CPAs who perform audits for a variety of clients under multiple sets of standards need to tailor their work to different types of circumstances. The audit plan for a public company engagement under PCAOB standards will be different from the plan for a private company engagement performed in accordance with generally accepted auditing standards (GAAS). Based on the client’s size, complexity, industry, and other factors, there also is a lot of variation even within public company or private company auditing. This engagement-specific variability requires customized scaling of planning and procedures that relies on a well-conducted risk assessment, according to Kirsten Vosen, CPA, a partner in Deloitte & Touche LLP’s National Office Audit and Assurance Group-Private Company Matters in Minneapolis.
Vosen recently explained in a telephone interview with the Journal of Accountancy the process her firm uses to scale its audit work to fit each client. Best practices described by Vosen included:
1. Focus on the specific client
“Scalability is all a matter of understanding your client,” Vosen said. “You can’t necessarily just jump from client to client without pausing and being very thoughtful about the preliminary and planning phases of the audit.”
The work and preparation begin prior to the substantive phase of the audit and include a careful deliberation in drafting the engagement letter and by the engagement team in planning its audit. According to Vosen, the preparation upfront ensures that the engagement starts with a proper focus on the client, tailoring the engagement to the specific needs of the client, and the significant risks involved.
“Make sure you’re measured in your approach,” Vosen said. “Hours spent at the onset with an appropriate and thoughtful risk assessment can save you many, many hours at the back end.”
2. Remember that communication is crucial
An engagement’s team regular communication with management and those charged with governance helps ensure that risks identified during the audit are properly addressed, Vosen said. If there’s a need to change an audit’s scope or evaluation of a particular account, that can be worked out promptly as long as the lines of communication are kept open.
3. Continue risk assessment throughout the engagement
It’s very important that the risk assessment be a thoughtful process and that it continue to gather evidence throughout the engagement, Vosen said. A focus on detail helps ensure that the audit is appropriately scaled and tailored to the individual client. Such a focus also helps save time during the engagement’s later stages.
“It’s always important to remember that risk assessment is an iterative process. It’s continual, and the engagement team really needs to constantly be aware of that,” Vosen said. “As facts and circumstances evolve throughout the engagement process, is there a change to the risk assessment?”
It’s also important for the engagement partner to work closely with the engagement team in the evaluation of new evidence. This helps ensure that any risks that may be associated with the new evidence are properly weighed.
4. Don’t lose sight of internal controls
“You have to understand the clients’ various business and financial processes — such as the handling of customer orders and receipts or payments to suppliers — to inform your risk assessment,” Vosen said. “It is important to support your substantive approach and identify potential risk of material misstatement to the audit by understanding how your clients process transactions. You can plan an appropriate audit response. Doing that upfront in conjunction with the risk assessment and planning of substantive procedures is critically important.”
The engagement team’s risk assessment also requires a firm grasp of the relevant internal controls for identified risks of material misstatements.
Vosen cited an engagement team’s test of the design and implementation of a client’s cash reconciliation process as an example of how a risk of material misstatement should be addressed. If the client’s reconciliation process doesn’t call for one person to perform the reconciliation and a second person to review the reconciliations, then the engagement team needs to consider how that might impact the auditors’ substantive response to the risk presented. The client’s explanation of its reconciliation process and the auditors’ test of the implementation of that control will be important factors in the engagement team’s evaluation of the risk involved and the design of the auditors’ substantive response.
The engagement team’s reaction to the issues identified and the client’s response to the questions posed by the engagement team should come back to the initial risk assessment performed at the start of the audit.
“Understanding internal controls — as they relate to your potential risks of material misstatement early on in the audit phases — helps you appropriately design a substantive response,” Vosen said. “It doesn’t mean you can’t do an audit if some of the basic controls are not there, it just has an impact on how you plan your substantive response to that risk.”
It’s possible that all the engagement team may need to do to address issues uncovered during the audit that affects risk is increase the number of transactions that are tested. However, it may mean designing a different substantive response altogether.
“You need to have a measured response,” Vosen said. “It doesn’t mean I can’t audit the cash balances that are recorded in the general ledger. I just need to design my substantive response accordingly.”
5. Review the risk assessment again when concluding and reporting
When the audit is over, the engagement team is ready to communicate its findings with management, partners, or company directors.
“That’s when we stand back and ensure that all of the evidence that we’ve gathered is responsive to our risk assessment and we have the appropriate evidence to conclude,” Vosen said. “If the areas of significant risk that we communicated early on in that process to those charged with governance have changed, we should update those charged with governance to bring them through the audit process with us.”