Construction Audit Issues Update
AGC Financial Issues Forum
January 9, 2014
Presented By: Tim Wilson
Agenda
• AICPA Audit Risk Alert
 Accounting and Auditing issues
• Auditor Risk Assessment Approach
• Enterprise Risk Management
• IT Risk
• Governance
AICPA Audit Risk Alert
• AICPA publishes annually
• Focus is to help auditors better understand
business, economic and regulatory environment
• Understanding audit risk is the key
• Combines Real Estate and Construction
Real Estate Market Conditions
• Keep an eye on residential
• Commercial Strength – Q3 of 2013
 Industrial availability – 11.7%, 130bps under 2012
 Retail availability – 12.2%, 70bps under 2012
 Apartment vacancy – steady at 4.6%
 Office vacancy – 15.1%, 50bps under 2012
 Hotels – 35.8% growth in rooms under construction
Construction Market Conditions
• Total construction starts up 6% over 2012
 Residential up 25%
 Non-residential building up 8%
 Non-building down 15%
 Excluding electric utility category total is up 14%
Economic and Industry Risks
• Debt modifications
• Debt covenants
• Decreased margins
• Subcontractor concerns
• Warranty claims and change orders
Accounting Developments
• AICPA FRF for SME’s
• FASB/PCC for nonpublic companies
• ASU 2013-02 – Reclasses of AOCI
 Public – 12/15/12, Nonpublic – 12/15/13
• ASU 2013-03 – Disclosures related to fair value
for nonpublic companies – effective on issuance
• Other narrow subjects
Auditing Developments
• Continued push towards risk based auditing
• Clarity standards
 Larger focus on planning, interim testing, analyzing risk
of material misstatement (RMM)
 Group audit issues and materiality
 Component auditors
 Related party transactions
Common Issues in Peer Review Findings
• Subsequent event date disclosures and
evaluation
• Lack of disclosure of open tax years
• Documentation on expectations for analytics
• Documentation on risk assessment procedures
• Engagement letters not updated
Risk Assessment Approach
• Looking for RMM in the financials
• Control Risk
 Usually assessed as high unless testing key controls for
operating effectiveness
• Inherent Risk
 Must understand transactions that flow thru
• Any stories from 2012 audits?
Enterprise Risk Management
• Boards and audit committees are becoming more
involved – governance
• Integrated approach for companies to assess risk
and controls
• More than financial risks
• Not just for public companies
• Treadway Commission (COSO) – 2004 Report
Enterprise Risk Management
• Integrated Approach
 Operational
 Financial
 Strategic
 Regulatory
 Technology
Components of Enterprise Risk Management
• Internal Environment – the tone
• Objective Setting – must exist to understand risk
• Event Identification – internal and external
• Risk Assessment – analyze likelihood and impact
• Risk Response – align response with tolerances
• Control Activities – policies and procedures
Components of Enterprise Risk Management
• Information and Communication – important
process to allow flow of information
• Monitoring – ERM must be monitored and
modified
IT Risk
• Anybody seen the headlines lately?
• Do you know where your risks are?
• More mobile technology in construction
• Remote job sites
• Vendor/subcontractor connectivity
IT Risk
• Should review IT risk in all areas
 Identity theft
 Physical security
 Logical security
 Business continuity planning
 Information security
 Vendor management
 Internet security
Social Engineering
• Obtaining confidential information thru user
manipulation
 Simulated pretext phone calls
 Spoofing
 Phishing
 Physical access attempts
 Malware
 Counterfeit websites for security testing
IT Risks
• Network scanning
 Beginning step for full penetration testing
• Vulnerability Scanning
 Network hosts, services, operating system, applications
• Penetration Testing
 Combination of network and vulnerability scanning –
the true hacking approach
Governance
• Auditors are much more focused on the “Tone at
the Top”
• Active board and audit committees are good!!
• Closely aligned with ERM
• Open discussion on best practices