Category Archives for "Auditing"

May 03

SSAE 18: The Clarified Attestation Standards

By Charles Hall | Auditing

SSAE 18 is effective on May 1, 2017, and changes the Attestation Standards.

Do you issue any attestation reports such as agreed upon procedures? If yes, then be aware of the recent changes from the Auditing Standards Board (ASB). The ASB has clarified the Attestation Standards. The ASB did the same with the audit standards a few years ago; that change resulted in the AU-C (clarity) designations for audit standards.

The re-write of the Attestation Standards culminated in the April 2016 issuance of SSAE 18.

SSAE 18 supersedes all Attestation Standards other than:

  • AT section 701, Management’s Discussion and Analysis (MD&A). AT section 701 will not be clarified because practitioners rarely perform attestation engagements to report on MD&A; it will be retained in the attestation standards in its current form. AT section 701 has been renumbered as AT-C section 395.

Also be aware that AT section 501, An Examination of an Entity’s Internal Control Over Financial Reporting That is Integrated With An Audit of Financial Statements, was moved to the auditing standards as Statement on Auditing Standards (SAS) No. 130, An Audit of Internal Control Over Financial Reporting That is Integrated With An Audit of Financial Statements.

Just as the ASB did with the audit clarity standards, a “-C” is added to the clarified Attestation Standards. So the clarified attestation standards are identified as AT-C. The clarified standards are written using ASB’s clarity conventions, including:

  • Objectives for each chapter
  • Definitions in each chapter
  • Separating requirements from application and explanatory material
  • Using various formatting techniques such as bulleted lists to enhance readability
  • When applicable, including additional considerations for governmental entities or smaller, less complex entities

Attestation Levels of Service

The clarified standards provide for the following types of attestation services:

| Service | AT-C Section | Report Type |
| --- | --- | --- |
| Examination | 205 | Opinion |
| Review | 210 | Conclusion |
| Agreed Upon Procedures | 215 | Findings |

Sample report excerpts follow:

Examination Report on Subject Matter; Unmodified Opinion

In our opinion, the schedule of investment returns of ABC Company for the year ended December 31, 2020, is presented in accordance with the ABC criteria set forth in Note 1 in all material respects.

Review Report on Subject Matter; Unmodified Conclusion

Based on our review, we are not aware of any material modifications that should be made to the accompanying schedule of investment returns of ABC Company for the year ended December 31, 2020, in order for it to be in accordance with XYZ criteria set forth in Note 1.

Agreed-Upon Procedures Report

We obtained the accounts receivable subsidiary ledger as of June 30, 2017, from Topaz, Inc. We compared all customer account balances in the aged trial balance (exhibit B) as of June 30, 2017, to the balances shown in the accounts receivable subsidiary ledger.

We found no exceptions as a result of the procedure.

New SSAE 18 Requirements

In addition to clarifying (restructuring) the attestation standards, SSAE 18 also:

  • Separates the review engagement procedures and reporting requirements from those of examination engagements (and highlights the similarities of reviews performed under the SSAEs and those performed under Statements on Standards for Accounting and Review Services [SSARS])
  • Requires the practitioner to request a written representation letter in all attestation engagements (the pre-clarity standards only required representation letters for certain engagements)
  • Changes the existing requirements related to scope limitations, indicating that based on the practitioner’s assessment of the effect of the scope limitation, the practitioner should express a qualified opinion, disclaim an opinion, or withdraw from the engagement
  • Eliminates compilations of prospective financial information from the attestation standards (the Accounting and Review Services Committee issued SSARS 23 to cover this service)

SSAE 18 Effective Date

The guidance in SSAE No. 18 is effective for practitioners’ reports dated on or after May 1, 2017.

For a full copy of SSAE No. 18, click here.

See my article regarding SSAE 19, Agreed Upon Procedures Engagements.

Apr 17

AICPA Code of Conduct

By Charles Hall | Auditing, Preparation, Compilation & Review

In this post, I provide information about accessing the AICPA Code of Conduct and the Plain English Guide to Independence.

Are you a CPA looking for answers to independence or other ethical questions? Below, you’ll see two handy AICPA resources:

  • AICPA Code of Professional Conduct
  • Plain English Guide to Independence

AICPA Code of Professional Conduct

The AICPA provides online access to the Code of Conduct. You can also download a PDF copy here (this PDF covers all standards issued through August 31, 2016).

Online access is free, and users are able to save searches and bookmark content.

The Code is organized into three parts:

  1. Public practice
  2. Members in Business
  3. All other members (including those who are in between jobs or retired)

The Code includes a threats and safeguards framework. CPAs should identify threats and then consider safeguards to mitigate those threats. CPAs can proceed with the engagement if threats–after considering safeguards–are at an acceptable level.

Plain English Guide to Independence

As the Quality Control partner for our firm, I receive quite a few questions about ethical issues (mainly about independence). Nine out of ten times I find the answers to those questions in the AICPA’s Plain English Guide to Independence. I download this guide and keep it handy. When I need to research an issue, I open the document and perform word searches. If you aren’t already using this resource, I highly recommend it. 

See my article CPA’s Ethics: Four Questions for Better Decisions.

Mar 27

Omitting the MD&A in Governments

By Charles Hall | Auditing, Local Governments

Omitting the MD&A in governments is not common, but it does occur.

According to AU-C 730, the auditor’s report on the financial statements should include an other-matter paragraph that refers to the required supplementary information (RSI). In governmental financial statements, management’s discussion and analysis (MD&A) is considered RSI. Though the MD&A is “required” supplementary information, governments can–strangely enough–exclude it from the financial statements.

Omitting the MD&A – Effect on an Audit Opinion

If the required supplementary information is omitted, the auditor should include an other-matter paragraph in the opinion such as the following:

Management has omitted the management, discussion, and analysis that accounting principles generally accepted in the United States of America require to be presented to supplement the basic financial statements. Such missing information, although not a part of the basic financial statements, is required by the Governmental Accounting Standards Board, who considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. Our opinion on the basic financial statements is not affected by this missing information.

Notice the omission of the MD&A does not affect the opinion rendered (in other words, it does not result in a modified report).

RSI Audit Standard

AU-C 730 is the audit standard for required supplementary information. Click here for an overview of the supplementary information audit standards. The former supplementary information standards were SASs 118, 119 and 120; those standards are now–under the Clarity Standards–AU-C sections 720, 725, and 730.

Omitting the MD&A – Effect on a Compilation Report

The MD&A is sometimes omitted in financial statements subject to a compilation report. 

In compilation reports, the relevant language when omitting the MD&A is as follows:

Management has omitted the management, discussion and analysis that accounting principles generally accepted in the United States of America require to be presented to supplement the basic financial statements. Such missing information, although not a part of the basic financial statements, is required by the Governmental Accounting Standards Board which considers it to be an essential part of financial reporting and for placing the basic financial statements in an appropriate operational, economic, or historical context. 

Feb 08

Confirmation of Receivables: Is It Required?

By Charles Hall | Auditing

When is the confirmation of receivables required?

Confirmation of Receivables is Usually Required

AU-C 330 paragraph 20 states the following:

The auditor should use external confirmation procedures for accounts receivable, except when one or more of the following is applicable:

  1. The overall account balance is immaterial.
  2. External confirmation procedures for accounts receivable would be ineffective.
  3. The auditor’s assessed level of risk of material misstatement at the relevant assertion level is low, and the other planned substantive procedures address the assessed risk. In many situations, the use of external confirmation procedures for accounts receivable and the performance of other substantive procedures are necessary to reduce the assessed risk of material misstatement to an acceptably low level.

If receivables are material and confirmation procedures will be effective, then confirmations must be sent. (Normally, the existence assertion related to receivables is moderate to high. So, 3. above is not in play.)

When are Confirmations Ineffective?

AU-C 330.A56 states:

External confirmation procedures may be ineffective when based on prior years’ audit experience or experience with similar entities:

  • response rates to properly designed confirmation requests will be inadequate; or
  • responses are known or expected to be unreliable.

If the auditor has experienced poor response rates to properly designed confirmation requests in prior audits, the auditor may instead consider changing the manner in which the confirmation process is performed, with the objective of increasing the response rates or may consider obtaining audit evidence from other sources.

Alternative Procedures When Confirmations are not Sent

What audit procedure should be performed if confirmations are not sent? Usually, the auditor will examine cash collections after the period-end. Care must be taken to ensure that the subsequent collections examined relate to receivables that existed at period-end and not to sales occurring after period-end.

Required Documentation When Confirmations are not Sent

AU-C 330.31 states that “the auditor should include in the audit documentation the basis for any determination not to use external confirmation procedures for accounts receivable when the account balance is material.” So, it is not sufficient to simply state that the use of confirmations is ineffective. We should state that we tried to confirm receivables in a prior year without effective results or that we tried to confirm receivables for clients in a similar industry, but without effective results.

The auditor should include a memo to the file or add comments on the receivables work paper explaining why confirmations were not sent.

See my post: Auditing Receivables and Revenues.

Feb 24

Group Audit Standards Applicability: One Firm

By Charles Hall | Auditing

Do the group audit standards apply when one firm audits all of the entities comprising a consolidated whole?

Yes.

You say, “confusing.” I say, “I agree.”

The confusion–at least for me–lies in the pre-clarity auditing standard, AU 543, Part of Audit Performed by Other Independent Auditors, which focused on who was performing the audit. The clarity standard, AU-C 600 Special Considerations — Audits of Group Financial Statements, focuses on what is being audited. The word group (as applied to the group audit standards) does not mean more than one auditor.

Regarding applicability (of the group audit standards), we look at the entities and business activities being audited rather than how many audit firms are involved. We used to focus on the interaction with other auditors; now we focus on the risks associated with the group financial statements.

Group Audit Standards When There is Only One Audit Firm

The AICPA’s Technical Questions and Answers (8800.24) says the following about the applicability of AU-C Section 600 (Audits of Group Financial Statements) when only one engagement team is involved:

Inquiry—Company X consolidates the operations of Entity A. The same group engagement team that audits Company X also audits Entity A. Because only one engagement team is involved, does AU-C section 600 apply? If so, what does AU-C Section 600 require that is not already covered by other auditing standards?

Reply—AU-C section 600 applies to all audits of group financial statements, which are financial statements that contain more than one component. In the circumstances when the same engagement team audits all components of the group, the considerations addressed in AU-C Section 600 that relate to component auditors are not relevant. However, considerations addressed in AU-C section 600, such as understanding the components; identifying components that are significant due to individual financial significance and the significant risk of material misstatement; determining component materiality; understanding the consolidation process; and addressing the risks, including aggregation risk, of material misstatement in the group financial statements; are relevant in all group audits.

What does this mean?

If your firm audits consolidated financial statements, then the group audit standards apply, and you do need to comply with certain provisions (even though your firm audits all entities included in the consolidation). Consequently, you have some additional documentation requirements. Your audit file should contain the following documentation:

  • Your understanding of the components
  • Your identification of significant components (due to financial significance or risk)
  • Component materiality
  • Your understanding of the consolidation process
  • How you plan to address the identified risk of material misstatement (including aggregation risk)

Group Financial Statements

What are group financial statements? They are statements that include the financial information of more than one component.

Here are examples of components:

  • Subsidiaries
  • Geographical locations
  • Divisions
  • Investments (equity method)
  • Products or services
  • Component units of a state or local government

You can see from these examples of components that the concept of group financial statements is broader than that of consolidated or combined financial statements.

The idea behind the group audit standards is to highlight the risk of material misstatement whether at the group level or a lower level. If, for example, a component is not financially significant but it has particularly risky assets (e.g., derivatives), then the group audit standards direct our attention here.

Examples of When Group Audit Standards are Applicable

Here are examples of when the group audit standards are in play:

  • Consolidated subsidiary
  • Combined financial statements due to common control
  • Investment accounted for using the equity method
  • Consolidated affiliate (due to variable-interest considerations)

Notice we made no mention of other auditors in these examples. It is possible that another firm may audit a subsidiary (for example), but this factor is not the determinant of when the group audit standards apply.
