The purpose of the Practice Review Program is to protect the public through assessing firms’ and practitioners’ compliance with professional standards, and by taking appropriate follow-up or remedial action in cases of non-compliance. The Practice Review Program further protects the public by providing an educational experience to firms.
The focus on the program in the past year has continued to be on integrating all remaining legacy firms into the CPABC Practice Review Program. To assist with the transition to the new Canadian Standard on Review Engagements, CSRE 2400, the public practice department, in the November 2017 edition of Public Practice News & Views, provided guidance on the key areas for which additional documentation will be expected. In addition, practice review officers have been reminding firms of the impending changes during their practice reviews.
Practice Review Results
For the 2017-2018 inspection year, 995 public practice offices were reviewed with an overall pass rate of 90%. Of the total 995 reviews completed, 485 of the offices perform assurance work and the remaining 510 offices do not perform any assurance engagements.
For the 485 offices which perform assurance engagements:
- 79% were assessed by the committee as either meeting requirements or meeting requirements with an acceptable action plan from the office;
- 21% were assessed by the committee as not meeting requirements and thereby requiring a re-inspection of the office, of which 14% were also required to have a supervised practice.
Of the 510 offices which do not perform any assurance engagements:
- 99% were assessed by the committee as either meeting requirements or meeting requirements with an acceptable action plan from the office; and
- 1% were assessed by the committee as not meeting requirements and thereby requiring a re-inspection of the office.
Included in the inspections of the 995 offices were re-inspections of 84 offices. For those re-inspections:
- 76% were assessed by the committee as either meeting requirements or meeting requirements with an acceptable action plan from the office; and
- 24% were assessed by the committee as not meeting requirements and thereby requiring a re-inspection of the office, of which 71% were also required to have a supervised practice; and 4% resulted in a referral of the firm to the investigation committee.
Factors Considered by Practice Inspection Committee
In determining the action to be taken following an inspection, particularly if the firm was assessed as not meeting requirements for a second consecutive time, the Public Practice Committee’s considerations include, but are not limited to:
- the degree to which the requirements of the practice inspection program have been met;
- the nature and severity of any identified deficiencies;
- the adequacy of the firm’s action plan and/or analysis for restatement and commitment towards rectification of issues identified;
- the cooperation of the member/firm and commitment towards improving overall firm quality;
- public interest; and
- on a re-inspection, the results of the previous inspection of the member/firm and the degree to which the member/firm addressed deficiencies identified in the initial inspection.
For the firms assessed as not meeting the standards of the Practice Review Program, there were two notable findings:
- Many firms performed engagements outside the core area of their practice or in an area where they did not have substantial previous experience. Examples include a firm that primarily does tax work performing its first review engagement, or a firm that focuses on not-for-profit clients performing an audit of a private enterprise.
- A significant number of firms were assessed as not meeting the requirements of the practice review program due to insufficient or inconsistent documentation. Typically, firms would fill in checklists using “Y” or “N”, with no other explanations of work performed or the results obtained.
Areas of Focus for Practitioners
In our inspections, we have found that poor documentation is a major contributor to deficiencies arising on audit engagements.
If sufficient appropriate evidence necessary to support the audit opinion is not well documented, the audit is not conducted in accordance with auditing standards and the auditor does not have a basis to support the opinion. In order to obtain sufficient appropriate evidence to support an audit opinion, a practitioner must comply with CAS 230 Audit Documentation. Audit documentation that meets the requirements of CAS 230 provides:
- evidence of the basis for a conclusion about the achievement of the auditor’s overall objectives; and
- evidence that the audit was planned and performed in accordance with CAS and applicable legal and regulatory requirements.
The standard requires that audit documentation be sufficient to enable an experienced auditor to understand:
- the nature, timing and extent of the procedures performed;
- the results of the procedures performed and the audit evidence obtained; and
- significant matters arising during the audit, the conclusions reached thereon, and significant professional judgements made in reaching those conclusions.
One area where documentation is very important is audit planning. If an audit team has been completing an audit plan on the basis of “same as last year”, the team might be missing changes that have occurred in a client’s operations, which could then result in insufficient audit procedures being performed to address risks arising from these changes. Throughout an audit engagement, one key issue that frequently arises is that practitioners often mistakenly consider that the sign-off on an audit program without an explanation or supporting documentation as evidence of the work having been done.
For example, an audit client has one long-term receivable and the balance is material to the financial statements. The auditor tested the receivable for existence, rights and valuation and the results were:
- no significant findings or issues were noted; and
- no significant judgements were made.
The audit program is signed as follows:
Test receivable for existence, rights and valuation
Completed no exceptions
FR Jun 3, 17
There is a conclusion that states: “The audit evidence obtained is sufficient and appropriate to reduce the risk of material misstatement to an acceptably low level.” A file reviewer has also signed off and dated the working paper.
If the adequacy of this level of documentation were compared to the requirements of CAS 230, we would conclude as follows:
CAS 230 Requirements
The nature and extent of the procedures
This requirement has not been met. While we know which assertions the auditor tested, we have no idea what the auditor did to test them.
The timing of the procedures
This requirement has been met by the signoff and date of signoff by the preparer and reviewer.
The results of the procedures
This requirement has been met by the comment - “no exceptions”.
The audit evidence obtained
This requirement has not been met as we have no information about the evidence obtained.
Significant matters arising or judgements made
The conclusion provides the result of the judgement made (i.e., that the audit evidence is sufficient).
While audit programs are useful to facilitate the completion of audit procedures, signing off a step in an audit program with “completed no exceptions” will rarely constitute sufficient documentation about the nature, timing and extent of procedures performed, the evidence obtained or the results of the procedures.
Similarly, signing off an audit step with a “yes” or “completed”, in the absence of further explanation or working papers, will rarely constitute sufficient documentation of the nature, timing and extent of procedures performed, the evidence obtained or the results of the procedures.
If a note were added to the program specifying the work done, such as “Agreed balance to the long-term receivable agreement; checked the client’s interest calculation; traced receipts during the year to the bank statements; recalculated receivable amount and confirmed amount with debtor”, the requirements of CAS 230 would have been met.
When there is more than one item to be tested, it is better to record in a separate schedule the characteristics of the items tested. Documentation should show, at a minimum, the purpose of the test, the items tested, the characteristics being tested, the result of each test and the conclusion drawn upon completion.
- For a detailed test of entity-generated purchase orders, the auditor may identify the documents selected for testing by their dates and unique purchase order numbers.
- For a procedure requiring selection or review of all items over a specific amount from a given population, the auditor may record the scope of the procedure and identify the population (for example, all repairs and maintenance expense entries over a specified amount from the ledger).
- For a procedure requiring inquiries of specific entity personnel, the auditor would record the response received together with the dates of the inquiries and the names and job designations of the entity personnel.
- For a procedure requiring systematic sampling from a population of documents, the auditor may identify the documents selected by recording their source, the starting point and the sampling interval (for example, a systematic sample of shipping reports selected from the shipping log for the period from April 1 to September 30, starting with report number 12345 and selecting every 125th report).
- For an observation procedure, the auditor may record the process or matter being observed, the relevant individuals, their respective responsibilities, and where and when the observation was carried out.
- For the procedures for journal entry testing, the auditor would document which journal entries have the highest risk of material misstatement. These could be due to the timing of the entry, the person that prepared the entry, the dollar value of the entry or some other criteria identified by the auditor from their risk analysis.
- For control testing, the testing should indicate the assertions being tested, the control tested and the design of the test that would ensure that sufficient appropriate evidence as to the operating effectiveness of the relevant controls are obtained.
High-quality working papers will always have sufficient information to allow the audit tests to be easily re-performed by someone not familiar with the audit client.
An important factor in determining the nature and extent of audit documentation is the degree of professional judgement exercised in performing the work and evaluating the results. Documentation of judgements made, where significant, serves to reinforce their quality and explain the auditor’s conclusions.
Evidence obtained through discussions with management
The auditor’s discussions with management, including explanations arising from those discussions, should be documented. It does not help a file reviewer when the response to a question is “I discussed this with management.”
Professional skepticism should be applied and corroborating evidence obtained to support any explanations received from management. For example, when an explanation derives from inquiries of management, corroborating evidence should always be obtained to support the explanation received.
Additional areas where audit deficiencies were identified:
- Lack of documentation of fraud risk factors as part of the assessment of the risks of material misstatement within audit planning. This was particularly identified as an issue in audits of smaller entities and not-for-profit organizations.
- Insufficient documentation and/or execution of substantive audit procedures on material classes of transactions and account balances in the following key areas:
- accounts payable completeness and cut-off;
- payroll completeness, accuracy and cut-off;
- revenue, particularly for long-term contracts and transactions with multiple elements;
- expense completeness and cut-off;
- accounts receivable valuation;
- collectability of loans receivable, particularly from related companies;
- classification of preferred shares as debt or equity;
- inventory count procedures and valuation;
- related party transactions;
- contingencies, particularly with respect to review of legal expenses and consideration of confirmations;
- journal entry testing;
- subsequent events review; and
- going concern analysis.
- Communication with those charged with governance did not include one or more of the following items (or, in some cases, there was no communication with those charged with governance):
- the auditor’s responsibilities in relation to the financial statement audit;
- an overview of the planned scope and timing of the audit;
- the written representations that the auditor is requesting from management;
- significant matters arising from the audit that were discussed, or subject to correspondence with management; and
- other matters arising from the audit that are significant to the oversight of the financial reporting process.
II. Review Engagements
As with audit engagements, one of the key drivers behind the reportable deficiencies raised during inspections is insufficient documentation of review engagements. Many responses received from firms include comments that matters were discussed with the client but had not been documented.
CSRE 2400, Engagements to Review Historical Financial Statements, is effective for periods ended on or after December 14, 2017 and early adoption was not permitted. This standard sets out areas where an enhanced level of documentation is required for review engagements, particularly around the practitioner’s understanding of the entity and its accounting systems and the identification of areas in the financial statements where material misstatements are likely to arise.
Documentation requirements for a review engagement under CSRE 2400 are specifically addressed in paragraphs 104-107 of the standard. In particular, documentation should be sufficient for an experienced practitioner, having no previous connection with the engagement, to understand:
- the nature, timing, and extent of the procedures performed (including who performed the work and the date it was completed, and who reviewed the work and the date and extent of the review);
- the results obtained from the procedures performed and the practitioner’s conclusions arising from those procedures; and
- significant matters arising during the engagement, the practitioner’s conclusions and significant professional judgements made to reach those conclusions.
The primary areas where documentation and/or performance of review engagements procedures were insufficient are as follows:
- inter-relationship/comparison of revenues, expenses, gross margin, operating ratios and balance sheet items;
- cut-off of accounts payable and enquiries for any unrecorded liabilities;
- completeness of payroll and related accruals;
- inventory valuation, client’s count procedures and cut-off, especially when there is a risk that some items are slow moving;
- valuation and classification of accounts receivable, particularly when there are related party balances;
- sales cut-off, particularly when an entity is a contractor or would use the percentage of completion method to recognize revenue;
- evidence of work performed to determine if the entity’s classification of preferred shares as either debt or equity was appropriate; and
- discussions with management and performance of additional procedures regarding any potential contingencies, commitments and subsequent events.
Additional common review deficiencies are as follows:
- the written representation from management was not effective as of the date of the review engagement report; and
- no assessment was documented regarding independence and the acceptance/continuance of an engagement.
III. Financial Statements
When insufficient work is performed in audit or review engagements, there can also be issues in the related financial statement disclosures. As an example, one of the most common financial statement deficiencies is when an entity’s significant accounting policy includes a template revenue recognition note. The note is frequently not customized to the entity’s actual operations due to the firm having insufficient knowledge of these operations, as it did not obtain an understanding of the entity’s operations during the planning stage of its engagement.
Another very common deficiency is missing disclosure in related party transactions, particularly with respect to describing the relationship between the parties and the nature of the transactions. This missing disclosure is often a result of insufficient assurance procedures performed relating to these transactions.
Additional common financial statement deficiencies are as follows:
- debt obligations due on demand, frequently including related party debt, inappropriately classified as long-term debt;
- inappropriate classification of preferred shares that were not issued under a qualified tax planning arrangement. For preferred shares issued under a qualified tax planning arrangement, disclosure was often incomplete;
- long-term debt often had missing elements of disclosure, particularly in relation to maturity dates, interest rates and repayment terms. Furthermore, entities did not disclose the carrying value of assets pledged as security for liabilities;
- the note disclosure for income taxes was often missing or incomplete; and
- missing disclosure of significant risks arising from financial instruments – disclosure of the nature and extent of financial instruments, and credit risk, interest rate risk, currency risk and fair value, if considered a significant risk for the entity.
IV. Quality Control Policies and Procedures
Many firms that perform assurance engagements use one of the standardized Quality Assurance Manual (QAM) templates as the basis for documenting their quality control policies and procedures. While such templates are a useful starting point, they should be tailored to meet the firm’s requirements and actual practices, while remaining compliant with the requirements of CSQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements.
An important area that is frequently not tailored is the firm’s criteria for when an Engagement Quality Control Reviewer (EQCR) should be used. A firm should always ensure that it understands its areas of experience and the risk of its engagements in order to appropriately manage that risk.
Many firms are still not performing cyclical monitoring appropriately, or at all. Cyclical monitoring involves having an individual with appropriate expertise, who was not part of the engagement team, inspect at least one assurance file for each engagement partner. This is a way to get a fresh set of eyes on a file to identify any potential issues, and it is strongly advised to have this cyclical monitoring performed at least one year before a firm’s practice review. Please note that a practice review by CPABC does not satisfy the cyclical monitoring requirement.
V. Compilation and Tax Engagements
Most firms often include working papers in their files to provide support that the information in the Notice to Reader financial statements is not false or misleading. Issues have been encountered when working papers included in files contained conflicting figures or additional information that had not been addressed or resolved. When firms have no supporting documentation whatsoever for a Notice to Reader set of financial statements, the file would not meet the requirements of the practice review program.
Tax engagements encountered issues due to a lack of knowledge of compliance procedures, such as adherence to client’s filing deadlines, lack of retention of key documents, and not obtaining signed T183s from a client when the returns were e-filed.
Additional common deficiencies are as follows:
- lack of documentation for an accountant’s consideration and assessment of independence, especially if bookkeeping services were provided;
- the financial statements contained notes that explicitly referred to GAAP;
- the statement of business activities and/or the statement of rental income in the T1 and/or the schedule 100 and 125 in the T2 did not include tax disclaimers indicating that the information was prepared solely for income tax purposes without audit or review from information provided by the taxpayer; and
- no documentation within the file regarding foreign assets or income.
VI. Action Plans
Firms are often asked to submit an action plan to the Public Practice Committee in response to the reportable deficiencies raised during the inspection. The intent is to allow firms to proactively communicate to the committee the actions they plan to take in order to address the reportable deficiencies. The committee’s expectation is that the actions set out in a firm’s plan will be incorporated into the firm’s quality control procedures.
Firms may choose to use the action plan template provided by CPABC in the Practice Review section of the CPABC website. It covers how the firm plans to address each deficiency, identification of root causes of deficiencies and what actions are proposed to address the causes identified. Some actions which might be taken include ensuring appropriate professional development is taken by partners and staff, updating checklists used within the firm for any changes in accounting or assurance standards, and increasing the supervision of teams performing assurance work. In addition, the firm is also required to describe how it will address each of the individual deficiencies identified.
When the committee evaluates whether an action plan is considered satisfactory, it assesses whether the firm appears to be taking the deficiencies seriously and the plan appropriately addresses the issues raised. If the committee deems an action plan to be unsatisfactory, it is often because the deficiencies raised in the inspection report have not been adequately addressed or even acknowledged. If action plans are assessed as unsatisfactory, the committee may recommend that a firm have a follow-up inspection when one was not initially required. If a firm that was already recommended to have a follow-up inspection submits an unsatisfactory action plan, the committee may recommend additional consequences, such as requiring a supervised practice or restricting the firm from accepting new engagements.
Before submitting an action plan, it is strongly advised that the CPA Canada Handbook requirements referred to in each deficiency are reviewed carefully to ensure that the response is appropriate.
If the firm believes that unwarranted deficiencies were raised by the inspector, copies of relevant supporting documentation should be included as part of the submission. If the deficiency relates to lack of documentation, supporting documentation must be supplied in order to evaluate whether the firm’s position is justified and removal of the deficiency warranted.
VII. Analysis for Restatement
When a practice review officer has identified a potential material error, there will be an additional recommendation that the firm perform an analysis to determine if there is a need to retract and reissue the financial statements. Firms are reminded that this analysis must be prepared in accordance with the relevant section(s) of the CPA Canada Handbook, with reference to appropriate supporting documents. A firm is responsible for ensuring that it consults or engages external specialists, if necessary, and particularly if it does not believe it is able to prepare an appropriate analysis on its own.
Similar to the action plan, the analysis for restatement is also provided to the committee, who evaluates it to determine whether the analysis is satisfactory. An unsatisfactory analysis for restatement would result in similar additional consequences as unsatisfactory action plans, and also a requirement from the committee that the firm engage an external supervisor and/or EQCR, at its own expense, to assist in preparation of the analysis and in any subsequent restatement and reissuance procedures.
In addition to the CPA Canada Handbooks on accounting and assurance standards, which can be found at Knotia and are free for all CPA Canada members, there are many other resources available at no charge to members.
One such resource is the CPABC Advisory Services team, where members can get informal help in interpreting the CPA Code of Professional Conduct, bylaws and regulations, the CPA Canada Handbooks, and guidance on various practice management issues. Advisory Services also provides useful articles and resource materials in Public Practice News & Views, which is published monthly in eNews and available on the CPABC website at the Public Practice News & Views Knowledge Base.
Two other good resources are the CPA Canada website and the Financial Reporting & Assurance Standards Canada website. These websites contain useful guidance on all the Canadian accounting frameworks and assurance standards, along with information on emerging issues and discussions on proposed new standards.
Should you have questions and/or require more information on any of the above, please contact Alexandra Lea, Director of Practice Review, at firstname.lastname@example.org.