Peer review findings in audits of not-for-profits: What auditors need to know
August 1, 2023
Experts suggest ways to prevent common problems such as inadequate planning and risk assessment and insufficient documentation.
Peer reviews improve the quality of services that firms and individuals provide by ensuring auditors comply with professional standards when designing systems of quality control and performing their work. Peer review comments can be useful to auditors in making improvements to avoid deficient audits.
“Change is always happening, including new professional standards auditors must comply with each year,” said Chris Stanz, CPA, managing principal, national assurance at CliftonLarsonAllen LLP. “A firm’s system of quality control, when designed effectively, can help auditors keep up with the changes and meet the requirements of professional standards as the work is being conducted.”
The following are some of the most common findings in peer reviews of not-for-profit (NFP) audits from Jan. 1, 2021, to Oct. 31, 2022, and ways auditors can prevent them.
There were a number of findings covering all aspects of administering engagements, such as issues with human resources and compliance with standards, including the following:
“The firm accepted an engagement in a new industry and did not obtain adequate education to obtain appropriate expertise to complete the engagement in accordance with standards. The firm did not comply with CPE requirements of Government Auditing Standards.”
“Firm personnel and the reviewer assigned did not possess adequate professional training to perform GAGAS [generally accepted government auditing standards] audits.”
Experts’ commentary and recommendations
“On-the-job training during the pandemic was difficult, including how to consistently train hybrid workers and new staff,” said Andrew Prather, CPA, shareholder and quality control director at Clark Nuber.
“Firms everywhere have been stretched thin in the area of staffing, including lack of experience, the need for proper training and supervision, and an environment of constantly changing accounting and auditing standards,” said Brian Archambeault, CPA, partner, quality delivery at Crowe. “The pandemic created a nightmare because COVID-19 relief funding resulted in thousands more single audits. There were higher risks resulting from not enough experienced auditors available and new programs, the requirements kept changing, and the Office of Management and Budget (OMB) did not issue the compliance supplements and addenda needed by auditors on a timely basis.”
Stanz offered a recommendation: “Each year, as we complete our inspection process and peer review process, we summarize and communicate not only the common peer review findings and our internal observations but also specific action items we expect from the engagement teams. We then provide resources to assist them in properly executing these actions. This includes revisiting our templates, work programs, practice aids, and learning curriculum to improve the articulation of certain concepts and contribute to better execution on engagements.”
“Out-of-date work programs and/or disclosure checklists were used.”
“The firm did not sufficiently perform audit planning to consider and document items required by the professional standards, including preliminary analytical procedures, understanding of controls, walk-throughs, materiality, consideration … of related parties, the effect of fraud risk factors when designing audit procedures, IT controls and related reliance or lack thereof, and assessment of the risk of material misstatement.”
“New client considerations were not documented, including communications with a predecessor auditor, because the client did not complete practice aids related to acceptance of a new engagement, as required by quality control policies and procedures.”
“The engagement letter did not include all the required elements.”
“Not documenting independence using the conceptual framework required by Government Auditing Standards,” “Threats to independence should be documented, and appropriate safeguards applied to reduce the threats to an acceptable level,” and “The firm failed to consider the cumulative effect of all nonaudit services.”
“The auditor did not properly date the audit report,” and “The auditor’s opinion omitted required wording.”
“The representation letter did not include the appropriate financial statement periods; required representations of the entity’s ability to continue as a going concern; and federal awards representations.”
“The audit workpapers did not reflect proper Engagement Quality Control Review procedures.”
“The firm had not had a peer review within the three-year period prior to the audit performed under Government Auditing Standards.”
Experts’ commentary and recommendations
“If a firm has a clear audit methodology, including the workpapers to use, it helps with issues of lack of industry expertise and using out-of-date programs and checklists,” Prather said. He recommended the use of standard workpapers and third-party practice aids and then tailoring them to engagements. His firm has a standard workflow for various types of correspondence for the audit team to use with current templates.
Angie Hillestad, CPA, CGMA, partner at Eide Bailly, agrees. “We noted a number of years ago it was really clear staff did not know the level of documentation of procedures performed to include in workpapers, that just a tick mark was not enough, so we initiated training at different levels to address documentation.” Through training and methodology changes, her firm addressed changes in the auditing standards, like changes in audit report formats and going concern assessments, including what needed to be documented, and added customized steps to standard programs and practice aids.
“There are unique GAGAS requirements for nonaudit services, including the presumption that preparation of financial statements creates a significant threat,” Archambeault said. “This is common because clients do not have the expertise, so clear documentation is needed about what the auditor is doing. It is not sufficient to say, ‘We assisted in the preparation, but it was not a significant threat.’ There are additional questions to answer, and there needs to be a separate workpaper to document the nonaudit services performed and whether any are financial statement preparation or accounting assistance. I have had countless conversations with peer reviewers about this.” His firm has provided staff with training in this area every year since the 2018 Yellow Book was issued. In addition, if there is a significant threat, there is a requirement for someone outside of audit to review and approve the related procedures.
AUDIT PLANNING AND RISK ASSESSMENT
The benefits of planning include compliance with professional standards, more efficient engagements, and reduced professional liability risk. Peer review findings in this area included:
“The firm did not sufficiently perform audit planning to consider and document items required by professional standards, including preliminary analytical procedures, understanding of controls, walk-throughs, determination of materiality, consideration of effects of related parties, IT controls and related reliance or lack thereof, assessment of the risk of material misstatement, and not producing audit programs for the most significant cycles.”
“There was no evidence of brainstorming and no documentation of understanding of the entity. There were no audit programs for planning ...”
“The practice aids were incorrectly followed due to a misunderstanding of the risk assessment requirements mandating assessing risk at both the financial statement and relevant assertion levels for all audit areas that apply to the audit,” and “All inherent risks were assessed as low.”
Experts’ commentary and recommendations
“The risk assessment standards call for auditors to document their understanding of internal controls, evaluate the design and operation of internal controls, and then perform further procedures,” Archambeault said. “Materiality is a judgment area, so it is important to fully document what was considered.”
Prather said, “Failing to comply with auditing standards in the areas of internal controls and risk assessment is a firm-level audit practice issue. Firms have not established a consistent audit methodology for all audits that addresses issues noted in peer review findings.”
Planning issues can be related to insufficient partner involvement. “There can be failures in linking the risks identified and documented in the planning phase to the testing of relevant assertions, with the procedures not making it all the way through the various practice aids used in the audit,” Hillestad said.
Prather agrees. “Many firms are not yet on board despite the risk assessment standards being out there for a while now.” He notes auditors may fill out the necessary workpapers without sufficient thought or a complete understanding of inherent risks, or with misconceptions about what low/moderate/high risk means to the audit procedures and documentation.
Stanz said, “At a high level, the concept of a risk-based audit approach seems simplistic, but the ability to sift through information gathered for a particular client — and use it to articulate specific audit risks that may exist — is not always easy. Often, all the pieces are sitting within the engagement file but may not have been linked sufficiently to adequately complete and display the puzzle.” She said firms can simplify the risk assessment process through the design and use of audit templates and practice aids, along with targeted learning to help auditors through the process.
Insufficient documentation represents a failure to comply with generally accepted auditing standards and is not unique to NFP audits. “A pervasive issue for all audits is in many situations, it is not clear whether procedures were performed and how conclusions were reached, especially in areas subject to auditor judgment,” Archambeault said.
There were a significant number of peer review findings about documentation, related to all aspects of the audit, including the following:
“Audit documentation was not sufficient to enable an to the audit to understand the nature, timing, and extent of procedures performed; results of procedures performed; audit evidence obtained; and significant findings or issues arising during the audit, conclusions reached thereon, and significant professional judgments made in reaching those conclusions.”
“Professional standards require that an understanding of related-party relationships and transactions and their effect on the likelihood of risk of material misstatement be documented … procedures performed were not clearly cross-referenced to audit procedures.”
“No evidence of brainstorming and no documentation of understanding of the entity.”
“It is important audit documentation relating to dual-purpose tests separately identify tests performed on internal control over compliance and tests performed on compliance, along with results of those tests.”
“Documentation of testing did not include procedures applied for some of management’s estimates.”
“Unrecorded misstatements were not summarized at the end of the audit engagement.”
“Audit file was missing working papers or had working papers that were not completed,” and “The firm did not complete all forms, checklists, or questionnaires, and no guidelines for the form and content of working papers were established. The systemic cause was not fully understanding audit documentation standards.”
“The firm’s quality control document requires use of a disclosure checklist and engagement quality control review for all audits and reviews, but these were not completed.”
“Auditors failed to perform or adequately document:
- Compliance with fraud risk considerations;
- Analytical procedures in planning or final stages of the audit;
- The determination that uncorrected misstatements were not material, either individually or in the aggregate, to the financial statements;
- Group audit considerations;
- Beginning balance procedures for new clients;
- Successor auditor procedures;
- Use of a specialist;
- Whether any material weaknesses or significant deficiencies in internal control should be communicated with those charged with governance;
- Subsequent events procedures performed;
- Supervision and review.”
Experts’ commentary and recommendations
“This is an area where we are coaching our staff on what is required by the standards,” Prather said.
Stanz said, “Firms should continue to refine their processes and templates with the goal of creating a consistent, standardized method to perform and document the work that can be executed efficiently and effectively by everyone. Well-designed templates that contain practical application tips can take the guesswork out and enable all required elements to be included in the workpapers.”
UNIFORM GUIDANCE SINGLE AUDITS
There continues to be increased peer review scrutiny in this area. “Areas specific to a single audit environment — independence, CPE, sampling application, testing compliance and internal controls over compliance, compliance requirements specific to each program, and evaluating and reporting findings — can be challenging to apply,” Stanz said. “Even a small misstep during planning and execution of the engagement can lead to nonconformity.”
Following are peer review comments on documentation in single audits:
“The audit documentation did not provide evidence of:
- Compliance testing, including tests of transactions and other audit procedures sufficient to support an opinion on compliance for each major program; and tests for each of the applicable compliance requirements that have a direct and material effect on the major program;
- Sufficient procedures performed to determine whether the schedule of expenditures of federal awards (SEFA) is presented fairly in all material respects in relation to the financial statements as a whole;
- Auditor’s determination that the entity was able to reconcile amounts in the SEFA to amounts in the general ledger and financial statements;
- Auditor’s proper completion of appropriate portions of the data collection form (DCF) that summarize audit results, findings, and questioned costs; and cross-checked DCF information with the SEFA, audit findings, and corrective action plan; and
- Auditor’s consideration of the impact if the auditee did not include findings related to the financial statements in the corrective action plan and summary schedule of prior audit findings, required to be reported in accordance with Government Auditing Standards.”
“Not documenting why an applicable compliance requirement is not applicable.”
“I see a lot in our engagements and peer review engagements that auditors will attempt to document a compliance requirement determination, like ‘no subrecipients,’ but with no documentation of how they determined it or indicating only that they are relying on client inquiry, which is not sufficient,” Hillestad said. “We look for very specific documentation on the specific procedures performed.”
Other peer review findings related to single audits included the following:
“The firm accepted a compliance audit under the Uniform Guidance and had no previous experience conducting compliance audits under the Uniform Guidance.”
“Using the incorrect Compliance Supplement.”
“Compliance requirements that could have a direct and material effect on each major program were not adequately documented, a compliance audit plan was not developed, internal controls over compliance were not tested, risk of material noncompliance was not documented, and compliance tests were not performed for all applicable requirements.”
“Evaluation of controls for compliance requirements noted as applicable to the entity’s major program on the matrix were not documented; neither were they noted as not being significant to the entity.”
“The auditor did not specifically assess and document risk of material noncompliance with each major program’s compliance requirements occurring due to fraud.”
“Formal communication with those charged with governance did not report control deficiencies identified by the auditor.”
Experts’ commentary and recommendations
“Compliance auditing is different and, while larger firms have specialists handling these audits, many smaller firms do not and lack experience,” Archambeault said. “The requirements to plan to achieve a low level of control risk for major programs and to test controls for operating effectiveness are not required for financial statement audits, and failing to test controls for operating effectiveness in a single audit can be an audit failure.”
Stanz said, “The influx of new programs and funding during the pandemic made it challenging to stay abreast of general and program-specific requirements. Before performing these audits, auditors should make sure they have the skills, time, and resources to stay current with requirements of professional standards and all recent developments to adequately complete the work.”
“There are so many potholes,” Prather said. “A challenging area that requires more judgment in single audits is that a material instance of noncompliance is not the same as a material error in the financial statements.” He recommended practitioners new to single audits, especially in small firms, familiarize themselves with the Uniform Guidance, OMB Compliance Supplements, AICPA Audit Guide, and the COSO framework, and join the AICPA Governmental Audit Quality Center to access their resources and webinars.
“We developed workpaper templates a number of years ago that mirror compliance supplement requirements and suggested internal control testing to address single audit issues and findings,” Hillestad said. “We also data-mined past major programs our firm tested and developed testing workpaper templates specific to major programs.” These changes, along with regular training, help drive consistency in procedures and documentation and help staff make decisions.
NOT-FOR-PROFIT AUDITS NOT SUBJECT TO GAGAS
Challenging areas for auditors of NFPs that can result in peer review findings include the following:
- Whether the NFP is subject to FASB or GASB standards. “Although amounts in the financial statements may not change, financial statement line items and titles will be different,” Hillestad said.
- Adoption and implementation of new accounting standards and assessing whether NFPs are “public entities” because they are conduit bond obligors for publicly traded debt.
- Revenue recognition under FASB ASC Topic 606, Revenue From Contracts With Customers; Topic 958, Not-For-Profit Entities; and Accounting Standards Update (ASU) 2018-08, Not-for-Profit Entities (Topic 958): Clarifying the Scope and the Accounting Guidance for Contributions Received and Contributions Made. “This is a complicated area under the accounting guidance, so audit procedures should address what the client received and when, with documentation about what guidance was applied,” Prather said.
- Financial statement presentation under ASU 2016-14, Not-for-Profit Entities (Topic 958): Presentation of Financial Statements of Not-for-Profit Entities. “A lot of financial statements were noncompliant in the beginning and, while this has improved, it can still be an issue,” Archambeault said.
- Consolidation. “Entities may have to apply either for-profit or not-for-profit GAAP, and it is important to understand the nature of the transaction to determine whether to consolidate,” Prather said. The AICPA Audit and Accounting Guide Not-for-Profit Entities includes specific guidance for the unique considerations.
- Going concern. “There were unique circumstances as a result of COVID-19 as donations decreased and events were canceled, and some organizations got government relief funding that has now dried up,” Prather said. “These issues will continue to be relevant. Auditors need to evaluate management’s business plan and have going concern documentation in each audit even if there is no need for changes to the audit report or financial statement disclosure.”
ADDRESSING PEER REVIEW FINDINGS
Overall, staff training to raise awareness of auditing standards and firm policy and more consistent quality control processes within firms are ways for firms of all sizes to address the peer review findings noted. “A lot of findings result because people are overwhelmed and overworked, with the need to do more as standards change,” Archambeault said.
Hillestad said, “Our internal inspection team uses the AICPA Peer Review checklists and adds comments and observations to them, so our engagement teams know what issues cause noncompliance with professional standards or firm policy. We use them to identify nonconforming engagements and for our root-cause analysis.”
About the author
Maria L. Murphy, CPA, is a senior content management analyst, Accounting & Auditing Products for Wolters Kluwer Tax & Accounting North America, and a freelance writer based in North Carolina.
[Source: Journal of Accountancy]