Today I describe five dirty, no good, terrible, audit habits.
Certain peer review deficiencies continue to persist. Today I tell you about a few and how you can stop them.
Have you ever had a bad habit? You eat too much, don't exercise enough, put your make-up on while driving to work (one I've never had, thankfully), spend too much money. Yes, we've all had bad habits.
Auditors have them as well. Some problems seem to never die. The AICPA periodically provides a list of peer review deficiencies. Here are five and what you can do about them.
Bad Habit 1 - Skipping Risk Assessment
Do you have the habit of starting your audit by testing bank reconciliations or reconciling equity accounts to the general ledger?
Solution - Start in the right place. At the beginning. And where is the beginning? First acceptance and continuance. Then risk assessment. Resolve to perform the following before doing any substantive work:
- Perform acceptance or continuance procedures
- Gain an understanding of the entity and its environment
- Perform walkthroughs
- Review prior year estimates for potential bias
- Ask questions regarding fraud
- Create your planning analytics
Now, assess risk at the financial statement level and at the transaction level by assertion. Once risk assessment is complete, start your substantive work.
In a another bad habit, some auditors create their risk assessments but don't use them.
Bad Habit 2 - Performing But Not Using Risk Assessment
Don't allow another bad habit to persist: Performing risk assessment procedures and ignoring the results. In other words, using the same substantive procedures as last year, though new risks are present.
Solution - Once a risk is identified, link a response to it. This can be done on your risk assessment summary form.
For example, the revenue recognition standard is effective for many of your December 31, 2019 clients. The standard represents change and can impact your risk of material misstatement for revenue. Change creates risk. And risk calls for a response. Link the risk (that revenue recognition and disclosures may be incorrect) to substantive procedures. Test the revenue recognition in light of Topic 606 and vet the disclosures with an updated disclosure checklist.
In another nasty habit, some auditors ignore controls.
Bad Habit 3 - Ignoring Controls
While a test of controls for effectiveness is not required, reviewing control design and implementation is. This is why we perform walkthroughs. But some auditors ignore or give little attention to this risk assessment procedure. Their attitude is "I already know what I'm going to do, so why waste time?"
This attitude can be the result on believing a balance sheet audit approach is sufficient. This is the belief that auditing all significant balance sheet accounts is enough. But is it? Suppose the CFO steals $5 million dollars during the year, skimming cash from unbilled receipts. You can audit the year-end bank reconciliation. The bank account can reconcile to the general ledger. But the $5 million is still missing.
Solution - Gain your understanding of controls early in the audit. Use walkthroughs to do so.
The next bad habit is an extension of not gaining an understanding of controls.
Bad Habit 4 - Not Reviewing SOC Reports
Putting a service organization controls (SOC) report in the audit file is not enough. We must understand the service organization's controls.
Why? Because the service organization controls are a part of the company's controls. The company's accounting system includes outsourced components.
Your client, for example, may outsource its payroll to ADP. Does that mean the auditor doesn't need to understand ADP's processes and controls? No. Why? Because ADP is acting as an extension of the company's accounting system. The SOC report allows you to see if the payroll controls are designed appropriately and implemented. And this is what we desire whether the accounting is in-house or outsourced.
Solution - Read the SOC report and document your considerations. If control weaknesses are present, determine how those weaknesses impact your risk assessment.
And what's the last bad habit? Drum roll. Auditors don't identify the significant risks.
Bad Habit 5 - Not Identifying Significant Risks
Every audit has at least one or two significant risks. Consider, for example. management override. Management can manipulate the books to satisfy their needs.
So, what is a significant risk? Audit standards define it as "An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration." But what is "special audit consideration"? It's those high risk areas that deserve extra attention. They are the two or three areas (the number varies by audit) that deserve our greatest effort. Understand that not all high risk of material misstatements are significant risks. Significant risks are those areas of an even higher concern. Examples include:
- Allowance for bad debt in a hospital
- Management override
- A fraud risk (because a known material theft exist)
By contrast, a high risk of material misstatement (RMM) for the completeness assertion in payables might not be a significant risk. The RMM might be high but, in this example, it's not a significant risk.
Solution - Identify significant risks. Do so on your risk assessment summary form. Then link to a response in your audit program. And these responses should be beyond your normal basic procedures. Additionally, they must include a test of details.
AICPA Areas of Focus
Each year the AICPA creates areas of focus in its Enhancing Audit Quality (EAQ) work. You may want to put this in your tickler file. Why? So you'll know the hot-button peer review issues. That way you can build your audit processes in a proactive manner.