Construction Audit Issues Update

AGC Financial Issues Forum

January 9, 2014

Presented By: Tim Wilson

Agenda

• AICPA Audit Risk Alert Accounting and Auditing issues

• Auditor Risk Assessment Approach

• Enterprise Risk Management

• IT Risk

• Governance

AICPA Audit Risk Alert

• AICPA publishes annually

• Focus is to help auditors better understand business, economic and regulatory environment

• Understanding audit risk is the key

• Combines Real Estate and Construction

Real Estate Market Conditions

• Keep an eye on residential

• Commercial Strength – Q3 of 2013 Industrial availability – 11.7%, 130bps under 2012

Retail availability – 12.2%, 70bps under 2012

Apartment vacancy – steady at 4.6%

Office vacancy – 15.1%, 50bps under 2012

Hotels – 35.8% growth in rooms under construction

Construction Market Conditions

• Total construction starts up 6% over 2012 Residential up 25%

Non-residential building up 8%

Non-building down 15%

Excluding electric utility category total is up 14%

Economic and Industry Risks

• Debt modifications

• Debt covenants

• Decreased margins

• Subcontractor concerns

• Warranty claims and change orders

Accounting Developments

• AICPA FRF for SME’s

• FASB/PCC for nonpublic companies

• ASU 2013-02 – Reclasses of AOCI Public – 12/15/12, Nonpublic – 12/15/13

• ASU 2013-03 – Disclosures related to fair value for nonpublic companies – effective on issuance

• Other narrow subjects

Auditing Developments

• Continued push towards risk based auditing

• Clarity standards Larger focus on planning, interim testing, analyzing risk

of material misstatement (RMM)

Group audit issues and materiality

Component auditors

Related party transactions

Common Issues in Peer Review Findings

• Subsequent event date disclosures and evaluation

• Lack of disclosure of open tax years

• Documentation on expectations for analytics

• Documentation on risk assessment procedures

• Engagement letters not updated

Risk Assessment Approach

• Looking for RMM in the financials

• Control Risk Usually assessed as high unless testing key controls for

operating effectiveness

• Inherent Risk Must understand transactions that flow thru

• Any stories from 2012 audits?

Enterprise Risk Management

• Boards and audit committees are becoming more involved – governance

• Integrated approach for companies to assess risk and controls

• More than financial risks

• Not just for public companies

• Treadway Commission (COSO) – 2004 Report

Enterprise Risk Management

• Integrated Approach Operational

Financial

Strategic

Regulatory

Technology

Components of Enterprise Risk Management

• Internal Environment – the tone

• Objective Setting – must exist to understand risk

• Event Identification – internal and external

• Risk Assessment – analyze likelihood and impact

• Risk Response – align response with tolerances

• Control Activities – policies and procedures

Components of Enterprise Risk Management

• Information and Communication – important process to allow flow of information

• Monitoring – ERM must be monitored and modified

IT Risk

• Anybody seen the headlines lately?

• Do you know where your risks are?

• More mobile technology in construction

• Remote job sites

• Vendor/subcontractor connectivity

IT Risk

• Should review IT risk in all areas Identity theft

Physical security

Logical security

Business continuity planning

Information security

Vendor management

Internet security

Social Engineering

• Obtaining confidential information thru user manipulation Simulated pretext phone calls

Spoofing

Phishing

Physical access attempts

Malware

Counterfeit websites for security testing

IT Risks

• Network scanning Beginning step for full penetration testing

• Vulnerability Scanning Network hosts, services, operating system, applications

• Penetration Testing Combination of network and vulnerability scanning –

the true hacking approach

Governance

• Auditors are much more focused on the “Tone at the Top”

• Active board and audit committees are good!!

• Closely aligned with ERM

• Open discussion on best practices