For many companies, an audit is a necessary part of business operations. For others, however, it is not, and such businesses are increasingly declining the service. The authors posit that the accretion of requirements over the decades has added cost but failed to provide commensurate value for those businesses that have a choice on whether to engage an auditor. They suggest reevaluating procedures and requirements with the goal of a simpler, better, less expensive audit.
FASB is trying to simplify GAAP and financial disclosures, while the AICPA appears to be adding to audit requirements in the name of improving quality. We believe that auditors should take this opportunity to reevaluate our approach to auditing and the changes to it over the last century. Many requirements have been added; few, if any, have been eliminated. Greater efficiency demands a different approach. Our view is based upon our experience, both as auditors and auditees, and conversations with other professionals. Consider the following developments:
- CPA firms have seen their tax and consulting practices grow while their attest activities, at least those not legally required, have declined. Furthermore, fees collected on audits have lower recovery rates than tax and other work.
- Over the years, many requirements have been added to audits, including meetings, correspondence, procedures, and documentation. Not surprisingly, time charges to perform these audits have also increased.
- The Internet and smartphones have created a whole new set of potential efficiencies that have been adopted in many industries, but which the auditing profession is either ignoring or outright rejecting.
- There has been a significant reduction in audits of small U.S. subsidiaries of foreign companies, with whatever auditing may be required by the parent’s auditors conducted overseas.
- CPA firms say that competition is fierce in audit fee pricing, but not tax work pricing.
- Medium-sized accounting firms are finding that their senior audit partners want to retire, but their senior tax partners do not.
The profession has so encumbered auditing with concepts imposed by regulatory authorities that the costs of audits have risen out of line with the benefits. For example, one of us had a client who owned several small businesses for which, until recently, we did annual audits. As the cost of the audits grew, he shifted them to reviews; now, we do nothing but tax returns. When asked, he said that the audit gave him comfort that someone outside of his office looked to make sure the bank accounts reconciled, the receivables were fairly stated, and all liabilities were recorded. As the cost of an audit kept rising, however, the benefit no longer justified the cost. Not surprisingly, banks have shifted their expectations for loans from audits to reviews, to compilations, and finally to Schedule L of a tax return.
None of the additional requirements, taken in isolation, are inappropriate or expensive; however, new procedures accumulate without any concomitant reduction. If auditors do not find a way to control the costs of audits, the profession will come under attack for excessive costs.
A Return To Basics In Auditing
The profession needs to go back to basics. People pay auditors to perform audits for a variety of reasons:
- For public companies, because the Securities Acts require audits
- For pension plans, because ERISA requires audits
- For government-funded programs, because the Yellow Book requires audits
- For not-for-profits, because state laws require audits
- For private companies, because owners want assurance that the financial statements are correct and that operations are functioning reasonably
- For certain other entities, because the parties receiving financial information from the audited company require it. Such parties include lenders, landlords, business partners, vendors, and customers, all with special and limited needs.
The model is generally “one size fits all”; auditors must perform all procedures required by Generally Accepted Auditing Standards (GAAS), whether or not the procedures are useful under the circumstances. The SEC, the PCAOB, ERISA, and the Yellow Book add additional steps, but nothing eliminates any.
In the private sector, demand for audits has continued where required by various laws. As the cost of audits continues to grow, demand might develop to eliminate some requirements. The public company sector is already starting to object to such costs. This is not a new issue (see the article “Have We Created Financial Statement Disclosure Overload?,” The CPA Journal, vol. 77, no. 11, November 2007). In 2012, Congress passed the JOBS act to reduce SEC reporting requirements for new companies, and currently is considering several bills proposed to ease the compliance load on small companies. But large public company filings have tended to get longer over recent years. An article in the Wall Street Journal (“The 109,894-Word Annual Report,” by Vipal Monga and Emily Chasan, June 2, 2015)” noted that 10-K filings have become so long that even the CFOs that produce them don’t think that average investors will read through them.
The time has come to evaluate the cost-effectiveness of auditing procedures and improve efficiency, in order to reduce audit costs.
Reevaluating Traditional Procedures
Auditors still use “snail mail” to send and receive confirmations. A staff person makes a list, arranges for preparation of the forms, mails the forms, sorts the responses, sends second requests, and processes the results. Furthermore, the majority of our clients’ customers do not respond to accounts receivable confirmations. Banks, in contrast, already have the information electronically. Consumers now check their personal bank balances by going online; why can’t auditors do that to confirm client balances? Software packages that automate part of the process are available. This area should be explored for efficiencies.
Physical inventory observations.
Observations are a fairly weak tool for auditors. Defrauding an auditor on an inventory observation is quite simple. In addition, almost all businesses now have online contemporaneous systems to keep track of inventories. Is sending out accountants to physically count stock really useful?
Review of internal control.
Audit standards require that auditors review the system of internal control and document our review. Because small clients have minimal systems, the evaluation almost always reveals a lack of segregation of duties, a lack of budgeting, inadequate monthly reporting, no monitoring, and so on. As auditors almost always conduct a complete substantive audit for smaller companies, what is the purpose of the review of internal controls?
Reevaluating Newer Procedures
SAS 114/115 letters before and after the audit.
The letter required before the audit starts is intended to tell those charged with governance what their responsibilities are and some of the audit results. Since this is already covered in the engagement letter, the letter of representations, and the audit report, this letter is redundant. The letter after the audit describes certain procedures and contains “adjustments that would not have been located except for the audit.” We have yet to find a client who takes an interest in such adjustments, unless we make a point of suggesting better bookkeeping. Prior to this requirement, when auditors believed that an issue was significant, they would make it without the SAS 114 letter. These letters accomplish very little.
All audits now require planning before the audit starts, including a planning meeting, an analytic review of the preliminary trial balances, and documentation of the planning process. Is it useful, especially when there has been significant continuity on an audit from year to year, to spend hours documenting this process and filling out forms?
Pre-audit analytic review.
Analyzing the financial statements before planning an audit might make sense in a large, structured audit. With a smaller company, however, such analytic review consists of calling the client and asking, “What’s new and what’s happening?” When auditing smaller public companies, we have found that a review of the quarterly filing will suffice. Taking a trial balance, inserting it in the workpapers, and saying nothing is new is a waste of time.
Audit risk evaluation.
GAAS (Codification of Statements on Auditing Standards paragraph AU-C315) requires a designation of the assertions and a risk evaluation of each significant amount. Much of the guidance is an attempt to describe mechanically the thought process of an audit. Most auditors do this instinctively without a need to evaluate whether the auditing of a balance is intended to evaluate its existence, completeness, accuracy, valuation, cutoff, rights, or obligations; therefore, the documentation of such is not necessary. The risk evaluation covers control, inherent, and detection risks. Inherent risk is almost always at a medium level, except for cash, where inherent risk is always high. In a small company, with the large risk of management override, control risk is always high, and auditors almost always perform a complete substantive audit. There is no need for workpapers to repeat or document this, and therefore the evaluation should be eliminated.
Audit planning meeting.
Such a meeting—getting the staff together, discussing the client, reminding them to be skeptical, and looking for indicators of financial fraud—is time consuming. Worse, it is redundant for any employee who has been on the engagement before and inadequate for any staff new to the engagement. Such statements would be more useful at a training session once or twice a year, but are unnecessary before each and every audit.
COSO’s internal control framework and evaluation.
The COSO internal control requirements have a conceptual bias toward large companies. Small companies with proper monitoring systems are rare, if not nonexistent. Auditors must now rate each client’s observance with these requirements. A company’s internal requirements may be minimal, however, based upon management’s perception of need.
Evaluation of illegal activities by a client.
This requirement was created by Congress to ensure enforcement of laws where governmental prosecutors were unable to be effective. It is inappropriate to make such a requirement of auditors who do not have the training to determine what is legal or the ability to rectify an illegal procedure. We believe that this evaluation should apply only to audits of public companies and those required under Yellow Book audits.
Individual auditors cannot reduce the disclosure requirements issues by FASB; however, many are making it worse.
Financial statement fraud evaluations of client structures.
Since an auditor is generally talking to management about their financial statements, having a conversation about fraud makes no sense. When auditors meet with audit committees to inform them that there is a risk of fraud, their eyes generally glaze over. Similarly, in cases of absentee ownership, a client’s response will most likely be, “Yes, that is why I hired you.” We believe that this procedure should also apply only to audits of public companies and those required for Yellow Book audits.
Audit committee meetings.
We have been at many audit committee meetings, as an auditor, a member, and as chairman of the audit committee, and we can attest that they are quite boring. The auditors generally hand out a report and then go over it line by line. These meetings have no purpose that cannot be achieved by just reading the report.
Documentation of workpapers.
SOX includes a requirement that the workpapers be documented, to ensure that a knowledgeable auditor unrelated to the audit can follow which procedures were conducted. I do not understand why such matters need to be in the workpapers. There are some areas where a verbal explanation by engagement personnel is more appropriate.
Defining the audit as not part of internal control.
A client that retains a firm to perform an audit frequently knows that their controls are weak and intends to cover the weakness with the audit. This is an appropriate response to a business issue. In truth, even if it is not “internal,” the audit is a part of controls.
Note disclosure has become excessive to an almost intolerable extent. Of course, individual auditors cannot reduce the disclosure requirements issues by FASB; however, many are making it worse. For example, do clients really need 1) a description that bank accounts greater than $250,000 are not insured, 2) statements that the company has never lost money on a bank account, 3) a description of the accounting for Type 1, Type 2 and Type 3 investments that provides no useful clarification for the lay person, or 4) a lengthy description of the issues of uncertain tax positions for clients that do not have any? Disclosures such as these go beyond the requirements of the professional literature, are needlessly expensive, and should be eliminated.
Follow-up for post—balance sheet events.
GAAP and auditing standards require certain events occurring after the balance sheet date to be recorded as of the balance sheet date. This requirement has resulted in a slew of procedures that need to be performed. A boilerplate disclaimer, “Events occurring after the balance sheet date have not been incorporated in the financial statements,” would eliminate a lot of nonproductive work.
Auditing of estimates and appraisals.
The auditing literature has produced 35 pages on auditing an estimate and 27 on using the work of a specialist. Both the SEC and PCAOB have commented on the inadequacy of certain auditors’ procedures in this area. GAAP in the area of intangibles has created a whole appraising industry that, at great effort and cost, allocates a purchase price to intangible assets and evaluates them annually thereafter. These matters are basically a good guess, but significant outside fees and audit time are now devoted to documenting just how good a guess they are. This issue also applies, although perhaps to a lesser extent, to the evaluation of financial instruments, mineral reserves, environmental cleanup costs, future pension costs, and other issues.
Quality control standards.
The auditing literature has also produced 60 pages of quality control standards promulgated by the AICPA and enforced by peer reviewers and the PCAOB. Firms dutifully apply these standards and annually monitor them to provide assurance. The quality control standards require written policies, documentation that the policies are being followed, and annual inspections to ensure that the policies and documentation are in place. Do these requirements really improve the reliability of audits? Is it a good use of time to review these procedures annually?
Dating of reports.
The simple dating of reports has become a complicated procedure. One must coordinate the final audit procedures, update the legal letter and the letter of representations, issue the report, and conduct internal processes. A delay in any of these means that other steps have to be repeated. Hours would be saved by not requiring coordination, without substantially reducing the reliability of financial statements.
Use of programs and checklists.
Smaller audit firms have shifted to using purchased checklists, audit programs, and requirements. These are lengthy documents that require much time to read and understand; too often, the result is that the procedures are “not applicable.” In my experience, auditors say that they use these purchased programs and checklists so that they do not have to worry about peer reviewers. In reality, the use of these purchased programs and checklists wastes time. It would be far better for firms to draft their own materials and ensure that they are relevant.
Peer review requirements.
While the peer review requirements have resulted in a major improvement in the quality and reliability of attestation reports, firms have overreacted to the peer review regimen. Auditors carefully perform many irrelevant procedures because “the peer reviewers require them.” As the PCAOB evaluates auditing standards, it may be time to consider not applying these requirements to audits of private companies, in the same way that certain accounting standards are being reconsidered for private companies and small and medium-sized entities.
Audit Effectiveness Is the Goal
Any general discussion of auditing always leads to the question of audit effectiveness; that is, what effect does any change have on “audit quality” ? We define improvements in audit quality as follows:
- A reduction of failed audits, that is, audits where there was a material error not detected by the auditor; and
- A reduction in the number and substance of audit deficiencies detected by the PCAOB inspections, peer review examinations, and SEC-required restatements and complaints.
The issue here is highly subjective, as there are no facts to go on. According to conventional wisdom, the best evidence of failed audits is the level of litigation one sees in the newspapers. While such litigation appears to have decreased, much of it is actually caused by economic issues rather than audit failures. Having studied the periodic reports of the PCAOB and SEC litigation releases, we are unconvinced that quantitative changes in litigation, PCAOB inspections, or SEC actions are good evidence of underlying substantive issues. We do not believe that increasing the number of audit procedures and requirements has improved audit effectiveness.
Making Auditing Exciting Again
None of the procedures discussed above is, in itself, unreasonable or excessive. We propose that the requirements discussed above do not reduce audit risk when followed and that reducing such requirements would enable auditors, especially at the staff level, to focus on the nuts and bolts of making sure the assets exist and are properly valued and that the liabilities are recorded. We believe that the totality of the procedures results in: 1) staff training on the procedures, 2) staff manuals describing the procedures, 3) staff time completing these procedures, 4) partner time making sure the procedures are completed appropriately, and 5) monitoring time, both internal and external, to provide assurance that all of these standards have been followed.
We believe that we have shifted the emphasis in the audit process away from learning and understanding business to filling out checklists. This has made auditing boring. When we were young professionals, the chance to go to a client, learn something about the business, meet some new people, and understand another bookkeeping system were all very exciting. Today, we try to tell young staff that learning about business is what makes being an auditor interesting. But they are tied up in completing forms, a boring activity that they come to see as an auditor’s primary responsibility. By eliminating some of these requirements, we believe we can not only reduce fees—we can also create a happier staff.