Business Strategy | Leadership / Management | Legislative / Regulatory

Peer review: A pillar of protecting public interest – don’t let it collapse

Editor’s note: The following article is reprinted with permission from the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of Certified Public Accountants   By Allison M. Henry, CPA   Significant challenges are confronting the AICPA’s peer review program that raise questions regarding the profession’s ability to continue its self-regulation. Ultimately, improvements need to be made in audit quality, and, due to significant regulatory pressures, the status quo is untenable. A variety of changes are being explored that could dramatically transform the current peer review program to a more rigorous practice monitoring system. 
   The AICPA’s peer review program began as a voluntary practice monitoring program in 1977, and it became a requirement in 1988 after it was approved by AICPA membership. Today, more than 28,000 firms are enrolled in the program, and state boards of accountancy in at least 52 licensing jurisdictions require firms with an accounting and auditing practice to undergo a peer review as a condition for licensure. Certain regulatory agencies, such as the Government Accountability Office, require peer review as a condition for performing audits of entities subject to their regulatory oversight.

   Heightened regulatory scrutiny underscores the importance of a rigorous peer review program. Ian Dingwall, chief accountant of the Employee Benefit Security Administration (EBSA), recently made comments at the National Association of State Boards of Accountancy (NASBA) Executive Directors conference that made clear that audit quality remains a concern. He noted that EBSA “has referred more than 800 cases of the most egregious work to the AICPA and about 200 to the state boards of accountancy when the firms were not AICPA members.”1 Many regulatory inspectors also refer cases to the AICPA or the state boards of accountancy. The referrals to the AICPA lead to ethics investigations that can result in a number of remedial or disciplinary actions. The state boards have the ability to impact an individual’s license to practice.   

A challenge to the profession’s peer review program is emerging. It is one that suggests PCAOB-registered firms are higher quality firms. Generally, only auditors of publicly traded entities and securities brokers are required to be registered with the PCAOB (via Sarbanes-Oxley legislation), but other organizations are beginning to require their auditors to be PCAOB-registered, including certain federal and state regulators, the federal office of personnel management, and the Commodity Futures Trading Commission (CFTC).2 To become PCAOB-registered, firms need only pay a fee; and not all PCAOB-registered firms are inspected by the PCAOB.

   It is imperative that the profession counteract the misperception of higher quality among PCAOB registrants by demonstrating the rigor of the AICPA peer review program. Only the commitment of high-quality CPA firms who have a vested interest in retaining this self-regulatory program can fight this inaccuracy.   

Key issues
One of the biggest concerns for the peer review program is the difference between the errors identified by the regulators and those identified by peer reviewers. For example, in a 2007 GAO National Statistical Sample Project3 conducted by the audit committee of the President’s Council on Integrity and Efficiency (PCIE), 51 percent of audits were deemed “not acceptable.” Recent peer review results show a more limited number of nonconforming engagements (11 percent nonconforming A-133 engagements). Similarly, the Department of Labor (DOL) consistently notes about a 33 percent error rate, whereas peer reviewers in 2012 identified a 6 percent nonconforming rate. The second broker-dealer PCAOB inspection results that were released in August 20134 were disconcerting: deficiencies were noted in 57 out of 60 audits, and independence was lacking in 22 out of 60 audits inspected. Too few broker-dealer audits were selected for peer review to provide a meaningful comparison. 
   Some practitioners are under the impression that the regulatory perspective focuses on areas that are immaterial. In the case where the regulators are financial statement users, their perspective cannot be ignored. Therefore, it is instructional to learn about the key ethics violations and peer review findings, and consider the areas that the regulators find problematic.5

   Problems on ERISA engagements

Confusion still exists over the scope and eligibility of a limited-scope audit. Some practitioners mistakenly believe that no work is involved with this kind of audit. Not so: all of the audit work that would be required in a full-scope audit is required in a limited-scope audit, with the exception of certain audit procedures related to the investment information. Additionally, according to Employee Retirement Income Security Act (ERISA) Section 103(a)(3)(c), a limited-scope audit is only available for plans holding investments that are prepared and certified by a bank or similar institution, or a regulated insurance company that is supervised and subject to examination by a federal or state agency. A proper certification is essential. 
   Other frequent practice problems include a lack of testing of the fair value of investments at the end of the year and at least some investment gains or losses on a full-scope audit; failure to test the participant data for accuracy and completeness; and improperly reducing or eliminating testing due to over-reliance on a service organization control report.   

The AICPA has a listing of the most frequent ethics violations on ERISA engagements that details the numerous practice problems encountered in connection with ethics investigations.6 Similar deficiencies are identified in the peer review process.7   

Furthermore, the DOL is in the midst of a statistical audit-quality study in which it will be selecting about 400 audits from the 2011 plan year for review. The results of the study, expected in fall 2014, will help practitioners better design audit procedures and materiality to address issues the DOL considers important. 
   Government and not-for-profit engagements
Referrals from regulators to the AICPA Professional Ethics Division are often initiated because of improper major program determination. Some practitioners mistakenly believe that if the engagement has been filed without being rejected by a federal agency, then nothing is wrong. This is completely inaccurate. Improper major program determination is frequently found through regulatory agency oversights. In many cases, due to the importance placed by the regulatory agencies on the major program determination, errors can result in a need to recall and correct audit reports and related audit testing. As a result, major program determination is a critical area. 
   Causes for missed major programs include using preliminary numbers without reconsidering the impact of adjustments; failure to use the correct OMB Circular A-133 compliance supplement to determine program clusters; incorrect risk assessment; and incorrect percentage of coverage due to inaccurate low-risk auditee determination.   

In addition to major program determination, other material deficiencies include failure to test at least some of the compliance requirements for the major programs identified; lack of documentation of understanding of internal controls over compliance that addresses the five elements of internal control (control environment, risk assessment, control activities, information and communication, and monitoring); use of an incorrect threshold for determining type A programs; and presentation problems on the Schedule of Federal Awards (SEFA). One frequent SEFA problem relates to presenting nonfederal funds on the SEFA. The guidance provided by the AICPA State and Local Audit Guide (AAG-SLA Section 7.24) specifically requires that the nonfederal funds be segregated from the federal awards and not be listed under the federal agencies or included in the total of federal awards, and that the title of the schedule be changed to reflect the nature of the awards. Another SEFA presentation problem stems from not providing the proper totals – such as not providing a total for program clusters, not providing a total for each federal program, among others.   Similar to the list for ERISA engagements, the AICPA has published frequent ethics violations found on government and not-for-profit engagements.8 Similar deficiencies are identified in the peer review process.9   

Practice quality tips

Consider risk when accepting an engagement. Practitioners that accept an engagement in a high-risk industry for the first time should consider consulting. Key questions should include the following:

  • Does the firm have the appropriate level of expertise? 
  • What are the applicable regulations? 
  • Is there an audit guide? 
  • Are there relevant continuing professional education courses that provide the industry fundamentals? 
  • Does the AICPA produce an industry-related audit risk alert that is relevant to the client’s business? 
  • Are external resources needed to ensure compliance? 

Having an engagement quality control review (EQCR) for high-risk engagements, or engagements in a practice area outside of the firm’s ordinary practice area, can be a great way to achieve high quality.   

Ultimately, many of the practice problems identified by regulators, peer reviewers, and professional ethics investigators relate to a lack of adequate audit documentation. Many practitioners try to rely on sign-offs on checklists to document the work performed. Given the varied accounting, financial reporting, internal control, and compliance systems that exist, no checklist can adequately explain the work performed on a particular engagement. Similarly, simply including schedules with check marks and no explanations is insufficient. Documentation needs to include the specific identifying characteristics of the items tested and the nature of the testing performed. Oral explanations do not represent sufficient support. If you are uncertain regarding the adequacy of your audit documentation, consider including a review of the adequacy of the audit documentation in the scope of an EQCR. 
   While attending a continuing professional education course is a perfect way to learn about the latest changes to the standards, it is important that you have a process in place for implementing changes to standards. The AICPA peer review checklists can help you double-check an engagement for compliance and can be used in connection with a pre-issuance or EQCR. The AICPA peer review materials also include a section on monitoring that can be used by smaller firms to document the monitoring of their firm’s quality control systems. 
   Peer review changes to address disparity

Recently redesigned checklists on employee benefit plan audits help reviewers focus on areas that the DOL finds significant.   

For A-133 engagements, new procedures have been implemented that require the peer review administering entity to review the major program determination for the A-133 engagements selected by the peer reviewer. These steps have helped to uncover key practice problems. 
   Furthermore, in January 2014 AICPA’s Peer Review Board approved a series of short-term initiatives designed to improve the quality of the peer review program. These initiatives include the following:

  • Enhancing the quality of peer reviewers to ensure ongoing competency, which may result in additional focused training and an exam. 
  • Focusing on emerging risk industries and areas of concern to assist peer reviewers and firms with key audit and industry risk areas, such as government pensions, ESOPS, and evaluating independence when performing nonattest services.
  • Revising the reporting model to improve the transparency of peer review results. 
  • Ensuring the completeness of the engagement population so that all firms that are required to have a peer review are properly enrolled in the peer review program and that the scope of the peer review includes all required engagements. 

The AICPA’s efforts with respect to ensuring the completeness of the engagement population have been extensive. Recently, the DOL provided the AICPA with a list of 4,918 firms and requested that the AICPA verify whether the firms were properly enrolled in AICPA’s peer review program. The list was compiled from Form 5500 filings for the 2011 plan year, and only included firms from states in which peer review was required for licensure in 2011. The AICPA reported preliminary findings back to the DOL that noted at least 144 firms that were not enrolled. The AICPA was unable to match hundreds of other firms for a variety of reasons (including firm mergers and dissolutions, name changes, and so on) and has been working through the list to try to locate these unmatched firms to verify compliance with peer review program requirements.   

The AICPA is using the firm listing provided by the DOL to verify that the nature and scope of the peer reviews for these firms are correct. This project is still in progress, but early results have been disappointing, with a number of firms not including employee benefit plans in the scope of their peer review. In many cases, where the scope of the review has been found to be insufficient, peer review reports have been recalled.   The AICPA performed a similar project on A-133 engagements, where it looked at 2011 data collection forms filed with the federal audit clearinghouse (FAC) and identified 213 firms that indicated that the type A threshold was $500,000 (generally it should be $300,000). The AICPA then checked the firm information against the list of firms enrolled in the peer review program and found that a number of firms were either not enrolled in the peer review program, had never been enrolled in peer review program, or had peer review with an insufficient scope. The FAC project resulted in 32 ethics cases, some resolved with significant findings. The AICPA updated this project with the 2013 filings and opened 23 ethics cases.   

The public nature of the A-133 and DOL filings make it easier to assess peer review program compliance and identify deficient work. As audit reports for A-133 audits are now required to be searchable, it will be easier to target deficient audit reports. The leveraging of technology to improve the peer review program will increase as the next phase of AICPA’s peer review program begins.   

Peer review in the future
On Aug. 7, the AICPA released a discussion paper, Enhancing Audit Quality: Plans and Perspectives for the U.S. CPA Profession, that addresses audit quality from a holistic approach including potential changes to the audit and quality control standards, additional implementation guidance, improvements to training programs based on the AICPA Future of Learning Task Force, revisions to the CPA Exam, enhanced ethics enforcement initiatives, considerations on improving compliance with the ethical requirements of competence and due professional care, and changes to the peer review program. The AICPA also has a task force that is evaluating the future of practice monitoring. Some of the ideas under consideration include using more real-time data, leveraging technology, ensuring completeness and consistency, and including randomness in the process. A concept paper exploring these various options is expected out this fall. This dialogue is a tremendous opportunity to create an improved practice monitoring system that supports and rewards higher quality accounting and audit practices. This effort will only succeed, though, with the input and support from firms interested in seeing higher quality results.   Footnotes

  1. NASBA State Board Report, March 2014.
  2. Sarah N. Lynch, “U.S. Regulator Warns on Audits’ Marketing Practices,”, March 17, 2014.

  5. AICPA Annual Report on Oversight of AICPA’s Peer Review Program.

Allison M. Henry, CPA, is vice president of professional and technical standards for the PICPA. She can be reached at


Bill Sheridan