The U.S. Department of Labor (DOL) report on the failure rate of employee benefit plan (EBP) audits put a fine point on the issues of audit quality and practice monitoring, but those issues aren't new ones to experts at the American Institute of CPAs (AICPA). Changes to practice monitoring, both through the peer review process and outside of it, are coming, and the AICPA and the VSCPA want to ensure your firm is prepared.
That's the point of the “Practice Monitoring of the Future” session at this week's 45th Annual Virginia Accounting & Auditing Conference, taking place this week at the Hotel Roanoke & Conference Center and the Fairview Park Marriott Hotel in Falls Church. (A third iteration of the conference is scheduled for November at the Founders Inn in Virginia Beach.) AICPA experts James Brackens, CPA (a VSCPA member) and Rick Reeder, CPA, are leading the session with the goal of showing attendees how to make the necessary improvements to their firm's controls.
“We always struggle in these topics,” said Reeder, a partner at Reeder & Associates in Tampa, Fla., and a former chair of the AICPA Peer Review Board. “What we’re trying to do here is to make them understand why this really matters to their practice — not just from a theoretical, overarching approach, but why it matters to the quality of their practice. Why they should care about it as a firm and not just when the peer reviewer comes in the door.”
- Continuous analytical evaluation of engagement performance
- Human review when system-identified concerns are raised
- Involvement of external monitors when necessary
- Periodic inspection of system integrity
- Oversight of the system's operating effectiveness
That includes both internal and external monitoring of firm activities. In other words, it's not just about catching problems through peer review. It's about being nimble and observant enough to identify issues before they become a major problem. And it's about not biting off more than you or your firm can chew.
“To put it bluntly, I want them to understand that you need to audit effectively, and it’s hard to do,” Brackens said. “It’s not easy. It’s not something you can pick up and do just because clients ask you to do it and you need to do it as a favor or to retain the client. It takes a real dedication to do it right, and there significant consequences to doing it wrong.”
One major part to that dedication is buy-in from a firm's partners and executives. Without the proper “tone at the top,” any quality control policy, no matter how thoughtfully crafted, is doomed to fail.
“You have policies internally. Travel policies, things that you’re supposed to follow,” Brackens said. “If the CEO ignores them and employees saw that they weren’t following the policies, how do you think the staff will react in following the policies? They don’t exist. You have to have the partners in the firm expressing the critical importance that the audit is performed correctly. We aren’t worried about the time budget being an hour and burying a problem because it would take longer to investigate.”
Of course, in an ideal scenario, those problems wouldn't crop up in the first place. Firms would only take on engagements that fall into the firm's professional focus area. That was a major issue identified in the DOL audit quality report — deficiency rates increased in firms that performed fewer EBP audits, to the tune of a 76 percent deficiency rate for firms that only audit one or two plans.
The best way to prevent such issues is for those firms to not take on EBP audits in the first place, leaving them to firms with more experience in the area.
“The tips and tools and the quality control systems that we’re trying to make sure all firms have in place — that, theoretically, should prevent you from just being a dabbler,” Reeder said. “Through your client acceptance policies, are you properly educated in that industry? Do you have the resources and tools to be able to perform an effective audit?”
A good starting point for those tools is available with the AICPA’s Private Companies Practice Section (PCPS). Firms can download scalable resources and learn best practices, then tailor them for their own practice.
“Each firm is different, but this is at least giving them ideas for implementing them in a small-firm environment,” Reeder said. “Ideas for client acceptance policies, for engagement and quality control reviews, for self-monitoring of engagements. We’re also giving them some tips and ideas for what those policies should be and how they’re properly documented and communicated.”
Right now, most of the AICPA's ideas reside in the realm of the hypothetical. The concept paper solicits feedback from firms and practitioners, with the goal of molding the recommendations into something firms will embrace.
The early-stage recommendations will be tested in a pilot program. Later stages, including potential mandatory adoption and a dashboard for real-time analysis of quality-related performance metrics, are up for discussion.
“We’re rolling it out in phases, and the first phase is nothing but an internal tool. It’s not a concept of a way-far future thing, even though it can sound like George Orwell,” Brackens said. “But the first phase is purely an internal tool to help firms in their monitoring. Everything else is a concept that may not evolve the way it’s in there.
“It is a concept to stimulate thinking. But part of that thinking is the concept that we can build this tool now, with firms and their own internal monitoring, and there’s nothing scary about it. Nobody will see it but the firm.”
He added: “No matter how you look at it, it comes down to developing a good system of quality control and monitoring it.”