Updated November 17, 2022

In the past, companies and tax-exempt organizations often relied on accountants from their audit firms to assist in reconciling accounts, preparing the adjusting journal entries, and writing financial statements. Smaller organizations often lacked the level of accounting sophistication necessary to carry out these tasks. Relying on the audit firm often made sense from the perspective of efficiency and cost containment.

New requirements by the American Institute of Certified Public Accountants (AICPA) and a host of related regulatory guidance issued by the Securities and Exchange Commission (SEC), the General Accounting Office (GAO), and the U.S. Department of Labor (DOL) have prompted an increased focus on auditor independence over the last decade. These days, the standards generally restrict the non-attest services, like tax or consulting services, that auditors may perform and the circumstances under which those services may be allowed. The increased regulations serve to muddy an already often-misunderstood set of expectations.

What Auditors Do

The outside, independent auditor is engaged to render an opinion on whether a company’s financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. The audit provides users such as donors, lenders and investors with an enhanced degree of confidence in the financial statements. An audit conducted in accordance with GAAS and relevant ethical requirements enables the auditor to form that opinion.

To form the opinion, the auditor takes a risk-based approach to gather appropriate and sufficient evidence and observes, tests, compares, and confirms until gaining reasonable assurance. The auditor then forms an opinion about whether the financial statements are free of material misstatement, whether due to fraud or error.

Some of the more important auditing procedures include:

  • Inquiring of management and others to gain an understanding of the organization itself
  • Identifying and communicating significant risks
  • Concluding whether there are conditions or events, considered in the aggregate, that raise substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time.

At the completion of the audit, the auditor may also offer objective advice for improving financial reporting and internal controls to maximize a company’s performance and efficiency.

Effective December 15, 2021, the Auditing Standards Board issued Statement of Auditing Standards 134, Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements. This standard was intended to overhaul the presentation of the independent auditor’s report and aims to enhance the communicative value and relevance of the report. The standard also introduces the concept of communicating “Key Audit Matters” (KAMs) within the independent auditor’s report. KAMs allow the auditor to disclose the most important things identified in the audit and note them on the face of the report. Ultimately this allows for audit reports to be customized for individual entities. It is important to note that an auditor can only disclose KAMs when specifically engaged to do so.

What Auditors Do Not Do

For a clear picture of the role of external auditors, it helps to understand what you should not expect auditors to do. The emphasis is on “independent.” Many people are surprised to learn that auditors do not take responsibility for the financial statements on which they form an opinion. The responsibility for financial statement presentation lies squarely in the hands of the entity being audited.

Auditors are not a part of management, which means the auditor will not:

  • Authorize, execute, or consummate transactions on behalf of a client;
  • Prepare or make changes to source documents;
  • Assume custody of client assets, including maintenance of bank accounts;
  • Establish or maintain internal controls, including the performance of ongoing monitoring activities for a client;
  • Supervise client employees performing normal recurring activities;
  • Report to the board of directors on behalf of management;
  • Serve as a client’s stock or escrow agent or general counsel;
  • Sign payroll tax returns on behalf of the client;
  • Approve vendor invoices for payment;
  • Design a client’s financial management system or make modifications to source code underlying that system; or
  • Hire or terminate employees.

This list is not all-inclusive. In short, the auditor may not assume the role and duties of management. In practical terms, there are a number of tasks you should not expect your auditor to perform:

  • Analyzing or reconciling accounts;
  • “Closing the books”;
  • Preparing confirmations for mailing;
  • Selecting accounting policies or procedures;
  • Preparing financial statements or footnote disclosures;
  • Determining estimates included in financial statements;
  • Determining restrictions of assets;
  • Establishing the value of assets and liabilities;
  • Maintaining client permanent records, including loan documents, leases, contracts and other legal documents;
  • Preparing or maintaining minutes of board of directors meetings;
  • Establishing account coding or classifications;
  • Determining retirement plan contributions;
  • Implementing corrective action plans;
  • Preparing an entity for audit; or
  • Preparing the Statement of Functional Expense.

Management’s Responsibilities in an Audit

The words, “The financial statements are the responsibility of management,” appear prominently in an auditor’s communications, including the audit report. Management’s responsibility is the underlying foundation on which audits are conducted. Simply put, without management having responsibility for the financial statements, the demarcation line that determines the auditor’s independence and objectivity regarding the client and the audit engagement would not be as clear.

It is important for a company’s management to understand exactly what an audit includes as well as the role of the auditor. The auditor’s responsibility is to express an independent, objective opinion on the financial statements of a company. This opinion is given in accordance with auditing standards that require the auditors to plan certain procedures and report on the results of the audit, while considering the representations, assertions, and responsibility of management for the financial statements.

As one of their required procedures, auditors ask management to communicate management’s responsibility for the financial statements to the auditor in a representation letter. The auditor concludes the engagement by using those same words regarding management’s responsibility in the first paragraph of the auditor’s report.

Auditors cannot require management to do anything or to make any representation. However, to conclude the audit with the hope of a “clean” unmodified opinion issued by the auditor, management must assume responsibility for the financial statements.

Auditing standards are very clear that management has the following responsibilities fundamental to the conduct of an audit:

  • To prepare and present the financial statements in accordance with an applicable financial reporting framework, including the design, implementation, and maintenance of internal controls relevant to the preparation and presentation of financial statements that are free from material misstatements, whether from error or fraud.
  • To provide the auditor with the following information:
    • All records, documentation, and other matters relevant to the preparation and presentation of the financial statements;
    • Any additional information the auditor may request from management; and
    • Unrestricted access to those within the organization if the auditor determines it necessary to obtain audit evidence objectivity.

It is not uncommon for the auditor to make suggestions about the form and content of the financial statements, or even assist management by drafting them, in whole or in part, based on information provided by management. In those situations, management’s responsibility for the financial statements does not diminish or change. Furthermore, auditors can advise on implementation of new Accounting Standard Updates (ASUs) as long as management has the proper skills, knowledge, and experience (SKE) to take responsibility for non-attest services. For example, ASU 2019-01, Leases (Topic 842) is effective for fiscal years beginning after December 15, 2021. The standard changes the accounting treatment for operating leases and involves a complex calculation to recognize a lease asset and lease liability at the present value of the lease payments in the Statement of Financial Position.

In addition to findings, the management letter may contain recommendations for management ranging from segregation of duties to addressing possible cybersecurity risk. Addressing these recommendations in a timely manner will safeguard operations and ensure the organization is applying industry best practices.

Risk management is an area often highlighted in the presentation of audit findings to the board of directors. Below are two areas that auditors often recommend for further review. To be proactive ahead of the next audit, organizations should review these areas to avoid possible findings.

Cybersecurity

During the audit, the auditor may observe risk to the organization related to IT policies and procedures and recommend a separate cyber audit. The scope of a cyber or cybersecurity audit focuses on internal IT infrastructure, external infrastructure, framework benchmarking, penetration testing, and more.

Fraud Risk

Fraudulent activity is on the rise and every organization is at risk. Implementing new technology, reliance on third-party vendors, and necessary changes to internal control structures all provide opportunities for fraud. It is more important than ever for organizations to remain proactive in preventing fraudulent activity through effective management of fraud-related risks and implementation of anti-fraud controls.

Contact

For more on audit best practices, including the implementation of new ASUs, visit GRF’s resource center or contact us for assistance.

Amy Boland, CPA
Partner and Director, Audit
aboland@grfcpa.com
301-951-9090