A Solid Foundation: Auditing Construction Contractors

A Solid Foundation: Auditing Construction Contractors
By Melissa Hoffmann Lajara
Posted on 8/28/08

NEW YORK -- It’s been a year since eight statements on auditing standards—together known as the “risk assessment standards”—changed how auditors audit.

The AICPA’s Auditing Standards Board adopted its Statements on Auditing Standards Nos. 104–111 in 2006 to “emphasize the importance of returning to the basics of good auditing procedure” -- also putting a number of new responsibilities on the shoulders of auditors.

In addition to codification of standard procedures, the regulations required that auditors gain a deeper understanding of the entity and its environment, perform a more rigorous assessment of the risk of material misstatement and link audit procedures to the risk of material misstatement.

One major challenge, according to Construction Contractors Committee Chair Stephen J. Mannhaupt, was gaining an understanding of what those changes meant in the step-by-step audit process.

“There was definitely a learning curve,” he said.

At the Construction Contractors Accounting, Consulting and Taxation Conference on Aug. 14 at the New York Helmsley Hotel in Manhattan, Mannhaupt detailed a few of the major changes for auditors of contractors.

“A ‘conversation audit’ is no longer sufficient,” he said. “[Auditors] are doing much more than we were doing in the past.”

In addition:

Planning meetings are now mandatory.
Documentation requirements have increased, and it must illustrate an auditor’s understanding of the entity being examined and its associated risks.
There is a focus on ensuring inclusion of all pertinent and material information.

But first, he said, it’s essential to understand the “true intent” of the standards.

“It wasn’t truly about going in and testing internal controls, but gaining a better understanding of those controls,” he said. “Each contractor is different.”

An auditor must demonstrate an “understanding of the entity, its risks and how you’re going to perform procedures to deal with these risks,” Mannhaupt said. “A lot of the time, work is being done but not documented and linked to risk assessment.”

The Audit

An audit is not a test of the contractor’s internal controls, but rather a test to see “if these controls are really in place and working,” Mannhaupt said.

In order to ascertain that, he said, an auditor must do a “walk-through” in which certain information is gathered: Who prepared reports? Who reviewed them? Who ultimately signs off? How exactly are transactions recorded? An auditor should also have conversations with project managers and other important individuals.

Of course, many contractors are small, “mom-and-pop-type” operations, Mannhaupt said, “with one bookkeeper and the owner approving all information.”

An auditor, he said, may believe such a situation would mean there are no internal controls in place.

But that’s not true, having the owner’s signature on every transaction “is a control in itself,” said Mannhaupt.

A revision of the traditional auditing approach for contractors is also necessary, he said, as many auditors are conditioned to use “high risk” as a default position.

“Moving from this approach to the new risk-based approach represented a huge cultural shift for some, especially as it related to documenting and testing internal control,” Mannhaupt said.

“In the past you would come into an audit, beat up the balance sheet … assess risk as maximum and jump into procedures,” he said. But the risk assessment standards now prohibit an auditor to default to a maximum level of control risk.

Inherent Risk

In deciding how to approach an audit, Mannhaupt said an auditor should consider the “inherent risk” imbued in a business aspect or transaction.

“For example,” he told the attendees, “I have a cup made of glass that I’m going to leave on the table. There’s a good chance it’s going to fall. That’s risky.” But what if he hired a team to surround the table and keep an eye on the glass to ensure it doesn’t fall?

“Inherently, it’s still risky,” he said, “but I have controls.” And using a plastic cup rather than a glass would further reduce that inherent risk.

An auditor, “needs to specifically state the inherent risk is low, Mannhaupt said. “Linking it all together and saying why we did it is the most important thing here.”

Time is Money

Another major challenge may also be the most obvious: the need for managers to spend more time reinforcing internal controls and preparing for an audit.

“It really required a lot more time from that partner-level individual to have planning meetings and disseminate information to staff,” Mannhaupt said. “Administratively, the risk assessment standards took more out of the firm than what was anticipated.”

Increased audit fees also have taken a toll on clients, Mannhaupt said.

Clients should take several steps prior to the audit, he said, including:

a reassessment of the internal control environment and documentation of key process and control points within those processes;
time for key accounting personnel to be available to answer the auditor’s questions; and
the preparation of any additional documentation requested by the auditor.

As far as the auditors are concerned, Mannhaupt said that, in addition to the extra time each client requires, time for training is also necessary. He recommended a “firm-wide approach,” gaining knowledge from one engagement to another.

Society member Marilyn J. Shapiro, who for eight years has been a member of the internal audit department at New York Presbyterian Hospital, encouraged fellow auditors in the room to learn the new approach.

“It will increase your enjoyment of auditing to know clients on a more important, valuable level,” she said. “This is the way to go.”

Other Conference Highlights

The conference covered all aspects of construction contracting accounting, from taxes and insurance, to software and banking.

A federal tax update for construction industry CPAs was provided by Anthony F. Dannible, a member of the Society’s Closely Held and S Corporations Committee, and a state-level tax update was offered by Mark S. Klein of Hodgson Russ.

Insurance -- specifically worker’s compensation -- was discussed by Bonnie Brook, president of Stephenson & Brook Worker’s Compensation Risk Management Company.

Stephen H. Berardi, vice chair of the Society’s Construction Contractors Committee, gave a presentation highlighting the industry’s unique characteristics, including the tendency of contracting businesses to be family-owned or small businesses, rather than chains or corporations. He also gave a detailed discussion of contracts. Accounting software was reviewed by Robert J. Murray, president of GCM Systems, and the day’s events ended with a session on banking concerns given by Michael Gallina of Northeast Community Bank.

Melissa Hoffmann Lajara, Associate Editor, can be reached at mlajara@nysscpa.org.