Auditors performing financial statement audits are already aware of the Public Company Accounting Oversight Board (PCAOB) auditing standard AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion effective for audits of fiscal years ending on or after December 15, 2017.
Within this standard are the requirements related to critical audit matters, paragraphs .11-.17, that are effective for all fiscal audits ending on or after June 30, 2019, for companies meeting the PCAOB’s definition of a large accelerated filer. For all other companies subject to the PCAOB, the effective date is fiscal years ending on or after December 15, 2020. So, the standard and requirements within it have been effective for quite some time.
Why bother talking about it now? Well, has anyone considered how services provided by a subservice organization could be critical to the user organization’s financial statements and have the potential to impact the financial statements resulting in a critical audit matter?
What Is a Critical Audit Matter?
Let’s revisit the concept of a critical audit matter for a few moments. AS 3101 defines in paragraph .11, “A critical audit matter is any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved especially challenging, subjective, or complex auditor judgment. Critical audit matters are not a substitute for the auditor’s departure from an unqualified opinion (i.e., a qualified opinion, adverse opinion, or disclaimer of opinion on the financial statements as described in AS 3105).”
Audit matters deemed to be critical audit matters needing to be reported are those that are most meaningful to the users of the financial statements. The user auditor, as part of the process of determining if an item is a critical audit matter, will identify and document the principle considerations that led to the conclusion.
AS 3101, paragraph .12 identifies the factors to consider when determining if an item amounts to a critical audit matter:
- “The auditor’s assessment of the risks of material misstatement, including significant risks;
- The degree of auditor judgment related to areas in the financial statements that involved the application of significant judgment or estimation by management, including estimates with significant measurement uncertainty;
- The nature and timing of significant unusual transactions and the extent of audit effort and judgment related to these transactions;
- The degree of auditor subjectivity in applying audit procedures to address the matter or in evaluating the results of those procedures;
- The nature and extent of audit effort required to address the matter, including the extent of specialized skill or knowledge needed or the nature of consultations outside the engagement team regarding the matter; and
- The nature of audit evidence obtained regarding the matter.”
These factors are common considerations an auditor will make when performing different audits such as a financial statement audit, SOC 1, or SOC 2 to name a few. It is the extent of each factor that is the determining factor if an item is elevated to a critical audit matter.
The objective of this article, though, is not to discuss all the aspects of a critical audit matter. It is to apply the concept to service organizations.
Criticality of Services Provided by a Service Organization
Do service organizations really provide services that may be critical to a user organization’s financial statements? The answer is an emphatic “Yes!” A user organization may outsource the processing or operations of a critical business function, critical IT function, or supporting IT infrastructure to a service organization. Examples include:
- Payroll processing
- Benefits management
- The IT infrastructure that the business operations run on.
- Utilizing an application created and managed by an outside vendor versus using an in-house application.
- Daily management and operational processing of activity for a critical business line, etc.
AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, effective for service auditor’s reports dated on or after May 1, 2017, addresses this criticality concept and provides a method for examining and reporting on the critical controls that a service organization provides. This is commonly known as a SOC 1 report.
User auditors will obtain the SOC 1 report from their client and consider the scope of the audit and content of the report in relation to the audit procedures performed for the financial statement audit. The results of the SOC 1 examination are considered in relation to the impact on the financial statement accounts that the scope of the SOC 1 examination relates to.
Exceptions & Qualifications in SOC 1 Reports
The tests of the design and operating effectiveness of controls defined in a SOC 1 examination can result in exceptions being identified in relation to a particular control or controls tested. These audit exceptions are disclosed in the SOC 1 report. These exceptions, depending upon their level of criticality and impact on the related control(s), will be listed as exceptions in relation to the impacted control(s). If the impact on the related control(s) is great enough, it can lead to a qualified report opinion for the area where the exceptions are being reported.
As a refresher, a qualified opinion means that either the internal controls were not designed (SOC Report Type I or II) or operating (Type II only) effectively for one or more control objectives identified in the SOC 1 report. “A qualified opinion means that the user organization and the user auditor cannot place reliance on the controls supporting a particular area at the service organization.”
Individuals who have read a SOC 1 report are familiar with this concept. The question to ask is “Can a number of exceptions or a qualified opinion in a SOC 1 report result in a critical audit matter or contribute to the components culminating in a critical audit matter?” The answer is “yes” based on the ability to meet these components of the definition of a critical audit matter as defined earlier in the article:
- “relates to accounts or disclosures that are material to the financial statements” and
- “involved especially challenging, subjective, or complex auditor judgment.”
The analysis to determine if something meets the definition of a critical audit matter and is elevated to the level of a critical audit matter is the responsibility of the user auditor performing the financial statement audit for its client. The user auditor must evaluate the results in the SOC 1 report in conjunction with evaluating the related controls at its client, the impact of the accounts that roll into the financial statements, and the overall impact on the financial statements.
A user auditor can, as part of their analysis, go back to the service auditor to gain more information regarding the report exception(s) or qualification(s) so as to increase their understanding of the scope and results of the work performed. The user audit may also request the service auditor to perform agreed-upon procedures at the service organization in relation to the scope of the exception(s) or qualification(s), or perform such procedures themselves.
Conclusion
Critical audit matters, as defined in AS 3101, can originate from exceptions reported in a SOC 1 report or a qualification to the SOC 1 report opinion. AS 3101 specifically defines the components of a critical audit matter. The user auditor, the auditor performing the financial statement audit, will determine if any exceptions or qualifications in the SOC 1 report meet the definition of a critical audit matter. It is the responsibility of the service auditor to support inquiries or requests from the user auditor during this process.
For any additional questions surrounding this article, or if you would like to learn more about the different audit services provided by Linford, please contact us.
Lois started with Linford & Co., LLP in 2020. She began her career in 1990 and has spent her career working in public accounting at Ernst & Young and in the industry focusing on SOC 1 and SOC 2 and other audit activities, ethics & compliance, governance, and privacy. At Linford, Lois specializes in SOC 1, SOC 2, HIPAA, ISO, and CMMC audits. Lois’ goal is to collaboratively serve her clients to provide a valuable and accurate product that meets the needs of her clients and their customers all while adhering to professional standards.