The objective of a financial statement audit is the expression of an opinion by an independent accountant as to whether a company’s financial statements and financial statement disclosures are fairly presented under the U.S. generally accepted accounting principles.
10 FAQs to ask when preparing for a financial statement audit
1. Does my company need a financial statement audit?
A privately-held healthcare company may be required to obtain a financial statement audit for compliance with third-party debt covenants, operating agreements, state regulations, private equity requirements and many other reasons. Consider asking your legal counsel or executive officers to determine if any requirements are applicable to your company. If applicable, ensure all parties confirm and understand the related timing requirements (i.e. 90 or 120 days after the company’s fiscal year-end).
2. What is the product of a financial statement audit?
At the conclusion of an audit, the company’s financial statements will include an independent auditors’ report. A clean auditors’ opinion is known as an “unmodified” opinion which states that the financial statements are fairly presented, in all material respects, under generally accepted accounting principles.
Governance letters will also be provided to management at the conclusion of an audit as a means of communicating additional information. Governance letters may include recommendations to management on where process or policy improvements could be made, particularly as they relate to the internal control environment and other areas that could have an impact on financial reporting. Such recommendations provide further value to the company in addition to the auditors’ report on the financial statements.
The audit team should also be available to present the audited financial statements and governance letter to the company’s board of directors or audit committee at the conclusion of the audit, if so desired.
3. How should we identify a firm to assist us in a financial statement audit?
Look for these key qualities to find the best partner for you:
- What is their experience? A wide range of experts should be utilized on an engagement, preferably with knowledge of the healthcare industry.
- Are they reputable? Professional and proficient services delivered in a timely and coordinated manner should be the standard. Consider requesting a Statement of Qualifications (SOQ) from each firm under consideration. An SOQ will give you additional information about the firm’s expertise and references of other companies with whom they work.
- Does the firm serve in an advisory capacity? A well-managed audit team should be consultative, knowledgeable of new or upcoming accounting literature changes, and informed on industry changes in order to assist companies in meeting and maximizing their long-term goals and objectives.
4. How do we prepare for a financial statement audit?
Based on general perceptions, many see the word “audit” and associate it with a negative connotation. Whether financial statement audits are viewed by accounting teams as a necessary evil or not, the primary goal of auditors is to help our clients ensure their financial statements are materially accurate and provide the data and operating insights necessary for financial executives to make informed company and management decisions.
As deadlines for privately-held fiscal year audits come to a close, we interviewed two LBMC clients who completed their first audits to ask what advice they would give others to aid in their first-year audit preparation. While an audit opinion is an ultimate deliverable, we always want to find a solution to make the process of completion as efficient and effective as possible.
Managing PBC Request Lists and Information
At the onset of an engagement, LBMC provides a PBC list (“prepared by client”) to company management. While not fully comprehensive in a first-year audit, this generally provides a detailed list of initial information we need to begin the audit and is organized by financial statement audit area. In preparing for the audit, we ask questions to determine the types of requests needed to address risks and key audit areas identified.
PBC list recommendations include:
1. Maintaining information electronically, which provides for easy upload to audit share sites
While most companies are moving towards maintaining electronic financial records instead of paper records, smaller start-up companies may not have a formal reconciliation and document retention process due to lack of resources. As your company prepares for the initial audit, consider scanning information electronically or moving to electronic records when available to provide for a smoother transition.
2. Reviewing the PBC list directly with the auditors
Review the PBC list with the auditors to identify items that are not driven by existing company reconciliations/analyses and begin working on those items first as they typically require more preparation time.
3. Asking for further clarity when the purpose of a request is unknown.
Additionally, consider asking the auditor follow-up questions to requests that aren’t clear, as there may be an easier way to provide the requested information or an alternative based on how the company typically reviews a certain metric. Discussions such as these with your auditors will not only reduce the preparation time on your end but also assist the auditors with understanding your business and metrics that are important to management.
Working through any issues or questions during the first year of an engagement will help make the PBC list more tailored to your company and easier to tackle in future years.
Preliminary Analytics
Clients have also expressed that performing analytics prior to the audit, similar to how the auditor would perform their independent analyses, would be beneficial.
For healthcare clients, these preliminary analytics around accounts receivable and revenue recognition would be advantageous, not only to the company but the auditor as well. This information will help prepare the client for questions that will arise during the audit.
Additionally, having client-prepared analytics as a reference during the audit can reduce the number of questions that are sent back to the client for further research, as the work has already been done!
Auditors also tend to analyze financial results from a different perspective and provide a different viewpoint to management. However, if an internal preliminary analysis has already been performed, it will be easier to compare the auditor’s analysis to the internal analysis and provide timely responses to questions.
Whether it’s an in-depth review of accounts receivable or a trended income statement variance analysis, preliminary internal analytics before the auditor arrives will help in preparation for the follow-up questions that will arise during your financial statement audit.
Locating pertinent documents
Some of the first PBC items requested during an audit relate to the company’s formation and operating documents, significant contracts, lease agreements, buy/sell agreements, as well as related amendments. As most of these documents are not referred to daily, locating them can sometimes prove to be challenging. If a financial statement audit is in your company’s future, making efforts now to locate and retain these documents in an easily accessible location can save time when the audit is upon you.
Documenting company policies and procedures
As part of a financial statement audit for a private company, auditors are required to obtain an understanding of the company’s internal control environment. As part of these procedures, we typically request written documentation of the company’s significant policies and procedures. For healthcare companies specifically, the most significant areas would include the revenue and accounts receivable cycle and third-party settlements (if applicable). While documentation can require substantial efforts initially, taking the time to formally document policies around the company’s revenue recognition model, contractual allowance and bad debt reserve methodologies, and reconciliation procedures around accounts receivable and third-party settlement accounts will not only reduce effort required during the actual audit but will also help identify any breakdowns or weaknesses in the company’s internal control environment, again ensuring the company is audit-ready. Additionally, if comprehensively drafted, documentation can include the company’s important key metrics, payor-specific information, important vernacular, etc. and double as a convenient resource for internal employees.
While a first-year audit will require additional time and employee resources than an accounting department may have previously anticipated, hopefully, these pieces of advice from other healthcare companies which have just completed their first-year audits will help prepare you and your company to be a step closer to becoming audit-ready when the time arises. Learn more about new revenue recognition standards and what you need to know.
5. How will our accounts receivable and revenue recognition policies be tested?
The accounts receivable valuation is typically one of the largest and most important pieces of a healthcare company’s financial statement audit. The accounts receivable and revenue recognition is typically testing during planning and final fieldwork. Auditors will request process narratives surrounding the revenue and billing cycle in order to develop the appropriate audit procedures.
6. How will information that contains PHI be shared between our company and the auditors?
PHI data is valuable on the black market because it is very personal static data which allows hackers to easily steal someone’s identity. Be sure the firm you choose utilizes secure software such as Smartsheet™ and Sharefile™ for confidential file transmission.
Our Information Security team recommends these five things to safeguard PHI Data:
- Use multi-factor authentication, or even token-based authentication. This is particularly important for reducing vulnerabilities that exist with remote access.
- Utilize better encryption. While stronger encryption is an important way to safeguard data, it’s only effective when paired with careful key management. The devil is in the details and the execution of stringent key management is necessary or the encryption becomes useless.
- Improve anti-phishing controls. This is the easiest entry point for thieves. It is well worth the time to implement training programs. The most effective method utilizes programs that are set up internally to mimic phishing attacks. This has been shown to be very effective at raising awareness of how to spot phishing attacks and train employees on how to avoid them.
- Enact network segmentation. This is another method companies can use to silo more sensitive data behind more stringent security controls in conjunction with multi-factor authentication.
- Add monitoring systems. By implementing monitoring systems you are able to more quickly detect and respond to attacks. Faster MTTD (Mean Time to Detect) translates into faster MTTR (Mean Time to Respond) and allows you to isolate and minimize the damage.
7. How long does an audit typically take?
The duration of an audit can vary depending on the company. Typically, an audit timeline is included with the proposal for the audit services and agreed upon by management and the audit firm ahead of beginning the engagement. Generally, the audit process is separated into three phases:
- Planning: The planning phase would typically include devoted time onsite with management and the accounting teams to gain an understanding of the business operations, key risk factors and general management controls. This time may also encompass documentation of processes and flow of transactions, testing of certain controls, testing of significant transactions during the year and interim review of significant financial statement areas. Planning typically occurs several months prior to the end of a company’s fiscal year.
- Fieldwork: The fieldwork phase is typically completed onsite with the duration dependent on the size of the company. Management should anticipate at least one to two weeks of onsite fieldwork. During this time, auditors perform final audit fieldwork and substantive audit procedures on financial statement accounts and balances. Fieldwork typically occurs within a few months of the end of a company’s fiscal year.
- Wrap-up: The wrap-up phase includes primarily assistance with and/or review of the company’s financial statements as well as audit file documentation steps.
8. Who will be to be involved for onsite planning and final fieldwork?
Depending on the company, we generally include the CFO, CEO, controller, accounting manager, compliance officer, human resources representative and staff and senior accountants, as applicable, in various discussions during the audit process.
9. Who prepares the company’s financial statement? The firm or the company?
The firm should be happy to assist with the company’s preparation of the financial statements. However, the management of the company is responsible for the financial statements and any accompanying information. As such, management must assume all responsibilities relating to the financial statements and related notes.
10. Will the firm assist with new accounting pronouncement implementation and/or offer technical accounting support?
Yes, the firm’s healthcare industry experts should be available to assist with consultation regarding new and upcoming accounting pronouncements as well as other technical accounting issues. However, as with financial statement preparation, management must assume responsibility for all decisions reached.
Laura McGregor is a Senior Manager in LBMC’s Audit and Advisory practice. She can be reached at lmcgregor@lbmcstage2.webservice.team.