audit walkthrough
Oct 23

How to Document Audit Walkthroughs

By Charles Hall | Accounting and Auditing, Risk Assessment

How do you document your audit walkthroughs? Is it better to use checklists, flowcharts or summarize narratively?


Audit Walkthrough Documentation

While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my favorite is a narrative mixed with screenshots.

So how do I do this?

I interview personnel. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes may require several interviews. 

Early on, I may not know how each person’s work fits into the whole. It’s like gathering puzzle pieces. The interviews and information may feel random, even confusing. But, later, when you put the parts together, the picture speaks more clearly. Then, you’ll understand the accounting system and control environment.

As you perform a walkthrough, remember your goals: to understand the accounting system and to see if internal controls exist. You also want to see if the controls are properly designed. The walkthrough is a risk assessment procedure. It tells us where risks are. If, for example, the disbursement cycle lacks appropriate segregation of duties, we want to know this. Once we know what the risks are, we assess the risk of material misstatement and plan our audit.

My Walkthrough Tools

I document the conversations using:

  • A Livescribe pen
  • My iPhone camera

Taking Notes

Using a Livescribe pen, I write notes and record the conversations.

I begin the interview by saying, “Tell me what you do and how you do it. Treat me as if I know nothing. I want to hear all the details.” (For sample transaction-level walkthrough questions, see my audit series titled The Why and How of Auditing.)

As I listen, I write notes. At the same time, my Livescribe pen records the audio. Later the conversation can be played from the pen. (For more information about Livescribe, see my article: Livescribe, Note Taking Magic (for CPAs). )


I find that most interviewees talk too fast—at least faster than I can write. As I’m writing about the last thing they’ve said, they are moving to the next, and I fall behind. So I write simple phrases in my Livescribe notebook such as:

  • Add vendor
  • Charlie opens mail
  • P.O. issued by Purchasing
  • Checks signed by the computer

Later, as I’m typing the walkthrough narrative, I touch the letter “A” in “Add vendor” with the tip of my pen (I’m doing so in my Livescribe notes). This action causes the pen to play the audio for that part of the conversation. Likewise, touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play that part of the discussion. Since the audio syncs with my notes, I can hear any part of the discussion by touching a letter with my pen.  

Taking Pictures

In addition to writing notes in my Livescribe notebook, I take pictures with my iPhone. Of what? Here are examples (from a payables interview):

  • Invoice with approver’s initials  
  • Screenshot of an invoice entry  
  • If several people are processing invoices, I take a group picture of them at their desks
  • A signed check 
  • The bank reconciliation 

So my inputs into the walkthrough document are as follows:

  • Livescribe notes and audio
  • Photos of documents and persons 

Walkthrough Summary

I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:

  • Narrative
  • Pictures
  • Control identification
  • Control weakness identification

Why identify control deficiencies in the walkthrough? So I can link them to the audit procedures to be performed—what audit standards refer to as “further audit procedures.” The system’s strengths and weaknesses tell me where to conduct substantive procedures.

Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So, at the top of the transaction cycle description, I name the persons I interviewed and the date of the conversation. For example:

Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2019. 

Identification of Controls and Control Weaknesses

I note appropriate controls as follows: 

Control: The addition of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.

I note control weaknesses as follows:

Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account. 

Response to Risk

The control weakness created by Johnny Mann’s duties increases the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:

  • Review one month’s cleared checks for appropriate payees. 

How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate.

Communication of Control Weaknesses

Though this article focuses on planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.

The words Control Weakness (as shown above) make it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies so I can track the disposition of each one. Each weakness is a:

  1. Material weakness
  2. Significant deficiency, or
  3. Other weakness 

I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers). 

For more information about how to categorize control weaknesses, click here.

See my other walkthrough posts:

Why Should Auditors Perform Audit Walkthroughs?

How to Identify Risk of Material Misstatements with Walkthroughs

Lease accounting effective date
Oct 23

Effective Date of Lease Standard Delayed

By Charles Hall | Accounting

Lease Dates

FASB voted to delay the effective date of the lease accounting standard. For private companies, the effective date will be fiscal years beginning after December 15, 2020. This is a one-year extension.


FASB is now drafting an Accounting Standards Update (ASU) that will change the effective date. The formal ballot for this ASU is expected in November.

The ASU will result in effective dates as follows:

  • SEC filers: The lease accounting effective dates would remain for fiscal years beginning after December 15, 2018.
  • Private companies and all others: The lease accounting effective dates would be delayed one year to fiscal years beginning after December 15, 2020. 

Early adoption options remain the same.

CECL and Hedging Dates

Additionally, FASB voted to delay the effective dates for hedging and the credit loss standard. The Journal of Accountancy provides details on these extensions.

Oct 05

A Fraudster’s Refuge: The Appalachian Trail

By Charles Hall | Asset Misappropriation

Some fraudsters funnel money into fraudulent bank accounts. Today, I show you how one controller did so and walked away with millions.



The Theft

In May 2015 James Hammes was arrested for the theft of $8.7 million from his former employer, G&P Pepsi-Cola Bottlers. After Mr. Hammes was confronted about the theft in February 2009, he left his home and hid on the Appalachian Trail, which runs from Georgia to Maine. Hammes assumed a hiking name of “Bismarck” and spent several years on the popular trail. Fellow hikers enjoyed Bismarck since he seemed to be one of them.

How the Funds Were Stolen

The FBI reported the following:

Court documents show that Hammes’ embezzlement began around 1998. As a controller, he was responsible for all financial accounting and internal controls for his division, including supervising accounts payable to several hundred outside vendors. He carried out the fraud by establishing a new bank account for an existing vendor at a different bank. He then deposited hefty payments to that vendor—often $100,000 at a time—in the phantom account that he alone controlled. He then could transfer money from the phantom account to his personal accounts.

“He knew how to cover his tracks by manipulating audits and ledger entries,” Jones said. “He got away with it for so long because he knew how to manipulate his subordinates and how not to raise accounting red flags.”

So, Hammes opened a fraudulent bank account at another bank (one the company did not use) and deposited vendor checks into that account. Then he transferred funds out of the fraudulent bank account to himself.  Since he opened the account, he was the authorized check signer. Simple but effective.

The Weakness

If extra payments were made to vendors (and it appears that occurred), then the company may not have been reviewing vendor payments. If appropriate controls are not in place, it’s easy for a fraudster to make fraudulent vendor payments without detection, especially if hundreds of monthly checks are processed.

Also, it appears the company may have lacked sufficient segregation of duties since Hammes was able to disburse extra vendor payments without detection.

The Fix

Periodically, review the total payments made to each vendor. For example, generate the total monthly payments made to XYZ Company. Then compare the monthly payments over a two- to three-year period. If payments dramatically increase, then someone within the company may be making additional payments and stealing those checks. Or there may be a legitimate reason for the increase. Either way, it’s wise to review vendor payments for anomalies.

You might also contact your company’s bank (and other local banks) and ask for a list of accounts in your company’s name. Then compare that list to your general ledger to see if the accounts match. If mismatches are present (there’s a bank account listed but no corresponding account in the general ledger), follow up to see why.

Positive pay is another strong payables processing control.
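The two reviews described in this section can be run over an exported disbursement ledger. The following is an added example, not code from the original article: the ledger rows, account numbers, the 12-month window and the 2x ratio are all constructed assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median


def month_range(first, last):
    """Yield every (year, month) from first to last, inclusive."""
    y, m = first
    while (y, m) <= last:
        yield (y, m)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def monthly_totals(payments):
    """Total disbursements per vendor per (year, month)."""
    totals = defaultdict(lambda: defaultdict(float))
    for paid_on, vendor, amount in payments:
        totals[vendor][(paid_on.year, paid_on.month)] += amount
    return totals


def flag_payment_spikes(payments, window=12, ratio=2.0):
    """Flag vendor-months whose total exceeds `ratio` times the median of the
    months with payments in the preceding `window` months (assumed thresholds)."""
    totals = monthly_totals(payments)
    all_months = [mo for per_vendor in totals.values() for mo in per_vendor]
    months = list(month_range(min(all_months), max(all_months)))
    flags = []
    for vendor in sorted(totals):
        series = [totals[vendor].get(mo, 0.0) for mo in months]
        for i in range(window, len(months)):
            history = [t for t in series[i - window:i] if t > 0]
            if not history:
                continue  # no baseline yet (new or dormant vendor)
            baseline = median(history)  # median resists earlier spikes
            if series[i] > ratio * baseline:
                flags.append((vendor, months[i], series[i], baseline))
    return flags


def unrecorded_bank_accounts(bank_confirmed, general_ledger):
    """Accounts a bank lists in the company's name that have no matching
    cash account in the general ledger."""
    def norm(number):
        return "".join(ch for ch in number if ch.isalnum()).upper()
    recorded = {norm(n) for n in general_ledger}
    return sorted(a for a in bank_confirmed if norm(a) not in recorded)


def sample_ledger():
    """Constructed data: three years of steady payments to two vendors,
    plus two extra $100,000 payments to XYZ Company in 2019."""
    rows = []
    for year in (2017, 2018, 2019):
        for month in range(1, 13):
            rows.append((date(year, month, 15), "XYZ Company", 20_000))
            rows.append((date(year, month, 20), "Acme Supply",
                         5_000 + 250 * (year - 2017)))
    rows.append((date(2019, 3, 28), "XYZ Company", 100_000))
    rows.append((date(2019, 8, 29), "XYZ Company", 100_000))
    return rows


if __name__ == "__main__":
    for vendor, (year, month), total, baseline in flag_payment_spikes(sample_ledger()):
        print(f"{vendor} {year}-{month:02d}: paid {total:,.0f}, "
              f"typical month {baseline:,.0f}")
    # Constructed account numbers: bank confirmation list vs. general ledger.
    print(unrecorded_bank_accounts(["1001-2233", "1001-2234", "7788 9900"],
                                   ["10012233", "1001-2234"]))
```

A flagged month is a prompt for follow-up, not a finding: the increase may have a legitimate explanation.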

correction of an error
Oct 04

Correction of an Error in Financial Statements

By Charles Hall | Accounting and Auditing

A correction of an error--also referred to as a prior period adjustment--is sometimes necessary. But when should such a correction be made? And are there situations where a prior period adjustment is improper? 

Below I explain what a correction of an error is, when it's appropriate, disclosure requirements, and implications for auditors.


Correction of an Error

In comparative statements (when two or more years are presented), the correction of a prior period error affects the prior period financial statements and opening balances in the current year. In single-year statements, the correction affects opening balances. Here's an example.

If Mountain Bikes, Inc. failed to accrue its last two weeks’ payables in the prior year, a correction might be needed. Why do I say might? Well, if the amount is not material, then the correction of the error may not be required. If the amount is material, then a correction is necessary.

Suppose you are auditing the financial statements of Mountain Bikes, Inc. for the year ended December 31, 2019, and you discover an error made in the December 31, 2018 financial statements. December 31, 2018 payables of $1 million were not accrued (and the amount is material). In this example, the invoices supporting the $1 million error existed and were on hand during last year’s audit, but, for whatever reason, the amount was not accrued. And the misstatement was not detected by the audit. Now, it's necessary to make a prior period adjustment.

If Mountain Bikes, Inc. provides comparative financial statements, the restated 2018 numbers must reflect the additional $1 million in payables and expenses. This adjustment will of course decrease net income for 2018 and retained earnings. So opening retained earnings (January 1, 2019) will decrease $1 million. The adjustment should not affect net income in 2019. 

Before suggesting any corrections, discuss them with your audit client.

Discuss the Error with Management

It’s time to discuss the error with management or the owners. Why? You want to make sure the error is real. If management disagrees, they will tell you, and they will provide an explanation. But if management agrees, it’s time to propose a prior period adjustment (technically referred to as a restatement in the FASB Codification).

Correction of Error Defined

FASB defines a correction of an error as follows:

An error in recognition, measurement, presentation, or disclosure in financial statements resulting from:

  • mathematical mistakes, 
  • mistakes in the application of generally accepted accounting principles (GAAP), or 
  • oversight or misuse of facts that existed at the time the financial statements were prepared. 

Correction of an Error Disclosures

If Mountain Bikes, Inc. presents single year financial statements, the prior period adjustment affects just the opening balance of retained earnings (January 1, 2019, in this example). The company should still provide a disclosure explaining the prior period adjustment.  

What should be in the note?

Provide a description of the nature of the error. For example, "The Company failed to record $1 million in payables as of December 31, 2018."

When comparative statements are provided, disclose the prior year numbers compared to the corrected numbers for each affected financial statement line item. (Consider displaying three columns: the uncorrected numbers as stated previously, the corrected numbers, and the difference.) FASB specifically requires disclosure of changes to retained earnings or other equity accounts for each prior period presented.

If a single period financial statement is issued, disclose the effects of the restatement on beginning retained earnings and net income from the preceding period. 

Correction of Errors and Auditing

If you are the auditor, consider whether the error was intentional (fraudulent). What if, for example, the recording of the 2018 payables would have adversely affected the company's compliance with debt covenants? Then the understatement of payables may have been intentional.

Regardless, now that the misstatement is known, a prior period adjustment is necessary. Either management makes (accepts) the adjustment or you will need to qualify your opinion. Or, depending on the facts, withdrawal might be necessary. If the prior period adjustment is not made, you may need to contact your attorney and insurance company.

Additionally, if fraud is suspected in the prior period (2018, for example), it will have a bearing on the current year planning and risk assessment. You may be thinking, “But what if I discovered the error while performing the 2019 audit?” In other words, this potential fraud was not known during your 2019 audit planning. What then? Return to your audit plan and adjust accordingly. The audit plan is not static. It is living. The plan should reflect the facts, regardless of when they are discovered—in the early stage of the engagement or later.  

If you believe the prior year misstatement was intentional (fraudulent), then incorporate this element in your current year audit planning and responses.  

When a Prior Period Adjustment is not Merited 

Sometimes there is no error as defined above. If so, a prior period adjustment should not be made. For example, suppose the allowance for uncollectibles as of December 31, 2018 was adequate based on the facts that existed when the financial statements were created. However, in August 2019 (after the issuance of the 2018 statements) the company realizes it will not collect a material 2018 receivable, one that was previously believed to be collectible. Now what? Well, the allowance for uncollectibles should be adjusted in August 2019. A prior period adjustment should not be made. Changes in estimates are prospective. 

Sometimes a company might desire a prior period adjustment though one is not merited. Why? It’s a way to sweep problems under the rug. Consider the example in the prior paragraph. If the company incorrectly records the bad debt as a restatement of the January 1, 2019 retained earnings, the expense does not appear in the 2019 income statement. Now, if a single-year presentation is provided, the bad debt expense does not appear in the 2018 or 2019 income statements. (A correction of an error disclosure is required. But some companies don’t mind as long as net income isn't adversely affected.) 

Consider that bonuses may be based on net income. If so, this sleight of hand could result in extra (fraudulent) compensation. A prior period adjustment might be desired for other reasons as well. Maybe the owners are sensitive to net income or management doesn’t want the embarrassment of declining net income. Whatever the reason, a correction of error should be made only when required by generally accepted accounting principles.

internal controls
Sep 26

Internal Controls: How to Understand and Develop

By Charles Hall | Accounting and Auditing, Risk Assessment

Many CPAs don't understand internal controls. Sure, we know that segregation of duties is a positive, but we are sometimes unaware of internal control weaknesses though they lie right before us. Why is this? Well, there are about a million ways that an accounting system can be designed, and no two businesses are the same. So seeing control weaknesses can be challenging. 


If you work for a business, you need to understand controls so you can build a safer accounting system.

If you are an auditor, you need to understand controls so you can appropriately design your audit. 

Today, I show you how to design an accounting system with sound internal controls. And if you are an auditor, you'll better understand how to see control weaknesses. We'll start with the COSO framework and later we'll examine the importance of separation of duties.

The focus of this article is building an internal control structure that ensures financial statement accuracy and prevents fraud.

COSO Internal Control Framework

COSO provides a framework for developing internal controls. Think of this framework as your ecosystem to ensure a healthy internal control system. The five elements of the framework are:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Monitoring 
  5. Communication and information

Though accountants and auditors tend to focus on the third element, control activities, all five are important in the development of a sound internal control system. 

1. Control Environment

Control environment is often referred to as tone at the top. It's the leadership part of the organization, and it's here that internal controls live or die. 

If you are a board member, demand internal control reports from management. Those reports should explain the organization's processes and controls as well as monitoring activities. In other words, management should demonstrate not only that controls exist, but that they are working.

My experience with boards is they often don't think about internal controls until it's too late. When fraud happens, then the board wants to know how it happened and why. Boards need to know what is happening and why, before theft occurs. Then they can devote enough resources--hire the right people with the right experience--to ensure system development and monitoring.

Developing a strong internal control system is an ongoing process. Companies need to constantly evaluate their accounting system and its operation. How? First, by performing risk assessments. 

2. Risk Assessment

An organization should determine if its accounting system allows misstatements. How? By examining the various transaction cycles such as billing and receipting; payables and disbursements; and payroll. As you examine each transaction cycle, ask what can go wrong?  Then create controls to address accounting system weaknesses.

Are daily receipts being reconciled to the general ledger? If not, then develop a control requiring that this be done. Are new vendors vetted for appropriateness? If not, require procedures to ensure the propriety of new vendors. (My book, The Why and How of Auditing, provides lists of questions to ask by transaction cycle. You'll find it on Amazon.)

The risk assessment process naturally leads to the development of appropriate controls. Once you know what can go wrong, you fix it by developing a control. This is the third element of COSO: control activities.

3. Control Activities

Control activities is the core component of internal controls. This is where the action is, where you develop your controls. The other four components of COSO (control environment, risk assessment, monitoring, and communication) support this central core. Examples of control activities include:

  • Bank reconciliations
  • Purchase orders
  • Signatures on checks by authorized personnel
  • Review of cash receipting activity by the receipts supervisor (after cash drawers are balanced at the end of a shift)
  • Periodic physical inventories of plant, property, and equipment 
  • Reconciliation of debt in the general ledger to amortization schedules

In risk assessment, we determine what could go wrong. Now we create a control to lessen the risk that the event could occur. For instance, with regard to cash, we might think, "cash balances could be incorrectly stated." Therefore, we implement a control--bank reconciliations--to ensure correctness.

Separation of accounting duties is important in regard to control development. We'll discuss that area in more detail below.

4. Monitoring

Once controls are in place, you want to monitor them to ensure their use. What good is a control if it is not performed? An example of monitoring is having a supervisor inspect bank reconciliations to ensure that they were created (and that they are correct). 

So, the idea here is you develop internal controls and then monitor them. Why? To ensure the control is in use and that it is performed correctly.

Next, document the accounting system and controls to make them understandable. 

5. Communication and Information

In the fifth COSO element, we are documenting the internal control system. You can document the controls in several different ways including:

  • Memos
  • Flowcharts
  • Formal manuals
  • In Excel workbooks
  • Mindmaps

Which is best? That depends on the complexity of your system. Small organizations can use simple memos. Large entities should create formal manuals. 

What is the goal? To make sure everyone understands how controls work and the reason for their existence.

In many organizations (especially smaller ones), controls are never written down. They are passed down. What do I mean? When a new accountant is hired, he or she is told what to do. Often there is no manual explaining procedures and controls. These oral instructions may not explain why internal controls are performed or how they interact with other parts of the accounting system. Consequently, new employees blindly follow oral instructions without understanding their importance. Worse yet, some don't perform the controls at all. 

An added benefit of documenting controls is it makes system weaknesses more transparent. For instance, if you are documenting your accounts payable system, you might realize that an inappropriate person can add vendors. Or you might see that the payables process lacks segregation of duties.

Now let's take a look at a key feature of developing an internal control system: separation of accounting duties. 

Separation of Accounting Duties

In the third COSO element above (control activities), we mentioned separation of accounting duties (also known as segregation of duties). What is this? It's dividing accounting responsibilities among multiple people in order to enhance safety. More eyes equals greater safety. Why? Well, if a mistake or theft occurs, it is more likely to be seen. 


There are four actions that are performed in most accounting transaction cycles. They are:

  1. Authorization
  2. Bookkeeping
  3. Custody
  4. Reconciliation

A potential fraud danger exists when one person performs two or more of the above. For example, if Mark enters payments in the accounting system (bookkeeping) and signs checks (authorization), there is a threat that Mark will write checks to himself--especially if he knows that no one compares cleared checks to the general ledger.

The determination of whether danger exists is dependent on the full picture. If Mark knows that Joan--the person reconciling the bank statement--compares cleared checks to the general ledger and that she reviews the payees on each check, then the danger of theft goes down. If Joan just compares the amount on the bank statement to the general ledger (and does not review the payee on the cleared check), the danger increases.

If all four of the above actions are performed by one person, then a significant control weakness exists. Auditors call this a material weakness. In such situations, it's advisable to include additional personnel in the accounting system. Why? So duties can be separated among various people. 
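The duty analysis above can be applied mechanically to a list of who does what in a transaction cycle. This is an added example, not code from the original article: the task names, the mapping of check stock to custody and of payee review to reconciliation, the finding labels, and the person "Pat" are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed mapping of disbursement-cycle tasks to the four duty types.
# "signs checks" and "keys invoices" follow the article's own examples;
# the remaining entries are assumptions of this example.
TASK_DUTY = {
    "signs checks": "authorization",
    "keys invoices": "bookkeeping",
    "holds check stock": "custody",
    "reconciles bank account": "reconciliation",
    "reviews payees on cleared checks": "reconciliation",
}
PAYEE_REVIEW = "reviews payees on cleared checks"


def assess_cycle(assignments):
    """assignments: iterable of (person, task) pairs for one transaction cycle.
    Returns {person: (sorted duty types held, finding)}."""
    duties = defaultdict(set)
    tasks = defaultdict(set)
    for person, task in assignments:
        duties[person].add(TASK_DUTY[task])
        tasks[person].add(task)

    findings = {}
    for person, held in duties.items():
        # Does someone other than this person look at payees on cleared checks?
        independent_review = any(
            PAYEE_REVIEW in their_tasks
            for other, their_tasks in tasks.items() if other != person
        )
        if len(held) == 4:
            finding = "all four duties"
        elif len(held) >= 2:
            finding = ("conflict, independent payee review"
                       if independent_review
                       else "conflict, no independent payee review")
        else:
            finding = "single duty"
        findings[person] = (sorted(held), finding)
    return findings


def johnny_cycle():
    """Constructed from the control weakness note: one person does everything."""
    return [("Johnny Mann", t) for t in (
        "signs checks", "holds check stock",
        "keys invoices", "reconciles bank account")]


def mark_cycle(joan_reviews_payees):
    """Constructed from the Mark and Joan illustration; Pat is hypothetical."""
    rows = [("Mark", "keys invoices"), ("Mark", "signs checks"),
            ("Pat", "holds check stock"),
            ("Joan", "reconciles bank account")]
    if joan_reviews_payees:
        rows.append(("Joan", PAYEE_REVIEW))
    return rows


if __name__ == "__main__":
    for label, cycle in (("Johnny", johnny_cycle()),
                         ("Mark, payees reviewed", mark_cycle(True)),
                         ("Mark, amounts only", mark_cycle(False))):
        print(label)
        for person, (held, finding) in assess_cycle(cycle).items():
            print(f"  {person}: {', '.join(held)} -> {finding}")
```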

Some companies are unable to create separation of duties. Why? There may not be enough people to do so (it's hard to segregate duties with only one person in accounting) and it costs money to hire additional personnel. Without a sufficient number of people, it is difficult to design a safe environment. Even so, there are still ways to make your accounting system safer.

Financial Statement Misstatements

There are two ways that financial statements can be misstated: one is by mistake, and the second is intentionally. The first is just part of being human, the second is fraud. We need a system that reduces both threats. 

Misstatements Due to Mistakes

We all make mistakes. Entries are coded to the wrong chart of accounts line. We forget to enter an invoice in payables. We fail to reconcile our bank accounts. We use inappropriate revenue recognition methods.

How do we become aware of our mistakes? By review. These reviews are performed by the person that does the initial accounting work and by others--a supervisor, for example. The supervisor's review is an internal control. 

Some accounting systems point out our errors in real time. For example, if I try to enter the same invoice twice, the system will tell me. The accounting system notice is an internal control. 

So, internal controls can involve both humans (the review) and computers (input notices). The purpose of each is to ensure the correction of errors. 

Misstatements that are Intentional

Sometimes companies intentionally misstate their numbers. Why? Usually to make themselves look better than they are. If profits are declining, the CEO or CFO might pressure the staff to create fictitious entries. Consider that an organization can make one journal entry on the last day of a year to inflate its profits, such as:

                        Dr.            Cr.
Receivables      10,000,000
Revenue                         10,000,000

This is an example of financial statement fraud. Know that there are hundreds of ways that financial statement fraud can occur. Also understand that when assets are stolen from a business, fraudsters often hide theft with false accounting entries. 

In developing internal controls, you want to create a system that prevents these types of intentional misstatements. Even when a good accounting system exists, management override is always a concern. Consider the WorldCom fraud. What is management override? It's when management forces staff members to ignore internal controls and perform inappropriate procedures. 

Closing Comments

Now you have a better understanding of internal controls.

If you work for a business, nonprofit, or government, make your system better by applying these ideas.

If you're an auditor, use the above to assist you in your risk assessments and walkthroughs. (See my article about documenting your walkthroughs.)
