Peer Reviews

 

This information is created to give you an update on what’s happening in peer reviews. It is intended as a quick heads up on the more common items being found on peer reviews, and may keep you from having these become problems on your peer review. We are members of the AICPA Governmental Audit Quality Center, and we encourage firms that do governmental audits to join this Center. Items in this memo are not authoritative, just our best guess as to how to handle these situations.

Clarified Auditing Standards are effective for periods ended on or after 12/15/12. Make sure you are familiar with these and the new reports in effect under these standards. These now affect all of us, and peer review checklists are based on these.

Governmental Audits & CPE If you do governmental (yellow book) audits (including yellow book Not-For-Profits) your reviewer is required to select one or more of these engagements for review. If you do Single Audits (Cir A-133), one of these must also be reviewed (can sometimes be combined with the yellow book engagement). Make sure you have the required 80hrs of A&A and meet the yellow book requirements. Also, make sure your last peer review has been made available to the public.

A-133 Audits are a required pick for peer review engagements. Congressional interest continues to increase, and these audits are being heavily scrutinized at all levels. Two additional checklists have been added for peer reviewers specifically for A-133 audits, and these checklists are provided to the FICPA peer review administrator. These are very detailed, so expect your A-133 audits to be reviewed in more detail than other audits. During our peer reviews, we will ask for copies of your workpapers to see how you selected the major programs to be audited and your specific risk assessment for the single audit. These workpapers will usually be submitted to the FICPA along with the review checklists. These engagements are being selected for oversight by the AICPA, who reviews all work papers, including yours.

In your documentation, you need to be clear between internal control testing of the financial and accounting systems and testing of internal controls over compliance. Many firms don’t recognize the difference, which is a problem. Call us if you’re confused by this.
Monitoring
If you perform audits, monitoring your practice is required by standards. This is still widely misunderstood. This means that you must have a method of monitoring your quality control system and engagements each year. As peer reviewers, we generally expect to see some checklists and disclosure checklists that were used to review some of your engagements that were not done as part of the engagement itself, i.e., checklists where you came back after the fact and reviewed selected engagements. Documentation is required; a brief memo saying you performed monitoring it is not enough; you should include notes, checklists, and memos of what was found and what corrective action was (or will be) taken. The AICPA and PPC both have some good practice aids for monitoring.

Independence (101-3) AICPA Ethics Interpretation 101-3, Performance of Nonattest Services is still being misunderstood by some firms, and is receiving renewed emphasis. If you do compilations for a client and also do their tax return, 101-3 applies, and you must document (in writing) your understanding with the firm and the documentation must include the items outlined in 101-3. Many firms, including ours, have elected to include this information in our new engagement letters. Reviewers expect to see some 101-3 documentation on each engagement selected for review. Important note: the new yellow book significantly increases the documentation requirements for yellow book audits; pay careful attention to these requirements and make sure you have the appropriate documentation; PPC has a good set of checklists for this. This checklist is in addition to the 101-3 checklist.
Note that the GAO has published guidance that the preparation of financial statements by the auditor is a significant threat to independence, and you must document how you overcome this. You will need to document the skills, knowledge, and experience of the specific person that will oversee this function. Use that additional PPC checklist!
Engagement Quality Control Reviews (EQCR) Under the new Quality Control Standards, firms must document their criteria for performing Engagement Quality Control Reviews (EQCR) in their quality control documents. Once the criteria are established, the firm must follow that criteria, and perform the EQCR on the engagements specified. These reviews must be completed prior to the engagement being released. Your reviewer should be able to determine which engagements must come under EQCRs by reading your quality control policies and procedures and will check to see if it was performed. In general, your EQCRs should include your more risky engagements, and not all engagements.

SSARS 21 is here, SSARS 19 is gone. This is for compilations and reviews. Your compilation letters, etc have changed again, so make sure you review the changes brought about by SSARS 21. Yes, for SSARS 19 you got written up for not including a title on your report letter; under SSARS 21, titles on compilation reports are not allowed. Go figure. SSARS 21 is now in effect, so make sure you are familiar with it. Failure to conform to SSARS 21 will likely cause a non-conforming engagement.

New SAS’s Firms are still struggling with understanding and implementing the some of the recent SAS’s.
SAS’s No. 104 through 111 concern the auditor’s risk assessment process and consideration of internal control. All audits are now expected to use the new risk assessment procedures; and if you did not, the engagement will likely have findings or deficiencies.
SAS 114 requires information about the auditor’s responsibility, the scope and time of the audit, and significant findings be communicated to those charged with governance, and that the communication be documented in writing. SAS 114 requires a pre audit communication and a post audit communication. Our firm has chosen to prepare a separate letter for each of these to satisfy the SAS 114 written documentation requirements. Examples of the SAS 114 letters are in the SAS, and PPC and other third party providers also have examples. Your engagement letter will not cover all of the items in the pre-audit SAS 114 communication; look at the example in PPC.
System walk-throughs are required by the new SAS’s, so your audit documentation should contain evidence of your transaction walk-through for each system reviewed for your audits. Please note: These are different from your system memos, as these walk-throughs are on specific transactions, and must be done each year.
Analytical Reviews. A preliminary and final analytical review is required on each audit, and you are required to document the auditor’s expectations during the preliminary analytical review. We see numerous cases where the expectations are not documented or the documentation was very weak.
Review of Adjusting Journal Entries. This is a required audit procedure and must be documented. You must document the journal entries you review; this is being missed by many.
Control Risk Assessed at lower than high - During your risk assessments, you normally assess inherent risk (IR), control risk (CR), and the risk of material misstatement (RMM) down to the assertion level for all significant audit areas. If you assess control risk as lower than high (e.g., moderate or low), you are required to test controls of this area to substantiate the risk is lower. Be careful with this risk assessment and make sure you test controls whenever you assess control risk as anything other than high. Call us if you are unsure.

Disclosures. These are some disclosures that are being missed by some firms:
Subsequent Event Disclosures (FASB ASC 450-20-50-9 and 10; 855-10-50-1 and 2). This requirement has been with us for several years now, but is being missed by many firms. The disclosure deals with a disclosure of management’s review of subsequent events. Even if no recognized subsequent events are discovered, the date through which subsequent events have been evaluated by management, and whether that date represents the date the financial statements were issued or were available to be issued must be disclosed.
Fair Value Disclosures (FASB ASC 820) Sometimes it’s clear that this disclosure is required, sometimes it’s not; this one is being debated by peer reviewers and auditors, but our firm includes a fair value disclosure in all of our full-disclosure financial statements. If you’re not sure it applies, we have some examples we’ve compiled that that you’re welcome to peruse.
Disclosure of Uncertain Tax Positions (FIN 48, ASC 740). The latest guidance on this is that this disclosure only needs to be made if the entity has an uncertain tax position. This includes the 3 year open audit period. This requirement incudes not-for-profits.
Out-of-Date Practice Aids. Don’t use them! This will almost always get you trouble.

You can find more details on each of these subjects on the internet and your professional publications. Feel free to
contact us if you have any questions.

 
Baggett, Reutimann &
Associates, CPAs, PA

6815 Dairy Road
Zephyrhills, FL 33542
Please feel free to contact us to inquire about our services or to schedule a new appointment. We look forward to hearing from you.

Tel: 1-813-788-2155