Managing the Risks of Recent Professional Standards

In recognition of the COVID-19 pandemic, standard setters delayed many effective dates to allow the profession time to prepare for their adoption. The procrastinators now face an onslaught of pronouncements either already in effect or soon to be effective. Duncan Will, CPA, highlights some of the risk implications and offers a few risk management tips.


by Duncan B. Will, CPA, ABV, CFF, CFE Dec 11, 2023, 11:49 AM


Insightful lessons can be learned by reviewing professional liability issues. With this in mind, Gallagher Affinity provides this column for your review. For more information about liability issues, contact Irene Walton at irene_walton@ajg.com.

When it comes to allegations of harm caused by accountants, plaintiffs and their legal counsel often leverage noncompliance with professional standards to strengthen their case. This article highlights recent professional standards and offers a few risk management tips.

Neither the Auditing Standards Board (ASB) nor the Accounting and Review Services Committee (ARSC) has issued a standard since the spring of 2022.

The AICPA’s standard-setting bodies, however, were extremely prolific in the preceding years. In recognition of the COVID-19 pandemic, standard setters delayed many effective dates to permit the profession and clients to prepare for their adoption. Those who delayed now face an onslaught of pronouncements either already in effect or soon to be effective.

In spring 2022, the ASB issued two Quality Management Standards (No. 1, A Firm’s System of Quality Management, and No. 2, Engagement Quality Reviews) as well as Statement on Auditing Standards No. 146, Quality Management for an Engagement Conducted in Accordance with Generally Accepted Auditing Standards (collectively SQMS). The ARSC concurrently released SSARS No. 26, Quality Management for an Engagement Conducted in Accordance with Statements on Standards for Accounting and Review Services.

These four quality management standards (QM standards) impact CPA firms, not their clients. Many firms tend to prioritize their clients’ needs since the standards don’t become effective until December 2025, but extended complacency could have them failing a peer review, or worse.

The QM standards mark a paradigm shift for the profession as firms will need to establish risk assessment processes. The risk assessment processes will require firms to establish quality objectives they deem necessary to achieve and sustain their systems of quality control, identify and assess risks to achieving their quality objectives, and then design and implement responses to those “quality risks.” The AICPA released a wealth of content to assist firms with this transition, but there is no substitute for investing the time in understanding the new standards, assessing your existing processes, and developing a personalized system that meshes with the QM standards’ eight components (risk assessment, governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources, information and communication, and monitoring and remediation).

The table below includes recent pronouncements, distinguishing those already effective (red), those soon to be effective (yellow), and the QM standards addressed earlier (green).


This article is intended to provide tips to help you efficiently implement each of the standards and thereby reduce some risk exposure.

SAS 142 Tips

Be sure to document your having considered both the sufficiency and appropriateness of audit evidence, as it is the combination of the two that determines the persuasiveness of the evidence. Also, retain information that corroborates and contradicts evidence obtained. Document the application of professional skepticism in your assessment of the reliability of responses to inquiries and information obtained from management and those charged with governance.1

SAS 142 does not require auditors to document having evaluated the relevance and reliability of all audit evidence, but if in doubt, document.

SAS 143 Tips

Recognize the interrelation of accounting estimates and risk assessment when planning and performing audits. Ask and answer, “What would I focus on if I needed to complete my audit in one day?” Then document the following:

  • Risk assessment procedures.
  • Assessment of the risks of material misstatement.
  • Responses to the assessed risks.
  • Contemplated disclosures related to the estimates.
  • Areas of possible management bias and additional procedures contemplated to address that susceptibility.

Take advantage of the scalability contemplated by this SAS. When, in your judgment, uncertainty, complexity, and subjectivity are low, reduce your risk assessment procedures and document your reasoning.

If concluding the accounting estimates and related disclosures are reasonable in relation to the financial reporting framework based upon the procedures performed and evidence obtained, be sure to document your reasoning.

SAS 145 Tips

The ASB developed and released SAS 145 to clarify and enhance aspects regarding identification and assessment of risks of material misstatement.

“Risk assessment” is a phrase that is at the foundation of quality management as firms are to perform risk assessments to identify risks within their systems of quality management:2

  • Review AICPA’s Risk Assessment in a Financial Statement Audit Guide, which shows how to perform risk assessments when auditing financial statements under SAS 145.
  • Document the assessment of inherent risks and control risks for each relevant assertion.
  • Document the risk assessment procedures you performed for each component of your audit client’s system of internal control.
  • Document having assessed control risk at the “maximum level” when identified controls are either not designed effectively or implemented or you have not tested them for operating effectiveness. (Being properly designed is not sufficient.)
  • Document having assessed and identified controls over significant risks, journal entries, areas you plan to test, and significant accounts.3
  • Document having assessed and identified risks arising from the use of information technology and related general IT controls.
  • Document having performed the SAS’s new “stand-back” requirement, evidencing you have evaluated the completeness of your identification of significant classes of transactions, account balances, and disclosures.
  • Document your consideration of the interrelationship between SAS 142 and SAS 145. The higher on the spectrum of inherent risk4 a risk is assessed, the more persuasive your audit evidence must be.
  • Document considerations specific to smaller, less-complex entities. The SAS incorporates guidance designed for these entities.5
  • Although agnostic as to the system of internal control adopted by an entity, the SAS incorporates each of COSO’s five components, each of COSO’s 17 principles, and many of COSO’s points of focus. Become familiar with COSO’s 2013 Internal Control – Integrated Framework, paying particular attention to the framework’s 77 points of focus.

Guidance regarding noncompliance with laws and regulations became effective June 30, 2023.

SAS 147 Tips

SAS 147 incorporates the requirements of an interpretation titled Responding to Noncompliance with Laws and Regulations6 adopted by the Professional Ethics Executive Committee (PEEC) at its February 2022 meeting. The focus is on auditors’ inquiries of predecessor auditors about matters that will assist in determining whether to accept an engagement. In doing so, SAS 147 narrowly revises existing auditing standards to require an auditor, once management authorizes the predecessor auditor to respond to inquiries from the auditor, to inquire of their predecessors regarding identified or suspected fraud and matters involving noncompliance with laws and regulations (NOCLAR). Predecessors are to timely respond to successor auditor inquiries and/or clearly state if their responses are limited. The SAS also clarifies that once engagements are accepted, auditors are to document inquiries of predecessors and the fruit of those inquiries.

Neither the PEEC nor the ASB chose to permit predecessor accountants to voluntarily share NOCLAR concerns without their former client’s consent unless mandated by law or regulation. Now, auditors are required to inquire of their predecessors regarding identified or suspected fraud and NOCLAR.

In doing so, consider adopting comparable policies for all new client acceptances, regardless of service. The preamble to the AICPA Code of Conduct states that CPAs have responsibilities to the public, clients, and colleagues. The Code has never delineated the responsibilities to colleagues. CPAs should treat colleagues (e.g., predecessor and successor accountants) the way they would wish to be treated if their roles were reversed. Of course, in compliance with the Confidential Client Information Rule,7 accountants would first need to obtain their client’s consent. Although not mandated by professional standards, get the consent in writing.

Also, consider including language in engagement letters, regardless of the service provided, stating that client acceptance is contingent upon a satisfactory discussion with the predecessor. 

1 AU-C 200, para. A.34; AU-C 200, para. A.20; and AU-C 200, para. A.24.
2 AU-C 200, para. A.20.
3 AU-C 315.12, definition.
4 AU-C 315.
5 AU-C 315. Para. A12 and A.26.
6 ET 1.180.010.
7 ET 1.700.001.

Duncan B. Will, CPA, ABV, CFF, CFE, is a loss prevention manager and accounting and auditing specialist with CAMICO. He can be reached at dwill@camico.com.
