audits
  • 95% of the time the fraudster took efforts to conceal the theft
  • Fraud losses increase with the number of people involved in the theft
  • Most fraudsters are first-time offenders (with only 5% having been previously convicted of theft)
  • The typical fraudster is:
    • Male (69%),
    • Middle-aged (30 to 50 years of age),
    • Educated (60% had college degrees), and
    • Works with the organization for a number of years
  • 19% of the frauds involved owners or executives resulting in median losses of $703,000
  • Only 8% of the frauds were committed by an employee with less than one year of employment
  • Billing schemes such as fictitious vendors continue to cause significant losses
  • 23% of the fraud cases were for more than $1 million

See the complete ACFE survey here.

See my fraud prevention book on Amazon here.

Time to Change Your Single Audit Engagement Letters

Single Audits for years ending December 31, 2015, are subject to the Uniform Guidance. So related engagement letters need to state that the engagement will be performed using the Uniform Guidance rather than A-133.

See my prior post here for more information about the Uniform Guidance.

Assess RMM at High and Avoid Internal Control Documentation?

Can an auditor assess the risk of material misstatement (RMM) for all transaction cycles and accounts at high and not gain an understanding of the auditee’s accounting processes and internal controls?

An auditor is always required to gain an understanding of the auditee’s accounting processes and internal controls.

What if the auditee has only ten transactions and the auditor plans to substantively audit each one?

Same answer: An auditor is always required to gain an understanding of the auditee’s accounting processes and internal controls.

Auditors cannot avoid the risk assessment procedures–understanding controls, brainstorming, planning analytics (to name a few). We are required to gain an understanding of the entity and its controls. The audit standards do not allow auditors to default to a high risk assessment in order to avoid the risk assessment and planning parts of an engagement–regardless of how small the entity is or how few the transactions are.

Are Your Audit Reports Dated in Conformity with Audit Standards?

The AICPA peer review checklist (May 2015 version) asks the following:

Is the report dated in conformity with the requirements of professional standards? [AU-C sec. 700.41]

The audit report should be dated no earlier than the date on which the auditor has obtained sufficient appropriate audit evidence on which to base the auditor’s opinion on the financial statements, including evidence that:

  • the audit documentation has been reviewed;
  • all the statements that the financial statements comprise, including the related notes, have been prepared; and
  • management has asserted that they have taken responsibility for those financial statements.

Suggestion for Dating Audit Reports

Scan your audit file for the latest dates. I look for the dates of the quality control and partner reviews, which are (generally) performed last. The audit opinion date should not precede these review dates. Why? Until those reviews are done, our evidential matter is not complete.

For example, let’s say the engagement partner completes her review of the file on July 31, 2015; she signs off in the file using that date. The date of the opinion should not precede July 31, 2015. If we use an opinion date of July 25, then we are opining on evidential matter (i.e., the audit file) that is not complete.

AICPA Changes Requirement to Disclose Open Tax Years

The AICPA Center for Plain English Accounting (CPEA) reports the following:

As a result of investigative work conducted by the Center for Plain English Accounting (CPEA), Technical Practice Aid (TPA or TIS) 5250.15, which required an entity to disclose a description of tax years that remain subject to examination regardless of whether an entity has any uncertain tax positions (i.e., unrecognized tax benefits), has been deleted. In researching our recent report titled, Controversy Over the Applicability of the Disclosure Requirement of Open Tax Years: Unintended Consequences and Lessons for All, we communicated with appropriate individuals at the FASB and AICPA on the issues noted in that report. Consequently, members of the FASB and Private Company Council (PCC) said that the guidance in TPA 5250.15, Application of Certain FASB Interpretation No. 48 (codified in FASB ASC 740-10) Disclosure Requirements to Nonpublic Entities That Do Not Have Uncertain Tax Positions, should change and that disclosures of open tax years are necessary only if an entity has unrecognized tax benefits. The March update for AICPA Technical Questions and Answers, which contain TPAs, has deleted TPA 5250.15.

Practitioners also should be aware that it may take a period of time for Peer Review Checklists and AICPA Accounting and Auditing Guides to be updated to reflect the elimination of TPA 5250.15.

Summary of Effect

In short: Entities are not required to disclose open tax years if they do not have material unrecognized tax benefits.

This is interesting since many peer reviews nationwide have included comments about disclosure deficiencies related to this area.

The report from the CPEA is posted on the AICPA website with a date of March 24, 2015.

Preparation of Financial Statements Prior to Another Accountant’s Audit

Does your firm prepare financial statements that are provided to another firm that performs an audit or a review? If yes, what are the new requirements under SSARS 21?

AR-C 70, Preparation of Financial Statements, is applicable.

What are the main implications?

  • Your firm should obtain a signed engagement letter that covers the preparation service; the letter should be signed by your firm and your client
  • Each page of the financial statements should contain the language “no assurance is provided” or a disclaimer paragraph should be provided
  • If the notes are omitted, the omission should be disclosed on the face of the financial statements or in a selected note
  • Known departures from the applicable reporting framework should be disclosed on the face of the financial statements or in a note
  • If your firm is subject to peer review, this engagement could potentially be selected for review during the peer review
  • Any other requirements of AR-C 70 are in play

AR-C 70 is effective for years ending on or after December 15, 2015. Early implementation is permitted.

Of course your firm could prepare financial statements under the compilation standards, AR-C 80; then you would follow the requirements for compilations. Usually, however, firms that prepare financial statements to be provided to other accountants prior to an audit or review will prepare the financials using AR-C 70.

Disclosing the Use of Third-Party Service Providers: AICPA Code of Conduct

Did you know that the AICPA Code of Professional Conduct requires members to “inform the client…that the member may use a third-party service provider”?

The rule is designed to prevent members from “disclosing confidential client information to a third-party service provider” without the client’s knowledge. It is preferable to make this communication in writing.

If the client objects to the member’s use of the third-party service provider, he or she should:

  • Not use the third-party service provider, or
  • Decline to perform the engagement

Here’s the rule [I bolded certain words below]:

ET Section 1.150.040

Use of a Third-Party Service Provider

.01 When a member uses a third-party service provider to assist the member in providing professional services, threats to compliance with the “Integrity and Objectivity Rule” [1.100.001] may exist.

.02 Clients might not have an expectation that a member would use a third-party service provider to assist the member in providing the professional services. Therefore, before disclosing confidential client information to a third-party service provider, the member should inform the client, preferably in writing, that the member may use a third-party service provider. If the client objects to the member’s use of a third-party service provider, the member either should not use the third-party service provider to perform the professional services or should decline to perform the engagement.

.03 A member is not required to inform the client when he or she uses a third-party service provider to provide administrative support services to the member (for example, record storage, software application hosting, or authorized e-file tax transmittal services).

Tracking SSARS 21 Financial Statement Preparation Engagements

Our firm just performed a SSARS 21 financial statement preparation engagement. Since the preparation service is a new type of engagement, we needed a new billing code. Why?

Our firm is subject to peer review, so our SSARS 21 preparation engagements will be subject to inspection. The new preparation service is a separate engagement, just as compilations and reviews are. When your peer review is performed, you will need to provide the peer reviewer with a summary of how many preparation engagements you have performed, just as you presently do for compilation engagements. So firms should separately track their SSARS 21 preparation engagements.

Note: Firms that perform only SSARS 21 preparation engagements are not subject to peer review, per AICPA rules. Some state boards of accountancy may require a peer review even though the AICPA does not.

Action Tip: Consider how your firm will track SSARS 21 preparation engagements.


CPE in 10-Minute Increments: Nano-Learning

NASBA’s April 2015 newsletter included an article about Nano-Learning, also called Micro-Learning. It appears a move is afoot to change how CPAs receive continuing education, a move from hours-at-a-time to smaller increments. This makes sense to me. Making CPAs sit through 8-hour sessions is brutal, and I’m not sure how much we learn (after a few hours). As I tell my CPE audiences, “the mind can only absorb what the behind can endure.”

Here’s an excerpt from the NASBA newsletter:

As of last month, CPAs from Ohio and Maryland can fulfill their CPE requirements in 10-minute increments.

On March 3, it was announced that the Maryland State Board of Public Accountancy unanimously passed new CPE regulations that allow for course content to be delivered in 10-minute increments (known as “nano-learning” or “micro-learning”).

And on March 12, the Ohio Society of CPAs (OSCPA) launched Quick Byte, a series of courses packaged to deliver information in 10-minute modules. Quick Byte is the first CPE curricula developed by a state CPA association, and the first program under one hour to qualify for CPA continuing education in Ohio.

I think you’ll see more states move to this model over time.

Think about how this will work: You’re working on an audit, and you run into an issue for which you need information. You take a 10-minute CPE class related to the issue. In addition to receiving the CPE credit, you obtain an understanding of the issue at hand. Two birds with one stone–good idea. Information received as you need it–again, a good idea.