Completing Peer Review Engagement Profiles
July 2nd, 2024 | Peer Review
Completing engagement profiles for the engagements selected in your firm’s peer review is a critically important step that gives the reviewer an outline of key engagement details, such as non-attest services provided, risk assessment information, and the experience of the audit team. Peer reviewers use this information to plan the review of the engagement, which in part can help identify key audit areas or potential risks of material misstatement.
You should carefully review the information in your profile before submitting it to the peer reviewer, as an accurately and comprehensively completed profile can reduce follow-up questions from the peer reviewer and allow them to focus on the important areas of the review. Here are a few tips for completing and reviewing engagement profiles:
- Engagement profiles should be completed by someone with sufficient knowledge of the engagement (such as the engagement manager or partner).
- Profiles can be completed shortly after the firm receives the engagement selections from the peer reviewer. Giving your firm ample time to complete the profiles will help reduce errors and inconsistent or insufficient information.
- For engagements subject to Government Auditing Standards, ensure the following (as applicable):
- Provide detailed explanations on what the audit firm does to mitigate any identified significant threats,
- Include clear documentation on the assessment of skills, knowledge and experience of individuals designated to oversee nonaudit services,
- Double check that the major program determination worksheet is complete,
- Respond to all questions related to the low-risk assessment of Type A programs or high-risk assessment of Type B programs,
- Check that the total amount shown for federal assistance expended agrees to the total on the major program determination worksheet,
- Check that program clustering was done correctly; engage assistance if needed, and
- Do not use practice aids as a final response to profile questions.
- While the practice aids do provide helpful documentation, they do not include all the details reviewers need to assess the GAS engagement.
- In general, your responses should give detailed answers to the questions and their components rather than workpaper references.
SOC 2® Examination engagements
The December 2022 Peer Reviewer alert discussed unique risks to consider when selecting SOC engagements for review. Those same risks also affect the review of the engagements themselves.
The following discusses how the new SOC 2 peer review checklist (the checklist) can be used to consider the risks identified in the December 2022 Peer Reviewer alert at the engagement level.
Risk: Service auditors may over rely on the information provided by the SOC 2 tools without adequately testing whether the tool operates as intended and whether the information is complete and accurate for their purposes.
Response: This risk is specifically addressed in the checklist by step AT227: Did the service auditor evaluate procedures performed by the service organization to determine whether information produced or generated by third-party applications and/or tools (including software automation tools) is accurate and complete? [SG 3.140–.143].
This may be relevant, for example, if management relies upon the SOC 2 tool for designing and maintaining monitoring controls. The peer reviewer may consider whether the service auditor evaluated management’s validation of the monitoring tool configurations.
Risk: Service auditors whose clients (service organizations) use SOC 2 tools appear to believe that the use of such tools somehow eliminates or reduces their performance and reporting responsibilities under professional standards.
Response: The checklist enables the peer reviewer to verify that the service auditor has performed the examination in accordance with professional standards. For example:
- AT128 includes consideration of the appropriateness of the service commitments and system requirements identified by management;
- AT202 presents procedures that are typically performed to obtain evidence about the system description (the service auditor is expected to perform a combination of the listed procedures) and AT312-328 present factors that should be considered when evaluating whether the description is in accordance with the description criteria;
- AT136 addresses the service auditor’s risk assessment (this is separate from management’s risk assessment which is considered in AT209) and AT210 presents procedures that are typically performed to obtain evidence about the design of controls;
- AT229 requires more than inquiry alone to provide sufficient appropriate evidence of the operating effectiveness of controls, AT223 discusses the timing of tests of controls, and AT228 discusses the method for selecting items to be sampled.
The peer reviewer should consider whether the CPA has been engaged solely for the purpose of signing the report without adequate involvement in the engagement. This may become apparent when documenting CPA and non-CPA hours in the engagement profile and relevant attestation experience of the team. Additionally, this should be considered when completing:
- AT115 addressing the engagement partner’s responsibility for ensuring the engagement team has the appropriate capabilities and competence; and
- AT267 addressing appropriate involvement by the engagement partner as the job progressed.
Risk: SOC 2 tools are often marketed to start-up organizations whose management does not have expertise in IT security. Among other concerns, management may lack the requisite knowledge and skills to make decisions about the organization’s risks and the control activities necessary to mitigate those risks; those decisions are often made by consultants who work for the tool providers.
Response: Multiple steps in the checklist prompt the peer reviewer to evaluate whether the service auditor has considered whether management has the requisite skills and knowledge to make decisions about the organization’s risk and control activities necessary to mitigate those risks. This includes:
- AT119-120 discuss management’s having a reasonable basis for its assertion; and
- AT209 and AT211 discuss management’s risk assessment and the controls in place to address those risks.
This may be relevant, for example, if the automation vendor defined the control activities. The peer reviewer may expect the service auditor to document their consideration of whether management has a reasonable basis for its assertion related to control design.
In some situations, the peer reviewer may conclude that the vendor is operating as a management’s specialist and would expect the service auditor to have documented the procedures performed to evaluate the specialist (AT122). This may be relevant, for example, if the automation vendor drafted the system description.
Risk: Some SOC 2 tool providers have a “related” CPA firm that provides the audit based on the SOC 2 information generated by the SOC 2 tool. Depending on how the tool is used by the service organization (e.g., whether the tool becomes part of the service organization’s internal controls), there may be a self-review threat that cannot be mitigated to an acceptable level.(1)
Response: In the discussion of nonattest services in AT109, the checklist specifically notes the importance of determining whether the service auditor assisted the service organization with the design, implementation, or integration of any governance, risk, and compliance (GRC) or automation tool(s). If so, the service auditor should assess whether self-review and management participation threats to the service auditor’s independence exist.
If any of the following conditions are met regarding the SOC 2 tool provider and the “related” CPA firm, the tool provider’s work with respect to the SOC tool would be evaluated as if it were done by the CPA firm:(2)
1) The CPA firm or any of its members, individually or acting together, have a controlling interest in the SOC 2 tool provider;(3)
2) The CPA firm and the SOC 2 tool provider are considered network firms;(4) or
3) The SOC 2 tool provider’s operating, financial, or accounting policies can be controlled by any covered member or by more than one covered member acting together.(5)
In that case the SOC 2 tool provider would need to comply with ethical requirements such as independence, commissions, and referral fees. These considerations would be documented as part of AT109.
In addition, independence may be required when the CPA firm and the SOC 2 tool provider are in an alternative practice structure.(6)
Even when individuals in a firm, either individually or collectively, do not have a controlling interest in the SOC 2 tool provider, independence would be impaired if the member provided prohibited nonattest services to the attest client through the SOC 2 tool provider.(7)
If a relationship exists between the CPA firm and the SOC 2 tool provider that is not enumerated above, a member should apply the conceptual framework approach, keeping in mind that independence should be both in fact and in appearance.(8)
Risk: Some SOC 2 tool providers enter into business relationships with CPA firms that will provide the SOC 2 audit. This raises concerns about whether such firms are meeting ethical requirements around marketing and advertising.
Response: The checklist contains a section on ethical requirements. The peer reviewer should be familiar with the specific requirements within the code of conduct related to marketing and advertising. This can be documented as part of AT108.
Risk: Some audit organizations identified on SOC 2 tool providers’ websites do not appear to be licensed CPA firms. Most state boards of accountancy require attestation engagements, including SOC 2 examinations, to be performed by licensed CPA firms.
Response: Although non-CPA firms are not subject to peer review, there have been situations where SOC 2 tool providers enter into business relationships in which an engagement is performed by a non-CPA firm and a CPA is engaged solely for the purpose of signing the report, without other participation in the engagement. The peer reviewer should be aware of this possibility when reviewing individual SOC engagements, particularly when completing the engagement profile and documenting AT115 (engagement partner responsibilities) and AT267 (involvement of the engagement partner as the job progresses).
[1] The AICPA Code of Professional Conduct interpretation Information Systems Design, Implementation or Integration (ET Section 1.295.145) provides additional information regarding information system services that cannot be provided without impairing independence.
[2] Information Systems Services (ET 1.295.145)
[3] Ownership of a Separate Business (ET 1.810.010)
[4] Network and Network Firms (ET 1.220.010)
[5] Covered Member (ET 0.400.14)
[6] Alternative Practice Structures (ET 1.220.020)
[7] Ownership of a Separate Business (ET 1.810.010.03)
[8] Conceptual Framework for Independence (ET 1.210.010)
If you have any questions about completing peer review engagement profiles or the specific profiles that can be completed, please reach out to our Peer Review team by contacting maner@manercpa.com or by calling us at 517-323-7500.