Author: dsp64

SAS 145 Audit Risk Assessment

Posted on by dsp64

Information Technology

This blog is about a particular topic of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, which largely stays hidden in plain sight. That topic is audit risk assessment related to information technology (“IT”). Risks related to IT are often (intentionally) overlooked. It’s problematic because some auditors don’t exactly feel IT-empowered, myself included. And even though IT requirements have been there for some time now, we find that SAS 145 has given it particular emphasis, perhaps to draw our attention to its importance. It will be no surprise if IT risk assessment is a target for peer review engagements in 2024 and several years after.

SAS 145 requires auditors to consider IT controls that address risks of material misstatement at the assertion level. The standard breaks this down to 1) the risk of use of IT and 2) the general IT controls that address those risks.

In the codification of auditing standards, AU-C Glossary – Glossary of Terms defines the two related aspects of IT risk assessment as follows:

  • Risks arising from the use of IT. Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.
  • General IT controls. Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Risks arising from the use of IT

Some IT systems inherently have more risk than other systems. Canned software for which the company cannot access the source code is inherently less risky than larger, more complex, internally developed systems subject to source code modifications.

Interfacing applications inherently have more risk of material misstatement than packages that integrate the various applications.

A partial list of risks arising from the use of IT are:

  • Miscalculations: Coding errors could cause miscalculations of the financial data.
  • Unauthorized Access: Weak controls related to data entry or bugs in the system could compromise the financial data.
  • Data Loss or Corruption: System crashes, cyberattacks, and other failures could lead to the loss of critical financial data.
  • Failure to Update Software: Old versions of accounting software could lead to a host of risks, such as security and compatibility issues
  • Limited Data Backup and Recovery. Again, this could lead to the loss of critical financial data.

Electronic Spreadsheet Risk of Use

A particular IT category inherently prone to greater risk of material misstatements is the use of electronic spreadsheets, such as Excel.

Here are two examples of risks arising from the use of IT as it relates to electronic spreadsheets:

  • Example 1: Material Misstatement of Construction Revenue. An Excel spreadsheet is a type of IT tool. Many contractors use it to calculate the percentage-of-completion revenue measurement of individual construction contracts. Such spreadsheets may contain numerous contracts rolled over from period to period. Contract information is often imported from the job activity ledgers, but some companies may manually input the data. The calculations are complex and data intensive.
  • Example 2: Material Misstatement of Accrued Loss on Uncompleted Contracts. Certain contractors also use Excel to pull takeoffs from specs and drawings. The takeoff information is summarized in Excel, and formulas and perhaps pivot tables are used to create a summarized bid for a prospective construction project.

The risks arising from the use of IT associated with Excel in the above two examples are extensive. It includes potential design and operation errors, such as incorrect cell formulas, cells not being protected whereby formulas can be accidentally or intentionally deleted, manual input errors, and human misunderstanding of Excel functionality.

For the first example, there is a significant risk of a material misstatement of construction revenue. The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and occurrence.

In the second example, there is a significant risk of material misstatement due to the potential failure to record the total amount of the accrued loss on the contract obtained (because, at inception, the bidding error was not discovered by management). The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and completeness.

General IT Controls

Here is a list of broad general IT controls (not all-inclusive) that auditors should be aware of:

  • Logical Access Controls: Ensure proper access rights and permissions are assigned to appropriate users based on their roles.
  • Change Management: Ensures that software, hardware, and configuration changes are approved and monitored.
  • Data Backup and Recovery: Regularly back up critical data and test the recovery process.
  • Network Security Management: Implement firewalls, intrusion detection systems, and secure network architecture.
  • User Authentication: Use robust authentication methods (e.g., multi-factor authentication) to verify user identities.
  • Physical Security: Safeguard physical access to servers, data centers, and other IT infrastructure.
  • Security Awareness Training: A formalized program to educate employees about security best practices.

Now, here’s the thing that you do not want to miss. General IT controls that address a significant risk of material misstatement arising from the use of IT are subject to design and implementation testing.

For the sake of bringing it all together, general IT controls that address the risk of the use of IT related to electronic spreadsheets (and are subject to design and implementation testing) are:

  • Logical access controls (restrictions as to who can use the worksheet)
  • Change management (controls over who can change the formulas and other functionality of the spreadsheets)
  • Data backup and recovery (always important to make sure these are in place)

Since the above general IT controls address significant risks of a material misstatement from the use of IT (i.e., electronic spreadsheets) to calculate construction revenue and the accrued losses on uncompleted contracts, the auditor should evaluate the design of those identified controls and determine if such controls have been implemented. This evaluation and determination are customarily done through narratives (perhaps internal control questionnaires) and walkthroughs.

Proposed Franchise Tax TN HB 1893 and SB 2103

Posted on by dsp64

Proposed Franchise Tax Would Generate Significant Refund Opportunities

Current Tennessee Franchise and Excise Tax law requires that entities (corporations, subchapter S corporations, limited liability companies, professional limited liability companies, registered limited liability partnerships, professional registered limited liability partnerships, limited partnerships, cooperatives, joint-stock associations, business trusts, regulated investment companies, REITs, state-chartered or national banks, and state-chartered or federally chartered savings and loan associations) pay a Franchise Tax equal to 25 cents of every $100 of the greater of the entities Total Net Worth or Total Real & Tangible Personal Property.

Example of an actual client:
  1. Total net worth Schedule F1, Line 5…………………………….-304,227
  2. Total real and tangible personal property, Sch. G……………5,456,297
  3. Franchise tax (25 cents per $100 on the greater)…………………13,641

In a nutshell, these bills, if passed into law, would change the present law and remove the alternative tangible/realty property base from the Tennessee franchise tax (basically Schedule G). Additionally, the bills would require the payment of refunds for open years for taxpayers who paid on the tangible property base. The bills provide that the refund amount would be limited to the difference in tax between what was paid on the tangible/real property base and what would have been paid using the apportioned net worth base. In this example, the entire amount.

Right now, “open” years would include 2020, meaning the taxpayer could potentially apply for five years’ worth of refunds. If these bills are passed this year, as expected, the taxpayer will have until December 31, 2024, to file for 2020 before it drops off of the statute of limitations.

The refund is subject to the following provisions:

(1) The refund must be claimed within three years from December 31 of the year in which the payment was made or within any period covered by an extension permitted by existing law;

(2) The claim for refund, including information necessary to determine the proper amount due, must be filed on a form prescribed by the commissioner exclusively for the purpose of seeking a refund pursuant to this bill and must not include a claim for refund on any other basis. A claim on any other basis must be filed separately under existing law. The commissioner is also authorized to refund, under this bill, a claim timely filed under existing law and filed before January 1, 2024, that alleges that the franchise tax in the franchise tax law of 1999 or any provision of the franchise tax law of 1999, is unconstitutional by failing the internal consistency test. The commissioner is not authorized to make a refund under this bill unless a claim is filed;

(3) As used in this bill, “tax actually paid” includes any credits applied on the return. Credits must be reinstated but not paid as a refund;

(4) This bill does not prevent the commissioner from auditing the refund claim, appropriately adjusting or denying the claim, or auditing the amount of tax otherwise due under the franchise tax law of 1999 within the applicable statute of limitations;

(5) A refund due under this bill must first be used to offset any outstanding tax liabilities and is subject to the report of debts requirements in existing law;

(6) A denial of a refund claimed under this bill is subject to the remedies provided in existing law regarding taxpayer remedies for disputed taxes.

(7) Interest at the rate established by determination of rate of interest under the Internal Revenue Code for a large corporate overpayment in the amount of the federal short-term rate plus five-tenths of a percentage point must be added to the amount refunded under this bill beginning 90 days from the date the commissioner receives the refund claim and proper proof to verify that the refund or credit is due and payable; and

(8) Attorneys’ fees must not be added to the amount of refund due.

This will significantly impact you, our clients, and our workload to get those refunds back for you. We will be keeping a watchful eye on how this develops.

The Secret 280A Deduction

Posted on by dsp64

Holding Business Meetings for Your Business at Your Personal Residence

In the ordinary course of business, some companies, due to their structure, are required by law to hold meetings for their entities. Others hold meetings for a variety of purposes, including educational workshops, Christmas parties, or even regular staff meetings.

Tax Code Section 280A contains provisions allowing a business owner to conduct regular meetings at his or her residence.

Traditionally, business meetings are held on office premises or rented spaces such as a Board Room at a Hotel or Conference Center. The expense of conducting these meetings in an outside venue can be significant, with the national average cost approaching $1,500 per day. This cost is based upon accommodating the Officers, Stockholders, Directors, Managers, Principals, Members, and Employees while providing two meals, break expenses, audio-visual and internet access support, etc. However, self-employed owners are specifically excluded.

In Nashville, costs range from $1,800 to $2,000 per day for comparable facilities.

These expenses are tax deductible for your business but are not considered taxable income on your personal return under Tax Code Section 280A.

Whether these meetings are a requirement by law for your practice or other purposes, these meetings can and should be conducted at your home.

However, your business entity must have principals, directors, or board members to qualify for the tax deduction. This means your business entity must be organized as something more than a sole proprietorship, such as an LLC, PLLC, S-Corporation, C-Corporation, or partnership.

There are certain requirements for conducting these business meetings. While each entity will have its specific Agenda items to cover and determining the meeting frequency will be a personal decision, certain topics should be covered annually, semi-annually, and· every time a meeting is held. There may also be a need to conduct Special Meetings to adopt resolutions, change practice direction, adopt a new program of significant impact, re-finance for strategic purposes, expend or commit a material practice resource, or make significant personnel or ownership adjustments.

Under Code Section 280, you can rent your home up to 14 days per year without having to recognize personal income. This could cover up to 12 monthly sessions plus a Semi-Annual and Annual meeting if you so desire. The scenario for the rental is as follows:

As a business owner, you would rent from you, the homeowner, the Fair Market Value of area meeting space for up to 14 days per year. The total you spend as the business owner is written off as rental expenses, while this same income to you as the homeowner is non-taxable rental income.
Taking the lower Nashville area figure of $1,800 per meeting, your business would spend $25,200 for 14 meetings. The estimated potential tax savings for your business to conduct these required meetings could be up to $9,324, with no tax due on the $25,200 paid to you for renting your home.

There are specific requirements for conducting these business meetings. If this is of interest to you, we would be happy to guide you through the process to make your meetings run smoothly, comply with all regulations, and maintain deductibility over the course of a year.

Remember, you must maintain the correct documentation.

SAS 145 Audit Risk Assessment

Posted on by dsp64

Just a Bit More

Well, let’s add a bit more about SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. And let’s do it in a question-and-answer format. This SAS is enormous – it’s over 250 pages long. Those in public accounting must understand its implications since understanding the entity, environment, and financial statement risks is the heart and soul of financial audits. An understanding of the risk of misstatements is what drives the remainder of the audit engagement. So, with that being said, let’s begin.

  1. Is SAS 145 principle-based, and is the methodology neutral?

    Yes. The standard is principle and does not prescribe a particular way to accomplish the objectives. Accordingly, much is open to the auditor’s experience and professional judgment.

  2. Are there some specific vital concepts that must be understood to wrap your head around SAS 145?

    Yes. Here are the ones that you must understand. Some are familiar concepts from the previous standard, and some are new.

    Assertions -These are representations made by the entity’s management (explicit or otherwise) about amounts and disclosures in their financial statements.

    Inherent Risk -SAS 145 states that inherent risk is the susceptibility of an assertion to a material misstatement. Inherent risk is determined before consideration of the entity’s control risk. The standard lists some inherent risk factors to be considered.

    Control Risk -The risk that a potential misstatement in an assertion won’t be timely prevented or detected and corrected by the internal control system.

    Relevant Assertion – An assertion with an identified risk of material misstatement (also known as a RMM).

    Risk of a Material Misstatement – A RMM exists when there is a reasonable possibility of a material misstatement occurring. A RMM combines a reasonable possibility of occurrence and a reasonable possibility that if a misstatement occurs, it will be material. Said another way, a RMM means it’s reasonably possible that a misstatement can happen, and if it does, it’s reasonably possible it will be material.

    Significant Class of Transactions, Account Balance, or Disclosure -It’s an audit area with at least one relevant assertion and, therefore, a significant audit area.

    Identified Risk – An identified risk is another name for a RMM – except the risk of a misstatement has been specifically identified. It’s a known RMM.

    Spectrum of Inherent Risk – The spectrum of inherent risk is the extent to which inherent risk varies – i.e., inherently from low to high risk.

    Significant Risk – A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. In other words, it is a RMM on steroids.

    Identified Controls – Identified controls are controls for which SAS 145 requires the auditor to evaluate the design and determine the implementation using procedures beyond inquiry.

  3. As a result of risk assessment, should every audit program be tailored to address the identified risks?

    Yes. The primary purpose of risk assessment is to design procedures to address the risk identified. An unmodified one-size-fits-all audit program is suspect. It gives the impression that little thought was given to the linkage of identified risks to procedures that address those risks. Accordingly, unmodified programs may be a peer review finding.

  4. Are all material accounts considered a RMM?

    No. A risk of material misstatement exists when:

    • There is a reasonable possibility of a misstatement occurring, and
    • There is a reasonable possibility it would be material if it did occur.

    In other words, RMM equals Occurrence + Magnitude. Therefore, an account can be material but not have a RMM when there is no reasonable possibility of a misstatement, or if there is a reasonable possibility of a misstatement, there is no reasonable possibility it would be material.

  5. What does reasonable possibility mean?

    Reasonable possibility means there is more than a remote chance of happening. It is based on inherent risk only, without regard to internal controls. Inherent risk is king.

  6. How does “reasonable possibility” align within GAAP’s risk progression?

    Reasonable possibility is a low threshold. It progresses as follows:

    Remote -> Reasonable possibility > More Likely Than Not > Probable > Reasonably certain.

    Therefore, the risk of a material misstatement is only slightly more than a remote risk. It’s a low threshold.

  7. So, inherent risk is king? What are some of the inherent risk factors to be considered?

    • Size, volume, and composition of items
    • Susceptibility of theft or fraud
    • Complexity
    • Subjectivity
    • Uncertainty
    • Changes in business environment, operations, and personnel.

  8. Why are relevant assertions important?

    Remember, a relevant assertion has a RMM attached to it. A significant audit area has at least one relevant assertion and, therefore, at least one risk of a material misstatement. Why is this important? Because substantive procedures must be applied to this area. Limited procedures are insufficient.

  9. Must you assess inherent risk and control risk for each account and each assertion?

    • No. However, you must assess inherent risk and control risk for each identified RMM at the assertion level.

  10. If, as a matter of policy, an auditor assesses all control risks at maximum risk under SAS 145, must the combined RMM have the same assessment as the inherent risk assessment?

    Yes. It’s the math. If control risk is assessed at 100%, and inherent risk is assessed at 50%, then the combined risk, mathematically, must equal 50%. (1.0 x .5 = .5 or 50%.)

  11. What is so significant about a significant risk?

    Remember, a significant risk is a risk on steroids. It is located at the upper end of the spectrum of inherent risk. Therefore, the auditor must:

    • Evaluate the design of the control (often done with narratives) and
    • Determine if the control has been implemented (often done by walk-throughs.)

Corporate Transparency Act

Posted on by dsp64

An Important Heads Up

  1. What is the Corporate Transparency Act?

    The Corporate Transparency Act authorizes the Financial Crimes Enforcement Network to collect certain identifying information about the beneficial owners and company applicants. The Act applies to domestic corporations, LLCs, and any entity created by the Secretary of State (or similar office) in any state or tribal jurisdiction, as well as foreign entities registered to do business in any state or tribal jurisdiction.

  2. Who Must Report?

    • All domestic corporations, LLCs, and other entities created by filing with a Secretary of State or similar office
    • All foreign corporations, LLCs, and other entities created under the laws of foreign countries and registered in any state or tribal jurisdiction to do business.

  3. Who is Exempt from Reporting?

    There are several entities exempt from reporting, including but not limited to:

    • Large Operating Company

      • A large operating company is an entity that:
        • Employs more than 20 full-time employees (30+ hours per week)
        • Conducts operations at a physical office within the United States
        • Filed a US federal income tax or information return for the previous year with more than $5,000,000 in gross receipts or sales, net of returns and allowances, excluding gross receipts or sales from sources outside the United States.
      • Tax-exempt entity (described in Sec. 501(c) and exempt from tax under Sec. 501(a) of the IRC)
      • Inactive entity (as defined)
      • Securities reporting issuer
      • Governmental authority
      • Bank
      • Credit union
      • Depository institution holding company
      • Money services business
      • Broker or dealer in securities
      • Securities exchange or clearing agency
      • Other Exchange Act registered entity
      • Investment company or investment adviser
      • Venture capital fund adviser
      • Insurance company
      • State-licensed insurance producer
      • Commodity Exchange Act registered entity
      • Accounting firm (if registered in accordance with Sec. 102 of the Sarbanes-Oxley Act of 2002)
      • Public utility
      • Financial market utility
      • Pooled investment vehicle
      • Entity assisting a tax-exempt entity
      • Subsidiary of certain exempt-from-reporting entities

  4. What Must be Reported?

    Beneficial owners must be reported. A beneficial owner is any individual who owns or controls at least 25% of the ownership interest or, directly or indirectly, exercises substantial control over the reporting company. The individual has substantial control if any of the following apply:

    • Serves as a senior officer of the reporting company
    • Has authority to appoint or remove any senior officer or majority of the directors
    • Directs, determines, or has substantial influence over important decisions, including:
      • Nature, scope, and attributes of the business
      • Reorganization, dissolution, or merger
      • Major expenditures or investments, issuance of equity, debt, operating budget
      • Selection or termination of business lines or ventures or geographic focus
      • Compensation and incentives for senior officers
      • Entry into or termination of significant contracts
      • Amendments to governance documents
    • Has any other form of substantial control over the reporting company

    Company applicants must be reported. Company applicants may be:

    • Individuals who directly file the document that creates the reporting company
    • Individuals who are primarily responsible for directing or controlling the filing of those documents.

  5. Where is the Information Reported?

    The information is reported on the Financial Crimes Enforcement Network and can be found at https://fincen.gov/boi. The website also provides a large amount of other helpful information.

  6. When is Reporting Required?

    • Companies created or registered with a Secretary of State or similar office before January 1, 2024, must report beneficial owner information between January 1, 2024 and December 31, 2024. Company applicant information is not required to be reported.
    • Companies created or registered with a Secretary of State or similar office on or after January 1, 2024, must report beneficial owner information and company applicant information within 90 days of creation or registration.
    • ALERT: In certain situations, reporting must be updated.

  7. Why Report?

    If the requirements are met, reporting is required. Failure to do so can result in substantial civil and criminal penalties.

    The Act’s intent is to help prevent illicit activity such as money laundering, financing of terrorism, tax evasion, fraud, and other illegal activity. It also promotes corporate transparency and accountability.

This blog does not cover all aspects of the Corporate Transparency Act. Please see the official documentation or consult a legal professional for more detailed information. It is highly recommended that companies seek legal advice for assistance and help in understanding and complying with these requirements.

Audit Risk Assessment Scalability

Posted on by dsp64

Where Less Can Be Better

We first addressed SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement in our November 2021 blog. Two years later, the requirements are bearing down on us. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. In other words, (for most of us) starting with our calendar year 2023 audits.

Audit risk assessment has long been a bane to the small practitioner, especially those whose practice consists primarily of perhaps smaller, less complicated audits. Some practitioners expressed concern that the standard contained concepts challenging to grasp and apply. Some felt that the cost of complying with the standard far outweighed the benefits. Others saw a formal risk assessment as beneficial to more complicated audits but only busywork for the less complex audits where risks were apparent going in. These negative views toward a standard-based risk assessment led to bastardizations of the process, such as:

  • The assigning of the risk assessment to newly minted staff accountants who had limited (or no) knowledge of the industry, the client, and risk assessment in general,
  • Doing the audit in reverse by diving head-first into substantive testing. Only at the tail-end of the audit would attention be given to a form-driven risk assessment limited by the diminishing remaining time allocated to fieldwork,
  • Performing the risk assessment without modifying the standardized audit program to address the significant risk identified. In other words, just going through the motions,
  • Rolling forward the prior year’s risk assessment with limited client inquiries, insufficient professional skepticism, and substandard documentation.

What Has SAS 145 Done For Us?

No Exemptions for Less Complex Audits. The standard does not exempt less complex audits from the risk assessment standard. To do so would be degrading to professional audits under generally accepted auditing standards. Risk must always be identified and addressed for an audit to be efficient and meaningful. However, it does incorporate scalability options into the standard.

Scalability – One Size Does Not Fit All. The standard provides guidance on the concept of scalability. It clarifies that the application of the standard can be designed to fit less complicated companies. In other words, auditor judgment should be used to match the standard’s requirements to the company’s complexity. The work can be scaled down and simplified to fit less complex entities. One size does not fit all. Accordingly, scalability, when understood in large part, addresses concerns expressed by auditors of less complicated entities.

Additionally, scalability is described in great detail in the AICPA’s Audit and Accounting Guide Risk Assessment in a Financial Statement Audit, updated to January 2023, to conform to SAS 145. It has numerous examples (“Scalability Scenario”) that explore the risk assessment requirements of SAS 145 to fit a less complex audit. It compares this to what would be done on a more complex audit. It is suggested that observation and inspection may often be used to obtain audit evidence to conform to the standard’s requirements for less complicated audits.

So, there is hope. The audit risk assessment is critical, but it is not intended to eat our lunch.

It is important to remember that size alone does not equal complexity. A company can be huge, yet due to the nature of its industry and limited use of advanced technology, not be considered complex. Therefore, audit risk assessment procedures can be scaled down. On the other hand, a small company in specific industries can be very complex. It may have several revenue streams and rely heavily on complex information technology. Accordingly, the risk assessment approach would be more demanding.

Getting Things in the Right Order

Understanding the reasons and necessity for a robust audit risk assessment (scalable when appropriate) places the audit procedures in the proper order. And here they are:

  1. Plan the audit. Planning includes several procedures, including preliminary analytics, brainstorming, establishing planning materiality, and risk assessment procedures.
  2. Tailor the audit program to address the identified risks.
  3. Perform substantive procedures to obtain audit evidence that reduces those risks to an acceptable level.
  4. Issue an appropriate report consistent with the audit evidence obtained.

Some Other New Requirements

SAS 145, in addition to new guidance on scalability, also provides the following new requirements:

  • Separately assess inherent risk and control risk for each relevant assertion
  • A requirement to assess control risk at maximum if controls are not to be tested for operating effectiveness
  • A requirement that if the control risk (CR)is set at the maximum level (high), then the risk assessment for risk of a material misstatement (RMM) must be the same as the risk assessment for inherent risk (IR).

    For example, if control risk is assessed as “high” and inherent risk is assessed as “low,” then the RMM must also be assessed as “low” – the same as inherent risk.

  • A “stand-back” requirement
  • A revised definition of significant risk and how to identify and assess such risks.
  • A requirement to evaluate the design and implementation of general IT controls.

Peer Review Focus

Undoubtedly, risk assessment will continue to be a peer review focus in 2024 and beyond. Risk assessment has been a challenging audit area and a continuing focus of the AICPA initiative to improve audit quality.

The New Quality Management Standards

Posted on by dsp64

Did I Hear Someone Say Risk Assessment?

In 2022, the AICPA issued four new quality management standards, as follows:

  • Statement on Quality Management Standards (SQMS) No. 1 – A Firm’s System of Quality Management;
  • SQMS No. 2 – Engagement Quality Reviews;
  • Statement on Auditing Standards (SAS) No. 146 – Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards; and
  • Statement on Standards for Accounting and Review Services (SSARS) No. 26 – Quality Management for an Engagement Conducted in Accordance With Statements for Accounting and Review Services.

Effective Dates. The quality management systems compliance with SQMS No. 1 must be designed and implemented by December 15, 2025. The quality management system evaluation required by paragraphs 54-55 of SQMS No. 1 must be performed within one year following December 15, 2025.

SQMS No. 2 is effective for audits or reviews of financial statements for periods beginning on or after December 15, 2025, and other engagements in the firm’s accounting and auditing practice beginning on or after December 15, 2025.

SAS No. 146 becomes effective for audits of financial statements for periods beginning on or after December 15, 2025.

SSARS No. 26 becomes effective for engagements performed for periods beginning on or after December 15, 2025.

Who Do the New Standards Affect? The new standards apply to every firm that does engagements under SASs, SSARSs, and SSAEs. It also applies to audit and attestation engagements performed under Government Auditing Standards. However, it does not apply to audits of government organizations.

SQMS No. 1 – A Firm’s System of Quality Management. SQMS 1 will supersede Statement on Quality Control Standards No. 8 (SQCS No. 8) on December 15, 2025.

SQMS No. 1 represents a significant change in how CPA firms manage quality. It will take considerable time and effort to implement fully. Thus, the reason for what may appear to be a long time-line before the effective date.

Under the current QAS system, CPA firms must have a quality control system in place, but there are no specific requirements for what the system must include or how it must be implemented. It is more principles-based. SQMS No. 1, on the other hand, sets out specific requirements for designing and implementing a quality management system. CPA firms must significantly change their quality control systems to comply with SQMS No. 1, and a word of caution – it may take more time than you may think.

As stated in SQMS No. 1: “(t)he objective of the firm is to design, implement, and operate a system of quality management for engagements performed by the firm in its accounting and auditing practice that provides the firm with reasonable assurance that

a. the firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements and conduct engagements in accordance with such standards and requirements, and
b. engagement reports issued by the firm are appropriate in the circumstances.”

To give you an idea of the approach taken in SQMS No. 1, here are some of the changes and approaches:

  • SQMS No.1 will address eight components of quality instead of the current six areas under SQCS No. 8. Those eight areas are:
    1. The firm’s risk assessment process (Surprise! New area),
    2. Governance and leadership,
    3. Relevant ethical requirements,
    4. Acceptance and continuance of client relationships and specific engagements,
    5. Engagement performance,
    6. Resources,
    7. Information and communication (new area),
    8. The monitoring and remediation process.

  • The new risk-based approach (sound familiar?) requires:
    1. That quality objectives be established,
    2. Quality risks are identified and assessed to design and implement appropriate responses.

    Fortunately, the risk-based approach is scalable based on the design and formality of the system.

  • As stated in SQMS No. 1, the new information and communication component requires:
    1. An information system that “identifies, captures, processes, and maintains relevant and reliable information that supports the system of quality management, whether from internal or external sources.”
    2. The firm culture values the exchange of information with the firm and one another,
    3. “Relevant and reliable information is exchanged throughout the firm and with engagement teams…”
    4. “Relevant and reliable information is communicated to external parties…”

  • The system of quality management must be evaluated annually, even during the peer review year. So gone will be the days of assessing the system two out of three years.

SQMS No. 2 – Engagement Quality Reviews. This standard discusses the appointment and eligibility of the engagement quality reviewer (EQR) and the EQR’s responsibilities.

An engagement quality review is necessary under the standard when it is required by law or regulation and when the firm determines it is an appropriate response to one or more quality risks identified in the risk assessment. Additionally, an engagement quality review is scalable based on the nature and circumstances of the engagement or the entity.

As in the current standard, the EQR cannot be an engagement team member.

Stay tuned. There is more coming on this topic.

ASC Topic 326 – Current Expected Credit Losses

Posted on by dsp64

Give Credit Where Credit is Due

For the non-public, non-financial sector, it took a while for the new standard on credit losses to get here. But it’s here now and breathing down our necks with a vengeance. CECL (pronounced cecil) was issued by the FASB in 2016. For the non-financial sector, it’s somewhat of a wolf in sheep’s clothing. Not that it was intended to be that way, but it just is. So beware. It’s a peer review “gotcha” event. As the song says, “Things ain’t what they used to be.” This article will address some CECL issues in a question-and-answer format.

  1. When was CECL’s (ASC 326) effective for non-public companies?

    ASC 326 was effective for all non-public companies for fiscal years beginning after December 15, 2022, including interim periods within those fiscal years. So, in other words, it is effective for calendar year 2023 financial statements, including interim financial statements that begin in 2023.

    The interim financial statement’s effective date for non-public companies is a change from the customary practice of the FASB. Usually, for private companies, new standards are effective for interim financial statements the year after it is effective for the annual financial statements. When the original pronouncement was issued in 2016, that’s how it was – the interim financial statement’s effective date was a year later. However, this decision was later reversed by the FASB in an ASU released in 2018. This change may have flown under the radar screen for many busy accountants.

  2. To whom does CECL apply?

    While the standard was primarily directed to financial institutions like banks and credit unions, it also applies to non-financial institutions. That includes construction companies, manufacturing companies, and non-profit entities, to name a few. However, as discussed in the next question, the standard does scope out specific areas.

  3. So, what is CECL, and which financial assets does it apply to?

    CECL stands for “current expected credit losses” related to financial instruments. The key phrase is “current expected.” The standard intends to inform the financial statement user what credit losses (bad debts) the company currently (upfront) expects to incur on its financial assets over the contractual life of those assets (the future). Generally, the standard applies to financial assets carried at amortized cost and includes:

    • Cash equivalents
    • Trade receivable
    • Contract assets (such as underbillings and retainage receivables)
    • Loans receivable/Notes receivable
    • Loans to officers and employees
    • Investment in debt securities held-to-maturity
    • A lessor’s receivables from sales-type or direct financing leases

    Notably, the following financial assets are not within the scope of CECL:

    • Receivables between entities under common control (see following two paragraphs)
    • Equity securities
    • Loans made to participants by defined contribution employee benefit plans
    • Pledge receivables of a not-for-profit organization
    • Lessor receivables from operating leases
    • Other financial assets measured at fair value through net income
    • Securities available-for-sale (though ASC 326-30 did make targeted changes to this area related to CECL)

    The AICPA’s Center for Plain English Accounting report for August 16, 2023, observed that “(T)he scope exception in FASB ASC 326-20-15-3f is for loans and receivables between “entities” under common control and makes no mention of “individuals.” Therefore, it is not clear based on the omissions in the plain language whether individuals (natural persons) such as a controlling shareholder are within the scope exception for CECL in FASB ASC 326-20-15-3f.”

    However, the article further states: “FASB staff has indicated that the scope exception for entities under common control also applies to natural persons (i.e., controlling shareholder) within a common control group. We should note that the scope exception for common control entities would NOT extend to an (sic) loan to an unrelated officer of one of the entities who did not hold a controlling financial interest.”

  4. What is the difference between the legacy standard and ASC 326?

    The former standard used an “incurred loss” methodology to recognize credit losses if it was deemed probable to be uncollectible. While probable is not defined, many practitioners consider probable equal to or greater than a 75% threshold. The collection loss had to be incurred and probable under the previous standard to be recognized.

    The new accounting standard’s model is designed to be forward-looking and considers the entire contractual life of a financial instrument. Moreover, it significantly reduces the threshold for recognizing credit losses. Under ASC 326, a credit loss can be recognized on financial assets, such as a class of trade receivables, at the asset’s inception, even if the likelihood of a loss is considered remote. CECL mandates that management consider expected credit losses throughout the entire life of a group of financial assets, regardless of the absence of any current signs of trouble. Accordingly, under CECL, losses are expected to be recognized sooner than losses were under legacy GAAP.

    Key takeaway: The loss recognition is forward-looking over the contractual life of the financial instrument, recognized at the asset’s inception, and the loss recognition threshold is considerably lower than previous GAAP.

  5. Does ASC 326 specify a particular way to estimate current expected credit losses?

    No. The standard is principle-based. The particular methodology used to arrive at the expected loss at the origination or acquisition date of the financial instrument is management’s decision. In a broad sense, the standard requires that the company base its estimate on:

    • Relevant information about past events, such as historical loss experiences,
    • Current conditions,
    • Reasonable and supportable forecasts.
    • For periods when the company cannot obtain supportable forecasts for expected credit losses, it may revert to historical loss information.

    ASC 326-20-30-7 states, in part, that “(A)n entity shall consider relevant qualitative and quantitative factors that relate to the environment in which the entity operates and are specific to the borrower(s).”

    Additionally, as stated in the AICPA’s Center for Plain English Accounting report, same date given above, “…CECL requires measurement of the expected credit loss even if that risk of loss is remote, regardless of the method applied to estimate the credit losses.”

  6. Can an entity ever have an expected credit loss of zero?

    It’s possible. But in most cases, it’s unlikely or even rare. The standard permits a zero credit loss in narrow situations where the expectation of not being paid is zero, even if a technical default were to occur. An example would be U.S. treasury securities guaranteed by the good faith and credit of the U.S. government, which can also print currency to retire the debt.

  7. Does ASC 326 require additional disclosure?

    As you probably expect, the answer is yes.

    On the balance sheet, there is a requirement to separately present the allowance for credit losses for financial assets measured at amortized cost, such as trade receivables, contract assets, and loans receivable. Also, investments in available-for-sale debt securities carried at fair value must present both amortized cost and allowance for credit losses parenthetically on the balance sheet.

    There are many required disclosures to achieve the stated objectives of ASC 326. For example, ASC 326 requires a roll-forward of the allowance for credit loss accounts. We suggest having your disclosure checklist for non-public companies readily available for reference as you draft the disclosures for financial instruments.

In summary, ASC 326, the credit loss standard, has a broad scope encompassing financial institutions and non-financial companies, including entities like construction firms. It applies to a wide array of financial assets measured at amortized cost, including items like trade receivables and contract assets. Notably, the threshold for recognizing credit losses has shifted from probable to remote, and this new standard mandates a forward-looking estimation of credit losses. It’s important to note that the new standard does not apply to specific financial instruments that are excluded, such as receivables between entities under common control or between companies and majority owners who are natural persons, in my opinion. Additionally, recognition is only required for amounts and disclosures considered material.

AIs Impact on the Accounting Industry

Posted on by dsp64

Brace for Impact

Tech entrepreneur Mark Cuban stated in recent years that artificial intelligence (AI) will dominate the landscape of the business world, so much so that entire industries could be relegated to near obsolescence.

One such industry he mentioned happens to be near and dear to our hearts: the 7,000-year-old accounting industry. After taking a few deep pulls from my handy hyperventilation bag, it got me thinking: is that truly possible? Far be it from me to spit in the face of the “experts,” but the accounting industry as a viable employment option will most decidedly not be disappearing any time soon. Will AI change our industry? Undoubtedly, and with great benefit to us and our clients, assuming we allow it.

AI has already entered our space in numerous manifestations, freeing up accountants at all levels to engage clients better and offer the expert advice we are hired to dispense. Here are some ways the accounting industry has benefitted and will continue to benefit from AI:

Easy access to financial information – most, if not all, accounting systems now have the ability to integrate data from various financial institutions and products, both historical and real-time. This allows for up-to-the-minute reporting, benefiting management and internal/external accounting staff in decision-making and forecasting. As Matt Bontrager, founder of Bookkeeping Blueprint writes in Entrepreneur, “…analyzing historical data, industry benchmarks and market trends, AI-powered systems can offer tailored recommendations and insights based on a business’s specific goals and objectives.”

Security – you know those texts you get from your bank when there is “suspicious activity?” That’s AI working for you. Our systems now have the tools to analyze patterns and red-flag irregularities. Incorporating AI systems into accounting software has dramatically enhanced fraud detection at the personal and business level, giving accountants another tool to protect the integrity of their financial information. Rather than going line-by-line through a general ledger and losing our minds in the process, we can utilize the tools AI provides to seek out oddities that may save a company some severe distress.

Improved audit efficiency – looking at the first two items above, it’s not a long leap to see that AI also benefits the auditing side of the accounting industry. Being able to set parameters and quickly search through a data set for anomalies has reduced time spent on various audit procedures compared to audits of years past. Similarly, having access to real-time client financial data allows for more efficient procedures around subsequent events (e.g., disbursements and receipts subsequent to year-end). In an article for becker.com, Jim Eicher noted, “As a result of big data and streamlined auditing, accountants are able to execute predictive and prescriptive financial analytics for their clients, which can make their clients’ financial processes more efficient, accurate and profitable. Centralized access to vast amounts of data previously dispersed across individual spreadsheets, PCs, mainframes and servers will promote faster, more efficient client audits.”

This small sample of how AI can assist accountants in their roles should inject at least a small dose of confidence in the sustainability of the accounting industry. AI should not be considered a monster coming to destroy our livelihoods; it should be viewed as a tool to make ourselves more valuable to our clients than we ever have. It’s already dramatically impacted our daily routines, even going unnoticed as we weave through newly implemented software or hidden in an update.

Accountants, however, can’t just sit back and let AI do all the work. We will need to study and understand the assistance it can provide. Resources abound related to AI. Whether taking one of the many AI-related CPE courses available or simply researching and garnering the knowledge on your own, it behooves accountants long-term to dive into this new world headfirst and learn how to harness its power.

Before long, if not already, the client will expect their accountant to offer advice and guidance related to AI tools that can benefit their business. Advancements in AI will most certainly lead to the more mundane and monotonous bookkeeping tasks being automated. As a result, greater opportunities will open for those in the industry to develop their soft skills developing strategies and truly advise their clients.

Cuban’s prediction of AI dramatically changing the business world’s landscape appears very much on point. However, where this takes respective industries remains to be seen. History has proven time and again that the future is nothing if not unpredictable, and only that change will be a constant. How this all plays out long-term will be determined later. Still, with some willingness to adapt and learn the capabilities AI offers our industry, we can continue to help our clients and ourselves sustain continued success for the foreseeable future.

ASC 606-Revenue Recognition-Uninstalled Materials

Posted on by dsp64

Living in a Material World

We’ve worked with the revenue recognition standard under ASC 606, Revenue from Contracts with Customers, for a few years now. How’s it going? Pretty good? Well, now may be an excellent time to reexamine a somewhat dubious but significant area of the standard.

This article will examine revenue recognition for materials cost related to a construction contract. Specifically, we will discuss critical factors that impact how a contractor who uses the cost-to-cost input method recognizes revenue associated with uninstalled materials.

The FASB has an underlying concern that cost-to-cost revenue recognition could result in an overstatement of revenue. ASC 606-10-55-21 points out a potential shortcoming of the cost-to-cost method input method. There may not be a direct relationship between the cost charged to the contract (the input) and the transfer of control of goods or services to the customer, resulting in an overstatement of revenue. For example, significant uninstalled materials charged to job cost may not be indicative of progress toward project completion and thus result in an overstatement of revenue.

It’s a Matter of Control. ASC 606-10-25-23 states that entities (contractors) recognize revenue as it satisfies performance obligations by transferring a promised good or service (i.e., an asset) to the customer. It further states that assets are transferred when (or as) the customer obtains control of the asset.

Under ASC 606, depending on when control of the materials passes to the customer, uninstalled materials are accounted for and presented in one of three ways:

  1. When Control has not Passed. Generic uninstalled materials, even those transferred or delivered directly to the job site, for which control has not been transferred to the customer, should be accounted for as inventory on the contractor’s balance sheet in accordance with ASC 330. Contract revenue (including profit) and cost are not recognized if control has not passed to the customer.
  2. When Control has Transferred, but Materials Not Installed. When control of the uninstalled materials (located in the contractor’s shop or at the job site) has passed to the customer, but the materials remain uninstalled, the contractor may recognize contract revenue, but only to the extent of the cost of the materials. No profit can be recognized before installation. ASC 606-10-55-21suggests that such an adjustment to the cost-to-cost input method may be required in the following circumstance:
    • When a cost incurred is not proportionate to the entity’s progress in satisfying the performance obligation. In those circumstances, the best depiction of the entity’s performance may be to adjust the input method to recognize revenue only to the extent of that cost incurred. For example, a faithful depiction of an entity’s performance might be to recognize revenue at an amount equal to the cost of a good used to satisfy a performance obligation if the entity expects at contract inception that all of the following conditions would be met:
      1. The good is not distinct.
      2. The customer is expected to obtain control of the good significantly before receiving the services related to the good.
      3. The cost of the transferred good is significant relative to the total expected costs to completely satisfy the performance obligation.
      4. The entity procures the good from a third party and is not significantly involved in designing and manufacturing the good.

    An excellent example of how to account for uninstalled materials when control of the materials has passed to the contract owner is found at Example 19- ASC 606-10-55-187 through 192.

  3. Control has Transferred, and Materials are Installed. The contractor may include the cost of the materials in the input method and fully recognize the cost and revenue, including profit.

Transfer of Control. ASC 606-10-25-25 states that:

(c)ontrol of an asset refers to the ability to direct the use of, and obtain substantially all of the remaining benefits from, the asset.

When, exactly, does control of materials transfer to the customer? Unfortunately, there is no simple answer. Like many things in life, the answer is maybe yes, maybe no, it ain’t necessarily so.

In short, control of the materials transfers to the customer when ownership transfers to the customer. And in our federalistic system, property ownership laws vary from state to state. It varies and is, therefore, complicated. Depending on the jurisdiction, ownership of the materials may transfer upon delivery to the job site; the transfer may be upon billing the materials, or the ownership transfer may be upon collection of the billing. And lien laws come into play that may determine the point when material ownership transfers from the contractor to the customer. The contract itself may stipulate when the transfer of ownership happens. Sorry, there is no boilerplate black-letter answer. Nevertheless, to properly recognize and account for revenue, it is essential to understand at what point ownership of the materials passes to the customer.

Because of this complexity, you should only travel this path when required. That is when doing so is necessary because it significantly affects revenue measurement which may not be indicative of progress toward project completion.

What About Material Designed and Manufactured by the Contractor?

Such materials should be charged directly to contract costs, and revenue (including all profit) should be recognized using standard cost-to-cost percentage of completion computations.

What About General Contractors or Prime Contractors?

Even general or prime contractors may find they are not exempt from the rules related to uninstalled materials. If the general or prime contractor has subcontractors with significant uninstalled materials whose costs are then billed to the general or prime contractor, those pay items may have to be excluded from their percentage of completion calculation in the manner discussed above.

Show Buttons
Hide Buttons