* Missing/Outdated Quality Control Documentation: Have a quality control document in place. The document should be communicated throughout the linn and (given the changing standards environment revised within the last three years. The AICPA has a helpful tool kit at www.calrpa.org/AICPAprhit.
* Incomplete Independence Documentation: Signed independence forms should exist for all staff and perdiem staff. Forms should include a Firm's Qitality Control Document section that they have read and understand.
* Incomplete Client Listings: California had to re-perform more than 70 peer reviews because firms neglected to list all client engagements. Ensure client listings are complete. The AICPA is testing the firm's client list with ERISA and other agencies to ensure completeness. Insufficient Evidence of Firm Monitoring Procedures: Maintain appropriate documentation regarding
the firm's annual monitoring process. A best practice is to utilize the AiCPA peer review checklists for audits, reviews and compilations. Members of the engagement team being reviewed are not the ones who should be completing those checklists and stall' should present engagement findings to everyone else. Practice improvement areas should be identified and the overall process should be documented.
Regarding audit engagements, some recommendations and areas of heightened scrutiny during peer review include:
* Review ihe financial statement for errors, especially ihe areas of report, disclosures and headers and footers.
* Ensure engagement letters are signed and contain current language requirements.
* Verily representation letters are signed, coverall periods presented in the financial statements and contain current language requirements.
* Confirm requisite legal letters have been obtained or verify sufficient documentation exists as in why legal letters were unnecessary.
* Ensure necessary audit confirmations are obtained or confirm sufficient documentation exists supporting why confirmations were unnecessary.
* Verify that an internal control letter exists or document why it was unnecessary.
* Review documentation of required communications with those charged with client governance (e.g. a Governance Letter) for completeness and accuracy.
* Ensure that sufficient risk assessment documentation exists.
* Check that appropriate walkthroughs have been performed and documented.
* Confirm thai fraud discussions involved at least three persons. Conversely, document why less than three people participated, and how other staff learned of and contributed to the fraud risk assessment process.
* Verify necessary audit expectations have been documented.
* Check that preliminary analytical procedures include a comparison to industry and discussions with management.
* Ensure final analytical procedures have been performed and documented.
* Consider utilizing comprehensive audit programs developed by a third-parly provider that have been previously peer reviewed. Peer reviewers must review all internally developed audit programs/systems.
Most peer reviewers will be looking lor the following, which can be documented in a review memorandum:
* Financial statement errors especially in the review report, financial statement notes, headers and foolers);
* A signed engagement letter with current required language;
* A signed representation letter containing currently required language and covering periods presented in financial statements;
* Documentation of fraud discussion with management;
* Documented review expectations;
* Analytical procedures including a comparison to industry and documentation of discussions with management; and
* The application or absence of third party provider review and disclosure programs.
An ounce of prevention can make lor a happy reviewer and a happy firm.
Guidance on Making Your Peer Reviewer--and Yourself--Happy
Mark F. Wille, CPA is former chair of the CalC PA Accounting Principles and Auditing Standards Committee, chair of the Audit Oversight Committee for the County of Orange and an auditing and accounting instructor. You can reach him at email@example.com.