Do you ever wonder if the CPA firm your organization decides to use has the right type of experience when going through the engagement process? Well, one question you can ask is the last time the CPA firm went through the AICPA peer review program. In this post, we will discuss what an AICPA peer review is, what the peer review process looks like, whether the peer review is mandatory, and how to find out if a CPA has recently completed a peer review.
What is an AICPA Peer Review?
The AICPA has provisioned a number of professional standards that CPA firms are required to abide by. One of those includes peer review standards. This standard requires that members of the AICPA who practice within the public accounting profession are required to work for a firm as a partner or employee who has registered with an organization that has an approved monitoring program. As part of this monitoring program, the CPA must be reviewed by a CPA firm independent of the firm being reviewed to determine whether the services they provide are indeed in accordance with AICPA requirements. The firm completing the review is called the administering entity (EA).
In general, the peer review process is meant to monitor whether a firm is providing accounting and audit services in accordance with AICPA guidance and requirements. Additionally, it’s meant to elevate the occupation and provide users of accounting and audit services assurance that they are provided reports that are useful.
What is the Peer Review Process?
Once every three years, audit firms are required to go through the AICPA peer review process. Depending on the type of services the CPA firm will determine the type of peer review received. The options include System Reviews or Engagement Reviews. System Reviews will be our main focus in this post as it pertains to firms that perform engagements under Statements on Standards for Attestation Engagements (SSAEs) which are the standards that cover attestations such as SOC 1, SOC 2, and HIPAA reporting. Firms that perform examinations of service organizations are considered must select engagement and at least one of each must be chosen for review as part of the peer review process.
Once the engagements have been selected for review, the peer reviewer completes their assessment using a peer review checklist. Assessments include the following steps:
- Review reports and supporting documentation and work papers – Behind each report are work papers and evidence to support the opinion presented within a report. The peer review program requires the peer reviewer to review the documentation to determine whether the auditor’s conclusion is reasonable and justifiable.
- Interview select personnel – Personnel are interviewed as a way to make a determination if they have the right type of expertise to complete the audit and provide users a report in which they can place reliance.
- Review personnel files – The peer reviewer reviews a person’s files to determine whether they are still in good standing with any professional organizations. (I.e. CPA).
- Review firm representations – Reviews completed by the peer reviewer require management to provide a Letter of Representation. Similar to any attestation examination, this letter is signed by management and attests that the information provided was complete and accurate.
Reviews are meant to help the reviewer understand if audit procedures were done in accordance with guidance such as SSAE 18 in the case of SOC audits and if the supporting personnel have the right type of experience to provide that type of accounting or audit service.
Once the review is completed, the final step is for the peer reviewer to provide their report with any findings. If the reviewer finds the firm to be in conformity with the monitoring program they will receive a pass and this indicates that the firm followed standards when performing services. If a firm does not receive a pass, they are required to remediate and possibly re-issue reports as soon as possible to become compliant.
Engagement Reviews follow a similar process but the focus of these peer reviews is to determine whether specific engagements such as financial statements were completed in accordance with applicable standards.
Is a Peer Review Mandatory?
While it depends on the type of services provided, if a firm is providing services in the public account industry, the answer is yes. All firms performing attestation services among others as mentioned above are required to be peer reviewed once every three years.
Are All Engagements Reviewed By the Peer Review Team?
No, peer reviews focus on a subset of engagements that occur during a certain period of time. As mentioned above, a subset of examinations are considered must picks and at least one of these engagements must be selected as part of the peer review. These include engagements performed under the following:
- Government Auditing Standards
- Audits of employee benefit plans
- Audits of depository institutions (with assets of $500 million or greater)
- Audits of carrying broker-dealers
- Examinations of service organizations (SOC 1 and SOC 2 engagements)
That is because these examinations are considered higher risk.
Additionally, there may be times when certain engagements need to be excluded from the list of engagements that can be chosen for review. Generally, this is because an organization is going through litigation at the time of review, or the organization that is the subject of the report does not provide their permission. If this is the case, the CPA firm is required to receive special permission to exclude those engagements.
How Can I Find if a Firm Has Passed a Peer Review?
The AICPA has provided a website available for public use to search and determine when a firm was last peer reviewed and whether a firm has a passing peer review grade. Once you get to the website, you will need to go to the “Public File Search” tab to complete the search. From here, the form allows you to add either the firm name or their firm number. Additionally, to further narrow the results, you can add the firm’s city and state. Once you find the firm in question, you can select that line item and it will display the period covered by the peer review, peer review acceptance date, and the report grade.
Peer Review Summary
The AICPA peer review program was created as a way of checking in with audit firms to determine whether or not they are meeting professional standards. The program as a whole is meant to elevate the information coming out of CPA firms in which stakeholders often place reliance. If your organization requires the services provided by an accounting or audit firm, this can be a helpful post in having one additional check before engagement occurs.
If you have additional questions about peer reviews or our audit process, please feel free to contact Linford & Co. Our team of highly experienced auditors specializes in a variety of third-party audit engagements, including SOC 1 and SOC 2, HIPAA compliance audits, HITRUST assessments, and more.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.