About the Panelists
Beverly Bahlmann, CA(SA), deputy director at the IAASB; Bob Dohrer, CPA, CGMA, chief auditor at the AICPA; Shawn P. O’Brien, CPA, senior consultant for business development in the AuditWatch Group of Thomson Reuters; and Kirsten Vosen, CPA, audit partner in charge of private company matters at Deloitte & Touche LLP, were the panelists. Susan Jones, CPA, director of the global solutions group at KPMG LLP, moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists’ own personal views and not necessarily those of their employers or those employers’ boards, management, or staff.
Jones opened the panel by asking what the source of the problem with the scalability of standards is: “Is it because the standards are just too hard or too complex for smaller entities? Is it that practitioners don’t know how to scale the standards, depending on the size of the client? Or is it just that the writing in the standards is complex and people don’t understand them?”
Vosen replied that the issue is more with the complexity of entities than their size. “You can have very, very small entities that can be extremely complex, and you can have large entities that are very straightforward,” she said, adding that a critical first step was to step back and think clearly about the differences between PCAOB and AICPA standards. A risk-based approach was also important, Vosen said, noting that Deloitte spent “quite a bit of time …working on tools, templates to empower our people to a very, very thoughtful risk assessment process.”
O’Brien then shared his belief that the standards are scalable, but only if practitioners understand them well enough. “They don’t know how to adjust or tweak the standards to make them do the same thing you do for General Electric as you would for a family-owned business. … We need to make some auditor judgment and not view these standards as a bunch of forms and checklists.”
ISA 315 and Scalability
Jones then asked Bahlmann about International Standard on Accounting (ISA) 315, which deals explicitly with risk assessment, audit planning, and “translating” standards to individual circumstances. Bahlmann began by saying that the project set principles-based standards for a broad range of entities, in terms of both size and complexity. Based on feedback during the exposure process, she said, the IAASB added “a lot more specificity within the requirements … we’ve really tried to focus in the requirements on what needs to be done.” She also said that commenters were particularly concerned with how to scale the standards up.
The “why” of the requirements was also an important part of making the standards scalable, Bahlmann said. “Why do you have to understand all the components of internal control, in particular for small audits where you want to take a substantive approach? We’ve explained that the control environment is the foundation of the audit; if that doesn’t work, there’s a lot of other stuff within the audit that won’t work. Why do you have to understand monitoring? Why do you have to understand risk assessment? Again, that helps you identify some of your financial statement risks. And then obviously that all leads into the responses to those various risks.”
Dohrer then spoke from an AICPA perspective, saying, “When we talk to people about our standards, a lot of times we get a reaction that it must be easier for the AICPA to deal with this because we only set standards for private companies. It couldn’t be further from the truth, and at times I think it’s even more difficult because some of the public companies are not as complex as some of the private companies that we do.” He added that regulators “need to get a better handle on how our standards are actually consumed and used. … Typically, auditors aren’t going to the PDF files or the bound books. If you go to a digital mentality, the standards no longer take on this context of being long or complex, necessarily, if the information is tagged so that whoever is using the standard can simply retrieve the information that’s appropriate electronically.”
Vosen said that Deloitte has found the learning process to be critical. “Understanding how the design and implementation really drives how you design the substantive response to a particular risk allows them to sit back and think, ‘Oh, this is why I’m doing what I’m doing.’ … If you’re just buried in forms and templates without providing the backdrop within the standards, it’s difficult to know how to execute the audit appropriately.”
Dohrer then mentioned how frequently the AICPA hears about the need for nonauthoritative implementation and practice guidance in conjunction with principles-based standards that rely on auditor judgment. “For a lot of people, if you give them the freedom to use their judgment, they want some guidance to help them exercise that judgment,” he said. “And the issue that I have about nonauthoritative guidance is that it’s really good if you agree with it, and if you don’t agree with it, it’s just nonauthoritative. It sets you up as a standards setter for a very difficult position.”
Serving Smaller Companies’ Needs
The next topic was nonaudit services for small companies. Jones explained that while many companies have statutory requirements for audits of small companies, the United States does not. “Are there services or combinations of services that we can offer that can fill that space that are not audits, and are firms doing that?” she asked. Vosen replied that the important thing about such engagements is to work with the client and understand its needs. “We can have the most streamlined approach to an audit process, but if a client, particularly a smaller client, isn’t ready for an audit, it can become a very painful process,” she said.
“For a lot of people, if you give them the freedom to use their judgment, they want some guidance to help them exercise that judgment,” Dohrer said.
O’Brien added that he becomes concerned when financial statement users mainly look for a document with a CPA signature as a kind of stamp of approval. Vosen agreed, saying, “We don’t want them to take it for more than it actually is. … We don’t want to oversell what a review is, or undersell the burden of prepping for one.” Dohrer then noted that the AICPA had finalized a new, more flexible standard on agreed-upon procedures (AUP) engagements. “We hope it’ll add some flexibility and be better used going forward,” he said.
Jones then asked whether separate standards for less complex entities was a viable solution, to which Bahlmann noted that many jurisdictions are setting their own standards rather than hewing to a uniform standard, which creates “a bit of a fracturing of what an audit is and may lead to differences in audit quality.” Bahlmann said that the IAASB asked in a consultation paper issued in 2019 whether users and preparers are looking for separate rather than scalable standards. “I think we were hoping that somebody would give us the magic pill, but it all came back mixed,” she said. Based on that feedback, she said, a working group has been formed to look at solutions, including possible revision of all ISAs. In the meantime, she said, “I think people have started to recognize that maybe a quick fix is a separate standard.” The IAASB plans to make recommendations in the first half of 2020.
Bahlmann also spoke about the pitfalls of short standards, saying that if they contain too little information, “nobody’s going to know what to do with it. So you’ve got this lovely principle-based short standard, but how do you actually do an audit?” Dohrer added that he is skeptical about separate standards as a solution, expressing reservations about having a multiplicity of standards defining the term “audit” differently. Instead, he suggested, there may be room for “a level of assurance or another engagement somewhere between a review and an audit that would satisfy the needs of, for example, community bankers who just want the ‘basic audit procedures’ done.” The AICPA has commissioned academic research to explore this idea, he said.
Dohrer mentioned the “reasonable assurance” standard for audits, which Vosen noted would become confusing with multiple standards each defining an audit differently, both to auditors and to users of financial statements. O’Brien opined that the process still comes down to application of the standards and, ultimately, scaling them to the client. “Vosen added that Deloitte has developed process-level workbooks that contain what she called “thoughtful questions that auditors can ask to understand the process, because not all entities are going to have narratives or flowcharts.”
Dohrer also noted that the AICPA’s enhancing audit quality initiative discovered “somewhere north of 40% of peer-reviewed audit engagements being classified as nonconforming due to inappropriate or inadequate risk assessment under AUC 315.” He continued to note “a very small percentage concluding that there was a problem with the financial statements. It made us step back and ask ourselves, well, what are those auditors doing then that are in that nonconforming for risk assessment but the financial statements have been audited and they’re pretty good?” Jones asked whether the auditors in these cases lacked understanding of their clients’ risks or if the risks were just not documented. Dohrer replied that he leans toward lack of documentation. “It’s a little retail shop on Main Street,” he said. “In year eight of your audit, how much risk assessment is there really left?”
Jones then asked Vosen for her opinion on how much complexity two sets of methodologies would add to the audit process. Vosen noted that the same entity might require different methodologies in different years. “It could be a real challenge to ensure you’re using the right standard at the right time,” she said.
Jones then took questions from the audience. The first question asked for a definition of “less complex entity.” Dohrer noted the confusion of size with complexity, saying that his experience with U.K. and European definitions of “small-to-medium enterprise” led to situations where “it made me shudder sometimes to see companies that met those criteria having that audit approach used, because the criteria really weren’t driving to the complexity at all.” Vosen agreed, saying, “You can’t just bucket audits strictly by size because you miss the point of risk assessment and tailoring your response to the particular risk at hand.”
Bahlmann added that, if the IAASB took the separate standards route, it would not prescribe which entities should use which standard. “We would describe what we would think a less complex entity would be using qualitative characteristics,” she said. “We would then leave it to individual jurisdictions to think about who would use it.” She also talked about the threshold between the standards, saying the IAASB would like to avoid a situation where one complex transaction pushes an entity into using the standards for more complex entities.
Jones then shared an audience question about the potential new engagement level between a review and an audit. Dohrer noted that there is always potential confusion if a new type of service is added, saying that transparency will be a key element. “If you’re going from a review and an audit scenario to something in between,” he said, “those reports can’t say it’s an audit, and have got to describe how it’s different.” There was also a question about the AICPA’s new agreed-upon procedures standard, which allows for a general-use AUP report. Dohrer said that transparency applies here as well. “It does require that the report indicates who agreed to the procedures to be performed, and that they’re fit for the purpose,” he said.
The final audience question dealt with the AICPA’s requirement for auditors to perform standard procedures if an account is material, regardless of whether there are risks at the assertion level that have been identified. “How is this scalable is this requirement?” Jones asked. Dohrer explained that this provision is “a backstop to make sure that the auditor is doing work on relevant assertions for material accounts, because we recognize that risk assessment is an imperfect science, and risk assessment is subject to judgment.” Bahlmann agreed, noting that the IAASB has two different requirements to this effect. “In a perfect world, if we all did a perfect risk assessment, we wouldn’t need either,” she said. “But it’s not a perfect world.”