By Duncan Will, CPA, ABV, CFE, CFF, Loss Prevention Manager and Accounting & Auditing Specialist – CAMICO
Plaintiffs and their legal counsel often leverage noncompliance with professional standards to strengthen cases in support of allegations of harm caused by accountants. This article highlights risk management implications of recent professional standards and offers risk management tips regarding established standards governing financial statement services.
Neither the Auditing Standards Board (“ASB”) nor the Accounting and Review Services Committee (“ARSC”) has issued a standard since spring of 2022 other than pronouncements1 providing special considerations for audits of group financial statements and clarifying spring 2022 pronouncements, but the AICPA’s standard setting bodies were extremely prolific in the preceding years. In recognition of the pandemic, standard setters delayed many of the pronouncements’ effective dates to permit the profession and clients to prepare for their adoption, but many have not used the additional time afforded them and are now faced with an onslaught of pronouncements either already in effect or soon to be effective.
The ASB issued three standards in spring 2022: two Statements on Quality Management Standards (No. 1, A Firm’s System of Quality Management, and No. 2, Engagement Quality Reviews) and Statement on Auditing Standards No. 146 (SAS No. 146, Quality Management for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards) (collectively, “SQMS”). The ARSC concurrently released SSARS No. 26, Quality Management for an Engagement Conducted in Accordance with Statements on Standards for Accounting and Review Services.
These four standards (“the QM Standards”) impact CPA firms, not their clients. As such, many firms altruistically are prioritizing their clients’ needs since the standards don’t become effective until December 2025, but complacency could have you playing catch up, failing your peer review, or worse. Don’t waste time. The hiatus by the ASB and ARSC from issuing standards was a conscious decision to permit firms the time to implement Quality Management Systems unique to their firm’s specific characteristics and needs. CAMICO is encouraging policyholders to make the time and prioritize studying the standards, consider their implications, identify individuals to lead the initiative, and plan how best to successfully implement the standards.
The QM Standards mark a paradigm shift for the profession as firms will now need to establish risk assessment processes. The multifaceted risk assessment processes will require firms to establish quality objectives2 they deem necessary to achieve and sustain their systems of quality control, identify and assess risks to achieving their quality objectives, and then design and implement responses to those “quality risks.”3 As it did with the QM Standards’ predecessor, the Quality Control Standards, the AICPA has released a wealth of content to assist firms with this transition and will provide illustrative examples. But those examples will not be viable alternatives to investing the time to understand the new standards, assess your firm’s existing processes, and develop a personalized system that meshes your firm’s unique characteristics with the QM Standards’ eight interrelated components (risk assessment, governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources, information and communication, and monitoring and remediation).
Recent standards of note
Above is a table of recent pronouncements with color-coded effective dates distinguishing those already effective, those soon to be effective, and the QM Standards addressed earlier.
This article is not intended to be a substitute for studying and becoming familiar with the standards. Instead, it is intended to provide tips to implement effectively and efficiently each of the standards and thereby reduce your firm’s risk exposure from claims alleging you did not meet the standard of care.
SAS 142, Audit Evidence
Risk management tips:
- Document having considered the sufficiency and appropriateness of audit evidence, as it is the combination of the two that determines the persuasiveness of the evidence.4
- Retain evidence that corroborates and evidence that contradicts evidence obtained.5
- Document the application of professional skepticism in your assessment of the reliability of responses to inquiries and information obtained from management and those charged with governance.6
SAS 142 does not require auditors to document having evaluated the relevance and reliability of all audit evidence, but if in doubt … document.
SAS 142 is effective for periods that ended after December 14, 2022.
SAS 143, Auditing Accounting Estimates and Related Disclosures
Risk management tips:
- Recognize and focus on the interrelation of accounting estimates and risk assessment when planning and performing audits. Ask and answer the question: What would I focus upon if I needed to complete my audit in one day? This process will draw your attention to the risks. Then document:
- Risk assessment procedures;
- Assessment of the risks of material misstatement;
- Responses to those assessed risks (more audit procedures are required to address higher risk of material misstatement);
- Contemplated disclosures related to these estimates; and
- Areas of possible management bias and additional procedures contemplated to address that susceptibility (information with a higher susceptibility to management bias is less reliable)
- Take advantage of the scalability contemplated by this SAS. When, in your judgment, uncertainty, complexity, and subjectivity are low, reduce your risk assessment procedures and further audit procedures and document your reasoning for doing so.
- Document having concluded whether the accounting estimates and related disclosures are reasonable in relation to the financial reporting framework based upon the procedures performed and evidence obtained.
Please note the theme…embrace AU-C 230, Audit Documentation, and document each of these steps.
SAS 143 is effective for audits of financial statements for periods ending after Dec. 14, 2023.
SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
The Risk Assessment Suite of Standards (SAS No. 104 – 111) were issued in 2006. In response to peer reviewers noting a profession-wide misunderstanding of those standards (the leading source of matters for further consideration by peer reviewers), the AICPA’s Peer Review Board felt compelled to call for a peer review cycle moratorium which has since expired. The ASB used this window of time to develop and release this SAS to clarify and enhance aspects regarding identification and assessment of risks of material misstatement.
“Risk assessment” is a phrase with heightened import and prominence in the profession as it is the cornerstone of this SAS and is the foundation for Quality Management as firms are to perform risk assessments to identify quality risks within their systems of quality management.7
Risk management tips:
- Purchase the AICPA’s Risk Assessment in a Financial Statement Audit Guide (available as an e-book). The Guide provides guidance on how to perform risk assessments when auditing financial statements under SAS 145.
- Document the assessment of inherent risks and control risks for each relevant assertion.
- Document the risk assessment procedures you performed for each component of your audit client’s system of internal control.
- Document having assessed control risk at the “maximum level” when identified controls are either (1) not designed effectively or implemented or (2) you have not tested them for operating effectiveness. (Being properly designed is not sufficient)
- Document having assessed and identified controls over significant risks,8 journal entries, areas you plan to test, and significant accounts.
- Document having assessed and identified risks arising from the use of information technology and related general IT controls.
- Document having performed the SAS’s new “stand-back” requirement evidencing you have evaluated the completeness of your identification of significant classes of transactions, account balances, and disclosures.
- Document your consideration of the interrelationship between SAS 142, Audit Evidence, and this SAS. The higher on the spectrum of inherent risk9 a risk is assessed, the more persuasive your audit evidence must be.
- Document considerations specific to smaller, less complex entities. (The SAS incorporates guidance designed for these entities)10
- Although agnostic as to the system of internal control adopted by an entity, the SAS now incorporates each of COSO’s five components, each of COSO’s 17 Principles, and many of COSO’s Points of Focus. CAMICO recommends firms invest in and become familiar with COSO’s 2013 Internal Control — Integrated Framework, paying particular attention to the Framework’s 77 Points of Focus.
Guidance regarding noncompliance with laws and regulations became effective June 30, 2023.
SAS 147, Inquiries of the Predecessor Auditor Regarding Fraud and Noncompliance with Laws and Regulations
This SAS incorporates the requirements of an interpretation entitled Responding to Noncompliance With Laws and Regulations11 adopted by the Professional Ethics Executive Committee (PEEC) at its February 2022 meeting. The focus is on auditors’ inquiries of predecessor auditors about matters that will assist auditors in determining whether to accept engagements. In doing so, SAS 147 narrowly revised extant auditing standards to require an auditor, once management authorizes the predecessor auditor to respond to inquiries from the auditor, to inquire of their predecessors regarding identified or suspected fraud and matters involving noncompliance with laws and regulations (NOCLAR). Predecessors are to timely respond to successor auditor inquiries and/or clearly state if their responses are limited. The SAS also clarifies that once engagements are accepted, auditors are to document inquiries of predecessors and the fruit of those inquiries.
Neither the PEEC nor the ASB chose to permit predecessor accountants to voluntarily share their NOCLAR concerns without their former client’s consent unless mandated by law or regulation.
Auditors are now required to inquire of their predecessors regarding identified or suspected fraud and NOCLAR.
Risk management tips:
- Consider adopting comparable policies for all new client acceptances, regardless of service. The Preamble to the Code of Conduct states that CPAs have responsibilities to the public, clients, and colleagues. Regrettably, the Code of Conduct has never delineated the responsibilities to colleagues. CAMICO encourages CPAs to treat colleagues (e.g., predecessor and successor accountants) the way they would wish to be treated if their roles were reversed. Of course, in compliance with the Confidential Client Information Rule,12 accountants would first need to obtain their client’s consent (although not mandated by professional standards, get the consent in writing).
- Consider including language in your engagement letters, regardless of service, stating that client acceptance is contingent upon a satisfactory discussion with the predecessor.
If faced with financial statement engagement or reporting issues, policyholders are encouraged to contact CAMICO’s Loss Prevention department at 1.800.652.1772 or lp@camico.com, to describe their issue, and request assistance from CAMICO’s A&A hotline.
We appreciate the support of CAMICO as one of our INCPAS Partners. Their contributions enable us to continue offering valuable content, resources and opportunities to our members in the accounting profession.
1 SAS No. 148, Amendment to AU-C Section 935, reflects the application of generally accepted auditing standards (GAAS) to a compliance audit; SAS No. 149, Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred-to Auditors); and SQMS No. 3, Amendments to QM Sections 10 and 20.
2 SQMS No. 1, ⁋17 defines quality objectives as desired outcomes in relation to the components of the system of quality management to be achieved by the firm.
3 SQMS No. 1, ⁋17 defines a quality risk as a risk with a reasonable possibility of occurring and individually, or in combination with other risks, adversely affecting the achievement of one or more quality objectives.
4 AU-C 200, ⁋A.34
5 AU-C 200, ⁋A.20
6 AU-C 200, ⁋A.24
7 AU-C 200, ⁋A.20
8 AU-C 315.12, definition
9 AU-C 315
10 AU-C 315, ⁋A12 and A.26
11 ET 1.180.010
12 ET 1.700.001