It has been three full years since the AICPA's mandatory practice monitoring program commenced, and many firms will be undergoing a second review during 1993. This is an appropriate time for firms enrolled in the Quality Review Program to consider what to expect during their second go around by reviewing both recent changes to the quality review program and the findings of past reviews. A discussion of these matters will also provide guidance to those firms who have yet to undergo their first quality review.

Some Background

The Program. Quality Review is an AICPA practice monitoring program designed to provide assurance to the public that CPA firms are performing accounting and auditing services in accordance with professional standards. It is a condition of membership in the AICPA that its members practice public accounting only in firms that are enrolled in the Quality Review program or the similar Peer Review program of the AICPA's Division for CPA Firms. In addition, some state licensing bodies require participation in a practice monitoring program as a condition for maintaining a license to offer services to the public.

There are two basic types of reviews, depending on whether the firm does audits or only reviews and compilations.

On-Site Reviews--Firms with Audit Engagements. An on-site quality review provides the reviewer with a reasonable basis for expressing an opinion on whether during the year under review the reviewed firm's system of quality control for its accounting and auditing practice met the objectives of quality control standards established by the AICPA and was being complied with to provide the reviewed firm with reasonable assurance of conforming with professional standards. Those quality control standards identify nine elements, which are presented in an accompanying sidebar.

To achieve the objectives of an on-site quality review, the reviewer is required to test administrative and personnel files; review selected engagements, including the relevant working paper files and reports; interview firm personnel; obtain other evidential matter, as appropriate; and communicate his or her conclusions to senior members of the reviewed firm at an exit conference.

Off-Site Reviews--Firms With Only Reviews and Compilations. On the other hand, the objective of an off-site quality review is to provide the reviewer with a reasonable basis for expressing limited assurance that the financial statements and related accountant's reports on the review and compilation engagements submitted for review do not depart in material respects from the requirements of professional standards. Off- site quality reviews are available only to firms that perform review or compilation engagements but perform no audits of historical or prospective financial information.

An off-site quality review consists of reading the historical or prospective financial statements submitted by the reviewed firm and the related accountant's review or compilation report, together with certain background information and representations provided by the reviewed firm. It does not include any review or testing of the firm's system of quality control. Accordingly it does not provide the reviewer with a basis for expressing any form of assurance on the firm's quality control policies and procedures for its accounting practice.

Types of Reports. For on-site reviews, reports on the system of quality control can be unqualified, qualified, or adverse. If the report is modified (either qualified or adverse), it must be accompanied by a letter of comments setting forth the deficiencies that led to the modification and recommendations for corrective and remedial action. A letter of comments is also issued with unqualified reports when the on- site reviewer notes less serious conditions in which he or she concludes there is more than a remote possibility that the firm would not conform with professional standards on accounting and auditing engagements. The reviewed firm submits a letter of response indicating the action it intends to take to correct the deficiencies noted in the letter of comments. Reports on off-site reviews may be unqualified, modified for significant departures from professional standards, modified for other departures, or adverse. Presently letters of comment are not prepared; but the reviewed firm prepares a letter of response setting forth the corrective action it intends to take whenever the off-site review report is other than unqualified.

Review Administration. For both on-site and off-site reviews, the reviewers' reports, letters of comment, workpapers, and the firms' letters of response are subject to a technical review by the administering entity--usually a participating state society of CPAs--and a report acceptance body, a group of CPAs formed by the administering entity.

Results. What have been the results of the program so far? According to statistics developed by the AICPA, of the 9,557 on-site quality reviews accepted as of July 22, 1992, 84% were unqualified, 14% were modified, and 2% were adverse. Of the 2,651 off-site reviews accepted, 81% were without significant departures, 17% were modified for significant matters, and 2% were adverse.

By far, most comments in prior on-site reviews relate to the supervision element of quality control and result from findings on engagement reviews. These findings have been discussed in various articles, training courses, and, most recently, the AICPA 1992 Audit Risk Alert, which summarized a number of "frequently recurring comments noted in peer and quality review letters of comment."

Audit Programs

One of the more serious findings concerned the absence of written audit programs. SAS 22, Planning and Supervision (AU Sec. 311), requires the auditor, in planning audits to prepare an appropriately tailored, written audit program. The audit program should set forth in reasonable detail the audit procedures the auditor believes are necessary to accomplish the objectives of the audit.

On a number of initial on-site quality reviews, the reviewers found that the firms had no policy requiring, nor were they using, written audit programs. This "automatically" resulted in a modified report on their review. Most practitioners should now be aware of the need for a written audit program to avoid a modified report. However, the standards also require the audit program be appropriately tailored and responsive to needs of the engagement based on the results of the planning considerations and procedures. This means, for example, that the audit program used for an audit of a construction contractor should be appropriately modified for that specialized industry. It also means that the audit program used for the audit of an entity where control risk is assessed at the maximum will be different from that used where control risk is assessed at less than the maximum. I believe that in subsequent reviews, reviewers will pay closer attention to these two points and will look to see how firms are modifying their audit programs for varying circumstances.

Internal Control

SAS 55, Consideration of the Internal Control Structure in a Financial Statement Audit (AU Sec. 319), was issued in April 1988. However, to give firms time to establish policies and procedures for implementation, it was effective for audits of financial statements for periods beginning on or after January 1, 1990. Therefore, firms that had their reviews during 1990 did not have to comply with this new standard.

SAS 55 requires the auditor to obtain and document a sufficient understanding of the three elements of an entity's internal control structure (the control environment, the accounting system, and control procedures) to plan the audit. The auditor must then assess control risk for the assertions embodied in the financial statements and document this assessment. These procedures are required even if the auditor assesses control risk at maximum for all financial statement assertions and plans an audit with a primarily substantive approach. Under the prior standard, in similar circumstances, the auditor simply had to document the reason for not relying on internal controls to reduce substantive testing. If the auditor intends to reduce substantive tests (i.e., control risk is assessed at below maximum) the auditor must perform tests of controls.

On initial quality reviews for periods after SAS 55 became effective, a frequent letter of comment finding was the lack of documentation of the firm's understanding of the internal control structure when control risk was assessed at maximum, but the reviewer was satisfied a sufficient understanding had been obtained to properly plan the audit. This finding generally did not result in a modified quality review report. SAS 55, however, has now been effective for two years. Furthermore, it is one of the few auditing standards that imposes specific documentation requirements. Therefore, I believe that in future reviews a firm's failure to have a policy requiring the documentation of its understanding of an entity's internal control structure may result in a modified quality review report. The decision to require modification will depend on the judgment of report acceptance bodies of each administering entity depending on the facts and circumstance of each review.

Other Documentation Deficiencies

Documentation deficiencies have been repeatedly noted in other areas. After disclosure and reporting deficiencies, the most common type of deficiency can be grouped under the general heading of documentation. SAS 41, Working Papers (AU Sec. 339), requires that workpapers "... be sufficient to show that the accounting records agree or reconcile with the financial statements or other information being reported on and that the standards of fieldwork have been observed."

It further requires that audit working papers ordinarily include documentation showing--

1. The work has been adequately planned and supervised;

2. A sufficient understanding of the internal control structure has been obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed; and

3. The audit evidence obtained, the auditing procedures applied, and the testing performed have provided sufficient competent evidential matter to afford a reasonable basis for an opinion.

Applying this standard, reviewers noted recurring documentation deficiencies related to audit planning procedures, other general audit procedures, and audit procedures related to specific accounts.

Planning. During the planning stage, in addition to audit programs and internal control structure matters discussed earlier, a number of matters, judgments, and procedures must be considered by the auditor. The auditor has to consider matters affecting the industry in which the entity operates, such as governmental regulations and technological changes, and matters affecting the entity's business, such as types of products and services and contractual obligations. The auditor must also assess the risk of material misstatements in the financial statements resulting from violations of laws and regulations, errors, irregularities, and management misrepresentations. Finally, the auditor must make a preliminary judgment about materiality levels. Many practitioners incorrectly conclude that since they "book all adjusting entries," no such judgment is required. However, such a judgment is required to plan the nature, timing, and extent of audit procedures.

Many reviewers found deficiencies in the documentation of these matters, but in their letter of comments finding concluded "... through discussion with firm personnel, we satisfied ourselves that appropriate planning procedures had been performed."

General Audit Procedures. Other general audit procedures where documentation deficiencies have been noted relate to the performance of analytical procedures in the planning and final review stages, sampling considerations (selection and evaluation), reasonableness of accounting estimates made by management, going concern evaluations, and partner review of working papers, reports, and financial statements.

Specific Accounts. Documentation deficiencies of audit procedures related to specific accounts included failure to document alternative procedures for non-replies to accounts receivable confirmation requests, lower of cost or market tests for inventories, search for unrecorded liabilities, and tests of compliance with loan covenants. As with the audit planning procedures, the reviewers were generally able to conclude that adequate procedures were performed, but not documented.

SAS Specific Documentation Requirements. It is important to note that in addition to SAS 41 on working papers and SAS 55 on internal control, there are other SAS's which contain specific documentation requirements. They include the requirement to document oral communications to the audit committee, regarding illegal acts, reportable conditions in internal control structure, and other matters, as well as the requirement for written responses from the client's attorney concerning litigation, claims, and assessments and written representations from management. Surprisingly, during initial reviews, reviewers noted instances where firms failed to obtain client representation letters on audits. As with audit programs, if the firm did not have a policy that required obtaining representation letters on all audits and failed to obtain such letters, a modified quality review report was issued. This will probably continue to be the case. Furthermore, I believe, that deficiencies noted in compliance with the above specific documentation requirements may also result in a modified report.

Government Audit Standards. Firms conducting audits under Government Auditing Standards have additional documentation requirements to consider, including the need for "a written audit program cross- referenced to the working papers." In view of the increasing interest of regulators regarding the quality of audits and of practice monitoring programs, a documentation deficiency in a government audit engagement will continue to be considered a serious matter.

Effect on Future Reviews

If these documentation deficiencies continue and are found in subsequent reviews, will the reviewers continue to give the firm "the benefit of the doubt" and again conclude the procedures were performed but not documented, or will they conclude that the procedures were not performed? The latter, of course, has much more serious implications. It could lead the reviewer to regard the engagement involved to be substandard, (i.e., it was not performed in all material respects in accordance with generally accepted auditing standards). The firm would then have to consider whether it could continue to support its opinion or whether it must apply the omitted procedures. This could include performing additional field work should that be necessary as a basis for preparing the required documentation. Depending upon the other review findings, the matter could result in a modified quality review report.

Corrective Actions

Many of the above documentation deficiencies can be cured by developing or obtaining a comprehensive engagement planning and administration program or a general procedures audit program. A carefully completed program, with appropriate notations, can effectively and adequately document many general procedures. For example, a typical program step asks the auditor to consider if the results of other audit procedures raise a substantial doubt about the entity's ability to continue as a going concern. The auditor's sign-off with the notation "none identified" adequately documents the auditor's consideration of this matter.

The auditor's understanding of the internal control structure can be documented in a number of ways including the use of an internal control questionnaire, flowcharts, or memos. The control risk assessment can be documented by exception, i.e., by indicating that "except as noted, control risk is assessed at maximum for all financial statement assertions." This is especially effective in audits of small businesses. The article, "SAS 55 and the Small Business Engagement," in the January 1993 issue of The CPA Journal discusses this approach.

Compilations and Reviews

Statements on Standards for Accounting and Review Services (SSARS) do not contain any specific working paper requirements other than some very broad requirements for a review engagement.

In a review engagement, "...the accountant's working papers should describe:

a. The matters covered in the accountant's inquiry and analytical procedures, and

b. Unusual matters that the accountant considered during the performance of the review, including their disposition."

However, when reviewing a compilation engagement or a review engagement, the reviewer must determine whether the workpapers "...evidence compliance with professional standards." Despite the fact standardized forms and checklists are not required by SSARS, I believe that their use is the most efficient and cost effective way to conduct these engagements, with the side benefit of demonstrating compliance with professional standards for purposes of quality review.

In November 1992, SAARS 7, Omnibus Statement on Standards for Accounting and Review Services--1992, was issued and is effective for periods ending after December 15, 1993. Some of the important changes as a result of the statement are--

* To revise the wording of compilation and review reports;

* To require that the accountant obtain a representation letter from members of management for review engagements;

* To clarify the accountant's reporting responsibilities in compilation and review engagements when there is uncertainty about the entity's ability to continue as a going concern; and

* To clarify the accountant's responsibility to communicate errors and irregularities or illegal acts to management.

Beginning with the 1994 quality review year, both on-site and off-site reviewers will focus on compliance with the new statement.

Financial Statement Disclosures

As stated previously, the most frequent comments for on-site reviews concerned deficiencies in accountants' reports and in financial statement disclosures. Common report problems included failures to report on supplementary information, to report on all periods presented, to disclose the omission of disclosures in compiled financial statements, and to properly disclose financial statements were prepared on another comprehensive basis of accounting (OCBOA) other than GAAP.

While there have been instances of deficiencies in all areas of disclosures, there have been several recurring problem areas as follows:

* Inappropriate statement titles for OCBOA statements;

* Missing or incomplete related party disclosures;

* Failure to disclose concentration of credit risk;

* Missing or incomplete disclosure of lease commitments and rent expense;

* Failure to disclose five-year debt maturities;

* Absence of capital stock details;

* For the statement of cash flows, missing or incomplete disclosure of--

* Cash paid for interest and taxes where the indirect method is used;

* Policy for determining cash equivalents; and

* Non-cash activities.

Although not required by professional standards, the most effective way of ensuring financial statements contain all disclosures required by professional standards is through careful completion of a comprehensive report and disclosure checklist.

Off-site reviews revealed similar deficiencies in accountants' reports and financial statement disclosures.

Other Findings

Independence. A number of independence issues were raised, partially as a result of numerous ethics rulings over the last few years. Many of these relate to unpaid fees. With respect to unpaid fees, "... Independence of the member's firm is considered to be impaired if, when the report on the client's current year is issued, fees remain unpaid, whether billed or unbilled, for professional services |whether audit or non-audit provided more than one year prior to the date of the report."

Consultation. Reviewers often found that firms failed to consult with other professionals when called for or failed to document consultation when it took place. In addition, a number of firms had inadequate libraries that did not contain the latest version of the AICPA's professional standards, FASB pronouncements, or appropriate industry audit guides.

Professional Development. While most practitioners were in compliance with AICPA and state board CPE requirements, many had not taken sufficient accounting and auditing courses. Furthermore, some firms subject to Government Auditing Standards did not comply with the CPE requirements under those standards.

What's Different?

Effect of Prior Review. The most obvious change affecting firms undergoing their second review is that there will be, for the first time, a prior review to consider. The team captain checklist for on-site quality reviews includes the following:

"If the firm was previously reviewed, consider whether matters, if any, discussed in the firm's prior report, letter of comments, and response thereto require additional emphasis in the current review, and discuss these matters with the other members of the review team."

What is the impact of these matters? Some reviewers may feel that a deficiency noted in a prior review that is not corrected and is identified again during a subsequent review should result in more serious consequences for the reviewed firm. For example, should a deficiency that resulted in a finding in a letter of comment in a firm's first review result in a report modification if it is found again in a subsequent review? Except for the documentation and other issues discussed earlier, I believe the answers to this question are "not necessarily," and in many cases "no." The standards for evaluating and reporting on review findings have not changed. If the findings lead the reviewer to conclude the reviewed firm "has less than reasonable assurance of conforming with professional standards," a modified review report is called for. If the reviewer concludes a matter results in "more than a remote chance of not conforming with professional standards," the issue should be limited to inclusion in a letter of comments. Therefore, given the same set of circumstances, an item which resulted solely in a letter of comment finding in a prior review, should not result in a report modification in a subsequent review. However, the required corrective action, may change.

For example, in first-time reviews, a common letter of comment finding related to financial statement disclosure deficiencies that were "not of such significance as to make the financial statements misleading." The recommendation for improvement typically was for the firm "to amend its quality control policies and procedures for ensuring that client's financial statements include all relevant disclosures, such as by obtaining or developing comprehensive reporting and disclosure checklists." If the reviewer finds the same degree of disclosure deficiencies during the second review, despite the use of disclosure checklists, he or she will include this finding as a compliance failure in the letter of comments. However, the reviewer will probably recommend further corrective action such as a second partner review of the financial statements prior to issuance, if not already a firm policy. If the disclosure deficiencies are so significant or pervasive that they result in a modified report, the administering entity or report acceptance body will most likely require further corrective follow-up actions. In this example, participation in a continuing professional education course on financial statement disclosures with submission of proof of attendance might be required. Alternatively, or in addition, the firm might be required to submit corrected financial statements to the reviewer or allow the reviewer to revisit the firm within eighteen months to determine if the firm has taken the necessary corrective action. Furthermore, if the reviewer's findings are so severe they result in an adverse report for a firm undergoing a second review, an accelerated follow-up review may be required.

AICPA Changes. Since the Standards for Performing and Reporting on Quality Reviews were issued in 1989, the AICPA Quality Review Executive Committee has issued a number of interpretations to those standards. Perhaps the most significant of those is Interpretation No. 1--Reviews of Sole Practitioners Who Audit Historical or Prospective Financial Statements. The interpretation allows an "on-site quality review" to be conducted off-site by permitting the reviewed firm to bring the required files to the reviewer's office or to some other agreed upon location. When the standards were established, it was originally thought the procedures necessary to achieve the objectives of a review of a firm that performs audits could most practicably and cost effectively be performed during a visit to the reviewed firm.

However, many sole practitioners felt their reviews could be carried out at less cost if they were permitted to send the required files, reports, and other evidential matter to the reviewer. Such a review is now permitted, provided the reviewed firm is a sole practitioner with four or less staffers and the sole practitioner holds one or more meetings, by telephone or in person, with the reviewer to discuss various issues raised during the review.

In addition to the materials ordinarily sent to the reviewer prior to an on-site review, such as a completed quality control policies and procedures questionnaire and a list of accounting and auditing engagements, the practitioner must send the relevant working papers and reports on the engagements selected for review; all documentation related to independence issues (e.g. staff independence representations); documentation of outside consultation, if any, on accounting and auditing matters; a list of technical publications used as research materials; a list of accounting and auditing materials used as practice aids; and CPE records of the firm's CPAs.

This approach is optional. Therefore, the sole practitioner should discuss with the reviewer which method, on-site or off-site, is more efficient.

Another significant change in the Quality Review Program relates to reporting on a firm's failure to carry out an inspection. The AICPA Quality Review Executive Committee's initial policy for a finding in this area has now been changed. The current policy for reporting a finding that a firm did not perform an inspection before its initial review or between reviews, regardless of the size of the firm, is as follows:

* If other findings are relatively insignificant, discussion of the failure to perform an inspection should be limited to the exit conference.

* If other findings that did not result in a modified report should have been detected if the firm had performed an inspection, the matter should be reported in the letter of comments.

* If other findings result in a modified report and an inspection would have detected those deficiencies, the team captain should include inspection as one of the findings modifying the report.

Getting Ready For Your Second Review

There are a few basic things you can do in preparing for your firm's second review. First, read the report and letter of comments issued on your prior review and your letter of response. Make sure you have taken any corrective action you indicated you would take. You should also evaluate other comments the reviewer may have made during the review that were not significant enough at the time to include in a letter of comments. Are they more significant now?

Review and update your quality control document or update the quality control policies and procedures questionnaire that was prepared for the first review. Is it still adequate or are changes required?

Perform a comprehensive inspection. In addition to being a required element of quality control, if done properly it will give the firm an honest picture of its quality control system. The inspection should include compliance tests of the various elements of quality control as well as reviews of the files and reports of individual engagements. When making selections of engagements to review, I recommend that the firm pick its most troublesome and complex engagements. If those engagements are in order, chances are the firm's other engagements will be satisfactory. The AICPA Quality Review Program Manual contains a section entitled "Inspection Guidance." This manual also contains the engagement checklists and forms the reviewers complete during a quality review. If you use these forms to complete your inspection, there should be no surprises during your quality review. The AICPA offers a course entitled "How a Firm Can Perform an Effective and Efficient Internal Inspection," as well as other courses on preparing for a review.

Finally, consider whether any of the findings noted above apply to your practice. If they do, the time to take action is now.

ELEMENTS OF A SYSTEM OF QUALITY CONTROL

1. Independence--All personnel maintain independence to the extent required by the rules of conduct of the AICPA.

2. Assigning personnel to engagements--Personnel have the technical training and proficiency required in the circumstances.

3. Consultation--Personnel will seek assistance, when necessary, from competent and knowledgeable authorities.

4. Supervision--Work is performed in conformity with professional standards and the firm's standards of quality.

5. Hiring--Employees are competent, motivated and possess integrity.

6. Professional development--Staff are properly trained to fulfill their responsibilities.

7. Advancement--Personnel, at all levels of responsibility, have the qualifications necessary to handle the responsibilities involved.

8. Acceptance and continuance--The likelihood of association with a client whose management lacks integrity is minimized.

9. Inspection--The procedures relating to the other elements of the quality control system are being effectively applied.

Wayne Nast, CPA, is an officer/shareholder of the firm of Israeloff, Trattner & Co., P.C., Valley Stream, New York. He is a member of the Quality Review Oversight Committee of the NYSSCPA. The views expressed in the article are those of Mr. Nast and do not necessarily represent the views of the Oversight Committee.