[Revised with conforming changes for AICPA Statement on Quality Control Standards No. 7: A Firm's System of Quality Control, effective January 1, 2009 (Codified in QC 10)]
Quick Links: Continuing Professional Education
| Annual Internal Inspection Procedures
| Peer Review
| Firm Quality Control Policies and Procedures
Continuing Professional Education
Q1. If a staff level professional performs the entire ERISA audit, subject to a partner's review, is that individual considered an "individual managing ERISA employee benefit plan audit engagements" for purposes of the Center's CPE requirement?
. Yes. Individuals managing the audit engagement are professional employees who have either continuing responsibility for the overall planning and supervision of the engagement or the authority to determine that an engagement is complete subject to final partner approval, unless the partner in charge of the engagement assumes the role of manager on the engagement.
. Are all partners of member firms required to have 8 hours of benefit plan-specific CPE every three years?
. No. Only those partners who sign ERISA employee benefit plan audit opinions are required to meet the Center's 8-hour benefit plan-specific CPE requirement.
. Are partners who perform concurring partner reviews of ERISA employee benefit plan audits required to meet the Center's CPE requirement?
. No. Concurring partners are not required to have the 8 hours of benefit plan-specific CPE. However, concurring partners would be required to possess current knowledge, appropriate to their level of involvement in the engagement, of applicable professional standards, rules and regulations for ERISA employee benefit plan audits.
. Where can a firm find qualifying employee benefit plan courses to meet the Center's CPE requirement?
A4. AICPA offers two national employee benefit plans conferences each year, as well as various employee benefit plan related webcasts and self-study CPE courses. The EBPAQC also offers CPE for participating in the Center's Live Forums. For a listing of all AICPA conferences and courses, visit www.cpa2biz.com. In addition, several state societies offer conferences and self-study courses for employee benefit plan auditors. If you live in a state where no such courses are offered, you may wish to encourage your state society to develop such programs.
Back to top
Annual Internal Inspection Procedures
Q5. Will a firm's existing system of quality control satisfy this requirement?
In most cases, no. This requirement is intended to lead firms to do something extra in their system of quality control by focusing on the specific policies and procedures applicable to a firm's accounting and auditing practice for ERISA audits. Firms that do not have inspection procedures specific to their ERISA audit practice as a part of their normal monitoring procedures are required to implement such procedures.
Q6. What inspection procedures would a firm need to perform related to its ERISA audit practice?
The nature of inspection procedures will vary based on the firm's quality control policies and procedures and the effectiveness and results of other monitoring procedures. The adequacy of and compliance with a firm's system of quality control are evaluated by performing such inspection procedures as:
- Review of selected administrative and personnel records pertaining to the elements of quality control.
- Review of ERISA audit engagement working papers, reports, and clients' financial statements.
- Discussions with the firm's personnel.
- Summarization of the findings from the ERISA audit inspection procedures, at least annually, and consideration of the systemic causes of findings that indicate improvements are needed.
- Determination of any corrective actions to be taken or improvements to be made with respect to the specific ERISA audit engagements reviewed or the firm's quality control policies and procedures.
- Communication of the identified findings to appropriate firm personnel, including the designated partner in charge of the firm's ERISA audit practice.
Consideration of inspection findings by appropriate firm personnel who should also determine that any actions necessary, including necessary modifications to the system of quality control, are taken on a timely basis.
In Addition to the above procedures, the internal inspection should include reviewing the firm's compliance with Center membership requirements.
Q7. Do the internal inspection procedures need to be performed in the firm's peer review year?
A7. Yes. The inspection procedures must be performed in the firm's peer review year but may be modified to avoid duplicate engagement working paper, report, and clients' financial statement reviews. QC 10.119 states "…since the objective of a peer review is similar to that of inspection procedures, a firm's quality control policies and procedures may provide that a peer review conducted under standards established by the AICPA may substitute for the inspection of engagement working papers, reports, and clients' financial statements for some or all engagements for the period covered by the peer review." The firm's annual internal inspection in the firm's peer review year must also include other procedures addressing the matters listed in A6 above, including review of selected administrative and personnel records, discussions with the firm's personnel, and summarization of the findings from the ERISA audit review or inspection procedures, as well as reviewing the firm's compliance with the Center membership requirements.
Q8. How would a small firm with one audit partner or a sole practitioner satisfies the inspection requirement?
A8. In small firms qualified individuals (partners or managers) may inspect their own work (on a post issuance basis only), as long as the requirements of the AICPA's Quality Control Standards in QC Section 10, Paragraph 109 are met. That section states:
"To effectively monitor one's own compliance with the firm's policies and procedures, it is necessary that an individual be able to critically review his or her own performance, assess his or her own strengths and weaknesses, and maintain an attitude of continual improvement. Changes in conditions and in the environment within the firm (such as obtaining clients in an industry not previously serviced or significantly changing the size of the firm) may indicate the need to have quality control policies and procedures monitored by another qualified individual."
Alternatively, some firms may choose to engage an outside-qualified inspector either annually or on a periodic basis.
Q9. How should the firm select the ERISA audits to be inspected?
A9. The selection of engagements for inspection should be focused on the firm's ERISA practice only (that is, not influenced by the size of the ERISA practice in relation to the firm's entire audit practice.) The number of engagements selected for inspection should be sufficient to provide the inspector with a reasonable basis for concluding whether the firm's system of quality control for its ERISA auditing practice is properly designed, and whether it was being complied with during the year. Engagements selected for review should provide a reasonable cross section of the firm's ERISA auditing practice with emphasis on engagements that are considered to have higher risk. Examples of the factors to consider when selecting engagements to inspect are:
The number of practice offices selected for inspection should be sufficient to provide the inspector with a reasonable basis for concluding whether the firm's quality control policies and procedures for its ERISA auditing practice are adequately complied with throughout the firm. Greater emphasis should be placed on selecting those offices with higher risk. Factors to consider when selecting offices include:
Q10. Does the firm need to prepare a separate inspection report for the ERISA audits inspected?
A10. No. The firm may prepare a separate report on its inspection of ERISA engagements, or it may document the ERISA practice inspection scope and results in the firm's general monitoring/inspection documentation.
Q11. How long does a firm need to retain its reports on its inspection of ERISA engagements?
A11. The report and/or documentation should be retained for a period of time sufficient to enable those performing monitoring procedures and a peer review to evaluate the extent of the firm's compliance with its quality control policies and procedures.
Q12. Is there a checklist to help firms perform inspections?
A12. Yes. Firms may use the Peer Review Employee Benefit Plan Engagement Checklist to assist them in conducting the inspections. This checklist can be found on the AICPA Peer Review website at www.aicpa.org.
Q13. Can a firm hire its peer reviewer to perform its annual ERISA audit practice internal inspection?
A13. Per PRP Section 2000 (Peer Review Standards Interpretation) Section 21-2, a firm that is hired to perform the peer review may perform that firm's annual internal inspection, except in the year immediately preceding or during the peer review year.
Q14. At what point during the firm's fiscal year should the self inspection be performed?
A14. The self inspection may be performed at any time during the year. However, the firm must designate an annual self inspection period that is the same from year-to-year. For simplicity, the firm may wish to consider using its peer review year-end.
In determining its annual self inspection period, a firm also should be mindful of the related benefits provided by those inspections. Ideally, the self inspection would be performed prior to the benefit plan audit season each year, so that information learned from the self inspection may be applied in the current year audits.
Self inspections can provide important information about the composition of the firm's benefit plans practice, and should point out areas where the firm is deficient. Such information can help the firm more efficiently and effectively plan its ERISA audits, including determining timing of the engagements, staffing needs and availability, and necessary changes to audit plans and programs. It also may assist firms in determining staff training needs.
Q15. What plan year should be selected for the self inspection?
A15. The self inspection should be performed on the most recent plan year available.
Back to top
Q16. What peer review information has the Executive Committee determined should be available to the public?
A16. Center member firms must make publicly available information about their peer review as stipulated in Note 4 to the membership requirements.
Q17. How does a firm make the peer review information available to the public?
A17. Upon admission into the Center, if your firm is a member of the PCPS or your state society participates in the Facilitated State Board Access Program, certain peer review information already is in the AICPA's public file, so you don't need to do anything.
If your firm's peer review report is not posted by the state society or by PCPS, then, you will need to forward the required information. You should e-mail
the Center a copy of this information, which can be in the form of a Word or PDF file at or, if you prefer, fax it to us at 919-419-4772, within 30 days after joining the Center. Your files will be placed in the AICPA Peer Review Public File
Q18. If a peer reviewer's firm is not a member of the Center, is the Center member firm now required to hire a new firm that is a Center member to perform its peer review?
A18. Not necessarily, but it is suggested that you encourage your peer reviewer's firm to join the Center. The Center's membership requirement states that the employee benefit plan audits selected as part of the firm's peer review be reviewed by individuals employed by a Center member firm. This requirement is intended to ensure that the member of the peer review team who reviews your ERISA engagements has specialized knowledge of the auditing and reporting requirements for ERISA engagements. It is this individual who must be employed by a Center member firm. Accordingly, if the firm you engage to perform your peer review is not a Center member, it may be possible for that firm to add a team member who is employed by a Center member firm for the sole purpose of reviewing your ERISA engagements, subject to the existing AICPA peer review team approval procedures.
Q19. If a firm's peer review is due in the year the firm joins the Center and the firm has already engaged a firm that is not a member of the Center to perform the firm's peer review, does it have to find another firm to perform the peer review?
A19. No. This requirement is effective for peer reviews commencing after the firm has joined the Center. However, you should discuss with your peer review firm your firm's need to comply with the Center membership requirement and the alternatives to satisfying the requirement.
Q20. Where can a firm find a listing of Center member firms in its state that perform peer reviews?
Firm Quality Control Policies and Procedures
Q21. How does a firm satisfy the Center requirement to establish policies and procedures specific to the firm's ERISA employee benefit plan audit practice to comply with the applicable professional standards and Center membership requirements? (Requirement effective on or before December 31, 2004)
A21. The Center requirement to establish policies and procedures specific to the firm's ERISA employee benefit plan audit practice to comply with the applicable professional standards is consistent with AICPA Statement on Quality Control Standards No. 7: A Firm's System of Quality Control (QC 10), which broadly defines a system of quality control (QC System) as a "process to provide the firm with reasonable assurance that the firm and its personnel comply with applicable professional standards and applicable regulatory and legal requirements, and that the firm or engagement partners issue reports that are appropriate in the circumstances. A system of quality control consists of policies designed to achieve these objectives and the procedures necessary to implement and monitor compliance with those policies." The Center requirement applies this same general quality control standard at the ERISA plan audit level. The firm's auditing policies and procedures should specifically address ERISA plan audits, including the five elements of the general quality control standard as they relate to the firm's ERISA audit practice.
Q22. What are the six elements of the general quality control standard and how are they related to a firm's ERISA plan audit practice?
A22. Per QC 10.14, the policies and procedures should encompass the following six elements at the ERISA plan audit level:
1. Leadership responsibilities for quality within the firm (the "tone at the top"): The firm should promote an internal culture based on the recognition that quality is essential in performing engagements and should establish policies and procedures to support that culture. Such policies and procedures should require the firm's leadership (managing partner or board of managing partners, chief executive officer, or equivalent) to assume ultimate responsibility for the firm's system of quality control. For Center member firms, the firm's ERISA audit practice designated partner should assume ultimate responsibility for the quality of the firm's ERISA audits.
2. Relevant ethical requirements: The firm should establish policies and procedures designed to provide it with reasonable assurance that the firm and its personnel comply with relevant ethical requirements. The AICPA Code of Professional Conduct establishes the fundamental principles of professional ethics, which include:
- The public interest
- Objectivity and independence
- Due care
- Scope and nature of services
3. Acceptance and Continuance of Clients and Engagements: The firm should establish policies and procedures for the acceptance and continuance of client relationships and specific engagements, designed to provide the firm with reasonable assurance that it will undertake or continue relationships and engagements only where the firm:
- Has considered the integrity of the client, including the identity and business reputation of the client's principal owners, key management, related parties, and those charged with its governance, and the risks associated with providing professional services in the particular circumstances;
- Is competent to perform the engagement and has the capabilities and resources to do so; and
- Can comply with legal and ethical requirements.
The firm should obtain such information as it considers necessary in the circumstances before accepting an engagement with a new client, when deciding whether to continue an existing engagement, and when considering acceptance of a new engagement with an existing client.
4. Human Resources: The firm should establish policies and procedures designed to provide it with reasonable assurance that it has sufficient personnel with the capabilities, competence, and commitment to ethical principles necessary to:
- Perform its engagements in accordance with professional standards and regulatory and legal requirements, and
- Enable the firm to issue reports that are appropriate in the circumstances.
Such policies and procedures should address the following:
- Recruitment and hiring, if applicable;
- Determining capabilities and competencies;
- Assigning personnel to engagements, if applicable;
- Professional development; and
- Performance evaluation, compensation, and advancement
5. Engagement Performance: The firm should establish policies and procedures designed to provide it with reasonable assurance that engagements are consistently performed in accordance with professional standards and regulatory and legal requirements, and that the firm or the engagement partner issues reports that are appropriate in the circumstances. Required policies and procedures should address:
- Engagement performance,
- Supervision responsibilities, and
- Review responsibilities
6. Monitoring: The firm should establish policies and procedures designed to provide the firm and its engagement partners with reasonable assurance that the policies and procedures relating to the system of quality control are relevant, adequate, operating effectively, and complied with in practice. Such policies and procedures should:
- Include an ongoing consideration and evaluation of the firm's system of quality control to determine
The appropriateness of the design and
The effectiveness of the operation of the system of quality control.
- Assign responsibility for the monitoring process to a partner or partners or other persons with sufficient and appropriate experience and authority in the firm to assume that responsibility.
- Assign performance of monitoring of the firm's system of quality control to qualified individuals
The purpose of monitoring compliance with quality control policies and procedures is to provide an evaluation of:
- Adherence to professional standards and regulatory and legal requirements;
- Whether the quality control system has been appropriately designed and effectively implemented; and
- Whether the firm's quality control policies and procedures have been operating effectively, so that reports that are issued by the firm are appropriate in the circumstances
Q23. Are there any additional matters that must be encompassed by the firm's policies and procedures specific to the ERISA employee benefit plan audit practice?
A23. Yes. The firm should establish policies and procedures to comply with Center membership requirements, including:
Q24 . What quality control policies and procedures should ordinarily be addressed with regard to the competencies for the individual who is responsible for supervising an ERISA audit engagement and signing or authorizing an individual to sign the accountants report on such engagement (the practitioner-in-charge)?
- Designating an audit partner to have firm-wide responsibility for the quality of the firms ERISA employee benefit plan audit practice.
- Having all audit partners of the firm residing in the United States and eligible for AICPA membership be members of the AICPA.
- Establishing a program to ensure that all ERISA employee benefit plan audit engagement personnel possess current knowledge, appropriate to their level of involvement in the engagement, of applicable professional standards, rules and regulations for ERISA employee benefit plan audits; and minimum CPE requirements for an individual signing audit opinions and an individual managing ERISA employee benefit plan audit engagements.
- Performing annual internal inspection procedures that include a review of the firms ERISA employee benefit plan audit practice by individuals possessing current experience and knowledge of the accounting and auditing practices specific to ERISA employee benefit plan audits.
- Making publicly available information about its most recently accepted peer review as determined by the Executive Committee.
- Having its ERISA employee benefit plan audits selected as part of the firms peer review reviewed by individuals employed by a Center member firm.
Consistent with the general quality control standards (QC Section 10, paragraph .45), the firm's quality control policies and procedures should ordinarily address the following competencies for the practitioner-in-charge of an employee benefit plan audit engagement.
- Understanding of the role of a system of quality control and the Code of Professional Conduct—Practitioners-in-charge of an employee benefit plan audit engagement should possess an understanding of the role of a firm's system of quality control and the AICPA's Code of Professional Conduct, both of which play critical roles in assuring the integrity of the various kinds of accountant's reports.
- Understanding of the service to be performed—Practitioners-in-charge of an ERISA employee benefit plan engagement should possess an understanding of the performance, supervision, and reporting aspects of the engagement, which is normally gained through actual participation in an employee benefit plan audit.
- Technical proficiency—Practitioners-in-charge of an ERISA employee benefit plan audit engagement should possess an understanding of the applicable accounting and auditing professional standards including those standards directly related to the type of employee benefit plan and the kinds of transactions in which a plan engages.
- Familiarity with the industry—To the extent required by professional standards applicable to audits of ERISA employee benefit plans, practitioners-in-charge of an engagement should possess an understanding of the employee benefit plan industry. In performing an audit of financial statements, this understanding would include operating characteristics sufficient to identify areas of high or unusual risk associated with an engagement and to evaluate the reasonableness of industry specific estimates.
- Professional judgment—Practitioners-in-charge of an ERISA employee benefit plan engagement should possess skills that indicate sound professional judgment. In performing an audit of financial statements, such skills would typically include the ability to exercise professional skepticism and identify areas requiring special consideration including, for example, the evaluation of the reasonableness of estimates and representations made by management and the determination of the kind of report necessary in the circumstances.
- Understanding the organization's information technology systems— Practitioners-in-charge of an ERISA employee benefit plan audit engagement should have an understanding of how the organization is dependent on or enabled by information technologies; and the manner in which information systems are used to record and maintain financial information.
Q25. A firm has a comprehensive quality control policies and procedures document already in place. Is it necessary to amend the entire document to include specific wording covering the firm's ERISA practice, or is it acceptable to issue an addendum that addresses how the ERISA practice quality control will be achieved and how it interfaces with the firm's existing quality control document?
Either method would be acceptable. A firm may amend each section of its existing quality control document to address its ERISA employee benefit plan audit practice or, alternatively, it may issue an addendum that addresses how the ERISA practice quality control will be achieved and how it interfaces with the firm's existing quality control document. Whichever method is used, the firm should ensure the documented policies and procedures specific to the firm's ERISA employee benefit plan audit practice are adequate to comply with the applicable professional standards and Center membership requirements, as discussed above.