Category Archives for "Accounting and Auditing"

Mar 23

Five Dirty, No Good, Terrible, Audit Habits

By Charles Hall | Auditing

Today I describe five dirty, no good, terrible, audit habits. 

Certain peer review deficiencies continue to persist. Today I tell you about a few and how you can stop them.

Have you ever had a bad habit? You eat too much, don't exercise enough, put your make-up on while driving to work (one I've never had, thankfully), spend too much money. Yes, we've all had bad habits.

Auditors have them as well. Some problems seem to never die. The AICPA periodically provides a list of peer review deficiencies. Here are five and what you can do about them. 

Bad Habit 1 - Skipping Risk Assessment 

Do you have the habit of starting your audit by testing bank reconciliations or reconciling equity accounts to the general ledger? 

Solution - Start in the right place. At the beginning. And where is the beginning? First acceptance and continuance. Then risk assessment. Resolve to perform the following before doing any substantive work:

  1. Perform acceptance or continuance procedures
  2. Gain an understanding of the entity and its environment
  3. Perform walkthroughs 
  4. Review prior year estimates for potential bias
  5. Ask questions regarding fraud
  6. Create your planning analytics

Now, assess risk at the financial statement level and at the transaction level by assertion. Once risk assessment is complete, start your substantive work.

In a another bad habit, some auditors create their risk assessments but don't use them.

Bad Habit 2 - Performing But Not Using Risk Assessment

Don't allow another bad habit to persist: Performing risk assessment procedures and ignoring the results. In other words, using the same substantive procedures as last year, though new risks are present. 

Solution - Once a risk is identified, link a response to it. This can be done on your risk assessment summary form.

For example, the revenue recognition standard is effective for many of your December 31, 2019 clients. The standard represents change and can impact your risk of material misstatement for revenue. Change creates risk. And risk calls for a response. Link the risk (that revenue recognition and disclosures may be incorrect) to substantive procedures. Test the revenue recognition in light of Topic 606 and vet the disclosures with an updated disclosure checklist.

In another nasty habit, some auditors ignore controls.

Bad Habit 3 - Ignoring Controls

While a test of controls for effectiveness is not required, reviewing control design and implementation is. This is why we perform walkthroughs. But some auditors ignore or give little attention to this risk assessment procedure. Their attitude is "I already know what I'm going to do, so why waste time?" 

This attitude can be the result on believing a balance sheet audit approach is sufficient. This is the belief that auditing all significant balance sheet accounts is enough. But is it? Suppose the CFO steals $5 million dollars during the year, skimming cash from unbilled receipts. You can audit the year-end bank reconciliation. The bank account can reconcile to the general ledger. But the $5 million is still missing. 

Solution - Gain your understanding of controls early in the audit. Use walkthroughs to do so. 

The next bad habit is an extension of not gaining an understanding of controls.

Bad Habit 4 - Not Reviewing SOC Reports

Putting a service organization controls (SOC) report in the audit file is not enough. We must understand the service organization's controls.

Why? Because the service organization controls are a part of the company's controls. The company's accounting system includes outsourced components.

Your client, for example, may outsource its payroll to ADP. Does that mean the auditor doesn't need to understand ADP's processes and controls? No. Why? Because ADP is acting as an extension of the company's accounting system. The SOC report allows you to see if the payroll controls are designed appropriately and implemented. And this is what we desire whether the accounting is in-house or outsourced.

Solution - Read the SOC report and document your considerations. If control weaknesses are present, determine how those weaknesses impact your risk assessment. 

And what's the last bad habit? Drum roll. Auditors don't identify the significant risks.

Bad Habit 5 - Not Identifying Significant Risks

Every audit has at least one or two significant risks. Consider, for example. management override. Management can manipulate the books to satisfy their needs. 

So, what is a significant risk? Audit standards define it as "An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration." But what is "special audit consideration"? It's those high risk areas that deserve extra attention. They are the two or three areas (the number varies by audit) that deserve our greatest effort. Understand that not all high risk of material misstatements are significant risks. Significant risks are those areas of an even higher concern. Examples include:

  • Allowance for bad debt in a hospital
  • Management override
  • A fraud risk (because a known material theft exist)

By contrast, a high risk of material misstatement (RMM) for the completeness assertion in payables might not be a significant risk. The RMM might be high but, in this example, it's not a significant risk. 

Solution - Identify significant risks. Do so on your risk assessment summary form. Then link to a response in your audit program. And these responses should be beyond your normal basic procedures. Additionally, they must include a test of details.

AICPA Areas of Focus

Each year the AICPA creates areas of focus in its Enhancing Audit Quality (EAQ) work. You may want to put this in your tickler file. Why? So you'll know the hot-button peer review issues. That way you can build your audit processes in a proactive manner. 

Segregation of Duties
Mar 21

Segregation of Duties: How to Overcome

By Charles Hall | Auditing , Fraud

Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how overcome this problem, regardless of the entity’s size. 

Segregation of Duties

The Environment of Fraud

Darkness is the environment of wrongdoing.

Why?

No one will see us. Or so we think.

Fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or graphic portrayal of how that which is alluring in the beginning, is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.

What’s the solution? Transparency. It protects businesses, governments, and nonprofits.

But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.

It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.

But this segregation of duties is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that they are too costly. But is this true? I don’t think so.

Here’s two easy steps to create greater transparency and safety.

1. Bank Account Transparency

First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

Relying on a trusted bookkeeper is not a good thing. So how can you shine the light?

Fraud Prevention

Picture courtesy of DollarPhoto.com

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.

Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.

When you audit cash, see if these types of controls are in place.

Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.

Segregation of Duties

Picture courtesy of DollarPhoto.com

Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs. 

Surprise Audit Ideas

Here are some surprise audit ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Inspect two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (look for unusual variances)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.

I will say it again. Having multiple people involved reduces the threat of fraud.

Segregation of Duties Summary

In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.

What other procedures do you recommend?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

Auditing Receivables and Revenues
Mar 20

Auditing Receivables and Revenues: The Why and How Guide

By Charles Hall | Auditing

Today we take a look at auditing receivables and revenues.

Revenues are the lifeblood of any organization. Without cash inflows, the entity may cease to exist. So, it’s important that each business generate sales or some type of revenue. For you, the auditor, it’s important to verify the revenue.  

Along with revenues, auditors need to prove receivables. Why? Some companies manipulate their earnings by inflating their period-end receivables.  When trade receivables increase, revenues increase. So, a company can increase its net income by recording nonexistent receivables.

In this post, we’ll answer questions such as, “should I confirm receivables or examine subsequent receipts?” and “why should I assume that revenues are overstated?"

Auditing Receivables and Revenues

Auditing Receivable and Revenues — An Overview

In this post, we will cover the following:

  1. Primary accounts receivable and revenue assertions
  2. Accounts receivable and revenue walkthrough
  3. Directional risk for accounts receivable and revenues
  4. Primary risks for accounts receivable and revenues
  5. Common accounts receivable and revenue control deficiencies
  6. Risk of material misstatement for accounts receivable and revenues
  7. Substantive procedures for accounts receivable and revenues
  8. Common accounts receivable and revenue work papers

Primary Accounts Receivable and Revenue Assertions

First, let’s look at assertions. The primary relevant accounts receivable and revenue assertions are:

  • Existence and occurrence
  • Completeness
  • Accuracy
  • Valuation
  • Cutoff

Of these assertions, I believe—in general—existence (of receivables), occurrence (of revenues) and valuation (of receivables) are most important. So, clients assert that:

  • Receivables exist 
  • Receivables are properly valued, and 
  • Revenues occurred

Accuracy comes into play if the customer has complex receivable transactions. Additionally, the cutoff assertion is often relevant, especially if the client has incentives to inflate the receivables balance (e.g., bonuses triggered at certain income levels).

Accounts Receivable and Revenue Walkthrough

Second, think about performing your risk assessment work in light of the relevant assertions.

As we perform walkthroughs of accounts receivable and revenue, we are looking for ways they are overstated (though they can also be understated as well). We are asking, “What can go wrong, whether intentionally or by mistake?”

In performing accounts receivable and revenue walkthroughs, ask questions such as:

  • Are receivables subsidiary ledgers reconciled to the general ledger?
  • Is a consistent allowance methodology used?
  • What method is used to compute the allowance and is it reasonable?
  • Who records and approves the allowance?
  • Who reviews aged receivables?
  • What controls ensure that revenues are recorded in the right period?
  • Is there adequate segregation of duties between persons recording, billing, and collecting payments? Who reconciles the related records?
  • What software is used to track billings and collections?
  • Are there any decentralized collection locations?
  • When are revenues recognized and is the recognition in accordance with the reporting framework?
  • What receivables and revenue reports are provided to the owners or the governing body?

As we ask questions, we also inspect documents (e.g., aged receivable reports) and make observations (e.g., who collects the payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see inconsistent allowance methods, we will perform more substantive work to prove the allowance balances.

Directional Risk for Accounts Receivable and Revenues

Third, consider the directional risk of accounts receivable and revenues.

Auditing receivables and revenues

The directional risk for accounts receivable and revenue is an overstatement. So, in performing your audit procedures, perform procedures to ensure that accounts receivables and revenues are not overstated. For example, review the cutoff procedures at period-end. Be sure that no subsequent period revenues are recorded in the current fiscal year. 

Audit standards require that auditors review estimates for management bias. So, consider the current year allowance and bad debt write-offs in light of the prior year allowance. This retrospective review allows the auditor to see if the current estimate is fair. The threat is that management might reduce allowances to inflate earnings.

Moreover, the audit standards state there is a presumption (unless rebutted) that revenues are overstated. Therefore, we are to assume revenues are overstated, unless we can explain why they are not.

Primary Risks for Accounts Receivable and Revenues

Fourth, think about the risks related to receivables and revenues.

The main risks are:

  1. The company intentionally overstates accounts receivable and revenue 
  2. Company employees steal collections 
  3. Without proper cutoff, an overstatement of accounts receivables and revenue occurs 
  4. Allowances are understated
  5. Revenue recognition

Risks related to revenue also vary from company to company. For example, one telecommunications company might sell bundled services while another may not. Revenue recognition is more complex (risky) for the company selling bundled services.

Also, revenue risks vary from industry to industry. For example, the allowance for uncollectible is normally a high risk area for healthcare entities, but may not be so for other industries.

Common Accounts Receivable and Revenue Control Deficiencies

Fifth, think about the control deficiencies noted during your walkthroughs and other risk assessment work.

In smaller entities, the following control deficiencies are common:

  • One person performs one or more of the following: 
    • bills customers
    • receipts monies
    • makes deposits 
    • records those payments in the general ledger
    • reconciles the related bank account
  • The person computing allowances doesn’t possess sufficient knowledge to do so correctly
  • No surprise audits of receivables and revenues 
  • Multiple people work from one cash drawer
  • Receipts are not appropriately issued
  • Receipts are not reconciled to daily collections
  • Daily receipts are not reviewed by a second person
  • No one reconciles subsidiary receivable ledgers to the general ledger
  • Individuals with the ability to adjust customer receivable accounts (with no second-person approval or review) also collect cash 
  • Inconsistent bad debt recognition with no second-person review process
  • The revenue recognition policy may not be clear and may not be in accordance with the reporting framework

Risk of Material Misstatement for Accounts Receivable and Revenues

Sixth, now it’s time to assess your risks.

In smaller engagements, I usually assess control risk at high for each assertion. Controls must be tested to support any lower control risk assessments. Assessing risks at high is often more efficient than testing controls.

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (inherent risk X control risk = risk of material misstatement). The assertions that concern me the most (those with higher inherent risks) are existence, occurrence, and valuation. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, receivable confirmations and tests of subsequent collections. As RMM increases, I send more confirmations and examine more subsequent collections.

Additionally, I thoroughly test management’s allowance computation. I pay particular attention to uncollected amounts beyond 90 days. Uncollected amounts beyond 90 days should usually be heavily reserved. And amounts beyond 120 days should—generally—be fully reserved.  

Substantive Procedures for Accounts Receivable and Revenues

And finally, it’s time to determine your substantive procedures in light of your identified risks.

auditing receivables and revenues

My customary audit procedures are as follows:

  1. Confirm accounts receivable balances (especially larger amounts)
  2. Vouch subsequent period collections, making sure the subsequent collections relate to the period-end balances (sampling can be used)
  3. Thoroughly review allowance computations to see if they are consistent with prior years; compare allowance percentages to industry averages; agree to supporting documentation (e.g., histories of uncollectible amounts); recompute the related numbers
  4. Create comparative summaries of all significant revenue accounts, comparing the current year amounts with historical data (three or more years if possible)
  5. Create summaries of average per customer income and compare with prior years (you may want to do this by specific revenue categories)
  6. Compute average profit margins by sales categories and compare with previous years

Common Accounts Receivable and Revenue Work Papers

My accounts receivable and revenue work papers frequently include the following:

  • An understanding of accounts receivable and revenue-related internal controls
  • Risk assessment of accounts receivable and revenue at the assertion level
  • Documentation of any control deficiencies
  • Accounts receivable and revenue audit program
  • A detail of receivables comprising amounts on the general ledger
  • Copies of confirmations sent
  • A summary of confirmations received
  • Subsequent collections work papers
  • Allowance work paper
  • Revenue comparison work papers

In Summary

In this chapter, we’ve looked at the following for receivables and revenues:

  • How to perform risk assessment procedures, 
  • Relevant assertions, 
  • Risk assessments (as a result of the risk assessment procedures), and
  • Substantive procedures

Next, we’ll see how to audit investments.

Get Your Copy of The Why and the How of Auditing

Click the book cover below to see the book on Amazon.

Get your copy on Amazon; click the book image.

Tests of Details
Mar 07

Tests of Details: Substantive Procedures

By Charles Hall | Auditing

Tests of details are the auditor's primary responses to risks of material misstatement. Today I tell you what a test of details is and how you can best use this substantive approach..

Tests of Details

Further Audit Procedures

AU-C 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained defines substantive procedures as:

Once you assess your risks of material misstatement you determine your responses. These further audit procedures (responses) include the two substantive procedures listed above as well as test of controls.

So of the three further audit procedures, are certain ones required?

Yes.

A test of controls is necessary if substantive procedures can’t properly address a risk of material misstatement. Think complex information technology processes. For example, when a benefit plan participant changes his investment options in a 401(k). There may be no physical documents to examine. In these circumstances, a test of controls might be your only option.

By contrast, auditors are required to perform tests of details when significant risks are identified. A test of controls alone will not do. So if, for example, you have determined that a complex estimate is a significant risk, then plan and perform a test of details in response. Likewise, if you believe a fraud risk is present, perform a test of details.

Additionally, substantive procedures are required for relevant assertions related to each material class of transactions, account balances, and disclosures. However, for this requirement, the auditor can use:

  • Substantive analytics alone 
  • A tests of details alone
  • A combination of substantive analytics and test of details

This article focuses on tests of details. So, let’s move to that topic.

What is a Test of Details?

Audit standards don't define tests of details. They only say that a test of details is one of two substantive procedure options (the other being substantive analytics). Since there is no definition, here are examples of a test of details:

  • Vouching invoices
  • Tracing bills sent to customers
  • Search for unrecorded liabilities in accounts payable
  • Testing bank reconciliations by examining subsequent month bank statements
  • Sending bank confirmations
  • Sending customer confirmations
  • Agreeing receivables to contracts
  • Vouching subsequent receipts in receivables
  • Reconciling payroll in the general ledger to quarterly payroll tax returns

As you can see, a test of details is just what it says it is. You are digging into the details of transactions. Substantive analytics, by contrast, look at numbers from a broader perspective. For example, the auditor might compute the current ratio or compare this year's debt level with prior years. I provided examples of substantive analytics in a recent article.

Now let's see how you can best select your tests of details procedures.

Tests of Details - Selection of Procedures

So, how do you determine which response is best? 

AU-C 330 tells us to pay attention to the nature of the risk. Doing so allows us to determine the what, when and how of our procedures. The audit standards refer to this as the nature, timing and extent. So, here is the way to design appropriate responses to your client’s risks of material misstatement. 

1. Nature of Evidence

First, let's discuss the type of procedures or, as the audit standards call it, the nature of evidence. If an auditor believes that receivables might be overstated, then she might send confirmations to customers. Why confirmations? To prove the existence of the receivables. And confirmations provide third party evidence which is better than that from within the company. Customers usually have no reason to respond in a dishonest manner, so the third party evidence is more reliable.

Prepaid assets, by contrast, usually has a low risk of material misstatement. They are not complex. The volume of transactions is low. They are not an estimate. So, in this instance, the auditor could use substantive analytics. Again, the nature of the risk drives your response.

Your responses are critical. If your tests don't address the risk of material misstatement, what good are they? 

In addition to the nature of evidence, timing matters as well.

2. Timing of Evidence

So, should you perform interim audit procedures? The answer depends on the reliability of the accounting system. Interim work is more easily done when you audit reliable systems. Consider waiting until period-end to audit unreliable systems. Why? If your interim work yields significant problems, you may not feel comfortable with roll-forward procedures. In other words, you may have to re-perform your interim work at period end. 

Do you perform a search for unrecorded liabilities? Then some time must pass from period-end before you do this procedure. The entity needs time to receive period-end invoices and make payments before you can review them. Likewise, if you are examining subsequent period receivable collections, some time must pass before you do so. Wait at least three or four weeks from period end before you perform these types of procedures.  

In addition to the nature and timing, the quantity of information is critical.

3. Extent of Evidence

The extent or quantity of evidence is another decision. Higher risks call for more evidence. If accounts payable has been materially understated the last two years, then consider lowering your search threshold for unrecorded liabilities. If you've used $10,000, you could, for example, move it to $3,000. The lower threshold will yield more evidence. The main point here is you want more evidential matter as risk increases.

But can you audit too much information? The answer is yes, unless you have an unlimited time budget. So, you want to examine enough information without overdoing it.

A question to ask in designing your quantity is, “Will this test allow me to detect a material misstatement?” For instance, you might plan a sample. But once you total the individually significant items, you see the remaining amount is immaterial. Then test the individually significant items and stop. 

Choosing Your Tests of Details

So there you are. A summary of nature, timing and extent as they relate tests of details. Learning to match your procedures with risks is one of the most important things you'll do as an auditor. Using canned audit programs or the same-as-last-year approach can lead to significant problems. Therefore, know your risks. Then design and perform responsive procedures.

Tests of Details by Account Balance

If you desire to see tests of details by account balances and transaction cycles, see The Why and How of Auditing series. There I provide you with tests of details for accounts such as cash, receivables and debt. 

auditing cash
Mar 05

Auditing Cash: The Why and How Guide

By Charles Hall | Auditing

Auditing cash tends to be straightforward. We usually just obtain the bank reconciliations and test them. We send confirmations and vouch the outstanding reconciling items to the subsequent month’s bank statement. But are such procedures always adequate? Hardly. 

Recall the Parmalat and ZZZZ Best Carpet Cleaning frauds. In those businesses, the theft of cash was covered up with fake bank statements and fake confirmation responses. Millions were lost and reputations we’re sullied.

auditing cash

How to Audit Cash

In this post, we will take a look at the following:

  • Primary cash assertions
  • Cash walkthrough
  • Directional risk for cash
  • Primary risks for cash
  • Common cash control deficiencies
  • Risk of material misstatement for cash
  • Substantive procedures for cash
  • Common cash work papers

Primary Cash Assertions

The primary relevant cash assertions are:

  • Existence
  • Completeness
  • Rights
  • Accuracy
  • Cutoff

Of these assertions, I believe existence, accuracy, and cutoff are most important. The audit client is asserting that the cash balance exists, that it’s accurate, and that only transactions within the period are included.

Classification is normally not a relevant assertion. Cash is almost always a current asset. But when bank overdrafts occur, classification can be in play. The negative cash balance can be presented as cash or as a payable depending on the circumstances. 

Cash Walkthrough

As we perform walkthroughs of cash, we normally look for ways that cash might be overstated (though it can also be understated as well). We are asking, “What can go wrong?” whether intentionally or by mistake.

Cash Walkthrough

In performing cash walkthroughs, ask questions such as:

  • Are timely bank reconciliations performed by competent personnel?
  • Are all bank accounts reconciled?
  • Are the bank reconciliations reviewed by a second person?
  • Are all bank accounts on the general ledger?
  • Are transactions appropriately cut off at period-end (with no subsequent period transactions appearing in the current year)?
  • Is there appropriate segregation between persons handling cash, recording cash, making payments, and  reconciling the bank statements
  • What bank accounts were opened in the period?
  • What bank accounts were closed in the period?
  • Are there any restrictions on the bank accounts?
  • What persons are on the bank signature cards?
  • Who has the authority to open and/or close bank accounts?
  • What is the nature of each bank account (e.g., payroll bank account)?
  • Are there any cash equivalents (e.g., investments of less than three months)
  • Were there any held checks (checks written but unreleased) at period-end?

As we ask questions, we also inspect documents (e.g., bank reconciliations) and make observations (who is doing what?).

If controls weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we review three monthly bank reconciliations and they all have obvious errors, we will perform more substantive work to prove the year-end bank reconciliation. For example, we might vouch every outstanding deposit and disbursement.

Directional Risk for Cash

What is directional risk? It’s the potential bias that a client has regarding an account balance. A client might desire an overstatement of assets and an understatement of liabilities  since each makes the balance sheet appear healthier.

The directional risk for cash is overstatement. So, in performing your audit procedures, perform procedures such as testing the bank reconciliation to ensure that cash is not overstated.

Primary Risks for Cash

The primary risks are:

  1. Cash is stolen
  2. Cash is intentionally overstated to cover up theft
  3. Not all cash accounts are on the general ledger
  4. Cash is misstated due to errors in the bank reconciliation
  5. Cash is misstated due to improper cutoff

Common Cash Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person receipts and/or disburses monies, records those transactions in the general ledger, and reconciles the related bank accounts
  • The person performing the bank reconciliation does not possess the skill to perform the duty
  • Bank reconciliations are not timely performed

Risk of Material Misstatement for Cash

In my smaller audit engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.

Risk of material misstatement for cash

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate. 

The assertions that concern me the most are existence, accuracy, and cutoff. So my RMM for these assertions is usually moderate to high. 

My response to higher risk assessments is to perform certain substantive procedures: namely, bank confirmations and testing of the bank reconciliations. As RMM increases I examine more of the period-end bank reconciliations and more of the outstanding reconciling items. Also, I am more inclined confirm the balances.

Substantive Procedures for Cash

My customary audit tests are as follows:

  1. Confirm cash balances
  2. Vouch reconciling items to the subsequent month’s bank statement
  3. Ask if all bank accounts are included on the general ledger
  4. Inspect final deposits and disbursements for proper cutoff

The auditor should send confirmations directly to the bank. Some individuals create false bank statements to cover up theft. Those same persons provide false confirmation addresses. Then the confirmation is sent to an individual (the fraudster) rather than a bank. Once received, the fraudster replies to the confirmation as though the bank is doing so. You can lessen the chance of fraudulent confirmations by using Confirmation.com, a company that specializes in bank confirmations. Alternatively, you might Google the confirmation address to verify its existence.

Agree the confirmed bank balance to the period-end bank reconciliation (e.g., December 31, 20X7). Then, agree the reconciling items on the bank reconciliation to the bank statement subsequent to the period-end. For example, examine the January 20X8 bank statement activity when clearing the December 20X7 reconciling items. Finally, agree the reconciled balance to the general ledger cash balance for the period-end (e.g., December 31, 20X7).

Cut-off bank statements (e.g., January 20, 20X8 bank statement) may be used to test the outstanding items. Such statements, similar to bank confirmations, are mailed directly to the auditor. Alternatively, the auditor might examine the reconciling items by viewing online bank statements. (Read-only rights can be given to the auditor.)

Common Cash Work Papers

My cash work papers normally include the following:

  • An understanding of cash-related internal controls 
  • Risk assessment of cash assertions at the assertion level
  • Documentation of any control deficiencies
  • Cash audit program
  • Bank reconciliations for each significant account
  • Bank confirmations

In Summary

We’ve discussed how to perform cash risk assessment procedures, the relevant cash assertions, the cash risk assessments, and substantive cash procedures. 

Next we’ll examine how to audit receivables and revenues.

Get Your Copy of The Why and How of Auditing

Click the book below to see it on Amazon.

Click the book cover to see The Why and How of Auditing on Amazon.

1 2 3 23
>