May 2, 2021

Successfully Preparing For Year-End Audits of Privately-Held Clients

Year-end is typically a busy time for external auditors, even without the added stress of the COVID-19 pandemic. But as most CPA firms know, the hectic atmosphere is not a reason to neglect a highly-developed, measured, methodical year-end audit strategy plan.

In addition to meeting a CPA firm’s quality control standards, audit engagements are subject to a peer review or outside monitoring process — and a peer review report with a rating of pass with deficiencies, or fail, may shake the core confidence of a CPA firm’s leadership, clients and the public interest. Collemi Consulting professionals have been called in when CPA firms have encountered negative peer review results, and we’ve been asked to address some commonly cited matters.
To begin with, a well-crafted audit will address and satisfy the following issues:


  • Common peer review challenges
  • Audit planning and supervision
  • Audit risk and risk assessment procedures
  • Obtaining and documenting an understanding of the audit client and its environment, including its internal controls
  • Materiality considerations
  • Linking audit procedures to mitigate the risks identified and reach audit conclusions
  • Required auditor communications


The auditor’s overall objective when conducting a risk-based approach to audits of financial statements is to provide reasonable assurance that the financial statements, as a whole, are free from material misstatement, enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with accounting principles generally accepted in the United States of America (U.S. GAAP).


Avoidance of Common Peer Review Issues

Frequently cited mishaps with respect to risk assessment include:

  • Failure to link the substantive procedures performed to the results of the risk assessment
  • Audit procedures not linked to the client’s financial statement and relevant assertion-level risks for significant classes of transactions, account balances, or disclosures
  • Designing audit procedures with little regard for the results of that assessment as required by AU-C 315, Understanding the Entity and its Environment and Assessing Risks of Material Misstatements.


Risk Assessment Shortcomings

Peer reviewers often cite shortcomings in auditors’ understanding of the entity and its control environment. This includes a failure to understand the entity’s internal controls. When conducting your risk assessment, it’s useful to remember that your assessment will generally be more effective at the start of the engagement, and that internal control procedures may be performed before the risk assessment document is completed. The auditor, however, is not required to test internal controls unless mandated under certain circumstances.


Other critical points to keep in mind include the importance of having strong audit workpaper documentation, and that the risk assessment process is iterative: it is repeated in order to generate a sequence of outcomes. Also, the AICPA Professional Standards have changed over the last decade due to the issuance of the suite of risk assessment standards and Clarity requirements.


Please note that practice aids are no substitute for understanding the Professional Standards. Although auditors are only required to document their understanding of the factors that help them draw conclusions, auditors are still responsible for maintaining adequate documentation, and it’s their responsibility to meet Professional Standards.


Audit Documentation Dilemmas

Audit documentation is defined as “the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached.” Audit documentation should be sufficient to enable an “experienced auditor” — one who is independent and competent enough to challenge the engagement team’s procedures and conclusions — to understand such characteristics as the nature, timing, and extent of the audit, the results of the audit procedures performed, and any significant findings or issues.


Properly executed, audit workpaper documentation can stand on its own without any verbal explanation by the auditor if it answers the 5 “W” and 1 “H” questions: Who?, What?, When?, Where?, Why?, How?


Audit documentation serves as:

  • Evidence that the audit was properly planned and performed in accordance with auditing standards generally accepted in the United States of America (U.S. GAAS)
  • Evidence of the auditor’s basis for a conclusion


To further increase audit quality, audit documentation should provide sufficient and appropriate evidence that:

  • Risk assessment procedures were performed
  • There was appropriate response to address the risk of misstatement at the financial statement level
  • The nature, timing and extent of audit procedures performed were adequate for the engagement
  • There was linkage of those procedures with the assessed risks
  • The results of the audit procedures
  • Conclusions reached
  • Significant risks were reasonably considered


Audit workpapers should also reflect justification for any departures from presumptively mandatory requirements. They should also identify individuals who performed the work, when it was completed, the person who reviewed the work, and the date and extent of the review.


Audit workpaper documentation should also identify characteristics of the specific items tested, and discuss significant findings or issues with management or those charged with governance. Any information that contradicted or was inconsistent with the final conclusion on a significant audit finding or issue that was addressed should also be documented.


Don’t Forget About Litigation Attorneys

Over the years we’ve worked with litigation attorneys who have shared some “flash points” with us about notes and other workpaper matters that can come back and haunt the auditor. To be on the safe side, these are some real-life phrases and other items that should not make an appearance in your audit workpaper files:

  • Extraneous remarks or irrelevant memoranda, like “the client’s books are a complete mess” or “these expenses seem questionable”
  • Auditor statements that discredit their own work: “close enough for government work”
  • Personal files containing memos, schedules, and other matters related to an engagement
  • Superseded or outdated workpapers


Elements of properly prepared workpaper files include: initialing and dating each audit program step, signing off any audit program step as not applicable “N/A,” or as not considered necessary “N/C/N”, followed by an explanation. Any “Open Items Lists” should be reviewed and any conclusions regarding unique issues should be thoroughly documented. Additionally, time budgets explaining any overages and underages should be maintained, and the completion date should be documented. Professional Standards require that workpapers should be retained for a minimum of five years from the report release date — although practice, legal, regulatory, or other factors may dictate a longer retention period.


Don’t Forget Your Independence

The AICPA Code of Professional Conduct requires auditors to be independent in both fact and appearance. Auditor independence issues can be classified into four high-level areas:

  • Financial interest
  • Family relationship
  • Management function
  • Management decision making


In order to perform permissible non-attest services, the audit client must first agree to:

  • Make all management decisions and perform all management responsibilities
  • Designate an individual with suitable skills, knowledge, and/or experience, preferably within senior-level management, to oversee the performance of the non-attest services
  • Evaluate the adequacy and results of the non-attest services
  • Accept responsibility for the results of the non-attest services
  • Establish and maintain internal controls, including monitoring ongoing activities


Auditors should exercise caution when it comes to certain “independence” matters that can raise red flags about their independence in a peer review or litigation matter. Some areas include:


  • Providing multiple non-attest work products
  • Significant concentration of revenue coming from one audit client
  • Taking on management responsibilities
  • Providing consultation that goes beyond routine advice
  • Inadvertently engaging in other non-compliance activities like performing non-attest services for a company before it becomes an attest client; loaning staff members to an attest client; certain mergers or purchase of a CPA firm; employment of, or association with, an attest client; performing attest services for a client with unpaid fees; and engaging a client employee


Other red-flag issues include financial interests in an attest client and their affiliates, the adequacy of fees being charged, and the existence of group audits.

Learn More
By Jennifer Ruf April 30, 2025

The wave of mergers and acquisitions in the accounting industry over the past five years or so shows no sign of abating as small and mid-size public accounting firms seek to gain the size that lets them invest in new technology and recruitment, and gain other advantages of economies of scale. While there are lots of arguments to be made in favor of joining forces with other CPA firms, it’s still a fraught process with many potential hurdles.

And it’s not just other public accounting firms doing the merging and acquiring. The private equity firms that have been rolling up small and mid-size CPA firms into larger ones come with plenty of benefits, notably the ability to make the investments needed to compete at a time when automation and artificial intelligence (AI) are bringing a sea change into the accounting business, and competitors are getting bigger. But they also come with their own baggage, such as questions of conflicts of interest and compliance with the auditor independence rules, as well as a focus on the more profitable tax and advisory service side of the firms.

The money from an acquisition can be enticing, but it’s important to go into it knowing that there’s a price to be paid for it, and what that price is. And how to go about paying it if you do decide to join forces with a private equity firm.

Private equity pros

Private equity firms have been competing to invest in large public accounting firms, but also to buy out and roll up small and mid-size firms for two core reasons. One is a steady and predictable revenue stream, particularly on the audit side, which is very enticing to them. The other is the revenue potential of expanding the more lucrative tax and consulting side of the business.

But they also see the opportunity to grow the CPA firms and make them more profitable by investing in things like staff training, recruitment and cutting edge technology like AI that can transform the accuracy and efficiency of audit processes. And, of course, strategic acquisitions that can further strengthen the business.

Another thing they can do is centralize certain auditing tasks like data processing or routine testing, even moving it offshore for cost efficiency. This can give the core auditing team more time for the deep dive and the ability to focus on more value-added services.

Private equity cons

On the con side, the focus on consulting can lead to the auditing quality side being given less priority for investment and growth. With a focus on short-term profit, private equity funding can come with pressure to focus attention on the higher margin consulting side of the business.

Private equity firms are often eager to scale up the tax and consulting sides of the business, to the point of sometimes creating an alternative practice structure (APS) by investing in or acquiring just those parts of a firm and leaving the audit side, with its need for independence and smaller margins, alone. Which calls into question the benefits of a private equity investment, at least on the auditing side of the business.

Then there’s the threat to auditor independence of having an owner or partner with a large portfolio of companies like tech firms that can provide other services to audit clients. And even when there is no actual threat, these perceived conflicts of interest can be a red flag to audit regulators and standard-setters.

Private equity questions

When you’re looking at an investment or acquisition by private equity there are questions to be asked that aren’t always obvious, or at least that don’t have simple answers. It’s easy enough to start a conversation about auditor independence and the appearance of impairment or conflicts of interest with the auditing side of the business, but it’s also easy enough to promise that these issues won’t be a problem.

You have to be aware of the other types of services that they're planning to provide to that same client, because that could have an impact on whether or not you can perform the audit or the review work that you’re doing without violating the AICPA’s Code of Professional Conduct. That’s particularly true with small CPA firms focused on the auditing side of the business instead of consulting, which will suddenly find themselves paired with a large and aggressive tax and consulting business.

But whatever size your practice is, you’ll have to update policies and procedures and be cognizant of the need to create an infrastructure that acknowledges the potential conflicts that come with a private equity firm’s offer.

Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies.
By Jennifer Ruf March 24, 2025

As audit season is in high gear, it’s important for auditors to step back and plan how they are going to audit a client’s books and records. What are the red flags you’re looking for when it comes time to throw open the books and look through a huge swath of journal entries to pluck out the ones that are questionable, and need to be questioned?

First off, it’s important to understand how journal entries are created at the company being audited. For an auditor, that means looking at the internal control environment to understand how a journal entry is created: Who’s authorized to create one and who can create one. You have to understand the process. How does it start and how is the entry eventually recorded onto the financial reporting system?

Once you know that, you can determine whether someone can come in and override the system, or if someone can pretend to be someone else and start recording journal entries onto the system. That will help you figure out what to look for to decide what entries to pull out and ask management to get backup information to support and validate those entries.

Finding the needle

The key here is not to just go through the mechanics, but to really go through the exercise so you can determine if management is playing games in the recording of those transactions. You have to be able to get comfortable with that, and that means you need to be able to document what you’re looking for. Because what the auditor is really doing is looking for a “needle in the haystack”, to identify the transactions that don’t look right, that don’t make sense in the ordinary course of business.

For example, if the business is not open on weekends, are transactions being posted on a Saturday or Sunday, or even on holidays? If you see rounded numbers or accounts that are seldom used, those can be red flags as well.

Sometimes it can be as simple as asking managers and others like accounting, data entry and IT personnel if they’ve observed any unusual accounting entries. Depending on the size of the company and scope of the work, you might need to use a computerized audit software program — some of them with AI built in — that can scan the entries to identify anomalies.

Red flags

When an auditor is looking for evidence of management override of controls, they can look for some of these 12 red flag indicators:

  • Top-side entries
  • Entries made to unrelated, unusual or seldom-used accounts
  • Entries made by individuals who typically don't make entries
  • Entries recorded at the end of the period
  • Post-closing entries with no explanations
  • Entries made before or during the preparation of financial statements with no account numbers
  • Entries that contain rounded numbers or a consistent ending number
  • Entries processed outside the normal course of business
  • Accounts that contain transactions that are complex or unusual in nature
  • Accounts that contain significant estimates and period-end adjustments
  • Accounts that have been prone to errors in the past
  • Accounts that contain intercompany transactions

When testing non-standard journal entries and other adjustments, you should look for documentary evidence indicating that they were properly supported and approved by management. Finally, remember that while most fraudulent entries are made at the end of a reporting period, you shouldn't ignore the rest of the year.

Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
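The kind of scan described above can be sketched in a few lines of Python. This is an added example, not code from the original post or from any audit software product: the entry fields, the sample entries and every threshold (round unit of 1,000, five-day close window, "seldom used" meaning one posting) are assumptions made for illustration, and holiday postings are not covered.

```python
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed sample journal entries; every value here is made up for illustration.
ENTRIES = [
    {"id": "JE-001", "posted": date(2024, 12, 2), "user": "ap_clerk", "account": "6100", "amount": Decimal("1843.27"), "memo": "Office supplies"},
    {"id": "JE-002", "posted": date(2024, 12, 3), "user": "ap_clerk", "account": "6100", "amount": Decimal("412.90"), "memo": "Courier"},
    {"id": "JE-003", "posted": date(2024, 12, 10), "user": "ar_clerk", "account": "4000", "amount": Decimal("9120.55"), "memo": "Invoice 884"},
    {"id": "JE-004", "posted": date(2024, 12, 11), "user": "ar_clerk", "account": "4000", "amount": Decimal("2310.08"), "memo": "Invoice 885"},
    {"id": "JE-005", "posted": date(2024, 12, 28), "user": "cfo", "account": "1999", "amount": Decimal("250000.00"), "memo": ""},
    {"id": "JE-006", "posted": date(2025, 1, 6), "user": "ap_clerk", "account": "6100", "amount": Decimal("75000.00"), "memo": "Accrual true-up"},
]


def flag_entries(entries, period_end, usual_users, round_unit=Decimal("1000"),
                 rare_max=1, close_window_days=5):
    """Return {entry id: [red flags]} for entries that trip at least one test."""
    # How often each account appears in the population being tested.
    account_use = Counter(e["account"] for e in entries)
    flagged = {}
    for e in entries:
        days_to_close = (period_end - e["posted"]).days
        tests = {
            "weekend": e["posted"].weekday() >= 5,             # Saturday or Sunday
            "round_amount": e["amount"] % round_unit == 0,     # exact multiple of round_unit
            "seldom_used_account": account_use[e["account"]] <= rare_max,
            "unusual_user": e["user"] not in usual_users,      # rarely posts entries
            "period_end": 0 <= days_to_close <= close_window_days,
            "post_closing": days_to_close < 0,                 # posted after period end
            "no_explanation": not e["memo"].strip(),
        }
        hits = [name for name, hit in tests.items() if hit]
        if hits:
            flagged[e["id"]] = hits
    return flagged


def review_order(flagged):
    """Entry ids sorted so the entries with the most flags are pulled first."""
    return sorted(flagged, key=lambda entry_id: len(flagged[entry_id]), reverse=True)


if __name__ == "__main__":
    result = flag_entries(ENTRIES, date(2024, 12, 31), {"ap_clerk", "ar_clerk"})
    for entry_id in review_order(result):
        print(entry_id, ", ".join(result[entry_id]))
```

A flag is only a reason to request support for the entry, and the thresholds should be set from your understanding of how the client normally records entries.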