What is the purpose of audit walkthroughs? How do you document walkthroughs? Is it better to use checklists, flowcharts or summarize narratively? How often should walkthroughs be performed? Are they required? Will a walkthrough allow me to assess control risk at less than high?
In this post, I answer these questions about one of the most important risk assessment procedures: walkthroughs. I share techniques I’ve used for over five years. They work for me, and they will work for you.
Let’s dive right in.
Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of how a transaction makes its way through the accounting system and about related internal controls.
As we perform a walkthrough, we:
By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors or fraud to occur. Audit standards do not permit the use of inquiries alone. Observations and inspections must also occur.
Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. In other words, the auditor can’t default to high. Risk assessment procedures are required.
Following a transaction through the accounting system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they have been implemented and to see if they are properly designed.
Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While manuals tell you what the client intends to do, they don’t tell you what is occurring. In other words, they don’t answer the implementation question.
Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire.
In some situations, AU-C section 315 allows the auditor to rely on audit evidence obtained in prior periods. In those situations, the auditor is required to perform audit procedures to establish the continued relevance of the audit evidence obtained in prior periods (for example, by performing a walkthrough).
Here’s what AU-C 315.A20 says about prior year audit information used in the current year:
Paragraph .10 requires the auditor to determine whether information obtained in prior periods remains relevant if the auditor intends to use that information for the purposes of the current audit. For example, changes in the control environment may affect the relevance of information obtained in the prior year. To determine whether changes have occurred that may affect the relevance of such information, the auditor may make inquiries and perform other appropriate audit procedures, such as walk-throughs of relevant systems.
Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk. It’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated–and too important. So there’s no getting around it. The walkthrough—or something like it—must be done. Why? We’re gaining an understanding of risks and responding to them. We’re developing our audit plan. Screw up the plan, and we screw up the audit.
What is the purpose of the walkthrough? Identification of risk—specifically, the risk of material misstatement. Once we know the risks, we know where to audit.
Usually, audit walkthroughs are not sufficient to support lower control risk assessments (those less than high). If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t prove operating effectiveness.
Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control. Why? Computer controls are usually consistent.
An auditor can determine whether a control has been implemented with a test of one transaction. Effectiveness, on the other hand, normally requires a test of transactions. For example, a test of 40 transactions for appropriate purchase orders.
While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my favorite is a narrative mixed with screenshots.
So how do I do this?
I interview personnel. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes may require several interviews.
Early on, I may not know how each person’s work fits into the whole. It’s like gathering puzzle pieces. The interviews and information may feel random, even confusing. But, later, when you put the parts together, the picture speaks more clearly. Then, you’ll understand the accounting system and control environment.
I document the conversations using:
Using a Livescribe pen, I write notes and record the conversations.
I begin the interview by saying, “Tell me what you do and how you do it. Treat me as if I know nothing. I want to hear all the details.” (For sample transaction-level walkthrough questions, see my audit series titled The Why and How of Auditing.)
As I listen, I write notes. At the same time, my Livescribe pen records the audio. Later the conversation can be played from the pen. (For more information about Livescribe, see my article: Livescribe, Note Taking Magic (for CPAs). )
Click the pen below to see Livescribe on Amazon.
I find that most interviewees talk too fast—at least faster than I can write. As I’m writing about the last thing they’ve said, they are moving to the next, and I fall behind. So I write simple phrases in my Livescribe notebook such as:
Later, as I’m typing the walkthrough narrative, I touch the letter “A” in “Add vendor” with the tip of my pen (I’m doing so in my Livescribe notes). This action causes the pen to play the audio for that part of the conversation. Likewise, touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play that part of the discussion. Since the audio syncs with my notes, I can hear any part of the discussion by touching a letter with my pen.
In addition to writing notes in my Livescribe notebook, I take pictures with my iPhone. Of what? Here are examples (from a payables interview):
So my inputs into the walkthrough document are as follows:
I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:
Why identify control deficiencies in the walkthrough? So I can link them to my risk assessment summary. The system’s weaknesses tell me where risks exist.
Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So, at the top of the transaction cycle description, I name the persons I interviewed and the date of the conversation. For example:
Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2019.
It’s easy for clients to tell you about normal procedures, but they may not think about unusual situations such as the absence of an employee or how errors are corrected.
Always ask who performs control procedures when a key person is out. Why? If someone can—even though they don’t normally—perform key controls, you need to know. Why? Such a situation can lead to fraud. For example, if a person does not normally issue checks but can, and that person also reconciles the bank statement, he might issue fraudulent checks. He knows the theft will not be detected through normal controls–in this case, the bank reconciliation.
Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John is on vacation?”
Additionally, ask how errors are corrected. When things go wrong (and they sometimes do), you want to know how they are made right.
As you write your narrative of the accounting system and controls, highlight both controls and control weaknesses.
I note appropriate controls as follows:
Control: Additions of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.
I note control weaknesses as follows:
Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account.
The control weakness created by Johnny Mann’s duties increases the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:
How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate.
Though this article focuses on planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.
The words Control Weakness (as shown above) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies so I can track the disposition of each one. Each weakness is a:
I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers).
How often are walkthroughs required?
Answer: Once per year, if this is how you corroborate your understanding of the cycle. While walkthroughs are not specifically required in the audit standards, you do need to verify your understanding of the accounting system and related controls. And I know of no better way.
TIS Section 8200.12, as issued by the AICPA, states the following:
Inquiry—AU section 314 (now AU-C 315) requires the auditor to obtain an understanding of internal control. An auditor might perform walkthroughs to confirm his or her understanding of internal control. If the auditor decides to use walkthroughs to confirm his or her understanding of internal control, how often do walkthroughs need to occur?
Reply—In accordance with AU Section 314 (now AU-C 315), the auditor is required to obtain an understanding of internal control to evaluate the design of controls and to determine whether they have been implemented. To do that, performing a walkthrough would be a good practice. Accordingly, auditors might perform a walkthrough of significant accounting cycles every year [emphasis added].
If we’ve documented walkthroughs in prior years, then we need to do so again in the current year to prove the continuing relevance of the audit documentation.
Walkthroughs tell us where risks are so we can plan our engagements to detect material misstatements.
Additionally, they allow us to add value to our audits. Clients want more than just an opinion. They desire to keep assets safe and to maintain accurate records. Well written management letters that highlight control weaknesses allow you to do just that. Time to start walking.
For additional information about risk assessment, see my article Audit Risk Assessment: The Why and How.
Also, see my new book: Audit Risk Assessment Made Easy. Click the book below to see it on Amazon:
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.