Communicating Internal Control Related Matters Identified in an Audit AU-C Section 265—Part 2

Determining Reportable Control Deficiencies 

According to AU-C Section 265, only significant deficiencies and material weaknesses are required to be included in the internal control communication letter.  Significant deficiencies and material weaknesses arise from risks of material misstatements.  For small audits, risks of material misstatements are primarily the absence of key controls at the entity level, either in design or in operation. For larger entities with more accounting personnel, key controls will exist at both the entity and activity levels. An identified risk of material misstatement will be reported to management in the internal control letter, even though it may have been corrected.

To facilitate the risk assessment process, and the ultimate reporting of significant deficiencies and material weaknesses, it is imperative key controls be identified and evaluated during the planning and risk assessment phases of an audit.  Based on internal control documentation, identified risks will impact the development of cost-beneficial audit strategies, the audit plan (program) and the internal control communication letter. 

Reporting Deficiencies in Subsequent Years

For some smaller clients, changes in accounting policies and procedures are slow.  Employees that lack necessary qualifications to make accounting or internal control decisions, no free time to design and administer internal controls improvements and lack of understanding of the importance of internal controls, among other reasons, can hinder reception of an auditor’s suggestions for improving internal controls.

In these situations, section AU-C 265 requires reporting significant weaknesses and material weaknesses until management takes appropriate corrective action. If an auditor’s attempts to help a client improve are not acknowledged or acted on, or if the recommendations to correct deficiencies are not considered practical by management, the suggestions must be communicated in the letter each year after the first.

Suggestions that may fall into this area are:

• Significant deficiencies

o       Management’s expertise for selecting and applying accounting principles is lacking

o       No designed or operating anti-fraud programs

o       No controls over unusual or extraordinary transactions

o       No controls over monthly or annual closing in the financial reporting process

• Material weaknesses

o       Ineffective governance over controls and reporting

o       Material misstatements requiring adjustment

o       Identification of any management fraud

o       Management’s failure to assess the effects of previous deficiencies and take action or decide not to take action

o       A large number of control deficiencies indicating a weak control environment

Illustrative Internal Control Communication Letter

To: Don West, President

Always Best Corporation

In planning and performing our audit of the financial statements of Always Best Corporation (the "Corporation") as of and for the year ended December 31, 2015, in accordance with auditing standards generally accepted in the United States of America, we considered the Corporation's internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Corporation's internal control. Accordingly, we do not express an opinion on the effectiveness of the Corporation's internal control.

Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses or material weaknesses or significant deficiencies and therefore, material weaknesses or material weaknesses or significant deficiencies may exist that were not identified. However, as discussed below, we identified certain deficiencies in internal control that we consider to be material weaknesses or significant deficiencies.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

We consider the following deficiencies in the Corporation's internal control to be material weaknesses (actual letter descriptions would be specific and describe potential effects):

o       Ineffective governance over controls and reporting

o       Material misstatements requiring adjustment

o       Identification of any management fraud

o       Management’s failure to assess the effects of previous deficiencies and take action or decide not to take action

o       A large number of control deficiencies indicating a weak control environment

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the following deficiencies in the Company's internal control to be significant deficiencies (actual letter descriptions would be specific and describe potential effects):

o       Management’s expertise for selecting and applying accounting principles is lacking

o       No designed or operating anti-fraud programs

o       No controls over unusual or extraordinary transactions

o       No controls over monthly or annual closing in the financial reporting process

(When only significant deficiencies are being communicated, a statement would be added indicating none of the significant deficiencies are material weaknesses.)

This communication is intended solely for the information and use of management and the board of directors of Always Best Corporation.

Largess Ottiter & Co., CPAs

Anywhere, USA

March 15, 2016 (The letter should be issued within 60 days of the report release date, which is the final date for completing and locking down engagement files.)

My exclusive presentations of webcasts on CPE Credit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics.

My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.

Communicating Internal Control Related Matters Identified in an Audit AU-C Section 265,—Part 1

Objective of the Auditor

The objective of the auditor is to appropriately communicate to those charged with governance and management significant deficiencies in internal control that the auditor has identified during the audit and that, in the auditor’s professional judgment, is of sufficient importance to merit attention by governance and management persons.

Definitions

Deficiency in internal control—a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

A deficiency in design exists when a control necessary to meet the control objective is missing or an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.

A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Material weakness—a deficiency or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Significant deficiency--a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

Illustrative Letters

This SAS contains illustrative written communications which can be downloaded from www.aicpa.org :

·      Exhibit A: Illustrative Written Communication

·      Exhibit B: Illustrative No Material Weakness Communication

·      Exhibit C: Examples of Circumstances That May Be Deficiencies, Significant Deficiencies, or Material Weaknesses

Practical Note:

Internal control is always relevant to the nature, size and complexity of a reporting entity.  Therefore, so should be the contents of the internal control communication letter.  Smaller entities will ordinarily have more informal control activities performed by one or a few individuals.  For smaller entities, key controls performed at the entity level will ordinarily have the most pervasive effects for preventing errors or fraud from occurring and going undetected.

Evaluating Control Deficiencies

Consideration of the magnitude of a potential deficiency and whether there is a reasonable possibility that controls will not prevent, detect or correct it is necessary to determine its severity.

The magnitude of a deficiency is related to financial statement amounts or totals of transactions considering both volume and activity.

A reasonable possibility of preventing, detecting or correcting a potential misstatement is affected by risk factors that could cause a misstatement of an account balance.  Those risk factors include:

• Nature of accounts, transactions classes and relevant assertions involved—the risk inherent in the information can be significant or not.
• Susceptibility of loss or fraud of related asset or liability—ease of misappropriation or misstatement will affect risk.
• Ability to determine the amount involved—the subjectivity, complexity or amount of judgment required may increase risk.
• Offsetting controls—they may or may not prevent, detect or correct misstatements.
• Relationship to other deficiencies—the number of deficiencies could increase the risk of misstatement.
• Future effects of the deficiency—probable changes in size of the entity, volume of transactions, increases or decreases in personnel and other factors may increase or decrease risk.

Deficiencies affecting the same account, transaction, disclosure, assertion or component of internal controls should be considered together to determine significant deficiencies or material weaknesses.  Offsetting or compensating controls may limit the severity of a deficiency, but tests of controls or more extensive systems walk-through procedures must be performed to evaluate their operating effectiveness. 

Following is a list of situations that may result in control deficiencies, significant deficiencies, or material weaknesses:

·      Inadequate or insufficient design of internal control over:

o       Financial statement preparation.

o       Significant transactions or account balances.

o       The control environment.

o       Segregation of duties among personnel.

o       Information processing.

o       Hiring qualified personnel.

·      Properly designed controls that are not operated properly for:

o       A significant transaction, process or account.

o       Producing complete and accurate reports.

o       Safeguarding assets.

o       Reconciliation of subsidiary ledgers.

o       Preventing management override of controls.

Some deficiencies that are commonly considered at least significant deficiencies and must be separately identified in the letter:

·      The absence of anti-fraud programs.

·      No controls over non-routine transactions are operating.

·      No controls over the use of accounting principles.

·      No controls over general ledger accounting activities and the financial reporting process.

Certain circumstances are always indicative of material weaknesses, which must be separately identified in the letter:

• Any fraud by senior management, regardless of amount.
• Prior period restatements due to error or fraud.
• An auditor’s identification of a material misstatement that was not detected by controls.  These usually will result in proposed journal entries.
• Ineffective governance over financial reporting and internal control.

If the circumstance is determined not to be a material weakness, the auditor must consider what “prudent officials” would conclude in the same circumstances.  In a seminar on fraud in Miami, participants were asked what standard they use to determine if a fraud occurred.  A participant responded his standard was the Miami Herald (local newspaper) standard!  In other words, what a newspaper reporter might define as fraud could differ from audit standards.  What a prudent official might define as a material weakness could be different than an auditor’s definition!

Part 2 will discuss other issues from AU-C Section 265.

My exclusive presentation of webcasts on CPE Credit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics.

My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.

Clarified Auditing Standard--Consideration of Laws and Regulations (AU-C 250)

SAS Consideration of Laws and Regulations in an Audit of Financial Statements supersedes SAS No. 54, Illegal Acts by Clients (AICPA, Professional Standards, vol. 1, AU sec. 317).

Effect of Laws and Regulations

The impact of laws and regulations on financial statements varies considerably and the applicable laws and regulations constitute the legal and regulatory framework of an entity.

Some laws or regulations have provisions with a direct effect on the financial statements because they determine the reported amounts and disclosures required in an entity’s financial statements. Other laws or regulations are to be complied with by management, or set the provisions under which the entity is allowed to conduct its business, but do not have a direct effect on an entity’s financial statements.

Some entities operate in heavily regulated industries (such as banks and chemical companies) while others are subject only to the many laws and regulations that relate generally to the operating aspects of the business (such as those related to occupational safety and health and equal employment opportunity).

Noncompliance with laws and regulations may result in fines, litigation, or other consequences for the entity that may have a material effect on the financial statements.

Responsibility for Compliance with Laws and Regulations

Responsibility of Management:

Management’s responsibility, with the oversight of those charged with governance, is to ensure that the entity’s operations are conducted in accordance with the provisions of laws and regulations, including compliance with the provisions of laws and regulations that determine the reported amounts and disclosures in an entity’s financial statements. 

Responsibility of the Auditor:

The requirements in this SAS are designed to assist the auditor in identifying material misstatement of the financial statements due to noncompliance with laws and regulations. The auditor is not responsible for preventing noncompliance and cannot be expected to detect noncompliance with all laws and regulations.

The auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by fraud or error. The auditor is responsible for taking into account the applicable legal and regulatory framework during the planning and execution of the audit procedures. 

In the context of laws and regulations, the potential effects of inherent limitations on the auditor’s ability to detect material misstatements are greater for the following reasons:

·      Many laws and regulations (relating principally to the operating aspects of an entity) typically do not affect the financial statements and are not captured by the entity’s information systems relevant to financial reporting.

·      Noncompliance may involve acts designed to conceal it, such as collusion, forgery, deliberate failure to record transactions, management override of controls, or intentional misrepresentations made to the auditor.

·      Whether an act constitutes noncompliance is ultimately a matter for legal determination, such as by a court of law. 

This SAS distinguishes the auditor’s responsibilities in relation to compliance with the following two categories of laws and regulations that may have a material effect on the financial statements of the company:

1.      The provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements, such as tax and pension laws and regulations.

2.      The provisions of other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements but compliance with which may be:

a.       fundamental to the operating aspects of the business, or

b.      fundamental to an entity’s ability to continue its business, or  necessary for the entity to avoid material penalties (for example, compliance with the terms of an operating license, regulatory solvency requirements, or environmental regulations). 

Differing requirements are specified for each of the previously mentioned categories of laws and regulations:

1.      The auditor’s responsibility for direct effect laws and regulations is to obtain sufficient appropriate audit evidence regarding material amounts and disclosures in the financial statements that are determined by the provisions of those laws and regulations.

2.      The auditor’s responsibility for indirect effect laws and regulations is limited to performing specified audit procedures that may identify noncompliance with those laws and regulations that may have a material effect on the financial statements. 

The auditor is required to remain alert to the possibility that other audit procedures applied for the purpose of forming an opinion on financial statements may bring instances of identified or suspected noncompliance with laws and regulations to the auditor’s attention. 

Practical Note: This SAS requires determination and consideration of direct and indirect laws and regulations during the planning and performance phases of an audit engagement. A section of a planning document, as well as other documentation created during engagement performance, should include evidence of compliance with these requirements.

Reference to the sources of requirements of applicable direct and indirect laws and regulations, as well as any necessary computations demonstrating compliance, should be included in engagement documentation. In the case of pension costs or income taxes for example, calculations supporting recorded amounts should be included.  When non-compliance of indirect effect laws and regulations is discovered, calculations of any penalty amounts should be included.

My exclusive presentation of webcasts on CPE Credit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics.

My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.

Clarified Auditing Standard--Consideration of Fraud in a Financial Statement Audit, Part 2 (AU-C 240)

In the first part of this article, key requirements of the standard were summarized.  This second part will discuss application issues pertinent to today’s audit practice, including the identification and assessment of risks of material misstatement due to fraud, auditors’ responses, the evaluation of evidence, communications with management and persons charged with governance and audit documentation of these issues.

Identifying and Assessing Potential Fraud Risks

As it is with risk of material misstatement due to error, auditors must identify and assess potential fraud risks at the financial statement and assertion levels throughout an engagement. Because there is a required presumption fraud exists in revenue recognition, an auditor must evaluate which types of revenues, transactions or assertions cause such risks. Revenues can be overstated by recording transactions before revenue is earned or by recording fictitious revenues. Assessed risks related to revenue recognition should be considered significant and an entity’s related internal control system should be evaluated.  When the internal control system for revenues is not appropriately designed and operated, other audit responses will be necessary.

Audit Responses to Assessed Fraud Risks

Overall responses to assessed fraud risks include assigning personnel to the engagement, or to sections of the engagement, that have knowledge and experience commensurate with the degree of risk. Particular attention should be paid to subjective measurements and large, unusual and complex transactions throughout the reporting period, particularly during the last month of the period.

In responding to other assessed risks of fraudulent financial reporting and misappropriation at the financial statement and assertion levels, the auditor may also incorporate more unpredictability in the nature, extent and timing of auditing procedures. While lower limits for individually significant items are derived from calculations of performance materiality or tolerable misstatement, higher risk factors will result in lower limits, thereby requiring 100% audit of more individually significant items to mitigate the risks. Numerous other responses to assessed risks at the assertion levels are outlined in Appendix B to AU-C 240.

Evaluating Evidence

When misstatements are discovered throughout the audit, the auditor should determine if they possibly indicate fraud. When fraud is indicated, the auditor should qualitatively evaluate the impact and previous determination of materiality levels, the integrity of management and employees and the validity and reliability of management representations.

If management is involved or collusion is suspected, the audit strategy and audit plan should be re-evaluated and additional substantive procedures performed as necessary.  If sufficient additional evidence cannot be obtained, the auditor should consider the possibility of withdrawal from the engagement under applicable laws or regulations.

Communications with Management and Persons Charged with Governance

When a fraud has been identified or evidence has been gathered that indicates a fraud may exist, the auditor should communicate the circumstances to management or persons charged with governance, at least one level above the level of the fraud or suspected fraud. In a partnership or LLC when a partner is suspected of perpetrating the fraud for example, other partners or persons charged with governance should be informed of the matters. The same would be true when officers or management persons are suspected in other for-profit and non-profit organizations.

Audit Documentation

In addition to the evidence requirements in AU-C 315 (to be discussed in a later article) engagement documentation should include:

·      Decisions reached regarding potential fraud risks in the engagement team planning and brainstorming meeting.  This documentation would normally be part of a Planning Document.

·      Identified and assessed fraud risks of material misstatement and the linking of overall and specific audit responses at both the financial statement and assertion levels.  This documentation should include the results of those audit responses and auditor decisions regarding their findings, including those designed to address the risk of management override of controls..

·      The communications about fraud to management and persons charged with governance, their responses and the auditor’s resulting actions.

·      The circumstances of the engagement that have overcome the presumption that there is risk of material misstatement due to error or fraud, along with the auditor’s reasoning about those circumstances.

My exclusive presentation of webcasts on CPE Credit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics. My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.

Clarified Auditing Standard--Consideration of Fraud in a Financial Statement Audit (AU-C 240)

While fraud issues have been considered by auditors for many decades, and while this statement is a redraft of SAS No. 99, opportunities for perpetrating fraud using technology and other means still abound.  In this first part of two articles, key requirements of the statement will be discussed.  The second part will discuss application issues pertinent to today’s world of audits.

Considered along with material misstatement due to error, fraud can cause misstatements from fraudulent financial reporting and from misappropriation of assets.  Management and those charged with governance have the primary responsibility for the prevention and detection of these frauds.

Auditor Responsibilities

Normally, the risk of not detecting material misstatements due to fraud is higher than not detecting misstatements due to error. This may occur because perpetrators of fraud may use carefully designed methods of forgery, transactions recording and misstatements.  In addition, collusion among several persons may be used to conceal the fraud. The risk of management fraud not being detected is usually greater than employee fraud because management has a greater opportunity to override internal controls and manipulate accounting information.

Professional Skepticism

Defined in the basic objectives of the Clarified Auditing Standards, professional skepticism is:

“An attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence.”  

Risk of material misstatement at the financial statement and assertion levels will affect the degree of the auditor’s professional skepticism.  While an auditor will always maintain professional skepticism, higher assessed levels of risk of material misstatement should result in higher levels of professional skepticism.  For example, when risk of material misstatement is high, an auditor should request supporting documentation to corroborate management’s responses to inquiries.

Engagement Team Discussion

In the engagement team’s planning and brainstorming meeting, the engagement leader (partner, sole practitioner, etc.) should facilitate a discussion about possible misrepresentation of financial information and misappropriation of assets. The engagement team should hold this discussion by disregarding beliefs and knowledge of the honesty and integrity of entity management and employees.  Particularly for recurring audits, familiarity with the honesty and integrity of reporting entity personnel may cause an auditor’s professional skepticism to inadvertently decrease. Complying with the specific requirements of this statement, and a CPA firm’s quality control system, will provide safeguards to prevent this possibility.

Some of the matters that should be discussed at the engagement team meeting include:

·      All internal and external factors that could be part of the “fraud triangle:”

§         Incentives and pressures to commit fraud.

§         Opportunities to perpetrate fraud.

§         Rationalizations for committing fraud.

·      Possibilities and risk of management override of controls.

·      Circumstances that might cause management to manage, manipulate or misstate financial information.

·      How professional skepticism should be maintained during the audit and how team members should respond to assessed levels of risk of material misstatement.

Fraud Risk Assessment Procedures

Discussions with management and others included in the auditor’s risk assessment procedures may include:

·      Management’s internal control risk assessment and monitoring processes.

·      Management’s communication with persons charged with governance regarding risk assessment, monitoring and any planned corrective actions.

·      Management’s communication of business practices and ethical behavior to employees.

·      Management’s and persons charged with governance knowledge of alleged, suspected or actual fraud.

·      Persons charged with governance oversight of management’s processes and internal controls for identifying and responding the risks of fraud.

·      Results of the auditor’s analytical procedures and any unusual or unexpected relationships that may be indicative of fraud.

Part 2 of this article will discuss further the identification and assessment of risks of material misstatement due to fraud, auditor’s responses, the evaluation of evidence, communications with management and persons charged with governance and audit documentation of these issues.

My exclusive presentation of webcasts on CPE Credit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics. My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.

Clarified Auditing Standard--Audit Engagement Quality Control

System of Quality Control and the Role of Engagement Teams

QC Section 10, A Firm’s System of Quality Control, contains quality systems, policies and procedures that are the responsibilities of entities performing attest engagements.  Engagement teams have the responsibility to implement quality control procedures relevant to attest engagements.  Under this Statement, among other requirements, audit engagement teams must comply with independence requirements in a firm’s quality control system.

Leadership Responsibilities

An engagement leader (partner, sole practitioner, shareholder, etc.) has overall responsibility for audit engagement quality. Other members of the engagement team may be relied upon to carry out aspects of a firm’s quality control system.

Relevant Ethical Requirements

Throughout an engagement, the engagement leader and other members of the engagement team must remain alert for potential non-compliance with relevant ethical requirements and take appropriate action if non-compliance occurs.

The engagement leader should identify and evaluate information for the firm and any network firms that create threats to independence.  In such cases appropriate safeguards should be applied or, if safeguards do not eliminate the threat, withdraw from the engagement.

Acceptance and Continuance of Clients and Engagements

The engagement leader is responsible for determining proper quality control procedures have been performed when accepting new clients or performing new engagements for existing clients.  A quality control system requirement for many years, a client evaluation can be a first line of defense against serving clients with less than acceptable integrity.  In fact, this evaluation should provide information that will affect the assessed level of risk at the financial statement level.  Information gathered during this evaluation regarding the integrity of management, potential going-concern problems and use of the financial statements, among other matters, is referred to as “business risk” in the Statement.

Assignment of Engagement Teams

All members of the team should have appropriate competence and capabilities to properly conduct and report on the engagement. A practical rule is to assign team members to an engagement and specific responsibilities when the have experience commensurate with assessed levels of risk.  When this rule can’t be followed, the engagement leader will be required to provide more, and more frequent, supervision throughout the engagement.

Engagement Performance

The engagement leader has responsibility for the direction, supervision, performance and review of the engagement. The leader should be actively involved from the beginning of the engagement and throughout its performance and completion.  Engagement documentation should contain evidence of this involvement. This documentation may consist of an engagement review checklist, evidence on electronic file trees and/or individual working papers, or clear description of time charges entered into a firm’s time and billing system.

Consultation

The engagement leader is responsible for appropriate consultation being performed by the engagement team regarding difficult or contentious matters.

Engagement Quality Control Review

When firm policies indicate a quality control review is required, the engagement leader should appoint a reviewer, discuss significant findings or issues with the reviewer and release the auditor’s report only when the review if completed.  The reviewer should perform an evaluation of significant judgments made and conclusions reached by the engagement team. A reviewer will discuss findings or issues with the engagement leader, read the financial statements and report, review selected documentation and determine the auditor’s report is appropriate.

The results of the quality control review, and the results of the firm’s most recent monitoring process, should be considered by the engagement leader in completing the engagement.

Documentation

Specific audit engagement documentation should include:

·      Identification and resolution of relevant ethical requirements.

·      Client acceptance and continuance evaluations.

·      The nature of consultations and conclusions reached.

·      The procedures performed and the results of the engagement quality control review.

Practical Note:

A major impact of this pronouncement relates to SQCS No. 8 (QC 10).  This standard emphasizes the importance of integrating quality control policies and procedures into engagement performance.  Such quality control elements as leadership involvement, client acceptance and continuance decision-making and consultations must be documented in engagement files. The AICPA’s practice aid, Establishing and Maintaining a System of Quality Control for a CPA Firm’s Accounting and Auditing Practice, contains illustrative policies and procedures for various size firms, including sole practitioners. This Practice Aid is currently available free from the AICPA (www.aicpa.org).

My exclusive presentation of webcasts on CPE Credit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics. My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.

Clarified Auditing Standard--Terms of Engagement, Part 2 (AU-C 210)

In my last article, the objectives and content of engagement letters was discussed.  Following are some additional issues from AU-C Section 210 and a discussion of planning issues that an engagement leader may wish to discuss with management and/or persons charged with governance when the engagement letter is delivered.

As a reminder, the auditor’s objective is to accept an audit engagement for a new or existing audit client only when the basis upon which it is to be performed has been agreed upon through:

·      Establishing whether the preconditions for an audit are present and

·      Confirming that a common understanding of the terms of the audit engagement exists between the auditor and management and, when appropriate, those charged with governance.

Preconditions for an audit include the use by management of an acceptable financial reporting framework in the preparation of the financial statements and the agreement of management and, when appropriate, those charged with governance, to the premise on which an audit is conducted.

Additional Issues in Engagement Letters

·      Initial audits, including reaudit engagements –Covers steps the auditor should take before accepting an engagement for an initial audit (or a reaudit engagement) including requesting:

o       Management to authorize the predecessor auditor to respond fully to the auditor’s inquiries regarding matters that will assist the auditor in determining whether to accept the engagement.

§         Should management refuse to authorize the predecessor auditor to respond, or limits the response, the auditor should inquire about the reasons and consider the implications of that refusal in deciding whether to accept the engagement.

§         The auditor should evaluate the predecessor auditor’s response, or consider the implications if the predecessor auditor provides no response or a limited response, in determining whether to accept the engagement.

·      Recurring Audits –Covers requirements in assessing whether circumstances require the terms of the audit engagement to be revised. 

o       Acceptance of a change in the terms of the audit engagement--Covers the auditor’s consideration of changes to the terms of the audit engagement when no reasonable justification for doing so exists.

§         If the terms of the audit engagement are changed by agreement, the auditor and management should agree on and document the new terms of the engagement in an engagement letter or other suitable form of written agreement.

o       If the auditor concludes that no reasonable justification for a change of the terms of the audit engagement exists and is not permitted by management to continue the original audit engagement, the auditor should:

§         Withdraw from the audit engagement when possible under applicable law or regulation.

§         Communicate the circumstances to those charged with governance, and

§         Determine whether any obligation, legal, contractual, or otherwise, exists to report the circumstances to other parties, such as owners, or regulators.

·      Additional considerations in engagement acceptance

o       Auditor’s report prescribed by law or regulation

§         If law or regulation prescribes a specific layout, form, or wording of the auditor’s report that significantly differs from the requirements of GAAS, the auditor should evaluate:

ü      Whether users might misunderstand the auditor’s report and, if so,

ü      Whether the auditor would be permitted to reword the prescribed form to be in accordance with the requirements of GAAS or attach a separate report.

§         If the auditor determines that rewording the prescribed form or attaching a separate report would not be permitted or would not mitigate the risk of users misunderstanding the auditor’s report,

ü      The auditor should not accept the audit engagement unless the auditor is required by law or regulation to do so.

ü      When audit performed in accordance with such law or regulation does not comply with GAAS, the auditor should not include any reference to the audit having been performed in accordance with GAAS within the auditor’s report.

Practical Note

Because an engagement letter forms a contract between the reporting entity and the auditor, and because both parties to the contract must understand its contents for it to be valid, the letter should be delivered by the engagement leader or partner.  In addition to the contents of the letter, other important planning considerations should be discussed and documented when the letter is delivered. Following are some specific items that should be discussed:

·      Reach an understanding about the nature of the engagement, as well as client and CPA firm responsibilities.

·      Discuss management’s responsibilities for selecting the most appropriate financial reporting framework, designing and maintaining internal control systems and preparing financial statements and footnotes.

·      Discuss current client issues, including any affects of economic climate.

·      Request management to contact the predecessor auditor (if prior period statements were audited) to obtain permission for review of the prior year audit documentation or discuss the necessary additional audit procedures applicable to opening balances.

·      Make fraud inquiries.

·      Arrange for proper workspace.

·      Arrange for client assistance.

·      Finalize dates for interim and year end fieldwork.

·      Discuss target dates.

·      Discuss range of audit fees and affects of variables (problems, no client assistance, etc.).

·      Document discussions in partner participation memo.

·      Discuss financial statements and footnotes. If possible, prepare a rough draft or block out financial statements and footnotes for discussion.

My exclusive presentation of webcasts and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20% discount on CPE materials presented by myself and numerous other authors on a variety of professional topics. My assistance in CPA firm quality control consulting, audit planning and peer review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.