Peer review: No need to panic
April 18, 2019
By G. Alan Long, CPA, CITP, CGMA
The thought of having a firm’s peer review tends to strike panic in the hearts of CPAs. This should not be the case. Peer Review is a remedial process. A lot of folks have said that peer review has become punitive. I disagree with that statement – remediation, though sometimes unpleasant, is not punitive. I remember as a child, when my dad was providing teaching moments (and requiring me to repeat a chore I had not performed appropriately), his remediation seemed to be punitive. As an adult, I realize he was helping me understand what I had not done correctly. As a proud profession, we want to maintain self-regulation; to do so, we must have a strong practice monitoring program that shows us where we have misunderstood the application of professional standards and requires us to rectify accordingly.
The Department of Labor (DOL) study, performed over three years ago, revealed non-conforming engagements to be 39 percent of the population the DOL reviewed. Concerned with the non-conforming rate of this study and an earlier quality study performed on Single Audits (which showed an even higher rate of non-conformity), the AICPA Peer Review Board (PRB) launched its enhanced oversight program on must-select engagements (primarily employee benefit plan and governmental audits) to validate the non-conformity rates revealed by the regulator studies. The practitioners who performed these enhanced oversights were recognized subject matter experts. The results of the oversights performed validated the Federal studies, indicating a non-conforming rate of 43 percent. This led to the AICPA’s Enhancing Audit Quality (EAQ) initiative.
Peer Review is an integral part of this initiative. As a result, peer reviewers are facing greater scrutiny on the work they perform and are being oversighted at a higher rate through the continuing enhanced oversight program. Required reviewer training has also been enhanced significantly. This is good for the profession, as it is raising the performance level of all reviewers as well as providing consistent application of the peer review process, thereby increasing the likelihood that firms fully understand and implement professional standards. This is what is expected of a self-regulated profession; with the ultimate goal of all firms to be conducting engagement in accordance with professional standards, thereby serving the public interest.
One area the enhanced oversight process has revealed where peer reviewers have not performed as effectively as desired is in identifying noncompliance with the documentation standards. It was observed that reviewers were giving credit when a required audit procedure had not been documented (and possibly not performed). As an example, firms were frequently found to fail to document eligibility testing in employee benefit plan audits. When questioned, firm personnel would point to a sign-off on the audit program and (sometimes) orally provide greater detail of the procedures they had performed. Professional standards, of course, require documentation such that an experienced auditor, with no connection to the audit, is able to understand; the nature, timing and extent of the procedures performed, the results and evidence obtained, and the significant findings, issues and professional judgments. Some would say what is important is that the “work was done” – that documentation is secondary. Though there is logic to this argument, as professionals we are required to comply with professional standards, which includes adequate documentation. Not to mention, if you should find yourself being sued, it will not be pleasant (or possible) to explain to a jury why you failed to comply with standards. Clearly, when peer reviewers were not holding firms accountable in this area, they were not serving the firms’ interests.
The enhanced oversight initiative has also revealed an area where there is broad misunderstand of professional standards – risk assessment. Despite being around for over ten years, these standards are broadly misunderstood. For example, firms are frequently failing to link planned procedures with the risk assessed. In addition, firms are regularly defaulting to a substantive audit approach without performing a proper risk assessment, such as by documenting an assessed risk of material misstatement as low but performing all audit procedures as if risk had been assessed as high. Even more troublesome, firms have assessed control risk as other than high but have failed to test controls sufficient to validate a lower risk assessment. Unfortunately, these misunderstandings extend very broadly, including reviewers and providers of practice aids. The PRB has launched a special initiative to address this misunderstanding of the standards, including focused training for peer reviewers. So, expect your next peer review to pay particular attention to this area. You would be well served by going to the EAQ area of the AICPA website (https://www.aicpa.org/eaq.html) for resources to assist you to improve your practice in this area.
Due to these types of findings now being brought to the attention of reviewers, and reviewers being held accountable if they fail to properly bring them to the attention of firms, many believe the program has become punitive. Remediation of engagements that were not performed in accordance with standards does feel punitive, but it is actually educational in that it is teaching firms how to perform and document the engagements in accordance with standards.
As a profession, we want to maintain peer review as an integral part of the profession’s self-regulation. In order to achieve this goal, the peer review program must remain robust and viable in its mission. A peer reviewer’s job is not to “see how much they can find that is wrong.” Rather, a peer reviewer should identify areas where the firm as failed to apply (or misapplied) professional standards, documenting such in their workpapers, and recommending appropriate remediation. So when a peer reviewer presents a “matter for further consideration” or “finding for further consideration” form to you, they are just doing their job to better educate you and members of your firm.
The AICPA publishes its Annual Report on Oversight each year, which contains the most prevalent areas of non-compliance encountered by peer reviewers. This data comes from peer reviews performed in the previous year. It would serve you well to review this document on an annual basis to identify potential areas of improvement in your firm.
In addition to assisting firms in remediating non-compliance issues, a peer review can be a great learning experience in other ways. You should select a peer reviewer who provides value added service along with the peer review. Such a reviewer doesn’t just get the firm through the compliance part of the review; he or she will also bring best practice suggestions to the firm in many areas. These suggestions could be related to accounting and auditing but may also be in such areas as software solutions and how firms are tackling hiring challenges. Always look for this quality in your peer reviewer as they can be a valuable resource to your firm in many areas.
About the author: G. Alan Long, CPA, CITP, CGMA is the managing member of Baldwin CPAs. Long can be reached at firstname.lastname@example.org.