QUESTIONS AND ANSWERS ABOUT
THE AICPA PEER REVIEW PROGRAM
February 2024
i
Browse by Section
• Peer Review Enrollment Requirements
• General Information
• Information for Firms Enrolled in the AICPA Peer Review Program
• Choosing a Peer Reviewer (Review Team)
• Preparing for the Review
• Having the Review
• Types of Reports
• Peer Review Committee Consideration and Acceptance
• Implementation Plans and Corrective Actions
• Cooperation with the AICPA Peer Review Program
• Firms That Perform Examinations of Service Organizations
• Interested in Becoming a Peer Reviewer
Table of Contents
INTRODUCTION 1
PEER REVIEW ENROLLMENT REQUIREMENTS 1
What is the AICPA’s practice monitoring requirement? 1
Does my firm have to enroll in a peer review program if it does not have an accounting and
auditing practice? 2
Does my firm have to enroll in a peer review program if the only engagements it performs are
engagements to prepare financial statements under AR-C section 70? 3
Do individuals who are practicing outside of the U.S. have to enroll in a peer review program?
3
Who administers a CPA firm’s peer review? 3
When should my firm enroll in the AICPA Peer Review Program? 4
How can my firm enroll in the AICPA Peer Review Program? 4
Once enrolled, when should my firm expect to have its first peer review? 4
Can my firm change its peer review year-end? 5
GENERAL INFORMATION 5
What are the types of peer reviews? 5
What is a System Review? 5
What is an Engagement Review? 6
How can I find out more about the peer review process? 6
Will information obtained and reported about my peer review be confidential? 6
ii
What is Facilitated State Board Access (FSBA) and how might it affect access to information
about my firm’s peer review? 7
INFORMATION FOR FIRMS ENROLLED IN THE AICPA PEER REVIEW PROGRAM 8
How do I schedule my peer review? 8
Can I have an Engagement Review if my firm has only one audit? 8
What happens when there is a change in my firm’s practice regarding the types of
engagements performed? 9
What is the impact on my firm’s peer review when my firm completes its first audit
engagement after the completion of my Engagement Review? 9
How much will my peer review cost? 10
How can I reduce the costs of my peer review? 10
Can my review be performed somewhere besides my firm’s office? 11
Is my firm required to have a quality control document? 11
Is my firm required to provide copies of individual or firm licenses or registrations to the peer
reviewer? 11
What is a written representation letter? 12
If my firm will undergo a change in firm structure due to a firm name change, dissolution,
merger or purchase/sale, who do I notify about this change and how does it affect my peer
review? 13
What if my firm has received communications relating to allegations or investigations in the
conduct of accounting, auditing or attestation engagements from regulatory, monitoring or
enforcement bodies? 13
How do I determine whether my firm is part of a network? 14
CHOOSING A PEER REVIEWER (REVIEW TEAM) 14
How are review teams assembled to conduct my peer review? 14
What questions should I ask when selecting a reviewer to perform my firm’s review? 15
When should I reach out to potential reviewers to schedule my peer review? 16
How can I find a list of firms interested in performing peer reviews? 17
Who is responsible for making sure the review team is qualified to perform my firm’s peer
review? 17
PREPARING FOR THE REVIEW 18
How should I prepare for my review? 18
When should my firm’s peer review be finished? 18
What if my firm cannot finish its review by the due date? 18
What if my firm’s peer review documents are not submitted to the administering entity by the
due date? 19
What period should my firm’s peer review cover? 19
What if my client does not want their financial information reviewed by the peer reviewer? 20
iii
What is a scope limitation? 20
If my firm is enrolled in the AICPA Peer Review Program, are engagements of employee
benefit plans subject to peer review? 21
When should I contact my System Review team captain and what will he or she want from
me? 22
How should my firm prepare for a subsequent peer review? 23
HAVING THE REVIEW 23
How are engagements selected for a System Review? 23
How are engagements selected for an Engagement Review? 24
TYPES OF REPORTS 25
What types of peer review reports are issued on System Reviews? 25
What types of peer review reports are issued on Engagement Reviews? 26
My firm received an FFC for pervasive issues with complying with the risk assessment
standards (AU-C 315 and 330) on my last peer review. Can I expect similar treatment on my
current peer review? 26
PEER REVIEW COMMITTEE CONSIDERATION AND ACCEPTANCE 27
When are the results of my peer review communicated to me? 27
Who is responsible for submitting review documents to the administering entity? 28
What happens if deficiencies are found by my peer reviewer? 28
What if I don’t agree with the peer reviewer’s conclusions? 28
Can my peer review acceptance letter be withheld until peer review administrative fees are
paid? 29
When are the results of my peer review available for publication? 30
How can I obtain a copy of my firm’s latest peer review report? 30
When is my peer review complete? 30
When would further action(s) be required? 30
What could cause my peer review report to be recalled and what are my responsibilities after
it has been recalled? 30
What happens if it is discovered that a firm that has historically signed “no A&A” affirmations
has been performing engagements subject to peer review? 31
What happens if after my firm’s review is accepted, it is discovered that my firm failed to
include all engagements in its engagement listing provided to the reviewer? 32
What is an implementation plan? 33
What is a corrective action? 33
IMPLEMENTATION PLANS AND CORRECTIVE ACTIONS 34
What happens if I don’t complete the implementation plan? 34
What happens if I don’t complete the corrective action(s)? 34
iv
Can my firm receive both a corrective action and an implementation plan related to the same
peer review? 35
What are some suggested actions that may be required related to a pass with deficiency(ies)
or fail peer review report? 35
What are allowable plans that may be required related to a Finding for Further Consideration?
35
How do the corrective action and implementation plan affect my ability to publicize the results
of my peer review? 35
Should my firm expect an implementation plan for every FFC? 35
Allowable Implementation Plans: System Reviews (PRC 420 Exhibit C) 36
Suggested Corrective Actions: System Reviews (PRC 420 Exhibit D) 37
Allowable Implementation Plans: Engagement Reviews (PRC 420 Exhibit A) 38
Suggested Corrective Actions: Engagement Reviews (PRC 420 Exhibit B) 38
COOPERATION WITH THE AICPA PEER REVIEW PROGRAM 39
What if my firm chooses not to cooperate with the AICPA Peer Review Program? 39
Under what circumstances may a firm’s enrollment be dropped? 39
Under what circumstances may a firm’s enrollment be terminated? 40
Can my firm resign from the AICPA Peer Review Program at any time? 41
If my firm is terminated from the AICPA Peer Review Program, how does the firm get
reenrolled? 41
FIRMS THAT PERFORM EXAMINATIONS 42
OF SERVICE ORGANIZATIONS 42
What are the characteristics of SOC for Service Organizations engagements? 43
I’m having difficulty finding a review team member with appropriate SOC experience. What
are my options? 44
INTERESTED IN BECOMING A PEER REVIEWER 45
What are the benefits of being a peer reviewer? 45
What are the qualifications necessary to become a reviewer? 45
How do I become a peer reviewer? 46
Where can I find more information regarding the training requirements for peer reviewers? 46
APPENDIX A 47
System Review or Engagement Review Determination 47
APPENDIX B 48
Reviewer Qualifications 48
Team Captain or Review Captain 49
Other Peer Reviewer or Reviewing Firm Qualification Considerations 50
APPENDIX C 51
1
QUESTIONS & ANSWERS ABOUT
THE AICPA PEER REVIEW PROGRAM
INTRODUCTION
This question and answer document provides information about the AICPA Peer Review
Program. Included within this document are peer review questions commonly asked by
firms undergoing peer reviews. It will assist those firms to understand requirements
related to peer review and provide other general information and resources about peer
review.
In addition to this document and the resources mentioned, firms can access the peer
review training or the resources web page for additional courses and materials that can
better assist them with preparing for their peer reviews and understanding the peer review
program and process.
Clarified Peer Review Standards (the Standards) can be accessed through Clarified Peer
Review Standards.
Access free Practice Aids Establishing and Maintaining a System of Quality Control for a
CPA Firm’s Accounting and Auditing Practice: aicpa.org/qc4me
Access information regarding the quality management standards as well as news and
resources related to those standards:
aicpa-cima.com/topic/audit-assurance/quality-management
PRIMA
This document contains many references to the Peer Review Integrated Management
Application (PRIMA) system and parts of the peer review process that need to be
completed in PRIMA. PRIMA Help contains an extensive catalog of instructional videos
and articles that describe how to complete these processes within PRIMA. PRIMA Help
can be accessed by clicking on the question mark image in the upper right corner of the
PRIMA Home Page.
Contact us if you have questions about the peer review program!
Back to top
PEER REVIEW ENROLLMENT REQUIREMENTS
What is the AICPA’s practice monitoring requirement?
In order to be admitted or to retain their membership in the AICPA, members of the AICPA
who are engaged in the practice of public accounting in the United States or its territories
are required to be practicing as partners or employees of firms enrolled in an Institute
approved practice monitoring program or, if practicing in firms not eligible to enroll, are
themselves enrolled in such a program:
2
• If the services performed by such a firm or individual are within the scope of the
AICPA’s practice monitoring Standards and
• The firm or individual issues reports purporting to be in accordance with AICPA
professional standards.
Depending on how a CPA firm is legally organized, its partner(s) could have other names,
such as shareholder, member or proprietor.
A member can meet the requirement if his or her firm is enrolled in the AICPA Peer
Review Program (Program).
Firms are required to have their review administered by the National Peer Review
Committee (NPRC) if they meet any of the following criteria:
a. The firm performed or played a substantial role in (as used by the Public Company
Accounting Oversight Board (PCAOB)) an engagement under PCAOB standards
with a period-end during the peer review year.
b. The firm is a provider of quality control materials (QCM) (or affiliated with a provider
of QCM) that are used by firms that it peer reviews.
Firms that are not required to have their review administered by the NPRC may choose
to do so. However, such firms are subject to the NPRC’s administrative fee structure and
should familiarize themselves with that structure prior to making such a decision.
Back to top
Does my firm have to enroll in a peer review program if it does not have an
accounting and auditing practice?
If a firm does not perform services that include issuing reports purporting to be in
accordance with AICPA professional standards, it is not required to enroll in a practice
monitoring program. Firms should consult with their State Board of Accountancy (SBOA)
to determine if the SBOA rules require enrollment in a practice monitoring program even
if your firm does not perform services that include issuing reports.
For purposes of the AICPA Standards for Performing and Reporting on Peer Reviews
(Standards), an accounting and auditing practice is defined as all of a CPA firm’s
engagements performed under the Statements on Auditing Standards (SASs),
Statements on Standards for Accounting and Review Services (SSARSs)*, Statements
on Standards for Attestation Engagements (SSAEs), Government Auditing Standards
(the Yellow Book) issued by the U.S. Government Accountability Office (GAO) and
engagements under PCAOB standards. Engagements covered in the scope of the
Program are those included in the firm’s accounting and auditing practice that are not
subject to PCAOB permanent inspection.
* SSARSs that provide an exemption from those standards in certain situations are excluded from
the definition of an accounting and auditing practice for peer review purposes.
3
Back to top
Does my firm have to enroll in a peer review program if the only engagements it
performs are engagements to prepare financial statements under AR-C section
70?
For purposes of complying with AICPA membership requirements, a firm that only
performs engagements to prepare financial statements under AR-C section 70 is not
required to enroll in a peer review program. For firms already enrolled in the Program,
engagements to prepare financial statements would fall within the scope of peer review.
Independent of AICPA requirements, please note that some SBOAs require firms that
only perform these engagements to enroll in peer review as a licensing requirement. You
should check with the SBOA(s) where you perform such engagements to determine
whether you need to enroll in peer review.
Back to top
Do individuals who are practicing outside of the U.S. have to enroll in a peer
review program?
Individuals practicing in firms outside of the United States or its territories are exempt from
the AICPA practice monitoring program requirement until they return to the United States
or its territories. Please check with your SBOA or other regulatory peer review
requirements as some may require you to have a peer review in this circumstance.
Back to top
Who administers a CPA firm’s peer review?
The Program is administered in cooperation with a state CPA society, group of state CPA
societies and the AICPA Peer Review Board’s (PRB’s) NPRC that elect to participate as
administering entities (AEs). When a CPA firm is enrolled in the Program, its peer review
will be administered by the AE in the state in which the CPA firm’s main office is located
(or, if that state CPA society has elected not to participate, by another AE) or the NPRC.
The PRB approves all AEs.
Firms are required to have their review administered by the NPRC if they meet any of the
following criteria:
a. The firm performed or played a substantial role in (as used by the PCAOB) an
engagement under PCAOB standards with a period-end during the peer review
year.
b. The firm is a provider of QCM (or affiliated with a provider of QCM) that are used
by firms that it peer reviews.
Back to top
4
When should my firm enroll in the AICPA Peer Review Program?
When an individual becomes an AICPA member, and the services provided by his or her
firm (or individual) fall within the scope of the AICPA’s practice monitoring standards, and
the firm (or individual) issues reports purporting to be in accordance with AICPA
Professional Standards, the firm should enroll in the Program by the report date of the
initial engagement.
Back to top
How can my firm enroll in the AICPA Peer Review Program?
A firm should log in to PRIMA and submit its enrollment information. For information on
how to log in to PRIMA, see Getting Started in PRIMA on aicpa.org. By enrolling, a firm
agrees to have a peer review of its accounting and auditing practice once every three
years subsequent to its initial peer review. A firm’s initial review is ordinarily due 18
months from the date it enrolled (or should have enrolled) in the Program. A firm seeking
to enroll in the Program should be in compliance with the Council resolution concerning
form of organization (see AICPA, Professional Standards, ET Appendix B).
Back to top
Once enrolled, when should my firm expect to have its first peer review?
A firm's due date for its initial peer review is ordinarily 18 months from the date it enrolled
in the Program, or should have enrolled, whichever date is earlier.
A firm's subsequent peer review ordinarily has a due date of three years and six months
from the year-end of the previous review. Firms should also check with their SBOA for
any peer review requirements.
In determining the appropriate due date, the firm’s AE will consider the firm’s (or
individual’s) practice, the year-ends of their engagements, the report dates of their
engagements, when the engagements were performed and the number and type of
engagements to be encompassed in the review.
If a firm resigns from the Program and subsequently performs an engagement that
requires a peer review within three years and six months of its prior peer review year-end,
the firm should reenroll in the Program. The due date for the firm’s current review is the
later of the due date originally assigned or 90 days after reenrolling.
If a firm resigns from the Program and subsequently performs an engagement that
requires peer review after its next due date has passed, the firm’s current peer review is
due 18 months from the year-end of the engagement (for financial forecasts, projections,
and agreed upon procedures 18 months from the date of report).
Back to top
5
Can my firm change its peer review year-end?
A firm is expected to maintain the same year-end on subsequent peer reviews.
Circumstances may arise that may cause a firm to want to change its year-end. For
instance, the nature of the firm’s practice may change, or the firm may reevaluate their
current year-end and determine that a different year-end is more practical. In such
situations, a firm may change its year-end only with prior, written approval of the AE.
Back to top
GENERAL INFORMATION
What are the types of peer reviews?
There are two types of peer reviews - System and Engagement. System Reviews focus
on a firm’s system of quality control, and Engagement Reviews focus on work performed
on selected engagements.
Refer to Appendix A for a chart that illustrates which types of engagements require a firm
to have a System Review instead of an Engagement Review.
Back to top
What is a System Review?
A System Review is designed to provide a peer reviewer with a reasonable basis for
expressing an opinion on whether, during the year under review:
a. The reviewed firm’s system of quality control for its accounting and auditing
practice has been designed in accordance with quality control standards
established by the AICPA and
b. The reviewed firm’s quality control policies and procedures were being complied
with to provide the firm with reasonable assurance of performing and reporting in
conformity with applicable professional standards in all material respects.
This type of review is for firms that perform engagements in accordance with the
Statements on Auditing Standards (SASs,) the Government Auditing Standards (Yellow
Book), examinations under the Statements on Standards for Attestation Engagements
(SSAEs) or audit and examination engagements under the PCAOB standards.
Example procedures in a System Review include, but are not limited to:
• interviewing firm personnel,
• examining CPE records,
• examining outside consultations regarding A&A matters,
• examining independence representations and
• testing a reasonable cross-section of the firm’s engagements with a focus on high-
6
risk engagements and significant risk areas.
The scope of the peer review does not encompass other segments of a CPA practice,
such as tax services or management advisory services, except to the extent they are
associated with financial statements, such as reviews of tax provisions and accruals
contained in financial statements.
Back to top
What is an Engagement Review?
The objective of an Engagement Review is to evaluate whether engagements submitted
for review are performed and reported on in conformity with applicable professional
standards in all material respects.
Enrolled firms are eligible to have Engagement Reviews under the following
circumstances:
• The highest level of service does not require a System Review
• Performed under the SSARSs/SSAEs or is another attestation engagement under
PCAOB standards
An Engagement Review consists of reading the financial statements or information
submitted by the reviewed firm and the accountant’s report thereon, together with the
applicable documentation required by professional standards.
An Engagement Review does not provide the review captain with a basis for expressing
any form of assurance on the firm’s system of quality control for its accounting practice.
However, firms eligible for an Engagement Review may elect to have a System Review.
Back to top
How can I find out more about the peer review process?
The AICPA Peer Review web site contains links to resources for peer reviewers, CPA
firms and the public.
In addition, several sections of the AICPA Peer Review Program Manual are available
online at no charge.
Refer to Appendix C for links to available resources.
Back to top
Will information obtained and reported about my peer review be confidential?
A peer review should be conducted in compliance with the confidentiality requirements
set forth in the AICPA Code of Professional Conduct. Information concerning the
reviewed firm or any of its clients or personnel that is obtained as a consequence of the
review is confidential. Peer reviewers may not disclose such information to anyone who
7
is not involved in performing the review or administering the Program or use such
information in any way not related to meeting the objectives of the Program. Also, no
reviewer(s) will have contact with clients of your firm.
The Standards provide for the following information to be disclosed about a firm’s peer
review:
a. The firm’s name and address,
b. The firm’s enrollment in the Program,
c. The date of acceptance and the period covered by the firm’s most recently
accepted peer review and
d. If applicable, whether the firm’s enrollment in the Program has been dropped or
terminated.
Neither the AE nor the AICPA shall make the results of the review available to the public,
except as authorized or permitted by the firm under the following conditions:
• A firm may be a voluntary member of one of the AICPA’s audit quality centers or
sections that has a membership requirement such that certain peer review
documents be open to public inspection.
• A firm may elect not to opt out of the program’s process for voluntary disclosure of
peer review results to SBOAs where the firm’s main office is located.
• A firm may voluntarily instruct their AE to make the peer review results or other
relevant peer review information available to certain other SBOAs.
In such cases, the reviewed firm can allow its peer review results or certain peer review
documents to be made available to the public or to specific entities, such as a SBOA.
In certain instances, these documents may be found in the AICPA’s Public File, which
also contains peer review documents of firms that are PCPS members or those that
voluntarily request to have their peer review documents publicly available.
Back to top
What is Facilitated State Board Access (FSBA) and how might it affect access to
information about my firm’s peer review?
FSBA is a process the AICPA created to help keep up with the evolving changes in the
business and regulatory environments and to address the demand for greater peer review
transparency. This process is intended to create a nationally uniform system through
which CPA firms can satisfy state board or licensing body peer review information
submission requirements, increase transparency and retain control over their peer review
results. The AICPA and CPA state societies are working together to allow this process to
become the primary means by which all SBOAs obtain peer review results. Over time,
this process will help to make submission of your firm’s peer review information easier.
Depending on your state’s requirements, laws and regulations, your firm may have the
option to opt out of this process. Contact your AE for information regarding FSBA
requirements and the submission process for your SBOA.
8
Back to top
INFORMATION FOR FIRMS ENROLLED IN THE AICPA PEER REVIEW PROGRAM
How do I schedule my peer review?
If your firm enrolls in peer review and indicates that it performs services and issues reports
that are within the scope of the AICPA’s practice monitoring program, the firm’s peer
review contact will be notified of the firm’s due date for its peer review.
This notification will occur approximately seven months prior to your review’s due date.
At that time, each firm will be asked to complete its peer review information and
scheduling forms within PRIMA. These forms ask for certain background information of
the firm, such as, but not limited to:
1. Whether the firm has an accounting, auditing or attestation practice as defined in
the Standards,
2. The areas in which the firm practices and any industries in which over 10 percent
of the firm's auditing practice hours are concentrated,
3. Whether the firm performs any audits through a joint venture or partnership
arrangement,
4. The anticipated timing of the review and
5. The team captain/review captain selected to perform the review, if your firm
chooses to select its own review team formed by qualifying firms.
The firm will be asked to provide this information in PRIMA.
During the scheduling process, the team captain will be asked to provide information
regarding the rest of the review team, if applicable. This information should be provided
as soon as reasonably possible, to ensure that the chosen reviewers are qualified and
are approved by the AE so that the scheduling process can be completed. If modifications
to the review team are necessary, they should be communicated to the AE as soon as
they are known.
Back to top
Can I have an Engagement Review if my firm has only one audit?
No. You must have a System Review even if your firm only performs one audit. The
purpose of an audit is to give assurance to third parties. Because of that third-party
reliance, state regulators allow these services to be performed by CPAs only. As such,
the profession has a responsibility to ensure that a CPA firm that performs even one audit
has an adequate system of quality control over its accounting and auditing practice. Such
assurance can only be obtained by reviewing the system of quality control, your firm’s
compliance with that system and by reviewing engagement working papers along with
the report and financial statements. Refer to Appendix A for a chart that illustrates the
engagements that require firms to have a System Review instead of an Engagement
9
Review. Performance of even one of these services would subject your firm to the
applicable type of peer review.
Back to top
What happens when there is a change in my firm’s practice regarding the types of
engagements performed?
You should update the firm’s enrollment information within PRIMA so that the appropriate
type (System or Engagement Review) and the timing of your next peer review can be
determined. See GENERAL INFORMATION for the types of engagements or services
applicable to System or Engagement Reviews. If your firm has been engaged to perform
one or more audit engagements or other engagements that might prompt a System
Review, you should include the number of engagements it has been engaged to perform.
If your firm ceases to perform audit engagements, you should also update the firm’s
enrollment within PRIMA.
Back to top
What is the impact on my firm’s peer review when my firm completes its first
audit engagement after the completion of my Engagement Review?
When a firm, subsequent to the year-end of its Engagement Review, performs an
engagement that would have required the firm to have a System Review, the firm should
(a) immediately notify the AE by updating its enrollment information within PRIMA and (b)
undergo a System Review. Refer to Appendix A for a chart that illustrates which
engagements require firms to have a System Review instead of an Engagement Review.
Performance of even one of these services would subject your firm to the applicable type
of peer review. In this situation, the System Review will ordinarily be due 18 months from
the year-end of the engagement (for financial forecasts, projections and agreed upon
procedures 18 months from the date of report) requiring a System Review or by the firm’s
next scheduled due date, whichever is earlier. However, the AE will consider the firm’s
practice, the year-ends of engagements and when the procedures were performed, and
the number of engagements to be encompassed in the review, as well its judgment, to
determine the appropriate year-end and due date. Firms that fail to immediately inform
the AE of the performance of such an engagement will be required to participate in a
System Review with a peer review year-end that covers the engagement. A firm’s
subsequent peer review ordinarily will be due three years and six months from this peer
review year-end.
The firm should consult with its AE or AICPA staff in the following situation to determine
if the firm will be required to undergo a System Review:
• If the firm is scheduled for an Engagement Review that has not yet commenced
and will issue a report that will make the firm subject to a System Review
Back to top
10
How much will my peer review cost?
The direct cost of a System Review will vary depending on firm size/region, number of
engagements/partners/offices and nature of your firm’s accounting and auditing practice.
Firms with audits in various specialized, complex or high-risk industries, such as banking,
governmental and employee benefit plans will normally pay more than a firm with the
same number of audits that are all in one industry or in lower risk areas. There may be
other factors that influence the cost of a System Review including the design of and
compliance with the firm’s quality control system.
There are also the indirect costs of getting ready for a review that vary based on the
condition of your firm’s existing system of quality control. Many firms are concerned about
these non-chargeable hours. However, if the system of quality control is suitable for your
firm’s practice, the preparation cost should be minimal. If, on the other hand, your firm
finds the opposite is true, it should consider the time well spent since making needed
changes should result in your firm providing better services to its clients, and, in most
cases, providing those services more efficiently.
The estimated cost of an Engagement Review will vary based on the size of the practice
and the number of owners responsible for the issuance of review, compilation and
attestation engagement reports as well as preparation engagements.
The cost also varies based on the type of peer review and peer review team selected to
perform the review. In addition to the review costs that will be incurred every three years,
firms may also pay an annual administrative fee to the AE to cover the costs of running
the program and, in some states, in the review year, fees for scheduling the review and
evaluating the results of the review. For additional cost information, contact your AE.
Finally, firms that are enrolled in the Program and perform engagements requiring the
firm to undergo a System Review are required to pay a national peer review administrative
fee to the AICPA for each year in which they perform such engagements. The fee varies
based on the number of CPAs employed by a firm and will be used to support the
Program’s new and ongoing initiatives to drive audit quality.
Back to top
How can I reduce the costs of my peer review?
The best way to reduce costs is to provide complete, accurate information to the
reviewer(s) early enough, such as 30 to 40 days before the review is set to begin, so it
can be completed by the review due date. Firms that are committed to establishing,
maintaining and improving the quality of their accounting and audit practice tend to have
more efficient peer reviews. Prepare for the review early by making sure everyone in your
firm understands the importance of performing engagements in accordance with
professional standards, and properly documenting engagement planning issues, key
procedures and conclusions. If procedures are properly documented and effectively
organized, it will improve the reviewer’s ability to evaluate what was done without waiting
for engagement staff to recall what they did from memory and should result in less time
to complete the review. In addition, a properly designed environment of quality control
11
and adherence thereto also results in less time devoted to discussing and responding to
matters, findings and deficiencies.
Back to top
Can my review be performed somewhere besides my firm’s office?
There is no requirement for the peer review to be performed at your firm’s office. The peer
reviewer may perform the System or Engagement review remotely.
Back to top
Is my firm required to have a quality control document?
In accordance with Statements on Quality Control Standards (SQCS) No. 8, A Firm’s
System of Quality Control, all firms are required to document their policies and procedures
related to their system of quality control for their accounting and auditing practice. The
extent of the documentation will depend on the size, structure and nature of the firm’s
practice. Documentation may be as simple as a checklist of the firm’s policies and
procedures or as extensive as practice manuals.
The quality control document that is in effect during the peer review year should be
provided to the peer review team.
When establishing and maintaining its system of quality control, sole practitioners and
small to medium-sized firms can also download the practice aids: aicpa.org/qc4me.
Back to top
Is my firm required to provide copies of individual or firm licenses or
registrations to the peer reviewer?
Yes. As a part of a System or Engagement Review, reviewers will make inquiries of your
firm to determine if your firm and its personnel are appropriately licensed as required by
the SBOAs in the state(s) in which your firm and its personnel practice. Your firm should
also submit written representations from the firm’s management indicating compliance
with such required rules and regulations. If your firm is aware of any situation whereby
you are not in compliance with the rules and regulations of the SBOAs or other regulatory
bodies, they should tailor the representation letter to provide information on the areas of
noncompliance.
To support these responses and representations, a reviewer is required to verify:
• The practice unit license (firm license) in the state in which the practice unit is
domiciled (main office is located)
• Individual (personnel) licenses in the state in which the individual primarily
practices public accounting
o For System Reviews, for a sample of appropriate personnel
12
o For Engagement Reviews, for appropriate personnel on engagements
selected
The reviewer will verify the license by requiring your firm to provide documentation from
the licensing authority that the license is appropriate and active during the peer review
year, and through the earlier of reviewed engagements’ issuance dates or the date of
peer review fieldwork. Acceptable documentation includes an original/copy of the license,
print-out from an online license verification system, correspondence from the licensing
authority or other reasonable alternative documentation. The reviewer’s judgment may
be needed to determine what alternative documentation is reasonable.
It is your firm’s responsibility to have understood and complied with its licensing
requirements. Therefore, you should be prepared to respond to the reviewer’s inquiries
and requests for documentation. This is also important for out-of-state firms and individual
licenses when licensing requirements may be more difficult to identify and understand.
When the reviewer deems it appropriate to test out-of-state licenses, your firm is expected
to provide documentation supporting its compliance with, or approach to, out-of-state
licensing requirements. AICPA online CPA mobility provisions may be used to assist the
reviewer in evaluating the firm’s approach to firm and individual out-of-state licensing.
Back to top
What is a written representation letter?
The team captain or review captain obtains written representations from management of
the reviewed firm to describe matters significant to the peer review in order to assist in
the planning and performance of and the reporting on the peer review.
The firm is required to make specific representations (see Exhibit A of PR-C
section 310 .16 and PR-C section 320 .16 ) ) but is not prohibited from making additional
representations. It also may tailor the representation letter as it deems appropriate, as
long as the minimum applicable representations are made to the team captain or review
captain.
The written representations should be addressed to the team captain or review captain
performing the review and be dated the same date as the peer review report which is
usually the date of the exit conference.
The written representations should be signed by individual members of management
whom the team captain, review captain or the AE believes are responsible for and
knowledgeable about, directly or through others in the firm, the matters covered in the
representations, the firm, and its system of quality control. Such members of management
normally include the managing partner and partner in charge of the firm’s system of quality
control.
The reviewing firm and the AE will retain the representation letter until your firm’s
subsequent peer review has been completed. Your firm will be required to submit the
representation letter from the prior review to your peer reviewer in the subsequent peer
13
review.
Additionally, with the firm’s explicit permission, a firm’s written representation letter may
be provided to the AICPA Professional Ethics Division, when there is evidence of an open
ethics investigation.
Back to top
If my firm will undergo a change in firm structure due to a firm name change,
dissolution, merger or purchase/sale, who do I notify about this change and how
does it affect my peer review?
Your firm should contact your AE immediately upon such change. The firm should obtain
a Firm Structure Change Form, complete the applicable section and return the form to
your AE. The AE will submit this form to the AICPA Peer Review Team once all pertinent
information has been received and the form is complete. AICPA staff will determine how
this change will affect your firm’s peer review based on the information provided on the
form and notify your firm of the status.
Back to top
What if my firm has received communications relating to allegations or
investigations in the conduct of accounting, auditing or attestation engagements
from regulatory, monitoring or enforcement bodies?
The reviewed firm should inform the reviewer of communications or summary of
communications from regulatory, monitoring or enforcement bodies relating to allegations
or investigations of deficiencies in the conduct of an accounting, audit or attestation
engagement performed and reported on by the firm, whether the matter relates to the firm
or its personnel, within the three years preceding the firm’s current peer review year-end
and through the date of the exit conference. The information should be in sufficient detail
to consider its effect on the scope of the peer review. In addition, the firm should be able
to submit the actual documentation to the reviewer in those circumstances that the
reviewer deems appropriate. The reviewed firm is not required to submit confidential
documents to the reviewer but should be able to discuss the relevant matters and answer
the reviewer’s questions.
AICPA Peer Review Staff are frequently copied on communications relating to allegations
or investigations from regulatory bodies, such as the Department of Labor or Federal or
State Inspector General’s Offices, sent to or by the AICPA Professional Ethics Division.
Staff will provide copies of these communications to a firm’s peer reviewer if the firm
named in the referral is currently undergoing a peer review. Additionally, a copy will be
provided to a firm’s managing partner and peer review contact. Recipients of required
corrective action letters from the AICPA Professional Ethics Division will be required to
submit evidence that the letter was provided to their firm’s managing partner.
It is also expected that the reviewer and the firm will discuss notifications of restrictions
or limitations on the firm’s or its personnel’s ability to practice public accounting by
14
regulatory, monitoring or enforcement bodies within three years preceding the current
peer review year-end.
The reviewed firm should tailor its representation letter to the team/review captain to
reflect these situations as it deems appropriate.
The peer reviewer and reviewing firm should also notify the relevant AE of any of these
communications relating to allegations or investigations from regulatory, monitoring or
enforcement bodies in the conduct of accounting, audit or attestation engagements
performed by the reviewer. The notifications should occur prior to the peer reviewer or
reviewing firm’s being engaged to perform a peer review, or immediately (if after
engaged). The objective of the reviewer or reviewing firm informing the relevant AE or
AICPA technical staff (as applicable) of such allegations or investigations, limitations or
restrictions, or both, is to enhance the program’s oversight process, which includes
ensuring that peer reviewers and reviewing firms are appropriately qualified to perform
reviews.
Back to top
How do I determine whether my firm is part of a network?
Refer to the Frequently Asked Questions and Sample Case Studies for Implementing
Network Firm Guidance which was developed by the AICPA Professional Ethics group or
contact them directly at [email protected].
Back to top
CHOOSING A PEER REVIEWER (REVIEW TEAM)
How are review teams assembled to conduct my peer review?
The team or review captain will assemble a review team of one or more individuals
depending on the size and nature of your firm’s practice and other factors. The captain
will ensure that all team members possess the necessary qualifications and
competencies to perform assigned responsibilities and that team members are
adequately supervised. All members of the review team will be approved by the AE prior
to the commencement of the peer review.
You may choose the type of review team you would like to conduct your firm’s peer
review.
For any type of review, you have at least two options:
• Firm-On-Firm Review
You hire another qualified CPA firm to conduct the review. This option gives you a
degree of personal assurance that the reviewer’s qualifications fit your firm’s needs.
It also gives you more control over the cost of the review.
15
• Association Review
You ask the association to which your firm belongs to assist in forming a review team.
That association must be authorized by the PRB to assist in the formation of such
review teams.
For Engagement Reviews, besides the two options listed above, there is a third option:
• Committee-Appointed Review Team (CART) Review
For Engagement Reviews in certain states, you may ask the AE to assemble the
review team. Once a team is selected, the AE prepares an engagement letter that
includes an estimate of the number of hours it will take to perform the review and the
reviewer’s billing rates. Billing rates are set by the AE, not by the reviewer. You are
not required to accept reviewers that your AE selects. This option is not available from
all AEs.
Before agreeing to perform a peer review, a reviewer should do the following:
a. Obtain and consider information about the firm to be reviewed, including size,
nature of practice, industry specializations, and levels of service.
b. Assess the reviewer’s own capability and availability to perform the peer review.
c. Consider the review due date to account for adequate time to assess appropriate
responses.
d. Consider the need for additional reviewers with appropriate levels of expertise and
experience to perform the review.
e. Consider the need for individuals with expertise in specialized areas to assist in a
consulting capacity.
Reviewers should not have contact with any client of the reviewed firm in connection with
the peer review without prior approval of the firm and client.
Back to top
What questions should I ask when selecting a reviewer to perform my firm’s
review?
A firm should perform due diligence procedures when selecting and assessing its peer
reviewer, much like the procedures performed when hiring and periodically evaluating a
new employee.
A firm should hire a reviewer who possesses:
• Skills in accounting, auditing and quality control matters,
• Experience in peer reviews,
• Knowledge of the peer review program, and
• A strong belief in improving firm quality.
Examples of questions you should ask when selecting a reviewer include, but are not
limited to:
16
1. How many reviews has the reviewer performed?
2. How much experience does the reviewer have in the industries in which my firm
performs?
3. Will the reviewer be able to complete the review on time, allowing me enough
time to submit any necessary documentation to the AE by my firm's review due
date?
4. Does the reviewer have any references? Can we contact those references and
ask whether they would recommend the reviewer and why?
5. Are there any other value-added services that the reviewer can provide me
during the peer review?
6. What type of Government and/or ERISA audits does the reviewer perform (if
applicable)?
7. Does the reviewer meet all of the qualifications to be a peer reviewer (during the
time of scheduling and expected performance of the review)? See below and
Appendix B regarding training and reviewer qualifications.
8. Has the ability to be a reviewer been limited or restricted or has the reviewer
received notifications of limitations/restrictions on their ability to practice public
accounting by regulatory, monitoring or enforcement bodies?
9. Has the reviewer ever served on a Peer Review Committee or been a RAB
member?
10. Has the reviewer ever attended the annual Peer Review Conference? If so, what
was the last year attended?
11. Has the reviewer ever been oversighted? If so, what were the results?
12. Is the reviewer a member of the GAQC (Governmental Audit Quality Center), the
EBPAQC (Employee Benefit Audit Quality Center), the PCPS (Private
Companies Practice Section), or the CPEA (Center for Plain English
Accounting)?
If you are a member of the Governmental Audit Quality Center and/or the Employee
Benefit Plan Audit Quality Center, keep in mind the membership requirement to have a
quality center member review the GAO, and/or ERISA engagement(s).
For more information and questions, see Questions to Consider when Vetting Prospective
Reviewers.
The suspension, restriction or otherwise disqualification of a reviewer is not a valid reason
for request of an extension of due date by a reviewed firm. In some circumstances in
which the peer review has to be re-performed by another reviewer, the associated cost
may be the responsibility of the reviewed firm. It is the reviewer’s responsibility to
accurately determine and represent its capabilities and qualifications to perform the peer
review. The AICPA’s Guide to Selecting a Quality Peer Reviewer will assist your firm in
understanding the importance of having a quality peer review, hiring a quality peer
reviewer and evaluating peer reviewer qualifications.
When should I reach out to potential reviewers to schedule my peer review?
As a good practice, your firm should begin to reach out to potential reviewers either before
or at your peer review year-end date, as this will provide your firm and your reviewer
17
adequate time to plan for the peer review. Ordinarily, a peer review is performed within
three to five months following the peer review year-end, but schedules can fill up quickly
so it recommended to reach out sooner rather than later. As a reminder, the below
timeline gives an example of the various steps in the peer review process and is taken
from PR-C Section 100 paragraph A39.
Back to top
How can I find a list of firms interested in performing peer reviews?
The AE may be able to supply you with a list of firms in a geographic area that you specify
that are interested in performing reviews of other firms. The AICPA also maintains a
reviewer search feature on the Program website that you can use to search for reviewers
by state, industry or size of firm.
Back to top
Who is responsible for making sure the review team is qualified to perform my
firm’s peer review?
You should determine if the team captain or review captain has the experience needed
to perform your firm’s peer review. A reviewer/review team not only has to have
experience in the right industries but must also have the right amount and type of
experience. Additionally, all members of the review team have to be approved by the AE
prior to the commencement of the review. In addition, the AE has the authority to
determine whether a reviewer/review team’s experience is sufficient to perform a
particular review. See Appendix B for additional information on reviewer qualification.
If you are a member of the Governmental Audit Quality Center or the Employee Benefit
Plan Audit Quality Center, keep in mind the membership requirement to have a quality
center member review the GAS, and/or ERISA engagement(s).
If a firm chooses to hire its peer reviewer to perform services outside of the scope of peer
review but related to the firm’s accounting and auditing practice, the firm should consider
whether the arrangement would violate independence and objectivity requirements which
18
might prohibit the reviewer from performing the firm’s next peer review.
Back to top
PREPARING FOR THE REVIEW
How should I prepare for my review?
In accordance with Statements on Quality Control Standards (SQCS) No. 8, A Firm’s
System of Quality Control, all firms must establish and maintain appropriate quality control
policies and procedures and comply with those policies and procedures to ensure the
quality of the services they provide to the public. Several publications are available from
the AICPA such as the Standards, the AICPA Peer Review Program Manual, and the
Practice Aids for Establishing and Maintaining a System of Quality Control for a Firm's
Accounting and Auditing Practice.
Back to top
When should my firm’s peer review be finished?
Your firm’s peer review should be finished by its due date. The firm’s due date is reflected:
• On the letter acknowledging your firm’s original enrollment in the Program, or
• In the committee acceptance letter related to your firm’s last peer review.
The due date is the date by which peer review documents, including the report and if
applicable, the letter of response, should be submitted to the AE. To make sure your peer
review is completed on time, you should start the review soon after your firm’s peer review
year-end. You should plan ahead so that the review takes place at a convenient time for
your firm and to allow your reviewer time to properly plan and schedule your review. For
example, if you have a heavy tax practice and your review due date falls between January
and April, you should plan to start the review in September or October to make sure the
review is completed before your busy season begins.
Back to top
What if my firm cannot finish its review by the due date?
If your firm cannot complete its review by the due date, please request an extension in
PRIMA before the due date. Extensions requested after your review’s due date will likely
not be granted. If possible, extensions should be requested at least 60 days before the
due date. However, it is plausible that extensions may be needed due to unforeseen
circumstances within 60 days of the due date. Your explanation to the AE should explain
why your firm cannot complete its review on time and offer an alternative due date for the
review. The AE considers extension requests on a case-by-case basis. Extensions are
not granted simply because a firm believes it needs more time to prepare for the review.
Extensions of a review date by more than three months are rare.
19
In certain circumstances extension requests for due dates may be granted by the AEs,
however, the extensions may not be recognized by your state board of accountancy or
other regulators. Government Auditing Standards require a firm to have an external
quality control review every three years. This three-year period begins with the date your
firm starts fieldwork on its first engagement under GAO Standards. Subsequent reviews
under GAO Standards should be completed within three years after the issuance of the
prior peer review report. If your firm performs governmental audits, don’t forget to take
these requirements and potential changes into account when you request an extension
of your firm’s due date. The GAO and SBOAs are not required to recognize extensions
granted by the AICPA.
Back to top
What if my firm’s peer review documents are not submitted to the administering
entity by the due date?
If the peer review is not completed or documents are not submitted to the AE by the firm’s
due date (including any approved extensions), the firm will receive notifications about the
overdue documents. If the overdue documents are not received after a specified time, the
AE may recommend to the PRB that a hearing be held to determine whether a firm should
be terminated from the Program for failure to cooperate with the AE. If the firm has
cooperated in the completion of the peer review, and the delay is caused by the reviewer,
the firm should communicate this matter to the AE so that appropriate actions can be
taken with regard to the reviewer.
Back to top
What period should my firm’s peer review cover?
The peer review covers a one-year period mutually agreed upon by you and the reviewer
and normally should not change from review to review. Engagements selected for review
in a System Review would generally be those with periods ending during the year under
review, except financial forecasts or projections and agreed upon procedures. Financial
forecasts and/or projections and agreed upon procedures with report dates during the
year under review would be subject to selection. If the current years’ selected
engagement is not completed and a comparable engagement within the peer review year
is not available, the prior years’ engagement will likely be reviewed. If the subsequent
years’ engagement has been completed, the peer review team will consider, based on its
assessment of peer review risk, whether the more recently completed engagement
should be reviewed instead.
The criteria for selecting the peer review year-end and the period to be covered by
Engagement Reviews are the same as those for a System Review.
It is generally anticipated that a firm will keep the same peer review year-end from review
to review. If the prior peer review year-end was not the most convenient for firm personnel
or the most natural year-end for your firm’s practice, send a request to your AE (via
PRIMA) that you be allowed a permanent change to a year-end that is more natural for
20
your firm. Your submission should describe the reasons for your request.
Back to top
What if my client does not want their financial information reviewed by the peer
reviewer?
Firms may have legitimate reasons for excluding an engagement from the scope of peer
reviewers. The following explanations are reasonable for excluding an engagement from
selection in the peer review (this is not intended to be an all-inclusive list):
1. The engagement is subject to litigation.
2. The client will not permit the firm to make the engagement available.
In these situations, the reviewed firm should submit a written statement to the AE prior to
commencement of the review, indicating a) it plans to exclude an engagement(s) from
the peer review selection process, b) the reasons for the exclusion and c) it is requesting
a waiver from a scope limitation in the peer review report. The AE must decide if the
reviewed firms request to exclude an engagement is reasonable and whether the firm
should receive an exemption from the scope limitation.
The PRB has agreed that the following explanations are unacceptable reasons for
excluding an engagement from selection in the peer review (this is not intended to be an
all-inclusive list):
1. The engagement working papers are in a warehouse.
2. The firm no longer performs the audit for that client (and still has access to the
documentation).
3. The firm decided to no longer perform audits.
4. The engagement was selected during the last peer review.
5. The partner on that engagement will not be available when the review is
scheduled.
6. The firm no longer performs engagements in that industry.
If the AE concludes that there is not a legitimate reason for the requested exclusion and
the firm continues to insist on the exclusion, it should be evaluated whether this is a matter
of noncooperation.
Back to top
What is a scope limitation?
There is a presumption that all engagements and other supporting documentation (for
example, CPE records) subject to peer review will be included in the scope of the review.
In rare situations a reviewed firm may have legitimate reasons for excluding certain
engagements or other supporting documentation, for example when an engagement or
an employee’s personnel records are subject to pending litigation.
In these situations, an AE may conclude that scope has been limited due to circumstances
21
beyond the firm’s control and the review team cannot accomplish the objectives of those
procedures through alternate procedures, thus precluding the application of one or more
peer review procedure(s) considered necessary in the circumstances. For example,
ordinarily, the team would be unable to apply alternate procedures if:
• the firm’s only engagement in an industry that must be selected is unavailable for
review and there isn’t an earlier issued engagement that may be able to replace it,
• a significant portion of the firm’s accounting and auditing practice during the year
reviewed had been divested before the review began.
In these circumstances, the team captain or review captain should consider issuing a
report with a peer review rating of pass (with a scope limitation), pass with deficiency (with
a scope limitation), or fail (with a scope limitation), as applicable.
The existence of a scope limitation in and of itself does not result in a report with a peer
review rating of pass with deficiencies or fail; it is in addition to the grade that was
determined to be issued (which is why it is possible to have a report with a grade of pass
(with a scope limitation).
The following explanations are examples of unacceptable reasons for excluding an
engagement from selection in the peer review:
1. The engagement working papers are in a warehouse.
2. The firm no longer performs the audit for that client (but still has access to the
documentation).
3. The firm decided to no longer perform audits.
4. The engagement was selected during the last peer review.
5. The partner on that engagement will not be available when the review is
scheduled.
6. The firm no longer performs engagements in that industry.
If the AE concludes that there is not a legitimate reason for the requested exclusion and
the firm continues to insist on the exclusion, it should be evaluated whether this is a matter
of noncooperation.
Back to top
If my firm is enrolled in the AICPA Peer Review Program, are engagements of
employee benefit plans subject to peer review?
Yes. The Employment Retirement Income Security Act of 1974 contains a requirement
for annual audits of employee benefit plan financial statements by an independent
qualified public accountant. These audits produce reports from the auditor that include
either an opinion in accordance with the auditor’s findings or a statement that an opinion
cannot be expressed. These audited financial statements and auditor’s reports are often
incorporated in a filing with the Department of Labor (DOL) along with the Form 5500
annual report. When included in a filing with the DOL, the auditor’s report is required to
be prepared in accordance with auditing standards generally accepted in the United
States and to reference such standards. As these engagements would be performed
under the Statement on Auditing Standards (SASs), these engagements would be subject
22
to peer review and would require the firm to undergo a system review.
If a firm has historically undergone engagement reviews and decides to perform an audit
of employee benefit plan financial statements subject to DOL filing requirements, the firm
should immediately notify their AE and undergo a System Review. This System Review
would normally be due 18 months from the year-end of the engagement or by the firm’s
next scheduled due date, whichever is earlier. If a firm has never been peer reviewed and
decides to perform an audit of employee benefit plan financial statements (and is required
to be enrolled in the Program), the due date for this initial peer review is ordinarily 18
months from the date the firm enrolled in the Program, or should have enrolled, whichever
date is earlier.
Additionally, a firm may be deemed as failing to cooperate if they omit or misrepresent
information relating to its accounting and auditing practice as defined by the Standards.
If a firm is dropped or terminated for not accurately representing information relating to
its accounting and auditing practice as defined by the Standards, the matter will result in
referral to the AICPA Professional Ethics Division for investigation of a possible violation
of the AICPA Code of Professional Conduct.
Back to top
When should I contact my System Review team captain and what will he or she
want from me?
You should contact your team captain and begin planning the review together early
enough, at least six to nine months prior to the due date, to make sure all documents will
be submitted to the AE by your firm’s due date. Amongst other items, the team captain
will ask for the following items prior to the review:
• The firm’s comprehensive quality control document as required by SQCS No. 8.
• A list of accounting and auditing engagements for all engagements with periods
ending during the year under review (or report dates during the year under review
for financial forecasts and/or projections and agreed upon procedures) regardless
of whether the engagement reports are issued
• A description of the approach taken to ensure a complete and accurate
engagement listing.
• A list of the firm’s professional personnel showing name, position and years of
experience with the firm and in total.
• A copy of the firm’s documentation maintained since its last peer review to
demonstrate compliance with the monitoring element of quality control.
Based on this information, the team captain will make a preliminary selection of the offices
and engagements he or she intends to review. The initial selection of engagements to be
reviewed will be provided no earlier than three weeks before the commencement of the
peer review. This should provide ample time to enable the firm (or office) to assemble the
required client information and engagement documentation before the review team
commences the review. However, at least one engagement from the initial selection to
be reviewed will be provided to the firm once the review commences and not provided to
23
the firm in advance. This engagement should be the firm’s highest level of service and
will not increase the scope of the review.
All engagements with years ending during the peer review year (or report dates during
the year under review for financial forecasts and/or projections and agreed upon
procedures) that are performed and issued by the firm should be available to the team
captain at the start of fieldwork.
Back to top
How should my firm prepare for a subsequent peer review?
In preparing for its next review, your firm should:
• Read the report and any findings from your firm’s previous peer review. If
applicable, be certain that you have taken the proposed actions outlined in your
letter of response from the previous review.
• Perform and document ongoing monitoring procedures to make sure prior
deficiencies have been corrected.
• Review your quality control document making sure your documented policies and
procedures are appropriate based on the size, structure and nature of your firm.
Back to top
HAVING THE REVIEW
How are engagements selected for a System Review?
The Standards require engagements selected by the review team should provide a
reasonable cross section of the reviewed firm’s accounting and auditing practice, with
greater emphasis on those engagements in the practice with higher assessed levels of
peer review risk. Examples of the factors considered when assessing peer review risk at
the engagement level include size, industry area, level of service, personnel (including
turnover, use of merged-in personnel, or personnel not routinely assigned to accounting
and auditing engagements), communications from regulatory, monitoring, or enforcement
bodies; the results of reviews or inspections performed by regulatory or governmental
entities; extent of non-audit services to audit clients, significant clients’ fees to a practice
office(s) and a partner(s) and initial engagements.
In addition, at least one of each of the following types of engagement should be selected
for review:
• Engagements subject to Government Auditing Standards (GAS),
• Audits subject to the Employment Retirement Income Security Act (ERISA),
• Engagement subject to the Federal Deposit Insurance Corporation Improvement
Act (FDICIA) and
• Examinations of service organizations (SOC 1 or SOC 2 engagements).
24
If a firm performs the financial statement audit of one or more entities subject to GAS, at
least one such audit engagement should be selected for review. Additionally, if the firm
performs engagements of entities subject to the Single Audit Act, the reviewer must
evaluate a compliance audit.
Finally, while carrying and non-carrying broker-dealer engagements were scoped out of
peer reviews, the Securities Investor Protection Corporation (SIPC) agreed upon
procedures engagements will remain subject to peer review. Further, the only Broker
Dealers subject to peer review are CFTC-only registered. Due to the limited population
of these BDs, the PRB determined must-select designation for these engagements is not
necessary.
Back to top
How are engagements selected for an Engagement Review?
The review captain or the AE (in a CART review) will select the types of engagements to
be submitted for review in accordance with the following guidelines:
a. One engagement will be selected from each of the following areas of service
performed by the firm:
1. Review of financial statements (performed under SSARSs)
2. Compilation of financial statements, with disclosures (performed under
SSARSs)
3. Compilation of financial statements that omits substantially all disclosures
(performed under SSARSs)
4. Engagements performed under the SSAEs other than examinations
b. One engagement will be selected from each partner, or individual of the firm, if not
a partner, responsible for the issuance of reports listed in item (a).
c. Selection of preparation engagements will only be made in the following instances:
1. One preparation engagement with disclosures (performed under SSARSs)
should be selected when performed by an individual in the firm who does
not perform any engagements included in item (a) or when the firm’s only
engagements with disclosures are preparation engagements.
2. One preparation engagement that omits substantially all disclosures
(performed under SSARSs) should be selected when performed by an
individual within the firm who does not perform any engagements included
in item (a) or when the firms only omit disclosure engagements are
preparation engagements.
3. One preparation engagement should be selected if needed to meet the
requirement in item (d).
d. At least two engagements will be selected for review.
The preceding criteria are not mutually exclusive. One of every type of engagement that
25
a partner, or individual if not a partner, responsible for the issuance of the reports listed
in item (a) in the previous list performs does not have to be reviewed as long as, for the
firm taken as a whole, all types of engagements noted in item (a) in the previous list
performed by the firm are covered.
Back to top
TYPES OF REPORTS
What types of peer review reports are issued on System Reviews?
A team captain on a System Review can issue one of three types of opinions on the firm’s
system of quality control (system): Pass, Pass with Deficiencies or Fail.
Pass
A report with a peer review rating of pass is issued when the team captain concludes that
the firm’s system of quality control for the accounting and auditing practice has been
suitably designed and complied with to provide the firm reasonable assurance of
performing and reporting in conformity with applicable professional standards in all
material respects.
There are no deficiencies or significant deficiencies that affect the nature of the report. In
the event of a scope limitation, a report with a peer review rating of pass (with a scope
limitation) is issued.
Pass with Deficiencies
A report with a peer review rating of pass with deficiencies is issued when the team
captain concludes that the firm’s system of quality control for the accounting and auditing
practice has been suitably designed and complied with to provide the firm with reasonable
assurance of performing and reporting with applicable professional standards in all
material respects with the exception of a certain deficiency or deficiencies that are
described in the report. These deficiencies are conditions related to the firm’s design of
and compliance with its system of quality control that could create a situation in which the
firm would have less than reasonable assurance of performing and/or reporting in
conformity with applicable professional standards in one or more important respects due
to the nature, causes, pattern, or pervasiveness, including the relative importance of the
deficiencies to the quality control system taken as a whole.
In the event of a scope limitation, a report with a peer review rating of pass with
deficiencies (with a scope limitation) is issued.
Fail
A report with a peer review rating of fail is issued when the team captain has identified
significant deficiencies and concludes that the firm’s system of quality control is not
26
suitably designed to provide the firm with reasonable assurance of performing and
reporting in conformity with applicable professional standards in all material respects or
the firm has not complied with its system of quality control to provide the firm with
reasonable assurance of performing and reporting in conformity with applicable
professional standards in all material respects.
In the event of a scope limitation, a report with a peer review rating of fail (with a scope
limitation) is issued.
Back to top
What types of peer review reports are issued on Engagement Reviews?
A review captain on an Engagement Review can issue three types of peer review reports:
Pass, Pass with Deficiencies or Fail.
Pass
A report with a peer review rating of pass is issued when the review captain concludes
that nothing came to his or her attention that caused him or her to believe that the
engagements submitted for review were not performed and reported on in conformity with
applicable professional standards in all material respects. There are no deficiencies that
affect the nature of the report. In the event of a scope limitation, a report with a peer
review rating of pass (with a scope limitation) is issued.
Pass with Deficiencies
A report with a peer review rating of pass with deficiencies is issued when at least one
but not all of the engagements submitted for review contain a deficiency.
In the event of a scope limitation, a report with a peer review rating of pass with
deficiencies (with a scope limitation) is issued.
Fail
A report with a peer review rating of fail is issued when the review captain concludes that
the engagements submitted for review were not performed and/or reported on in
conformity with applicable professional standards in all material respects. A report with a
peer review rating of fail is issued when deficiencies are evident on all of the engagements
submitted for review.
In the event of a scope limitation, a report with a peer review rating of fail (with a scope
limitation) is issued.
Back to top
My firm received an FFC for pervasive issues with complying with the risk
assessment standards (AU-C 315 and 330) on my last peer review. Can I expect
27
similar treatment on my current peer review?
For peer reviews commencing after September 30, 2021, the guidance in the
Supplemental Guidance section of the old Peer Review Program Manual (PRP Section
3100) no longer applies and existing guidance in Section 210 of the clarified peer review
standards will be followed by your peer reviewer as it relates to the evaluation of
noncompliance with the risk assessment standards (AU-C section 315, Understanding
the Entity and Its Environment and Assessing the Risks of Material Misstatement, or 330,
Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit
Evidence Obtained).
The April 2022 Special Reviewer alert also provides additional guidance regarding
assessing noncompliance with the risk assessment standards.
Depending on the facts and circumstances of the peer review (such as the nature and
pervasiveness of any identified noncompliance), deficiencies or significant deficiencies
may be warranted when noncompliance with the risk assessment standards has been
identified. In short, these instances of noncompliance will be evaluated and assessed
similarly to any other identified instances of noncompliance identified during the peer
review.
Back to top
PEER REVIEW COMMITTEE CONSIDERATION AND ACCEPTANCE
When are the results of my peer review communicated to me?
The reviewer may have additional questions and communicate matters to the respective
engagement team or quality control partner throughout a System Review as situations
arise. This is to prevent any surprises at the end of the review. Expectations of such
communication should be established at the beginning of the peer review. For System
Reviews, the review team should communicate its conclusions at the closing meeting and
exit conference. A closing meeting is a meeting to discuss the preliminary results of the
peer review. The purpose of this meeting is to discuss matters, findings, deficiencies or
significant deficiencies with senior members of the firm and remind your firm of its
requirement to respond. This meeting will generally be held prior to the exit conference,
preferably at least 30 days prior to your firm’s review due date. The exit conference will
be held after your firm has responded to any matters, findings, deficiencies or significant
deficiencies and the team captain has assessed those responses. This applies to
Engagement Reviews as well. The closing meeting and exit conference may be combined
if, for example, there are no matters, findings or deficiencies to discuss or all matters have
been resolved, responded to and evaluated.
Although the reviewer may communicate these preliminary results during an exit
conference or closing meeting, the results are not considered final and should not be
published until the peer review is accepted by a report acceptance body of the applicable
AE.
28
Back to top
Who is responsible for submitting review documents to the administering entity?
The team captain or review captain is responsible for submitting the peer review
documentation and report to the AE within 30 days of the exit conference date or by the
firm’s peer review due date, whichever is earlier.
Back to top
What happens if deficiencies are found by my peer reviewer?
If deficiencies are found, your firm is expected to identify and take corrective measures
to prevent the same/similar types of deficiencies from occurring in the future. Such
measures could include making appropriate changes in your firm’s system of quality
control or having personnel take additional continuing professional education in specified
areas. These measures should be described in a letter, addressed to the AE’s peer review
committee, responding to the deficiencies or significant deficiencies identified in the
report. In reviewing your response to the deficiencies noted in the report, the peer review
committee will ask your firm to agree to certain other actions (referred to as “corrective
actions”) it deems appropriate in the circumstances, such as the submission of a
monitoring report, a revisit by the reviewer or joining an applicable audit quality center.
For any engagements associated with these deficiencies that are identified as not being
performed or reported on in conformity with applicable professional standards in all
material respects, your firm should take appropriate actions in accordance with the
relevant professional standards. The relevant professional standards in this case would
be AU-C section 560, Subsequent Events and Subsequently Discovered Facts, or the
relevant section of the SSARSs or SSAEs, as applicable, or, if the firm’s work does not
support the report issued, as addressed in AU-C section 585, Consideration of Omitted
Procedures After the Report Date (AICPA, Professional Standards). An AE’s committee
can require its reviewed firms to make appropriate considerations regarding
nonconforming engagements as a condition of acceptance of the peer review and will not
accept your peer review if the response is not deemed to be sufficient (genuine,
comprehensive and feasible). In addition, the AE’s committee can impose certain
monitoring actions, such as requiring a firm to agree to have someone acceptable to the
committee review the engagement remediation. Your firm’s letter of response should
indicate how the firm plans to remediate any nonconforming engagements, as applicable.
The main objective of a review, and these related corrective measures, is to help the firm
improve the quality of its practice.
Back to top
What if I don’t agree with the peer reviewer’s conclusions?
Because peer review is a subjective process, there may be differences of opinion
between you and the reviewer that are not resolved to your satisfaction. In such
29
circumstances, the reviewed firm or reviewer should consult with their AE and, if
necessary, request that a panel of the AE’s peer review committee members resolve the
disagreement. The panel must reach a decision to resolve the disagreement.
During the disagreement panel, the AE will give the disagreeing party an opportunity to
provide reasons for the disagreement in person before the panel, in a telephone
conference, or in writing. The peer review committee will form a panel of at least three
members of the committee to discuss the disagreement. After reviewing the supporting
documentation and each disagreeing party’s position, the panel will discuss the matter in
private. The decision of the panel is provided to all parties immediately following the
panel’s decision. A written communication of the panel’s decision is also sent within three
business days. Once the panel has reached a decision on the issues in question after
considering the facts presented, even if the firm or reviewer still disagree, the matter is
considered resolved by the AE.
Any of the disagreeing parties may request an appeal of this decision by writing the PRB
and explaining why he or she believes a review of the panel’s decision is warranted and
provide support for the request by submitting evidence. A panel formed by the PRB will
review and consider the request and take further action pursuant to fair procedures that
have been established.
Alternative to requesting a panel, the firm may consult with the Issue Advisory Hotline.
The Issue Advisory Hotline has been established for the primary purpose of resolving
differences of opinion between a peer reviewer and a reviewed firm regarding the
application of established accounting and auditing guidance. That is, if an issue arises
during a peer review as to whether the reviewed firm appropriately applied authoritative
guidance on a selected engagement, the peer reviewer and the reviewed firm can call the
Hotline together and discuss the issue with a member of the AICPA’s Accounting &
Auditing team. The objective of this discussion is to determine how the standard was
intended to be applied. Once the Accounting & Auditing team member has provided
further explanation regarding the intended application of the standard, it will be the peer
reviewer’s responsibility to use their professional judgment to determine if the reviewed
firm complied with the standard with respect to the selected engagement being reviewed.
To contact the Issue Advisory Hotline, please call (919) 402-4502, option 4. For additional
information regarding the Issue Advisory Hotline, please access the following Q&A
document.
Back to top
Can my peer review acceptance letter be withheld until peer review administrative
fees are paid?
No. If the fieldwork has begun, the review should be performed, technically reviewed,
considered by a report acceptance body and then the appropriate acceptance letter
should be issued. However, failure to pay fees related to the administration of the peer
review program that have been authorized by the governing body of an AE can lead to
the firm’s enrollment in the Program being dropped.
30
Back to top
When are the results of my peer review available for publication?
You should not publicize the results of the review or distribute copies of the report until
the committee has advised you that the report has been accepted.
Additionally, at the time you complete your firm’s scheduling information, you can choose
to make your firm’s peer review documents open to public inspection by instructing your
AE to place the documents in the AICPA’s Public File.
Back to top
How can I obtain a copy of my firm’s latest peer review report?
Peer review results for firms enrolled in the Program are confidential. However, if asked,
the reviewed firm is allowed to provide copies of its most recently accepted peer review
report.
The latest accepted peer review report for a firm that is a voluntary member of one of the
AICPA’s audit quality centers or sections that has a membership requirement such that
certain peer review documents be open to public inspection may be obtained from the
firm's Public File. The Public File also contains peer review documents of firms that are
PCPS members or those that voluntarily request to have their peer review documents
publicly available.
Back to top
When is my peer review complete?
Generally, a peer review is complete the date the AE’s peer review committee
(committee) accepts your firm’s peer review without any further action(s) required of your
firm. However, in the event that further action(s) is required, the completion date is the
date the committee decides that the reviewed firm has performed the agreed-to corrective
action(s) to the committee’s satisfaction and the committee requires no additional
corrective action(s) by the reviewed firm.
Back to top
When would further action(s) be required?
When a firm receives a report with a rating of pass with deficiencies or fail, the committee
ordinarily will require some type of further action(s) (referred to as corrective actions).
The type of action required would depend on the nature of the deficiencies.
Back to top
What could cause my peer review report to be recalled and what are my
31
responsibilities after it has been recalled?
The following situations are examples of what could cause your firm’s peer review report
(or other previously accepted peer review documents) to be recalled:
• The reviewed firm fails to include or properly identify any engagement(s) or level(s)
of service that should have been included in the scope of the peer review.
(Examples include if the firm had an engagement review performed and failed to
inform the AE or reviewer of an audit performed during the period covered by the
peer review; OR if the firm had a system review performed and neglected to
disclose that it performed an engagement in a must-select industry during the
period covered.)
• The reviewed firm failed to inform the reviewer of communications or summaries
of communications from regulatory, monitoring or enforcement bodies relating to
allegations or investigations of deficiencies in the conduct of an accounting,
auditing, or attestation engagement performed and reported on by the firm or
limitations or restrictions on the firm’s ability to practice public accounting related
to the firm or its personnel. This includes failure to inform of such
communications received through the date of the peer review report and
acceptance thereof.
• The reviewed firm provided erroneous or incomplete information in response to
inquiries from the AE, AICPA staff, or reviewer in relation to the peer review.
Your firm has the responsibility to notify all parties that might be relying on the recalled
peer review documents to discontinue reliance when those documents are recalled. This
includes but is not limited to notification to the state board(s) of accountancy, current or
potential clients, regulators, enforcement agencies, insurance carriers or government
agencies, if applicable. Your firm is also responsible for the removal of the documents
from publicly available sources, such as the firm’s website.
The firm needs to be aware that firm noncompliance with peer review requirements could
affect its ability to meet AICPA membership requirements, as well as licensing and other
regulatory requirements. Additionally, it is ultimately the firm’s responsibility to have the
peer review submitted by the firm’s due date. Therefore, the firm is responsible for hiring
a reviewer who understands the importance of the issue and timing for the replacement
review, if a replacement review is necessary.
For a more detailed discussion of the recall process, see the Standards Section 400
paragraphs .40-.42 as well as Section 400 Appendix C Considerations for the Recall of
Peer Review Documents.
Back to top
What happens if it is discovered that a firm that has historically signed “no A&A”
affirmations has been performing engagements subject to peer review?
If it is subsequently discovered that a firm that had historically provided its AE with
affirmations that it performed no A&A engagements did in fact perform an A&A
engagement, an AE could require the firm to have a peer review (typically within 90 days
32
of discovery).
Additionally, a firm may be deemed as failing to cooperate if they omit or misrepresent
information relating to its accounting and auditing practice as defined by the Standards.
If a firm is dropped or terminated for not accurately representing information relating to its
accounting and auditing practice as defined by the Standards, the matter will result in
referral to the AICPA Professional Ethics Division for investigation of a possible violation
of the AICPA Code of Professional Conduct.
AICPA bylaws do not require a firm without accounting, auditing, or attestation
engagements to enroll in a practice monitoring program. However, an enrolled firm that
no longer performs engagements defined in the Standards will not be required to have a
peer review in accordance with AICPA bylaws if the firm confirms annually that it does
not perform any of these services.
Back to top
What happens if after my firm’s review is accepted, it is discovered that my firm
failed to include all engagements in its engagement listing provided to the
reviewer?
A firm may be deemed as failing to cooperate if they omit or misrepresent information
relating to its accounting and auditing practice as defined by the Standards. If a firm is
dropped or terminated for not accurately representing information relating to its
accounting and auditing practice as defined by the Standards, the matter will result in
referral to the AICPA Professional Ethics Division for investigation of a possible violation
of the AICPA Code of Professional Conduct.
In accordance with the noncooperation guidance, if a firm omits or misrepresents
information relating to its accounting and auditing practice the firm will be subject to a
hearing panel to consider whether the firm’s enrollment in the Program should be
terminated. If the omission or misrepresentation results in a material departure (for
example, must select engagements were not reviewed but could have been) the
acceptance letter of the review in question will be recalled. If the hearing panel determines
that the firm’s enrollment in the program should not be terminated, at a minimum the
hearing panel will require that the firm have a replacement review submitted to the AE by
the due date which will be approximately 60 days after the hearing panel’s decision. The
hearing panel may also indicate other specific criteria for the replacement review.
Firms that voluntarily notify the AE of an omission or misrepresentation resulting in a
material departure will not be subject to a hearing panel. This notification from the firm
must be prior to the AICPA or AE being otherwise notified of or discovering the omission
or misrepresentation and prior to the firm receiving notification from another regulatory or
monitoring agency. The peer review acceptance letter for the impacted peer review will
be recalled and the firm will be required to submit a replacement review to its AE by the
due date which will be approximately 90 days after the firm’s notification to the AE.
For recalled reviews that commenced on or after April 1, 2014 for which the firm’s
33
enrollment is terminated due to the firm omitting or misrepresenting information related to
the firm’s accounting and auditing practice, the matter will result in referral to the AICPA
Professional Ethics Division for investigation of a possible violation of the AICPA Code of
Professional Conduct.
Back to top
What is an implementation plan?
During the peer review, if a reviewer finds a matter that does not rise to the level of a
deficiency, the reviewer may complete a Finding for Further Consideration (FFC) Form.
The firm’s response should describe:
• The firm’s actions (taken or planned) to remediate findings in the firm’s system of
quality control,
• The firm’s actions (taken or planned) to remediate the engagements identified on
the FFC form as nonconforming, if applicable and
• The timing of the implementation.
The AE’s report acceptance body (RAB) will evaluate whether reviewed firm’s responses
to the findings appear comprehensive, genuine and feasible. The RAB will determine if a
finding should require the firm to complete an implementation plan (for example, the
requirement to complete additional CPE) in addition to the plan described by the firm in
its response to the findings on the FFC form.
An implementation plan is not tied to the reporting process or to the acceptance or
completion of the peer review. It is considered part of the working papers and
administrative files. Firms are expected to agree to and complete any such
implementation plans as a part of cooperating with the AE and the PRB in all matters
related to the review. Failure to cooperate with the AE or the PRB may impact the firm’s
enrollment in the Program.
Back to top
What is a corrective action?
When a firm receives a report with a rating of pass with deficiencies or fail, the RAB
ordinarily should require some type of remedial, corrective action as a condition of
acceptance regardless of whether the firm appears to have an understanding of
professional standards.
A corrective action is tied to the reporting process and the acceptance and completion of
the peer review. It is considered part of the working papers and administrative files when
a corrective action plan is required by the peer review committee. Firms are expected to
agree to and complete any such corrective actions as part of cooperating with the AE and
the PRB in all matters related to the review. Failure to cooperate with the AE or the PRB
may impact the firm’s enrollment in the program.
Back to top
34
IMPLEMENTATION PLANS AND CORRECTIVE ACTIONS
.
How do I know whether the letter I received from the administering entity is an
implementation plan or a corrective action?
The letter communicating the corrective action(s) will contain the following language:
“The Committee accepted the aforementioned documents with the understanding that the
firm will…”
The letter communicating the implementation plan(s) will contain the following language:
“…the action(s) outlined in the following implementation plan are required of your firm…”
After the prescribed action(s) or plan the letters differ as follows:
Corrective Action wording
“Your firm's agreement demonstrates its commitment to the objectives of the
<AICPA/State> Peer Review Program.
Please acknowledge your agreement through the Peer Review Integrated Management
Application (PRIMA) system. Upon receipt of the acknowledgement and satisfactory
completion of any outstanding corrective actions within PRIMA, you will receive
notification that your firm’s peer review has been completed.”
Implementation Plan wording
“Your firm's agreement to complete this implementation plan demonstrates its
commitment to the objectives of the <AICPA/State> Peer Review Program. Please
acknowledge your agreement within PRIMA.”
Back to top
What happens if I don’t complete the implementation plan?
Although agreeing to and completing an implementation plan is not tied to the acceptance
of the peer review, if a firm fails to cooperate (by not agreeing to or by not performing),
the firm’s enrollment in the program may be terminated.
Back to top
What happens if I don’t complete the corrective action(s)?
The reviewed firm is required to evidence its agreement to perform the prescribed
corrective action(s) in writing before the peer review report can be accepted. The
completion of the required corrective action(s) is a condition of cooperation with the AE
35
and the PRB. If a firm fails to cooperate, the firm’s enrollment in the program may be
terminated.
Back to top
Can my firm receive both a corrective action and an implementation plan related
to the same peer review?
Yes, the peer review committee of the AE can require corrective action(s) related to
receiving a peer review report rating of pass with deficiencies or fail and also require an
implementation plan related to FFCs received on the same peer review.
Back to top
What are some suggested actions that may be required related to a pass with
deficiency(ies) or fail peer review report?
Actions required by the RAB differ depending on if the peer review was a System Review
or an Engagement Review. The charts at the end of this section provide some common
suggested actions. The peer review committee could recommend other actions or a
combination of one or more actions.
Back to top
What are allowable plans that may be required related to a Finding for Further
Consideration?
The charts at the end of this section provide the allowable implementation plans. The
peer review committee could recommend a combination of one or more plans in response
to the findings noted on a peer review.
Back to top
How do the corrective action and implementation plan affect my ability to
publicize the results of my peer review?
A firm may not publicize the results of its peer review until it is notified that the report has
been accepted by the AE. A corrective action affects the acceptance of the peer review
report. A peer review report is not considered accepted until the reviewed firm signs the
written letter from the AE evidencing the firm’s agreement to the corrective action. An
implementation plan does not affect the acceptance of the peer review report, and thus
does not affect the firm’s ability to publicize peer review results.
Back to top
Should my firm expect an implementation plan for every FFC?
No. The decision of whether to require an implementation plan and deciding on what
actions or procedures are appropriate is a matter of professional judgment that each RAB
36
makes based on the applicable facts and circumstances. Generally, if the finding is not a
repeat finding or associated with a must-select engagement that was not performed or
reported on in conformity with professional standards in all material respects (System
Reviews only), no implementation plan is suggested by the RAB.
However, when a finding is a repeat finding or associated with a must-select engagement
that was not performed or reported on in conformity with professional standards in all
material respects, the firm will often be required to complete an implementation plan.
Back to top
Allowable Implementation Plans: System Reviews (PRC 420 Exhibit C)
Finding
Allowable Implementation Plan
Nonconforming engagements and
• initial findings on a must-select industry
or
• repeat findings for any industry
• Require members of the firm to take
specified types and amounts of CPE.
• Require the firm to hire an outside
party approved by the report
acceptance body (RAB) to perform a
pre-issuance or post-issuance review
of certain types or portions of
engagements.
• Require the firm to hire an outside
party approved by the RAB to review
the firm’s remediation of
nonconforming engagements.
• Require the firm to hire an outside
party approved by the RAB to review
the firm’s completion of its intended
remedial actions outlined in its
response on the finding for further
consideration (FFC) form or to evaluate
the appropriateness of alternative
actions.
• Require the firm to hire an outside
party approved by the RAB to review
the firm’s internal monitoring or
inspection report.
Repeat findings without nonconforming
engagements
• Require members of the firm to take
specified types and amounts of CPE.
• Require the firm to hire an outside
party approved by the RAB to review
the firm’s internal monitoring or
inspection report.
Failure to possess applicable firm licenses
• Require the firm to submit proof of its
valid firm licenses.
37
Back to top
Suggested Corrective Actions: System Reviews (PRC 420 Exhibit D)
Back to top
Deficiency or Significant
Deficiency
Suggested Actions to Be Performed as Soon as
Reasonably Possible
Deficiency or significant
deficiency related to
engagement performance
• Require members of the firm to take specified types and
amounts of CPE.
• Allow firm members responsible for the applicable
nonconforming engagements to pass the related AICPA
advanced certificate exam, if applicable, in lieu of CPE.
This option is applicable only for firms that have
nonconforming engagements in certain industries that
were identified in the peer review and for which a related
AICPA advanced certificate exists.
• Require the firm to hire an outside party approved by the
report acceptance body (RAB) to perform a pre-issuance
or post-issuance review of certain types or portions of
engagements.
• Require the firm to hire an outside party approved by the
RAB to review the firm’s remediation of nonconforming
engagements.
• Require the firm to hire an outside party approved by the
RAB to review the firm’s completion of its intended
remedial actions as outlined in its letter of response or to
evaluate the appropriateness of alternative actions.
Though not required, this is commonly performed by the
team captain of the peer review.
• Require the firm to join an AICPA audit quality center
applicable to the nonconforming engagements.
Deficiency or significant
deficiency related to design
of or noncompliance with
another element of the
quality control system
• Require the firm to hire an outside party approved by the
RAB to review the firm’s internal monitoring or inspection
report.
• Require the firm to hire an outside party approved by the
RAB to perform a pre-issuance review of certain types or
portions of engagements.
• Require the relevant members of the firm to submit proof
of their valid individual licenses.
38
Allowable Implementation Plans: Engagement Reviews (PRC 420 Exhibit A)
Back to top
Suggested Corrective Actions: Engagement Reviews (PRC 420 Exhibit B)
Back to top
Deficiency
Suggested Actions to Be Performed as Soon as Reasonably
Possible
Deficiency
• Require members of the firm to take specified types and
amounts of CPE.
• Require the firm to hire an outside party approved by the
report acceptance body (RAB) to perform a pre-issuance or
post-issuance review of certain types or portions of
engagements.
• Require the firm to hire an outside party approved by the
RAB to review the firm’s remediation of nonconforming
engagements.
• Require the firm to engage an outside party approved by the
RAB to review the firm’s completion of its intended remedial
actions as outlined in its letter of response or to evaluate the
appropriateness of alternative actions. Though not required,
this is commonly performed by the review captain.
• Require the relevant members of the firm to submit proof of
their valid individual licenses.
Finding
Allowable Implementation Plan
Engagements indicate
the
following:
• Repeat findings
• Require members of the firm to take specified types
and
amounts of CPE.
• Failure to
possess
applicable firm
licenses
• Require the firm to submit proof of its valid firm
licenses.
39
COOPERATION WITH THE AICPA PEER REVIEW PROGRAM
What if my firm chooses not to cooperate with the AICPA Peer Review Program?
Enrollment in an approved practice monitoring program is a requirement for admittance
and retention of membership in the AICPA if the firm performs services within the scope
of the AICPA’s practice monitoring Standards (see page 2 of this Q&A). A firm enrolled in
the Program is required under the Standards to cooperate with the peer reviewer, AE and
the PRB in all matters related to the review. If an enrolled firm does not cooperate with
the requirements of the Program, their enrollment may be terminated or dropped (as
discussed below). A firm should carefully consider any implications of its noncooperation
and impact on SBOAs or other regulatory requirements.
Additionally, a firm may be deemed as failing to cooperate if they omit or misrepresent
information relating to its accounting and auditing practice as defined by the Standards.
If a firm is dropped or terminated for not accurately representing information relating to its
accounting and auditing practice as defined by the Standards, the matter will result in
referral to the AICPA Professional Ethics Division for investigation of a possible violation
of the AICPA Code of Professional Conduct.
Back to top
Under what circumstances may a firm’s enrollment be dropped?
A firm’s enrollment in the Program will be dropped by the PRB, without a hearing, 30 days
after the Program notifies the firm by certified mail that the firm has failed to:
1. Timely file requested information with the entity administering the firm’s peer
review concerning the arrangement or scheduling of that peer review, prior to the
commencement of the peer review,
2. Timely submit requested information to the reviewer necessary to plan the firm’s
peer review, prior to the commencement of the peer review,
3. Have a peer review by the required date,
4. Accurately represent its accounting and auditing practice, as defined by the
Standards, after notifying its AE that it does not perform engagements that require
the firm to have a peer review,
5. Timely pay in full the fees and expenses of the review team formed by an AE or
6. Timely pay fees related to the administration of the program that have been
authorized by the governing body of an AE.
The PRB may at its discretion decide to hold a hearing. Whether a hearing is held or not,
a firm enrolled in the Program has the right to appeal to the AICPA Joint Trial Board within
30 calendar days of being notified that the firm’s enrollment has been dropped.
Back to top
40
Under what circumstances may a firm’s enrollment be terminated?
A firm is deemed as failing to cooperate once the review has commenced by:
• Not responding to inquiries once the review has commenced
• Withholding information significant to the peer review, including but not limited to:
o failing to disclose communications received by the reviewed firm relating to
allegations or investigations in the conduct of accounting, auditing or
attestation engagements from regulatory, monitoring or enforcement bodies
o omitting or misrepresenting information relating to its accounting and
auditing practice as defined by the Standards, including, but not limited to,
engagements performed under Government Auditing Standards; audits of
employee benefit plans, audits performed under FDICIA and examinations
of service organizations [Service Organizations Control (SOC) 1 and 2
engagements]
• Not providing documentation, including but not limited to, representation letters,
quality control documents, engagement working papers, all aspects of functional
areas
• Not responding to MFCs or FFCs timely, if applicable
• Limiting access to offices, personnel or other
• Not facilitating the arrangement for the closing meeting/exit conference on a timely
basis
• Failing to timely file the report and the response thereto related to its peer review,
if applicable
• Failing to cooperate during oversight
• Failing to timely acknowledge and complete required corrective actions or
implementation plans
• Failing to receive a pass report after receiving a peer review report with a rating of
pass with deficiencies or fail and the firm received notification through a method
providing proof of receipt that a consecutive peer review report rating of pass with
deficiencies or fail may be considered a failure to cooperate with the AE
• Failing to timely notify the AE that it is performing a type of engagement(s) or
engagement(s) in an industry in which the firm had previously represented (in
relation to a corrective action or implementation plan) that it was no longer
performing and had no plans to perform in the future, and this resulted in the AE
waiving the corrective action or implementation plan based on the firm’s
representation
• Erroneously providing or omitting information during the course of the peer review
that would have resulted in a significant change in the planning, performance, or
evaluation of results by the peer reviewer, or in the peer review report issued
• Failing to provide substantive responses to the AE during its evaluation of the
significance of erroneous or omitted information
The firm will be advised by certified mail that the PRB will appoint a hearing panel to
consider whether the firm’s enrollment in the Program should be terminated. A firm
enrolled in the Program that has been notified that it is the subject of such a hearing may
41
not resign until the matter causing the hearing has been resolved. After a hearing is held,
a firm whose enrollment in the Program has been terminated has the right to appeal the
panel’s decision to the AICPA Joint Trial Board within 30 calendar days of the hearing.
A firm’s enrollment in the Program will be terminated for failure to cooperate in any of the
preceding situations, without a hearing, upon receipt of a plea of guilty from the firm.
Pursuant to the Standards, the fact that a firm’s enrollment in the Program has been
terminated, whether with or without a hearing, will be published in such form and manner
as the AICPA Council may prescribe.
Back to top
Can my firm resign from the AICPA Peer Review Program at any time?
Your firm may resign from the Program as long as the peer review has not commenced,
and your firm submits a request within PRIMA to resign the firm from the Program.
Ordinarily, a peer review commences when the review team begins field work on a
System Review or begins the review of engagements on an Engagement Review. Once
a team captain, review captain or team member learns information that affects the results
of the review, the review is deemed to have commenced, even if such an event occurs
during planning before any engagements are reviewed. Once a peer review commences
a firm would not be able to resign from the Program unless the firm submits a letter
pleading guilty, acknowledging its noncooperation with the program, waiving its right to a
hearing and agrees to allow the AICPA to publish in such a form and manner as the
AICPA Council may prescribe, the fact the firm has resigned from the Program before
completion of its peer review, evidencing noncooperation with the Program.
Back to top
If my firm is terminated from the AICPA Peer Review Program, how does the firm
get reenrolled?
Ordinarily, firms may request reenrollment in the Program after the firm has sufficient
opportunity to implement appropriate changes to correct the cause of the drop or
termination. Reenrollment in the Program is subject to evaluation by either the AE or a
hearing panel of the PRB.
The AE or a hearing panel of the PRB should be made aware of information that led to
the firm’s most recent drop or termination from any practice monitoring program. The AE
may make the determination of whether action(s) is (are) satisfactorily completed and
approve reenrollment for drops or terminations such as overdue actions and all other
instances of noncooperation that do not require reenrollment consideration by a hearing
panel of the PRB.
Reenrollments decisions subject to approval by a hearing panel of the PRB, include but
are not limited to:
Drops for not accurately representing its accounting and auditing practice as
42
defined by the Standards; and
Terminations for:
• omission or misrepresentation of information relating to its accounting and
auditing practice as defined by the Standards;
• failure to receive a pass report rating subsequent to receiving notification
via certified mail, or other delivery method providing proof of receipt, after a
peer review rating of pass with deficiencies or fail; or
• failure to correct deficiencies or significant deficiencies after consecutive
corrective actions required by the committee on the most recent peer
review.
Reenrollment generally requires the firm to address and remediate the circumstances that
caused the firm to be dropped or terminated. Common criteria for reenrollment, include
but are not limited to, submitting evidence to the AE or hearing panel that demonstrates:
• Completion of the requested action
• Changes in the firm’s system of quality control (such as, but not limited to,
personnel changes or procedural changes, methodologies to identify the complete
population of engagements performed, access to technical resources or
membership in quality centers and voluntary changes in the practice or types of
industries or engagements performed)
• Competency through completion of relevant CPE, training or competency
assessments
• Assessment of quality in the performance of engagements through internal or
external monitoring results (such as, but not limited to, pre-issuance reviews, post
issuance reviews and internal inspections that reflect engagements are materially
performed and reported on in conformity with applicable professional standards)
The hearing panel or AE’s peer review committee may also require other actions as a
condition of reenrollment. Determination of final acceptance or completion of a review is
subject to the AE’s report acceptance body.
If reenrollment is approved and the firm is past its next peer review due date, the firm will
generally be required to complete its subsequent peer review
• within 90 days of reenrolling if the firm’s most recent peer review is completed, or
• within 90 days of the AE’s report acceptance body determining that actions taken
are satisfactory to complete a commenced peer review or
• by a later date set by the hearing panel or the AE.
Back to top
FIRMS THAT PERFORM EXAMINATIONS
OF SERVICE ORGANIZATIONS
43
What are the characteristics of SOC for Service Organizations engagements?
SOC for Service Organizations engagements include:
• SOC 1® - SOC for Service Organizations: ICFR (performed in accordance with
AT-C section 320, Reporting on an Examination of Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting
and the AICPA Guide Reporting on an Examination of Controls at a Service
Organization Relevant to User Entities’ Internal Control Over Financial Reporting
(SOC 1®))
• SOC 2® - SOC for Service Organizations: Trust Services Criteria (performed
under AT-C section 205, and the AICPA Guide SOC 2® Reporting on an
Examination of Controls at a Service Organization Relevant to Security,
Availability, Processing Integrity, Confidentiality, or Privacy)
• SOC 3® - SOC for Service Organizations: Trust Services Criteria for General
Use Report (performed under AT-C section 205 and the AICPA Guide SOC 2®
Reporting on an Examination of Controls at a Service Organization Relevant to
Security, Availability, Processing Integrity, Confidentiality, or Privacy)
SOC 1 Engagements
The purpose of the report in a SOC 1 engagement is to provide management of the
service organization, user entities and the independent auditors of user entities’ financial
statements with information and a service auditor’s opinion about controls at a service
organization that are likely to be relevant to user entities’ internal control over financial
reporting. The report enables the user auditor to perform risk assessment procedures
and, if the report is a type 2 report, to use the report as audit evidence that controls at the
service organization are operating effectively. A SOC 1 report is a restricted-use report,
intended for use by user entities of the service organization and their financial statement
auditors. SOC 1 engagements should not be used for reporting on controls over subject
matter other than financial reporting. SOC 1 engagements are required to be
examinations, are subject to a System Review and are must-select engagements.
SOC 2 Engagements
The purpose of the report in a SOC 2 engagement is to provide service organization
management, user entities, business partners and other specified parties with information
and a service auditor’s opinion about controls at the service organization relevant to
security, availability, processing integrity, confidentiality or privacy. Many entities
outsource tasks or functions that are unrelated to financial reporting to service
organizations. SOC 2 reports are intended to meet the needs of a broad range of users
that want to understand internal control at a service organization as it relates to the
security, availability or processing integrity of the service organization’s system, or the
confidentiality or privacy of the data processed by that system. These reports may be
restricted in use but are intended for use by stakeholders (e.g., customers, regulators,
business partners, suppliers, directors) of the service organization that have a thorough
understanding of the service organization and its controls. Similar to SOC 1
engagements, SOC 2 engagements provide for both Type 1 and Type 2 reports. Unlike
SOC 1 engagements, the primary users of SOC 2 reports generally are not user auditors
44
but rather management of the user entities that use the reports to make operational
decisions. SOC 2 engagements are required to be examinations, are subject to a System
Review and can be a must-select engagement.
SOC 3 Engagements
The purpose of the report in a SOC 3 engagement is to provide interested parties with a
service auditor’s opinion about the effectiveness of controls at the service organization
relevant to security, availability, processing integrity, confidentiality or privacy. Because
of the different reporting requirements, a SOC 2 report is appropriate only for specified
parties with sufficient knowledge and understanding of the service organization and the
system, whereas a SOC 3 report is ordinarily appropriate for general use. The subject
matter in a SOC 3 engagement is essentially the same as it is in a SOC 2 engagement,
and the criteria for evaluating controls is the same as it is in a SOC 2 engagement.
However, SOC 3 reports are designed to meet the needs of users who want assurance
on the controls at a service organization related to security, availability, processing
integrity, confidentiality or privacy but do not need the detail included in a SOC 2 report.
SOC 3 reports do not contain a detailed description of the service auditor’s tests of the
operating effectiveness of controls and the results of those tests. Instead, SOC 3 reports
are general-use reports, which mean they may be used by anyone and therefore can be
used by the service organization to market its services to potential customers.
Back to top
I’m having difficulty finding a review team member with appropriate SOC
experience. What are my options?
Consistent with other must-select engagements, if a firm performs SOC 1 or SOC 2
engagements, someone on the review team should have experience with these types of
engagements. Peer reviews of firms that perform SOC 1 engagements will require a team
member with SOC 1 experience; similarly, peer reviews of firms that perform SOC 2
engagements will require a team member with SOC 2 experience. Due to the specialized
nature of SOC engagements, the PRB has determined that a specialist may be able to
assist the team captain in lieu of a team member with SOC experience. The specialist
should meet the criteria established by the AICPA in order to be approved to assist the
review team in reviewing SOC 1 or SOC 2 engagements. Refer to Appendix B for the
SOC specialist criteria.
Firms can use the reviewer search at peerreview.aicpa.org/reviewer_search.html to
identify a reviewer that meets the qualifications to review these engagements.
When a specialist is used, the team captain, as always, is responsible for supervising and
conducting the review, communicating the review team’s findings to the reviewed firm and
AE, preparing the report on the review and ensuring that peer review documentation is
complete and submitted to the AE on a timely basis. The team captain should supervise
and review the work performed by the specialist. The team captain will furnish instructions
to the specialist regarding the manner in which materials and other notes relating to the
review are to be accumulated to facilitate summarization of the review team’s findings
and conclusions. The specialist may be required to be available or participate in the exit
45
conference.
Back to top
INTERESTED IN BECOMING A PEER REVIEWER
What are the benefits of being a peer reviewer?
When you become a peer reviewer, you:
• Are seen as an expert in your field and gain increased respect from your
colleagues.
• Help firms achieve their A&A practice goals and enhance the quality of their A&A
practices.
• Identify best practices of other firms, which can be applied to other peer review
clients and to your own firm.
• Gain broader practice knowledge through the peer review process, which will help
sharpen your skills and reinforce your strengths.
• Are creating an opportunity to develop an additional profit center for your firm.
• Often receive referrals for additional consulting services as a result of performing
peer reviews.
• Enhance the effectiveness of the profession’s self-regulatory efforts and contribute
to the quality of our profession.
Back to top
What are the qualifications necessary to become a reviewer?
To qualify as a peer reviewer, you must:
• Be a member of the AICPA in good standing.
• Be currently active in public practice at a supervisory level in the accounting or
auditing function.
• Be associated with a firm that has received a report with a peer review rating of
pass.
• Possess appropriate experience and current knowledge of professional standards
applicable to the kind of practice to be reviewed.
• Have spent the last 5 years practicing in the accounting or auditing function.
• Have completed a peer review resume.
• Meet specific additional qualifications if you plan to review engagements that must
be selected during a peer review.
In addition, if you are a partner
1
in your firm, you are qualified to be a team captain. See
Appendix B for a complete listing of qualifications.
1
A Partner is a proprietor, shareholder, equity or non-equity partner or any individual who assumes the risks and
benefits of firm ownership or who is otherwise held out by the firm to be the equivalent of any of the aforementioned.
46
Back to top
How do I become a peer reviewer?
To become a team captain (on a System Review) or review captain (on an Engagement
Review):
• Meet all the reviewer requirements. A full list of requirements is located in
Appendix B and can also be downloaded at How to Become a Peer Reviewer.
• Peer reviewers must complete a peer review resume by logging into the Peer
Review Integrated Management Application (PRIMA). Once you enter your
resume you can be automatically listed in the online searchable database.
• Review the documents provided in the Practitioner's Tool Kit to help promote your
peer review services and develop your practice.
Back to top
Where can I find more information regarding the training requirements for peer
reviewers?
The Peer Review website outlines the training requirements for reviewers on the
following web page: aicpa.org/interestareas/peerreview/cpeandevents.html
Back to top
47
APPENDIX A
System Review or Engagement Review Determination
(Applies to engagements that are not subject to PCAOB permanent inspection)
If an enrolled firm performs these types of
engagements as its highest level of service,
the firm would be required to have:
System
Review
Engagement
Review
Statements on Auditing Standards (SAS)
Engagements
X
Government Auditing Standards (GAS)
Financial Audits
X
Attestation Engagements (Examination,
Review, or Agreed-upon procedures under
GAS)
X
Performance Audits
X
Statements on Standards for Attestation
Engagements (SSAEs)
Examination Engagements
X
Reviews
X
Agreed-upon procedures Engagements
X
Public Company Accounting Oversight
Board (PCAOB) Standards
Audits
X
Examinations
X
Other attestation engagements (reviews,
attest, or agreed upon procedures
engagements under PCAOB standards)
X
Statements on Standards for Accounting and
Review Services (SSARSs)
Reviews of financial statements
X
Compilations of financial statements
X
Preparation of financial statements
X
If a firm is required to have a System Review, all the engagements listed above would be
subject to selection for review, ordinarily based on periods ending during the year under
review, except for financial forecasts or projections and agreed upon procedures.
Financial forecasts or projections and agreed upon procedures with report dates during
the year under review would be subject to selection.
For enrollment information for firms that only perform preparation of financial statement
engagements in accordance with AR-C Section 70, please see the Peer Review
Enrollment Requirements.
If a firm performs or reports on engagements under International Standards, the
engagements should be included in the scope of a peer review. Under U.S. professional
48
standards, the engagement should comply with elements of both the international
standards and U.S. professional standards. Peer reviewers test compliance with only the
U.S. professional standards,, as testing of compliance with any international standard, is
not included in the scope of the review.
The International Auditing and Assurance Standards Board (IAASB) is not currently
recognized by AICPA Council to promulgate technical standards (nor is the International
Public Sector Accounting Standards Board); therefore, compliance with auditing, review,
or other assurance or related services standards issued by the IAASB, or any other audit
or assurance standards outside of the United States, is not included in the scope of peer
review. However, the IASB (International Accounting Standards Board), which issues
International Financial Reporting Standards (IFRS), is recognized by Council and is
therefore included in the scope of peer review (as are FASB, FASAB, and GASB). Contact
AICPA staff with additional questions, if needed.
Back to top
APPENDIX B
Reviewer Qualifications
Performing and reporting on a peer review requires the exercise of professional judgment
by peers (see paragraphs .05 - .08 of Section 200 of the Standards for a discussion of a
reviewer’s responsibilities when performing a peer review). Accordingly, an individual
serving as a reviewer on a System or Engagement Review should at a minimum:
a. Be a member of the AICPA in good standing, licensed to practice as a CPA, and
employed by or an owner of a firm enrolled in the program (that is, AICPA
membership in active, non-suspended status).
b. Be in public practice as a partner, manager, or person with equivalent
responsibilities in the accounting or auditing practice or carrying out a quality
control function in the CPA’s firm. (Ref: par. .A3)
c. Have current practice experience by performing or supervising accounting or
auditing engagements in the CPA’s firm or carrying out a quality control function in
the firm, with reports dated within the last 18 months. (Ref: par. .A4)
d. Have spent the last five years in the practice of public accounting in the accounting
or auditing function.
e. Be employed by or be the owner of a firm that has received a report with a peer
review rating of pass or pass with scope limitations for its most recent peer review.
(The report should have been accepted timely.) (Ref: par. .A5–.A6)
f. Possess appropriate experience and current knowledge of professional standards
related to the kind of practice and the industries of the engagements to be
reviewed. (Ref: par. .A7)
g. Obtain at least 48 hours of AICPA-required continuing professional education
(CPE) every 3 years in subjects relating to accounting, auditing, and quality control
with a minimum of 8 hours in any 1 year.
49
h. Be free of restrictions from regulatory or governmental bodies on the CPA’s ability
to practice public accounting. (Ref: par. .A8)
i. Provide qualifications and experience via a reviewer resume.
Back to top
Team Captain or Review Captain
In addition to adhering to the requirements in Section 200 to be a peer reviewer, a System
Review team captain must be a partner. For an Engagement Review, the review captain
is not required to be a partner. The team captain, or the review captain in limited
circumstances, is required to ensure that all team members possess the necessary
capabilities and competencies to perform assigned responsibilities and that team
members are adequately supervised. The team captain or review captain has the ultimate
responsibility for the review, including the work performed by team members.
Also, team captains and review captains should have completed peer review training that
meets the requirements established by the PRB.
Additionally, to initially qualify as a team captain on a System Review or as a review
captain on an Engagement Review, you must:
1. Complete the online peer reviewer curriculum Becoming an AICPA Peer Review
Team or Review Captain. The online peer reviewer curriculum is a series of
modules that are similar to self-study on-demand courses. The modules must be
taken sequentially, and each module contains a final exam that is designed to
comply with NASBA CPE Standards and is similar to competency assessments in
other on-demand self-study CPE courses.
2. Complete the Becoming an AICPA Peer Review Team or Review Captain: Case
Study Applications in a live seminar format. This course features realistic case
studies that encompass the most important elements of a system review, as well
as several case studies pertaining to an engagement review.
The Becoming an AICPA Peer Review Team or Review Captain: Case Study
Applications must be completed within the 12 months after the completion of the peer
reviewer curriculum.
The following outlines the ongoing training requirements:
To maintain the qualifications of a team captain or of a review captain, you should
participate in one of the following peer review training options within 12 months prior to
the commencement of a review. Peer review training options include:
1. Attending the general session of the annual Peer Review Conference.
50
2. Completing the AICPA Peer Review Update on-demand self-study course. This
course is an advanced reviewer training course that will be updated annually and
cover recent changes to peer review guidance in addition to how recent changes
in auditing or accounting standards impact peer review. This course will contain a
final exam that is designed to meet the NASBA CPE Standards.
3. Attend an alternative course or conference session that has been approved by the
PRB. For purposes of the ongoing training requirement, these alternative courses
and conference session will be selected by the PRB. The PRB will not consider
courses submitted by reviewers seeking consideration for an alternative course of
their choosing.
Back to top
Other Peer Reviewer or Reviewing Firm Qualification Considerations
Communications from regulatory, monitoring or enforcement bodies relating to
allegations or investigations of a peer reviewer or reviewing firm’s accounting and auditing
practice, and notifications of limitations or restrictions on a peer reviewer or reviewing firm
to practice, may impact the peer reviewer or reviewing firm’s ability to perform the peer
review. The peer reviewer or reviewing firm has a responsibility to inform the AE of such
communications or notifications.
If required by the nature of the reviewed firm’s practice, individuals with expertise in
specialized areas may assist the review team in a consulting capacity. For example, IT
specialists, statistical sampling specialists, actuaries, or experts in continuing
professional education (CPE) may participate in certain segments of the review.
Some review teams may also need to engage a SOC specialist to assist the review team
with reviewing SOC 1 or SOC 2 engagements. SOC specialists must meet specific criteria
and have prior approval before an AE can approve them as part of a review team.
To become an approved specialist, the specialist candidate should complete a peer
reviewer resume and indicate that they would like to serve as a specialist.
An individual serving as a SOC specialist on a System Review should at a minimum:
a. Be currently active in public practice at a supervisory level for managing SOC 1
and/or SOC 2 examinations. To be considered currently active, a specialist should
be presently involved in the SOC practice of a firm supervising one or more of the
firm’s SOC engagements.
b. Be associated with a firm (or all firms if associated with more than one firm) that
has received a report with a peer review rating of pass
2
for its most recent System
2
A peer review report with a rating of pass was previously referred to as an unmodified report (with or without a letter
of comments). If a firm’s most recent peer review rating was a pass with deficiencies or fail, the firm’s members are
not eligible to perform peer reviews.
51
Review that was accepted timely, ordinarily within the last three years and six
months.
c. Not be associated with an engagement that was deemed not performed or
reported on in accordance with professional standards in all material respects on
the specialist’s firm’s most recently accepted peer review.
d. Possess current knowledge of professional standards applicable to SOC 1 and/or
SOC 2 examinations, including Type 1 and Type 2 reports, qualified and
unqualified reports, carve in/carve out engagements and engagements with and
without relevant user entity controls.
e. Have at least five years of recent experience in the practice of public accounting
with a minimum of 500 hours of SSAE 16/SOC 1 and/or SysTrust/SOC 2
examinations.
f. Have provided the AE with information that accurately reflects the qualifications of
the specialist, which is updated on a timely basis.
Back to top
APPENDIX C
Resources, Publications and Important Website Links
Resources and Tools
AICPA Peer Review Program Manual (Manual)
This Manual provides up-to-date standards, policies, procedures, checklists, and
programs for use when arranging, administering and carrying out a peer review. You can
choose to purchase a subscription to the entire Manual. Alternatively, some sections of
the Manual are available online at no charge at:
aicpa.org/interestareas/peerreview/resources/peerreviewprogrammanual.html
Back to top
Hiring A Quality Peer Reviewer
How to Hire a Quality Peer Reviewer: Your Guide to the Selection Process is intended to
help firms understand the importance of having a quality peer review, hiring a quality peer
reviewer, and evaluating reviewer qualifications. Questions to Consider When Vetting
Prospective Peer Reviewers includes questions to ask regarding whether the reviewer is
a peer, timing and cost, evaluating competency, asking for references, and interviewing
reviewers. These resources are available for download on the AICPA’s website.
Back to top
Important AICPA Website Links
The AICPA website is: aicpa.org
52
Find information regarding the Program: aicpa.org/interestareas/peerreview.html
Find the Peer Review Program Standards, Interpretations and other relevant guidance:
aicpa.org/research/standards/peerreview.html
Find information regarding the quality management standards as well as news and
resources related to those standards:
aicpa-cima.com/topic/audit-assurance/quality-management
Find Peer Reviewer Training Courses:
aicpa.org/interestareas/peerreview/cpeandevents.html
AICPA Peer Review Staff Contact Information:
aicpa.org/InterestAreas/PeerReview/Community/Links/Pages/sources1.html
AICPA Peer Review Program Administering Entity Contact Information:
aicpa.org/interestareas/peerreview/community/links/pradministeringentities.html
AICPA Peer Reviewer Database and Public File: peerreview.aicpa.org
AICPA Newsletters: aicpa.org/publications/newsletters.html
Newly Released Ethics Rulings and Interpretations:
aicpa.org/interestareas/centerforauditquality/resources/caqauditlibrary/ethics-and-
independence.html
Government Audit Quality Center: aicpa.org/interestareas/governmentalauditquality.html
Employee Benefit Plan Audit Quality Center:
aicpa.org/interestareas/employeebenefitplanauditquality.html
Back to top
Other Important Website Links
General Accounting Standards Board: gasb.org
Federal Accounting Standards Advisory Board: fasab.gov
Government Auditing Standards (Yellow Book): gao.gov/yellowbook/overview
Office of Management and Budget (Grants Management): whitehouse.gov/omb/
Information on State Boards/Societies:
aicpa.org/advocacy/state/statecontactinfo.html
Public Company Accounting Oversight Board: pcaobus.org
53
Back to top
