Better (12 years) late than never

September 4, 2018  |  Faye Hayhurst, CPA

Better (12 years) late than never

This just in: Effective Oct. 1, 2018, peer reviewers will be applying new guidance approved by the AICPA Peer Review Board in August. The new guidance affects how peer reviewers will look at a firm’s compliance with audit risk assessment standards in AU-C 315 and 330.

The suite of audit risk assessment standards was effective for audits of financial statements for periods beginning on or after Dec. 15, 2006. Nearly 12 years later, some firms are still not applying the standards correctly.

At the recent AICPA Peer Review Conference, those in attendance were informally surveyed on what percentage of the firms they review continue to struggle with risk assessment. Hands were raised at 10 percent, 20 percent, 30 percent -- all the way up to 50 percent!

What’s the problem?

  • Documentation, specifically with the consideration of risk, how the audit steps will be tailored to address the risk and clear linkage to the workpapers that provide support.
  • Incorrect belief by some CPAs that consideration of the risks of material misstatement at the audit assertion level is optional, even for significant audit areas.
  • Improper use of third party practice aids related to risk assessment.

The Auditing Standards Board has stated that if an auditor fails to comply with the requirements of AU-C 315 or 330, then the objectives of these standards would not be met, and the audit would not be conducted in accordance with GAAS. Noncompliance will likely lead to engagements being judged to be nonconforming with professional standards. This is the standard peer reviewers will be applying.

Examples that could lead to nonconforming engagements:

  • Failure to identify or document the identified risks of material misstatement (RMM), including any significant risks.
  • Failure to assess or document the assessment of risk at both the relevant assertion level and the financial statement level.
  • Failure to perform or document the performance of procedures that address identified significant risks, or failure to perform anything beyond “basic” procedures when the basic procedures don’t address the RMM.
  • Failure to properly document the firm’s identification and assessment of the RMMs and response thereto.
  • Failure to evaluate the design and implementation of controls relevant to the audit.

How will a nonconforming engagement affect the outcome of the peer review? If the failure to comply with risk assessment standards is determined to be:

  1. Isolated [not present on other engagements], the reviewer will prepare a matter for further consideration (MFC).
  2. Systemic [present on multiple engagements], the reviewer will prepare a finding for further consideration (FFC) and an implementation plan will be prescribed.
  3. Systemic, and there are other deficiencies or significant deficiencies noted, then the failure will be considered a deficiency and corrective action will be required.

Stressed at the conference was that proper risk assessment is not about completing checklists; it’s about documenting knowledge, thought process and judgments, and then showing clearly how those affected the audit performed.

If your firm is guilty of sloppy or inadequate risk assessment and documentation, don’t expect your peer reviewer to let it slide on the firm’s next review. While the best time to properly implement the standards was 12 years ago, the second-best time is now.

Additional resources and self-study educational opportunities

Surgent’s Identifying and Evaluating Audit Risk
(Audit Skills Training – Level 3)(Self-Study)  |  3 CPE

Surgent’s Properly Identifying, Evaluating, and Documenting Results of Presumed Risk Assessment Audit Procedures
(Self-Study)  |  2 CPE

Topics: Peer Review

Faye Hayhurst, CPA

Faye Hayhurst is the MNCPA director of finance and administration. She is committed to using numbers to tell relevant stories, although she also employs words, charts and occasionally clothing to communicate a message. While some have questioned her about the pressures of being the CPA for the MNCPA, Faye considers presenting financial information to fellow CPAs a dream job. Outside of storytelling with numbers, Faye enjoys directing her church's handbell choir, visiting national parks and other scenic places, and checking out the chocolate products at Trader Joe's. Faye can be reached at 952-885-5540 or

Posts by this author