SPECIAL REPORT

4 Ways to Avoid Audit and Attest Deficiencies

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 2

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIESMany avid hikers have learned the hard way that hiking on damp rocks can be dangerous, as the slightest bit of moisture on top of the rocks can leave hikers lying flat on their backs in the blink of an eye. So experienced hikers learn to take their time on slippery surfaces and proceed with caution. The same can be true for every audit and attest practice because there are several slippery surfaces that can definitely have unexpected consequences to your practice if not handled with caution and care. With busy season here, this special report is designed to point out some of the potential “wet rocks” that could be lurking on your audit and attest trail and help you navigate around or over them. These suggestions include the following:

1 Avoid falling on the same rocks that have caused others to fall

2 Look ahead and plan your steps carefully

3 Be especially cautious if you are on a new trail

4 Use the resources available to you

1 Avoid Falling on the Same Rocks that Have Caused Others to FallFirms that perform audit and attest engagements are required to have a peer review every three years. The AICPA takes the peer review findings and publishes the common deficiencies that were noted during recent peer reviews. In addition, we frequently have discussions throughout the year with peer reviewers about deficiencies noted in peer reviews. Being aware of the matters that tripped up other firms can help you and your firm avoid similar deficiencies. Accordingly, this section discusses some of the examples that are applicable to most audit engagements. In addition to those matters, the peer review findings published by the AICPA also identify deficiencies unique to firms practicing in specialized industries.

OBSERVATION: The most recent examples of peer review deficiencies, published by the AICPA in July 2016, cover audit engagements with year-ends between December 31, 2014, and March 31, 2016. Those deficiencies are summarized at aicpa.org/InterestAreas/PeerReview/Community/PeerReviewers/DownloadableDocuments/Matters-in-PR.pdf.

Perform and Document Planning Procedures. Failing to document and perform planning procedures is a common deficiency noted in peer reviews. Audit planning covers a wide range of activities, and compliance with auditing standards related to planning can pose problems for auditors. Some of the deficiencies noted in peer reviews relating to planning are discussed next.

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 3

Preliminary Analytical Procedures. Auditors didn’t adequately document preliminary analytical procedures. A simple sign-off of a program step isn’t enough; you need to include a workpaper in the engagement file documenting the procedures performed. In addition, explaining fluctuations between the prior year and the current year final balances during detail testing may not take the place of preliminary analytical procedures. Better preliminary analytical procedures could actually pave the way for a more effective and efficient audit plan.

Nonattest Services. When you perform nonattest services for attest clients, you have to comply with the requirements of ET 1.295 of the AICPA Code of Professional Conduct to remain independent. Nonattest services typically include tax return preparation, bookkeeping services (including financial statement preparation services) and consulting. To avoid a peer review matter when performing nonattest services, you need to ensure that your understanding with the client is established and documented in writing and all the requirements of ET 1.295 are met.

OBSERVATION: You also need to be careful in your audit documentation not to give the appearance of performing nonattest services when you haven’t been engaged to perform the service, especially when those services, if performed, would impair independence if the qualifying requirements aren’t met. Additionally, when performing multiple nonattest services for attest clients, you should evaluate whether the aggregate effect of those services results in a significant threat to independence that can’t be reduced to an acceptable level by applying safeguards.

Group Audit Standard. Peer reviewers often note that auditors fail to document consideration of the group audit standard when a component unit was audited. Under the auditing standards, consolidated financial statements are group financial statements, as are combined financial statements. Combined financial statements are often presented when companies are under common management. Frequently, auditors fail to identify that they are auditing component financial statements and need to comply with AU-C 600, Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors).

Risk Assessment and Developing the Detailed Audit Plan. Common engagement performance deficiencies relate to performing risk assessment procedures, identifying risks and developing the detailed audit plan. Those deficiencies include a failure to perform or document the engagement team discussion regarding the susceptibility of the entity’s financial statements to misstatement due to error or fraud; document an understanding of internal control and document the assessment of risks, significant risks identified and the related controls and the overall responses to address the assessed risks of material misstatement.

You are required to perform certain procedures to assess the risk of material misstatement of the financial statements due to fraud. Besides the engagement team discussion about fraud risks, you need to perform and document inquiries with certain client personnel about the risks of fraud. To avoid a peer review matter when performing those inquiries, you should ensure that all of the required questions are covered and interviews are performed in a thoughtful manner to determine if there are any risks of material misstatement due to fraud. Be careful to ensure that there is linkage between the risks identified in planning, documentation of the planned audit approach and the procedures performed. For example, if during the discussion with the client about risks, the

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 4

controller expressed concerns about pressures placed on operating personnel to meet sales goals, you should design and perform additional audit procedures to address the risk of overstatement of revenue.

Another common deficiency noted by peer reviewers is a failure to tailor audit programs for a specific client. Standard audit programs and practice aids are wonderful timesavers, but they need to be tailored to the client’s industry and other specific circumstances. Additionally, you need to make sure you perform adequate tests in key audit areas.

OBSERVATION: The amount of testing that needs to be done is a matter of professional judgment. However, you would be expected to perform more extensive audit procedures in areas with larger balances and higher risks of material misstatement. In addition, you should avoid “conversational” auditing and inadvertent reliance on client explanations or computer-generated reports.

Accounting Errors. Peer review findings related to accounting issues often include matters such as the following:

■ Incorrectly classifying long-term debt.

■ Incorrectly accounting for a transaction, such as treating a capital lease as operating or making errors in accounting for a business combination. That’s most likely to occur if the client enters into significant new transactions or if there are new accounting standards effective for the engagement.

■ Improperly applying the basis of accounting. When the client uses a special purpose framework, such as the income tax basis, you should ensure that the balances in the financial statements and note descriptions are consistent with the basis of accounting being used.

OBSERVATION: For example, to avoid improper application of the accounting basis that is being reported on, you should make sure that (a) accruals are included in GAAP basis financial statements but not in pure cash basis financial statements, (b) the direct write-off method is used for losses on doubtful accounts in tax basis financial statements while an allowance is recorded in GAAP basis statements and (c) deferred income taxes are provided for in GAAP basis financial statements but not in cash basis statements.

Peer reviewers have also found errors in the cash flow statement. Those errors include misclassification of cash flows as operating, investing or financing; improper classification of items as cash equivalents or captions in cash flow statements that don’t tie to the balance sheet and income statement.

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 5

Disclosure Issues. Often disclosures of related party transactions, valuation allowances, debt terms and maturities, income tax matters and significant concentrations are omitted. Peer reviewers also find financial statement disclosures required by GAAP are incorrect or incomplete, with issues such as the following being noted:

■ Failing to disclose the date through which subsequent events were evaluated

■ Failing to appropriately disclose fair value hierarchy information related to investments in marketable securities or to disclose significant estimates

■ Failing to have audit documentation in the workpapers that supports disclosures or amounts in the statement of cash flows

■ Failing to disclose significant accounting policies (we prefer to make that disclosure in a separate summary of significant accounting policies preceding the notes or in the first note)

■ Failing to disclose noncash transactions or cash paid for interest and taxes

OBSERVATION: To prevent disclosure errors, we recommend using an up-to-date disclosure checklist. After going through the disclosure checklist, a final review of the financial statements will help determine if there is sufficient information for a user to understand important aspects of material amounts and transactions.

Reporting Mistakes. In the reporting area, a common deficiency noted in peer reviews is that an auditor’s report doesn’t conform to the auditing standards or contains other mistakes. Those deficiencies include the following:

■ Reports dated incorrectly. The report date, date of the management representation letter and date through which management evaluates subsequent events should all be the same. Peer reviewers also noted instances where the auditor’s report was dated earlier than the date sufficient appropriate audit evidence was obtained or all review procedures were completed.

■ Incorrect financial statement titles. The titles of the financial statements should match the titles listed in the auditor’s report and be appropriate for the type of entity. For example, a nonprofit entity typically provides a statement of activities rather than an income statement. In addition, titles of financial statements that are prepared using a special purpose framework should differ from GAAP basis titles so there’s no implication that the statements are prepared in accordance with GAAP.

■ Missing or incorrect report elements. You should not vary from the standard language of a report unless the report captures all of the required elements. In addition, the report should include the required headings and cover all of the periods presented by the financial statements.

■ Failure to disclose GAAP departures. A GAAP departure requires a qualified or adverse opinion, and you should disclose the departure in a separate paragraph of the report. Disclosure in the financial statements alone isn’t sufficient. Auditors should carefully draft the Basis for Qualified Opinion paragraph of the report to make sure it correctly and completely states the reasons for the opinion qualification.

■ Failure to appropriately report on supplementary information. Supplementary information needs to be segregated or clearly marked as supplementary. In addition, you should report on that information either in the auditor’s report on the financial statements or in a separate report.

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 6

OBSERVATION: If an engagement quality control review isn’t already being performed on the audit, a best practice is to have another auditor perform a cold review of the report and financial statements to check for common reporting mistakes, as well as grammatical errors. In addition, a reporting checklist may be used either to find reporting guidance relevant to a particular situation or as a quality control check on a draft report before it’s issued.

Other Items. Auditing deficiencies observed in peer reviews relating to performing further audit procedures include failing to observe inventory when the amount is material to the financial statements and a failure to perform sufficient procedures or adequately document the procedures to obtain assurance of fair value measurements. Additionally, peer reviewers have found instances when accounts receivable weren’t confirmed and the reasons for not confirming were either not documented or didn’t meet the exceptions for confirming accounts receivable in the auditing standards. Peer reviewers also noted that some auditors failed to communicate or failed to document required communications with those charged with governance.

Peer reviewers have also noticed deficiencies related to management representation letters. Matters included failure to:

■ Update the letter in conformity with the auditing standards requirements

■ Date the letter appropriately

■ Include appropriate financial statement periods

■ Include the required representations

Also, you should be careful when comparing balances to prior year amounts. The basis for an expectation should be audited and documented. If the expectation is the current year amount will be similar to the prior year, then the prior year amount is the expectation. However, if the expectation is that the amounts won’t be similar because of some known event, then the prior year balance should be adjusted for the known event (that is, the expectation should be developed) before making the comparison. For example, if you are analyzing current year salaries expense, the prior year balance would be adjusted for changes in headcount and salary increases to determine if the current year balance is reasonable.

Finally, peer reviewers have reported that there are failures to include audit documentation that contains sufficient competent evidence to support the firm’s opinion on the financial statements. You need to make sure that such documentation is included in the workpapers. As a reminder, all of the audit documentation needs to be wrapped up by the document completion date. In an electronic environment, that includes making sure that the trash folder is emptied and unfiled workpapers are either filed or deleted.

OBSERVATION: Based on a new question included in AICPA peer review checklists, peer reviewers will be focusing more intently on the quality control policies and procedures that firms use to ensure that their guidance and quality control materials (whether developed in-house or obtained from a third-party provider) remain reliable, relevant and current based on new professional pronouncements and whether those materials are suitable for the firm’s practice. The focus will include whether those materials are appropriately tailored for an industry and, if purchased from a third-party vendor, whether the latest edition of those materials are being used.

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 7

2 Look Ahead and Plan Your Steps CarefullyBefore going on a hike, it is important for hikers to plan their route. Then, throughout the hike they should also be looking ahead at the next several steps or a further distance if possible. Likewise, in an audit you should ensure that an appropriate amount of time is set aside to plan the audit engagement. Planning audits involves establishing the overall strategy for engagements and developing audit plans. The nature, timing and extent of audit planning vary with the size and complexity of the entity and with your understanding of the entity and its environment, including internal control. However, audit planning should always include a risk assessment process. Some of the risk assessment procedures performed as part of planning, such as inquiries and analytical procedures, may provide audit evidence about relevant assertions related to account balances, transaction classes or disclosures.

OBSERVATION: The risk assessment and audit plan should drive audit procedures. In many cases, however, the planning is out of sync with the actual work performed during the audit engagement. For example, risks are identified in planning but the procedures aren’t modified to respond to those risks or no risks are identified and the auditor performs unnecessary detailed testing in an area because that’s what was done in the prior year. If time isn’t invested in the planning part of an audit engagement, your audit team is destined to make the same mistakes that were made in the prior year since they will likely be following prior year workpapers to perform the current year audit procedures.

We know you can’t spend all of your time planning, but the planning needs to be done at an appropriate level to drive the engagement procedures. So invest the necessary time in planning.

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 8

3 Be Especially Cautious If You Are On a New TrailNew authoritative literature being issued is much like hiking on a new trail because there are new requirements that you need to learn, understand and apply to avoid being tripped up. Activity has been relatively quiet at the AICPA related to audit standards, with only two Statements on Auditing Standards having narrow impact being issued in the last two years. However, Statement on Standards for Attestation Engagements (SSAE) 18 was issued in April, and it includes significant changes for nontraditional engagements — such as agreed-upon procedures engagements and examinations. SSAE 18 will be effective for reports dated on or after May 1, 2017, so be prepared if this new literature will impact your attest engagements. Also be aware that this new literature will affect your engagement letters for those engagements in which the report is dated on or after May 1, 2017, even if the engagement letters are issued well before May 1, 2017. Thus, before beginning an attestation engagement, carefully consider when the report is expected to be issued.

For preparation, compilation and review engagements, SSARS 23, Omnibus Statement on Standards for Accounting and Review Services — 2016, was issued on October 25, 2016. Some of the provisions were effective immediately while others are effective for prospective information prepared on or after May 1, 2017, or compilation reports on prospective financial information dated on or after May 1, 2017. One of the provisions that is effective immediately is a change in the standard language for reporting on reviewed financial statements accompanied by supplementary information.

OBSERVATION: In addition, we’re still seeing compilation or review reports being issued that weren’t updated for SSARS 21, Statements on Standards for Accounting and Review Services: Clarification and Recodification, which was effective for periods ending on or after December 15, 2015.

On the accounting trail, the FASB has been very active. In the last 18 months alone, the FASB has issued approximately 30 new Accounting Standards Updates (ASUs). Some of these ASUs have focused on simplifying accounting and reporting matters for nonpublic entities. In addition to considering pronouncements that are effective this year, the FASB in particular has issued several significant standards that have delayed effective dates, such as the ASUs on revenue recognition and the one on leases. While those standards don’t apply to audits this year, you need to learn at

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 9

least the main provisions of the ASUs so that you can start assessing their effect on your clients. You may want to start considering the clients that will be most impacted by the new standards, such as clients with significant operating lease commitments (especially if they have debt with covenants that might not be met if a large liability is recorded on the balance sheet) and industries with complex contracts with customers that will be most affected by the revenue recognition standard.

OBSERVATION: Auditors should also consider activity at the GASB, PCAOB and SEC if their firms practice in those areas.

4 Use the Resources Available to YouJust like experienced hikers who often choose to wear high-quality hiking shoes or boots and use hiking poles to provide support and balance, if you provide audit and attest services, you should use the appropriate resources that are available to you. Some of our suggestions follow.

Related Resources

PPC’S GUIDE TO AUDITS OF NONPUBLIC COMPANIES PPC’s Guide to Audits of Nonpublic Companies provides the industry leading audit approach for nonpublic commercial entities that is thorough, yet practical; effective, yet efficient. It includes the planning tools you need to identify risks and helps you select appropriate audit procedures to respond to those risks. The Guide provides an approach that is easily implemented, whether you have a large audit practice or perform only a few audits.

Learn More.

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 10

PPC’S GUIDE TO QUALITY CONTROL

PPC’s Guide to Quality Control provides the overarching policies and procedures that the quality control checklists, programs and practice aids in PPC’s Audit and Accounting Guides support. This Guide provides a comprehensive approach for designing and implementing a quality control system that complies with all of the quality control standards and at the same time is practical and cost-effective for firms of all sizes. The Guide also includes a peer review chapter to provide all the information you need to go through the peer review process and pass peer review.

Learn More.

PPC’S GUIDE TO AUDITOR’S REPORTS PPC’s Guide to Auditor’s Reports contains a unique blend of practical solutions and authoritative references that takes a “how-to” approach to many of the reporting problems encountered in audit engagements. It illustrates and explains more than 275 auditor’s reports common to nonpublic companies. Each report has references to authoritative literature plus comprehensive narratives that expand on authoritative guidance and anticipate many of the potential problems encountered in drafting an auditor’s report.

Learn More.

PPC’S GUIDE TO NONTRADITIONAL ENGAGEMENTS PPC’s Guide to Nontraditional Engagements gives you everything you need to perform the most requested specialized services, such as agreed-upon procedures, engagements to report on specified elements, attestation engagements and other engagements that fall outside your traditional practice. It provides comprehensive discussions of the professional standards that apply to each type of engagement and a complete set of practice aids, including engagement letters, management representation letters and procedures and reporting checklists.

Learn More.

PPC’S GUIDE TO COMPILATION AND REVIEW ENGAGEMENTS PPC’s Guide to Compilation and Review Engagements contains hundreds of practice aids, sample reports, sample disclosures and financial statements to help you perform your engagements correctly and with maximum efficiency. These timesaving tools also help you stay in compliance with professional standards and peer review requirements.

Learn More.

CHECKPOINT ENGAGE™ In a constantly changing audit landscape, there’s a new way to achieve the efficiency, accuracy and consistency needed to stay afloat. Thomson Reuters Checkpoint Engage is a fully integrated online audit solution. We’ve enhanced our trusted, risk-based engagement process while ensuring version control and staff access are issues of the past.

Learn More.

4 WAYS TO AVOID AUDIT AND ATTEST DEFICIENCIES 11

SMART PRACTICE AIDS® AUDIT SUITE

SMART Practice Aids Audit Suite is an innovative suite of products designed with the audit and accounting professional’s workflow in mind to enable you to work more efficiently and effectively. This dynamic automation of expert content in an unparalleled breadth of specialized industries is unmatched in the industry and used by tens of thousands of practitioners nationwide.

Learn More.

CHECKPOINT LEARNING® Checkpoint Learning provides the highest quality continuing professional education from the Tax & Accounting business of Thomson Reuters. Build your CPE plan from on-location, online and print options with hundreds of titles including hot topics and in-depth specialty learning.

Learn More.

T-600986 12-2016 DGM

Visit tax.tr.com

CONTACT US...For more information, visit tax.tr.com or call 800.950.1216.

About Thomson Reuters®

Thomson Reuters is the world’s leading source of news and information for professional markets. Our customers rely on us to deliver the intelligence, technology and expertise they need to find trusted answers. The business has operated in more than 100 countries for more than 100 years. Thomson Reuters shares are listed on the Toronto and New York Stock Exchanges.

For more information, visit tr.com.

About Thomson Reuters Checkpoint®

Thomson Reuters Checkpoint is the industry leader in providing intelligent information to tax and accounting professionals — including expert research, guidance, cutting-edge technology and tools, learning and news in a variety of formats. With our respected content including PPC, RIA, WG&L, EBIA and Quickfinder, Checkpoint is relied on by thousands of professionals around the world to understand complex information, make informed decisions and use knowledge more efficiently.

97 of the Top 100 U.S. Law Firms, 99 of the Fortune 100 and all of the Top 100 U.S. CPA Firms trust Thomson Reuters Checkpoint to help them make the right decisions for their business.