The inspection process is a critical part of any audit firm’s accounting and auditing quality control (QC) system. The lack of precise guidance in the QC standards of both the AICPA and the PCAOB for determining the appropriate scope of a firm’s required internal QC inspections leads many firms to emulate the scope of their peer reviews, which is governed by strict requirements and close oversight. This results in overkill, thus causing talented professionals to expend more time than may be warranted in the circumstances. This article is intended to point out how and where firms can make their QC inspection processes more efficient.
What Do the Standards Say?
A close review of the QC standards and the applicable supplemental membership requirements of the AICPA’s Governmental and Employee Benefit Plan (EBP) Audit Quality Centers (collectively, the AQCs) shows that there is considerable room for risk-based judgment as to the appropriate scope of inspections based on an individual firm’s circumstances, and that there is no need for internal inspections to meet the scope requirements applicable to peer reviews. For example, there is no language in the AICPA’s QC standards that appears to require that 1) successive inspection periods must be continuous and unbroken, 2) the engagements selected for inspection be representative of the firm’s A&A practice, 3) all engagement partners must be covered in each inspection, or 4) the population of engagements subject to selection be complete or representative. There is also no requirement in the QC standards of either the AICPA or the PCAOB to include in an inspection all types of A&A engagements that would be subject to a peer review.
Moreover, although other requirements might apply in some circumstances, and any judgment that inspections should be conducted less frequently than annually is subject to challenge and therefore risky, there is no language in the AICPA’s QC standards that explicitly requires annual inspections. Section 10.52a requires only “periodic” inspections, while PCAOB QC section 30.06 requires reporting results of inspection procedures annually, thereby implying that such procedures must be performed, at least to some extent, every year. There is one exception: Both AICPA QC sections 10.A70 and .A71 and PCAOB QC section 30.12 explicitly enable a firm to forego some or all of its internal inspection procedures for the period covered by a peer review or a PCAOB inspection. It is, in fact, common for large multioffice firms to cycle all but its largest offices for inspection activity less than annually.
The inspection of selected engagements, however, is only one of many elements or features of a QC inspection. Moreover, these inspection procedures may also be performed on a cyclical basis (AICPA QC section 10A.A68; the PCAOB standard is silent on this point, but does not prohibit it). Certain procedures should be performed in addition to engagement inspections, but none are individually required in any given period (AICPA QC sections 10A.A64–.A65 and PCAOB QC section 30.06). Therefore, judgment may be applied, using risk considerations, to determining when and to what extent any nonengagement inspection procedures need be performed during any cycle, such as over three years.
Accordingly, subject to a few exceptions, the QC standards permit firms substantial leeway to use risk-based judgments to set the scope of their internal quality control inspections with regard to both the selection of individual engagements and the nature and extent of other inspection procedures.
The foregoing notwithstanding, the membership requirements of both the Governmental and Employee Benefit AQCs mandate annual selection and inspection of engagements representative of the firm’s audits in each covered practice area “considering the number and different types” of governmental/employee benefit plan audits. Nevertheless, it is not evident that this language was intended to require selection of one of each type of audit each year.
How Should Inspection Scope Be Determined?
It is not necessary to achieve any inspection objective in terms of number of hours charged, as typically guides peer reviewers in their selection of engagements. So how should a firm decide how many engagements, and which ones, to inspect? The nature, timing, and extent (i.e., the scope) of internal QC inspection procedures to be employed by a firm may depend, in part, on cost-benefit considerations and the historical results of both internal and regulatory inspections—for example, by a peer reviewer, the PCAOB, or other governmental agency—and the existence and previously tested effectiveness of other QC policies, including monitoring (AICPA QC sections 10A.A68 and PCAOB QC section 30.05).
If a firm’s auditing and accounting engagement quality has historically and consistently been high, as evidenced in the results of its prior internal inspections, peer reviews, and PCAOB and other regulatory inspections, firms ought to consider availing themselves of the foregoing inspection scope streamlining opportunities where judgmental discretion is permitted, and prioritizing audit engagement selections by applying risk factors such as those listed, with no particular priority in the Exhibit. The author suggests that engagements exhibiting these risk factor characteristics be identified by surveying the engagement partners at least annually.
EXHIBIT
Suggested Risk Factors for Prioritizing Engagement Selections for Inspection
It is also necessary to inspect nonaudit engagements based on risk considerations during any inspection cycle when such engagements are identified. For example, one might select an engagement 1) to examine prospective financial information or any other assertion pursuant to the Statements on Standards for Attestation Engagements, 2) to issue a comfort letter, or 3) to perform agreed-upon procedures or any other nonaudit attest service, particularly whenever a significant investment decision based on results or other significant user reliance on the report is expected. Selecting at least one nonaudit engagement that presents no identifiable risks, such as a compilation (with selection priority to full-disclosure presentations), any agreed-upon procedures, or an engagement to review prospective or pro forma financial information, might likewise be advisable.