Keeping Audit Processes and Standards in Check
Even before the COVID-19 pandemic, audit quality was improving, and it will continue to evolve. While the pandemic showed auditors and companies alike that virtual audits are a viable option, aligning those new operating practices with a thorough understanding of new auditing standards will help ensure accuracy in the audit process going forward.
With many businesses wanting or needing to do almost everything remotely, setting up virtual auditing capabilities and remote working conditions for staff during the pandemic was a must for auditors looking to retain not only clients but staff as well. “Many organizations have afforded their employees the opportunity to work remotely,” explained Brad Muniz, CPA, CGMA, member of the firm and director of accounting and auditing at SobelCo. But while working remotely has greatly enhanced employee satisfaction, he said it has also “potentially opened the door to weakness in the control environment.” He added that particularly where those organizations had not adopted a Committee of Sponsoring Organizations of the Treadway Commission (COSO) control environment, they “have relied upon controls that could only be performed in person.”
Auditors, he said, have identified that organizations have not updated/modified their controls to properly mitigate the weaknesses in the environment. “Due to many distractions, organizations have not performed their own risk assessment of their control environment,” he added.
Internal controls are precisely what Laura Crowley, CPA, a partner at Citrin Cooperman, also said needs to be watched in a post-COVID environment. “The biggest challenge I have observed post-COVID is that, with the talent shortage, some clients do not have the resources they need to maintain a robust system of internal control over financial reporting,” she said. “My observation is that systems of internal control have been adapted to meet the current need; some individuals involved in the internal control process may be lifting a heavier workload than usual. Auditors need to remain skeptical in assessing the control environment and be alert for signs of weakness in the control environment.”
Salvatore Collemi, CPA, managing member of Collemi Consulting and Advisory Services, LLC, agreed, noting the pandemic has left many businesses with a shortage of key staff. “What’s still posing a problem is that not everybody’s back to full operation. Many businesses are missing key personnel — whether they’re not onsite or they have been let go.”
With companies’ staff taking on multiple roles, this can lead to an increase in fraud risk. According to Collemi, “A lot of businesses are back up and running but they are not 100 percent. They don’t have proper segregation of duties.” He added, “They are having internal control challenges. Auditors and accountants have to be careful not to downplay that risk in this environment.”
Modernizing Risk Assessment
In continuing to improve audit quality, the American Institute of CPAs (AICPA) Auditing Standards Board (ASB) and its Accounting and Review Services Committee teamed up in June to develop four new quality management standards that represent a modern approach to risk assessment and audit quality. The new standards, which are effective Dec. 15, 2025, are scalable, reflect changes in technology and incorporate the increased use of external service providers.
The standards, according to the AICPA, “clarify and improve existing quality management processes.” They include:
- A new risk-based approach focused on quality management tailored to the firm’s circumstances
- Revised components of the system of quality management, including information and communication
- More robust leadership and governance requirements
- An enhanced monitoring and remediation process
- Requirements for networks and service providers
Recent ASB standards were designed to assist with assessing control risk and make the standards more adaptable to modern auditing practices. For example, the ASB’s Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, goes into effect for audits of financial statements on or after Dec. 15, 2023. Included in this standard is a revision of the definition of significant risk; a new requirement to separately assess inherent risk and control risk; guidance on the use of information technology and general IT controls; guidance on maintaining professional skepticism; and a new “stand-back” requirement regarding the completeness of disclosures.
Crowley noted that SAS 145 does not represent a significant change in approach, but it clarifies certain aspects of the risk assessment process that auditors follow. “While enhancing and clarifying standards so that there is more consistency and a deeper understanding by auditors of the objectives of the standards, standard setters should remain cognizant of the need to allow room for auditor judgement in these areas,” she added.
Adoption is Key
Difficulties remain, however, in getting clients and organizations to thoroughly adopt these and other standards. “Nearly 20 years ago, the AICPA issued a suite of risk assessment standards. Since then, the results of peer reviews continue to indicate that firms struggle with properly documenting and understanding the environment, assessing risk of material misstatement and aligning audit procedures to those assessed risks,” explained Muniz.
He added that, as part of the audit process, companies are required to consider and report, if applicable, significant deficiencies or material weaknesses in internal controls. However, companies have experienced “significant pushback from management when a deficiency or weakness is identified and reported,” he said. “Too often, management would rather receive a ‘good report card’ than understand and correct the potential issues.”
Other standards changes have been necessary to increase transparency. For example, SAS 134, Auditor Reporting and Amendments, including Amendments Addressing Disclosures in the Audit of Financial Statements, required a new audit report (including layout) and revised communication with governance. The standard, which went into effect Dec. 15, 2021, also changed the audit report for employee benefit audits and eliminated the “limited scope” concept, noted Muniz. “Too often, peer reviews have identified firms not properly adopting recently effective guidance. Findings like this could result in a peer review rating of pass with deficiency or a fail, in addition to eroding the confidence of the users of the financial statements.”
Results from a recent AICPA survey on audit quality reiterated that organizations need to improve documentation but also noted the need to incorporate a top-down approach. The survey of more than 1,000 CPA firms reported that the following factors are most important for a high-quality audit:
- Leadership — ultimate responsibility and accountability for the system of quality management resides with the firm’s managing partner/CEO
- Acceptance and continuance — the firm performs a risk assessment on all engagements
- Human resources — the firm has established reasonable deadlines
- Engagement performance — the engagement partners or other senior members of the engagement team review significant working papers
- Monitoring — the firm monitors CPE for all professional staff
While Crowley was not surprised by the AICPA survey findings, she explained, “Firms recognized that a robust system of quality control leads to better-quality audits and also improves efficiency. Engagements where quality is built in from upfront vetting of potential issues to assigning an appropriately experienced team run smoother from the start and reduce issues later in the engagement.”
Added Muniz, “While we have been conditioned to be told what we are doing wrong in audits, it is beneficial that the AICPA has altered the Quality Control Standards communication. This will better direct practitioners to focus on the design of their system from the outset.”