All Posts by Charles Hall

Follow

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.

SAS 134
Sep 08

SAS 134 Unmodified and Modified Audit Opinions

By Charles Hall | Auditing

In this post, you’ll gain an understanding of unmodified and modified audit opinions using the guidance from AU-C Section 700, Forming an Opinion and Reporting on Financial Statements and AU-C 705, Modifications to the Opinion in the Independent Auditor’s Report. SAS 134 (and other SASs) amended these sections resulting in new audit opinions for periods ending after December 15, 2021. 

There are four potential audit opinions:

  1. Unmodified
  2. Qualified
  3. Disclaimer
  4. Adverse

Video Overview of Audit Opinions

This video provides an overview of the four opinions:

Unmodified Opinion

If there are no material misstatements, then you will issue an unmodified opinion. The unmodified opinion says the financial statements are presented fairly. 

Example SAS 134 Unmodified Opinion

A sample unmodified audit opinion follows:

[Date]

INDEPENDENT AUDITOR’S REPORT

[Appropriate Addressee]

[Entity Name]

Opinion

We have audited the financial statements of [Entity Name], which comprise the balance sheets as of December 31, 2020 and 2019, and the related statements of income, changes in stockholders’ equity, and cash flows for the years then ended, and the related notes to the financial statements.

In our opinion, the accompanying financial statements present fairly, in all material respects, the financial position of [Entity Name] as of December 31, 2020 and 2019, and the results of its operations and its cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America.

Basis for Opinion

We conducted our audits in accordance with auditing standards generally accepted in the United States of America (GAAS). Our responsibilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report. We are required to be independent of [Entity Name] and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements relating to our audit. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.

Responsibilities of Management for the Financial Statements

Management is responsible for the preparation and fair presentation of the financial statements in accordance with accounting principles generally accepted in the United States of America, and for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

In preparing the financial statements, management is required to evaluate whether there are conditions or events, considered in the aggregate, that raise substantial doubt about [Entity Name]’s ability to continue as a going concern for one year after the date that the financial statements are available to be issued.

Auditor’s Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with GAAS will always detect a material misstatement when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control. Misstatements are considered material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the financial statements.

In performing an audit in accordance with GAAS, we:

    • Exercise professional judgment and maintain professional skepticism throughout the audit.
    • Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.
    • Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of [Entity Name]’s internal control. Accordingly, no such opinion is expressed.
    • Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the financial statements.
    • Conclude whether, in our judgment, there are conditions or events, considered in the aggregate, that raise substantial doubt about [Entity Name]’s ability to continue as a going concern for a reasonable period of time.

We are required to communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit, significant audit findings, and certain internal control-related matters that we identified during the audit.

Firm Signature

Modified Opinions

If material misstatements are present, then a modified audit opinion is necessary. Modifications can also occur when you are unable to obtain sufficient appropriate audit evidence; for instance, when a scope limitation is present. 

Modified Opinion

Definitions

AU-C 705 defines a modified opinion as a (1) qualified opinion, (2) an adverse opinion, or (3) a disclaimer of opinion. 

Another key definition in AU-C 705 is that of pervasiveness. This term is used in the context of misstatements; so if a material misstatements are present, you’ll want to know if they are pervasive. Two factors–material misstatements and pervasiveness–affect the type of opinion to be issued. Additionally, the ability or inability to obtain sufficient appropriate audit evidence affects the type of opinion to be issued. A misstatement (or possible misstatement) is pervasive if:

  • It’s not confined to specific accounts or items of the financial statement, or
  • If confined, the amount represents a substantial portion of the financial statements, or
  • If in relation to disclosures, the information is fundamental to the users’ understanding of the financial statements

For example, if material misstatements are present for inventory, receivables, and debt, they are pervasive. Or if, in another example, inventory makes up 60% of total assets and a material misstatement is present in that area, then it’s pervasive. Lastly, if key disclosures are not appropriately communicated or if they are omitted, then that is pervasive. 

Now, let’s look at the three modified opinions. 

1. Qualified Opinion

Suppose your audit reveals inventories are materially misstated, the client does not record your proposed audit adjustment, and there are no other material misstatements. If this is your situation (a material misstatement exists that is not pervasive), then audit standards allow for the issuance of a qualified opinion.

modified opinion

Here is sample qualified opinion language (this is not the full opinion):

Qualified Opinion

We have audited the financial statements of ABC Company, which comprise the balance sheets as of December 31, 20X1 and 20X0, and the related statements of income, changes in stockholders’ equity, and cash flows for the years then ended, and the related notes to the financial statements.

In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion section of our report, the accompanying financial statements present fairly, in all material respects, the financial position of ABC Company as of December 31, 20X1 and 20X0, and the results of its operations and its cash flows for the years then ended in accordance with accounting principles generally accepted in the United States of America.

Basis for Qualified Opinion

The Company has property with impaired value. The impairment occurred in 20X9. Accounting principles generally accepted in the United States of America require that impaired assets be written down to their fair market value. The Company continues to reflect the property at cost. If the property was stated at fair value upon impairment, total assets and stockholder’s equity would have been reduced by $X,XXX,XXX as of December 31, 20X1 and 20X0, respectively. 

2. Adverse Opinion

Now let’s suppose that you are auditing a consolidated entity, and your client is not willing to include a material subsidiary and which, if included, would have a pervasive impact on the statements.

Adverse opinion

Here is sample adverse opinion language (this is not the full opinion):

Adverse Opinion

We have audited the consolidated financial statements of ABC Company and its subsidiaries, which comprise the consolidated balance sheet as of December 31, 20X1, and the related consolidated statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements.

In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion section of our report, the accompanying consolidated financial statements do not present fairly the financial position of ABC Company and its subsidiaries as of December 31, 20X1, or the results of their operations or their cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America.

Basis for Adverse Opinion

As described in Note X, The Golfing Company has not consolidated the financial statements of its subsidiary Easy-Go Company that it acquired during 20X1. This investment is accounted for on a cost basis by The Golfing Company. Under accounting principles generally accepted in the United States of America, the subsidiary should have been consolidated. Had Easy-Go Company been consolidated, many elements in the accompanying consolidated financial statements would have been materially affected. The effects on the consolidated financial statements of the failure to consolidate have not been determined.

3. Disclaimer of Opinion

Finally, let’s suppose you are performing an audit in which insufficient audit information is provided with regard to receivables and inventories (both of which are material) and that the misstatements have a pervasive impact on the financial statements as a whole.

disclaimer of opinion

Here is sample disclaimer of opinion language (this is not the full opinion):

Disclaimer of Opinion

We were engaged to audit the financial statements of ABC Company, which comprise the balance sheet as of December 31, 20X1, and the related statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements.

We do not express an opinion on the accompanying financial statements of ABC Company. Because of the significance of the matters described in the Basis for Disclaimer of Opinion section of our report, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion on these financial statements.

Basis for Disclaimer of Opinion

The Company’s accounting system was hacked during the year by an unknown party, resulting in a series of changes in accounting entries. Additionally, the Company was unable to restore the accounting system. As a result of these matters, we were unable to determine the adjustments that were necessary to correct the balance sheet, statement of income, changes in stockholder’s equity, and cash flow statement as of and for the year ended December 31, 20X1.

Effective Date of SAS 134

The new SAS 134 opinions are required for periods ending on or after December 15, 2021. 

Resolving Conflict with Clients

If, as described above, you have a client that is unwilling to post a material audit adjustment, consider creating a draft of the opinion and providing it to them. This is not a threat, just a way to clearly communicate the effect of not posting the adjustment. 

Before doing anything, allow the client to fully explain their position. A modified opinion may not be necessary once you understand the facts. But if after the discussion, the you are still convinced there is a material misstatement, a modified opinion may be necessary.

In some cases, you may want to consider withdrawing from the engagement. Consult with your legal counsel before doing so.

Audit Opinion Research

Deciding on the opinion is often the most important decision you will make in an audit. So, do your research, and, if needed, consult with others to gain assurance about your decisions. AU-C 705: Modifications to the Opinion in the Independent Auditor’s Report provides several sample opinions; so refer to those as you create any modified opinions including qualified, adverse, or disclaimer. See AU-C 700: Forming an Opinion and Reporting on Financial Statements for information about unmodified opinions. 

If you need to add an emphasis of matter or other matter paragraph for issues such as a lack of consistency, see my article.  

Evernote for CPAs
Aug 22

Evernote for CPAs: Developing a Super Power

By Charles Hall | Technology

There is no Evernote just for CPAs; even so, it’s a game-changer for beancounters. I’ve used this tool for about twenty years and it is one of my favorites software packages. In this article I tell you what Evernote is, how you can use it, how to feed information into it, and how to search it using Evernote operators. 

Evernote for CPAs

So, what is Evernote?

What is Evernote?

Think of it as your digital library. 

Evernote is a cloud-based storage system that allows you to capture and file voice recordings, documents (including Word, Excel, PDFs), pictures, and videos. Once information is placed in Evernote, it is searchable in a Google-like fashion. Even hand-written notes are searchable.

What can CPAs do with this app?

Things CPAs Can Do with Evernote

Here are examples of what you can do with Evernote:

  • Create a personal digital library (e.g., use an Evernote notebook to store research information, Journal of Accountancy articles, CPE material, videos of class instruction)
  • Share individual files or notebooks (a compilation of files) with others 
  • Capture meeting conversations with your smartphone and save them to Evernote
  • Use your smartphone to take a picture of meeting notes on a whiteboard (remember manually written words are searchable)
  • Encrypt selected text within an Evernote note (password protected); the encrypted information can’t be viewed without the password
  • Add selected web information to Evernote using an Evernote clipper 
  • Forward any email to your Evernote account using your private Evernote email address 

So, what are the main components of an Evernote storage system?

The Skeletal Framework: Notes, Notebooks, and Tags 

The skeletal framework for Evernote has three elements: Notes, notebooks, and tags.

 

Evernote for CPAs

1. The primary element of Evernote is a note.

Think of a note as a blank piece of paper on which you can type. You can also attach other files to the note (e.g., an Excel spreadsheet or a picture taken with your cell phone or a voice message recorded with your cell phone or a note you’ve jotted down). Once you create your notes, organize them in notebooks. 

2. Notes are placed in notebooks.

Think of a notebook as a three-ring binder.

For example, if I want to create a note about comprehensive income, I can do so. Then I can attach related files (e.g., PDFs) to the note. Next, I might add a note about other comprehensive income and another about reclassifications from other comprehensive income. The separate notes can, for example, be a text file, an Excel file, and a voice message.

All three notes can be added to a notebook titled Comprehensive Income.

Another way to organize your information is to tag each note.

3. You may also tag each note.

I could place the comprehensive income notes in a notebook titled accounting (a more generic category) and tag each note as comprehensive income. Then I can search and find all comprehensive income notes by using the comprehensive income tag. When I type tag:”comprehensive income” in the Evernote search bar, all notes tagged in this manner appear. (See below for information about operators such as tags.)

Use both folders and tags to help you more readily find information.

And how do you put information into Evernote?

Getting Information Into Evernote

First Set Up Your Default Evernote Notebook

Before sending information from one of your devices (e.g., smartphone) to Evernote, specify where it should go. My default landing area is my Often Used notebook. (You will need to create the Often Used notebook—or whatever you’d like to call it—in your Evernote account.)

Since I send information from a variety of devices, I initially send information to the Often Used notebook; later, when I have time, I tag each note (e.g., Fair Value) and then move each to an appropriate notebook (e.g., Accounting).

Tip – If you put asterisks in front of the folder name (e.g., **Often Used), Evernote will present it (the folder) at the top of your folder list. This will make it easier to locate your default folder.

Here’s a screenshot of Evernote from my iPad. 

Evernote

In short, my standard operating procedure: (1) capture on the fly and (2) classify with a block of time (it usually takes me less than five minutes each day to tag and move the new notes).

Seven Ways to Feed Evernote

1. Smart Phones

You can use your smartphone to create and send pictures, text files, and voice messages to Evernote.

To download Evernote for an Android phone, click here.

iPhone users should download the Evernote app.

Here’s a screenshot of my iPhone Evernote app. Notice the note names at the top of each note and the tags (in the oval shapes) at the bottom of each note. 

Evernote

2. Scanners

I use a Fujitsu scanner (model iX500) to scan documents directly to Evernote. (The iX500 costs about $780 from Amazon.)

3. Web Clippers

Evernote provides web clippers for browsers including Safari, Explorer, Google Chrome, and Firefox. If you click this web clipper link, Evernote will automatically recognize your browser; then you can download the clipper software to your browser. While browsing, click the Elephant icon to clip a portion of the web page, the full page, or the full article.

4. Hotkeys

Evernote allows you to use hotkeys to capture information from any program (as long as Evernote is running in the background). To activate screen clipping, use the key combination (e.g., for Windows: Win+PrintScreen). See Preferences to change your hotkeys.

So if you are working on an Excel spreadsheet, for example, and would like to capture the information into Evernote, use the hotkey combination and select the portion of the screen you wish to save. The screenshot will go to your default Evernote location.

You can do the same with an email, a Word document, and anything else that appears on your screen.

5. Email Directly to Evernote Account

One of my favorite ways to feed Evernote is to email a document (e.g., Excel, Word, PDF) directly to Evernote; when you set up your Evernote account, you will be provided a private Evernote email address. Set this address up in your email contact list; then you can send any email or document (attached to an email) to your Evernote default notebook.

6. Drag and Drop

With Evernote open, you can create a new note and then drag a document (e.g., Word or Excel file) onto the open note. The material is added to the note. You can add multiple documents to one note.

7. Import Folder

An even easier way to get files into Evernote is to use an “import folder.” After you specify in Evernote where the “import folder” is located on your computer (i.e., a particular Windows folder), you can drop files into the designated folder, and they will automatically feed into your default Evernote notebook. 

Searching Your Evernote Account

Once you’ve used Evernote for some time, you’ll have several thousand notes, so many it can be difficult to find the information you’ve stored. That’s when operators can help. Use these to locate the notes you are looking for. 

Evernote Operators

You can use Evernote operators in the search box to locate particular information. Some of the more commonly used operators are:

1. And
2. Any
3. Tag
4. Notebook
5. Intitle
6. Created

And – Normally you will not type the word “and” as an operator; it’s implied. So if you type: comprehensive income in the search box, Evernote will locate all notes with the words comprehensive and income. If you want to see all notes with the phrase “comprehensive income,” then type: “comprehensive income”–using quotation marks.

Any – Typing the words “any: compilation review” will provide all notes with either the word “compilation” or the word “review.” If a note has the word “compilation” (and not “review”), then it will appear in your search list. If a note has the word “review” (and not “compilation”), then it will also appear in the list.

Tag – By typing “tag:Bank” into the search box, you’re telling Evernote that you want to see all notes tagged “Bank.” (You can tag each note regardless of which notebook it is in; for example, you might have four different notes in four different notebooks, but each tagged “Bank.”)

Notebook – Let’s say you have a notebook titled: Auditing (along with 70 other notebooks). You can type: “notebook:Auditing” in the search box and Evernote will locate your auditing notebook.

Intitle – Typing intitle:”fair value” will yield all notes with the words “fair value” in the title.

 

Evernote operator

Created – “created:day-1” will provide you with a list of all notes created yesterday and today. You can substitute “day” with “week,” “month,” or “year”. If you want to see all the notes created in the last two weeks, issue a search with “created:week-1.”

Combining Evernote Operators

Searching becomes even more powerful when you combine operators.

For example, typing:

Intitle:derivative swap “cash flow hedge”

will provide you with all notes that have the word “derivative” in the title and the words (1) “swap” and (2) “cash flow hedge” as a phrase.

Another example, typing:

Notebook:Accounting any:swap “cash flow hedge”

will provide you with a list of all notes from your accounting notebook that have either the word “swap” or the words “cash flow hedge” as a phrase.

Finally, typing:

Notebook:Bank tag:Deposits FDIC “Due to Due from”

will provide you with notes from your Bank notebook that have a “Deposits” tag and that contain the words FDIC and “Due to Due from” as a phrase.

Create Your Evernote Account

To create your account, go to the Evernote website and follow the directions. There is a free version if you want to try it out. You can see a comparison of their plans here. I have not received any type of commission for this recommendation. 

See my article An Auditor’s Cell Phone.

audit documentation
Aug 15

Audit Documentation: Peer Review Finding

By Charles Hall | Auditing

Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation in AU-C 230. And if it’s not documented, the peer reviewer can’t give credit. Work papers are your vehicle of communication. 

But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.

audit documentation

Insufficient Audit Documentation

Insufficient audit documentation has been and continues to be a hot-button peer review issue. And it’s not going away. 

But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that is fuzzy. Too often audit files are poor-to-midland. But why? 

First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.

Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (make more money), it’s a lack of understanding.

Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Confirmations, walkthroughs, fraud inquiries are omitted. And yes, it’s easier–at least in the short run.

But we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on a website and everyone could see it, would you be proud? Or does it need improvement?

Sufficient Audit Documentation According to AU-C 230

Let’s see what constitutes sufficient documentation.

AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:

  • Nature, timing, and extent of procedures performed
  • Results and evidence obtained
  • Significant findings, issues, and professional judgments

While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like? Here are some pointers for complying with AU-C 230. 

Experienced Auditor’s Understanding

Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?

Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).  

A Fog in the Work Papers

So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will see our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.

Just because I know why I am doing something does not mean that someone else will. So how can we create clarity?

Creating Clarity

Work papers should include the following:

  • A purpose statement (what is the reason for the work paper?)
  • The source of the information (who provided it? where did they obtain it and how?)
  • An identification of who prepared and reviewed the work paper
  • The audit evidence (what was done)
  • A conclusion (does the audit evidence support the purpose of the work paper?)

When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.

Remember, the work paper preparer is responsible for clear communication. 

And here’s another thing to consider: You (the work paper preparer) might spend six hours on one document, so you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand your work.

Help Your Reviewers

To help your reviewers:

  1. Tell them what you are doing (purpose statement)
  2. Do it (document the test work)
  3. Then, tell them how it went (the conclusion)

Now let’s move from proper to improper documentation.

Examples of Poor Work Paper Documentation

So, what does insufficient audit documentation look like? In other words, what are some of the signs that we are not complying with AU-C 230?

Here are examples of poor audit work paper documentation:

  • Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
  • Placing a document in a file without explaining why (what is its purpose?)
  • Not signing off on audit steps
  • Failing to reference audit steps to supporting work papers
  • Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
  • Not signing off on work papers as a preparer
  • Not signing off on work papers as the reviewer
  • Failing to place excerpts of key documents in the file (e.g., debt agreement)
  • Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
  • Not documenting the selection of a sample (why and how and the sample size)
  • Failing to explain the basis for low inherent risk assessments
  • Key bank accounts and debt are not confirmed
  • Not documenting the reason for not sending receivable confirmations
  • A lack of retrospective reviews
  • A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
  • Not documenting entity-level controls (e.g., tone at the top, management’s risk assessment procedures)
  • A failure to document risk assessments
  • Low control risk assessments without a test of controls
  • A lack of linkage from the risk assessment to the audit plan
  • No independence documentation though nonattest services are provided

This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.

Strangely, however, poor work papers are not the result of insufficient documentation, but too much documentation. 

Too Much Audit Documentation

Many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”

In looking at audit files, I see:

  • The clutter of unnecessary work papers
  • Files received from clients that don’t support the audit opinion
  • Unnecessary work performed on extraneous documents

For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.

If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we might realize it has none. Which is nice–now, we can eliminate it.

One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting. 

The key to eliminating unnecessary work lies in performing the following steps (in the order presented):

  1. Perform risk assessment
  2. Plan your audit based on the identified risks
  3. Perform the audit procedures

Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, we repeat them. This creates waste year after year after year.

Before I close this article, here is one good work paper suggestion from my friend Jim Bennett of Bennett & Associates: transaction area maps. 

Transaction Area Maps

Include transaction area maps in your file. A summary creates organization and makes it easier to find your work papers. It also provides a birds-eye view of what you have done. Here’s an example:

ACCOUNTS RECEIVABLE WORKPAPER MAP

4-02 Audit Program

4-10 Risk Assessment Analyticals

ACCOUNTS RECEIVABLE AGING

4-20 Customer aging report

4-21 AR break-out of intercompany balances

4-23 AR aging tie in to TB

4-24 Review of AR aging

ACCOUNTS RECEIVABLE CONFIRMATIONS

4-50 Planning worksheet – substantive procedures

4-51 AR confirmation reconciliation

4-52 AR confirmation replies

4-60 Allowance for doubtful accounts

4-70 Intercompany balances and sales to significant customers

4-80 Sales analytics

4-90 Sales cut-off testing

4-95 Revenue recognition 606 support and disclosures

Summary

In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message. We need to do so to comply with AU-C 230, Audit Documentation

Additional Guidance

The AICPA also provides some excellent guidance regarding work paper documentation. Download their work paper template; it’s very helpful. 

Also, see my article titled 10 Ways to Make Your Work Papers Sparkle.

audit risk assessment
Aug 14

Audit Risk Assessment: The Why and the How

By Charles Hall | Auditing

Today we look at one of most misunderstood parts of auditing: audit risk assessment.

Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation. Below you’ll see how to use risk assessment procedures to identify risks of material misstatement. You’ll also learn about the risk of material misstatement formula and how you can use it to plan your engagements. 

risk assessment

Audit Risk Assessment as a Friend

Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?

This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.

So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:

  1. We don’t understand it
  2. We're creatures of habit

Too often auditors continue doing the same as last year (commonly referred to as SALY)--no matter what. It’s more comfortable than using risk assessment.

But what if SALY is faulty or inefficient?  

Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).

Are We Working Backwards?

The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:

  1. Determine the risks of material misstatements (plan our work)
  2. Develop a plan to address those risks (plan our work)
  3. Perform substantive procedures (work our plan) and tests controls for effectiveness (if planned)
  4. Issue an opinion (the result of planning and working)

Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.”

In other words, we work backwards.

So, is there a better way?

A Better Way to Audit

During the initial planning phase of an audit, an auditor should do the following:

  1. Understand the entity and its environment
  2. Understand entity-level controls
  3. Understand the transaction level controls
  4. Use preliminary analytical procedures to identify risk
  5. Perform fraud risk analysis
  6. Assess risk

While we may not complete these steps in this order, we do need to perform our risk assessment first (1.-4.) and then assess risk.

Okay, so what procedures should we use?

Audit Risk Assessment Procedures

AU-C 315.06 states:

The risk assessment procedures should include the following:

  • Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor's professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
  • Analytical procedures
  • Observation and inspection

I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.

Risk assessment

Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.

First, we need to understand the entity and its environment.

Understand the Entity and Its Environment

The audit standards require that we understand the entity and its environment.

I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"

The answer tells me a great deal about the entity's risk.

I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.

Think of risks as threats to objectives. Your client's fears tell you what the objectives are--and the threats. 

To understand the entity and its related threats, ask questions such as:

  • How is the industry faring?
  • Are there any new competitive pressures or opportunities?
  • Have key vendor relationships changed?
  • Can the company obtain necessary knowledge or products?
  • Are there pricing pressures?
  • How strong is the company’s cash flow?
  • Has the company met its debt obligations?
  • Is the company increasing in market share?
  • Who are your key personnel and why are they important?
  • What is the company’s strategy?
  • Does the company have any related party transactions?

As with all risks, we respond based on severity. The higher the risk, the greater the response.

Audit standards require that we respond to risks at these levels:

  • Financial statement level
  • Transaction level

Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.

Responses to risk at the transaction level are more specific such as a search for unrecorded liabilities.

But before we determine responses, we must first understand the entity's controls.

Understand Transaction Level Controls

We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?). 

So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.


 AU-C 315.14 requires that auditors evaluate the design of their client's controls and to determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as any other requirement of AU-C 315 - Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.


Some auditors excuse themselves from this audit requirement saying, "the entity has no controls."  


All entities have some level of controls. For example, signatures on checks are restricted to certain person. Additionally, someone usually reviews the financial statements. And we could go on.


The AICPA has developed a practice audit that you'll find handy in identifying internal controls in small entities.


The use of walkthroughs is probably the best way to understand internal controls.

Sample Walkthrough Questions 

As you perform your walkthroughs, ask questions such as:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports and who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.

So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.

This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.

In a AICPA study regarding risk assessment deficiencies, 40% of the identified violations related to a failure to gain an understanding of internal controls.

40%
failure to gain understanding of internal controls

Need help with risk assessment walkthroughs?

See my article Audit Walkthroughs: The What, Why, How, and When.

Another significant risk identification tool is the use of planning analytics.

Preliminary Analytical Procedures

Use planning analytics to shine the light on risks. How? I like to use:

  • Multiple-year comparisons of key numbers (at least three years, if possible)
  • Key ratios

In creating preliminary analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)

You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information about, see my preliminary analytics post.)

Sometimes, unexplained variations in the numbers are fraud signals.

Identify Fraud Risks

In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?

Also, we should plan procedures related to:

  • Management override of controls, and
  • The intentional overstatement of revenues

My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.

Same Old Errors

Have you ever noticed that some clients make the same mistakes—every year? (Johnny--the controller--has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).

One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.

Now it’s time to pull the above together.

Creating the Risk Picture

Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image

Synthesis of risks

What are we bringing together? Here are examples:

  • Control weaknesses
  • Unexpected variances in significant numbers
  • Entity risk characteristics (e.g., level of competition)
  • Large related-party transactions
  • Occurrences of theft

Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.

How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.

Assess the Risk of Material Misstatement

Understanding the risk of material misstatement formula is key to identifying high-risk areas.

What is the risk of material misstatement formula?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.

Here's a short video about assessing inherent risk.

And another video regarding control risk assessment.

Once you have completed the risk assessment process, control risk can be assessed at high--simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time

The Input and Output

The inputs in audit planning include all of the above audit risk assessment procedures.

The outputs (sometimes called linkage) of the audit risk assessment process are:

  • Audit strategy
  • Audit plan (audit programs)
Linking risk assessment to audit planning

We tailor the strategy and plan based on the risks..

In a nutshell, we identify risks and respond to them.

(In a future post in this series, I will provide a full article concerning the creation of audit strategy and plans.)

Next in the Audit Series

In my next post, we’ll take a look at Auditing for Fraud: The Why and How

The Auditing Standards Board has issued an exposure draft for a new risk assessment standard. Final issuance of the new standard is expected in August or September of 2021. 

Audit Risk Assessment Made Easy - My New Book

My new book titled Audit Risk Assessment Made Easy will soon be available on Amazon. I’ve been working on this for over a year and I think you’ll find it to be a valuable resource in understanding, documenting, planning, and performing risk assessment procedures. Look for it in September 2021. 


Expense fraud
Aug 08

Expense Fraud: An Honest Theft

By Charles Hall | Asset Misappropriation

Honest people steal. Nice, innocent looking people take money that’s not theirs. How? One way is expense fraud.

The Honest Person’s Fraud

Expense fraud is one of the most common frauds. While the damage is usually low, this theft is pervasive in most businesses.

Expense fraud

I teach a college Bible study, and in it, I sometimes talk about “acceptable sins,” things like gossip, impatience, anger. My point is they are all issues and not acceptable, but we like to pawn them off as being okay–especially when it’s me that’s angry.

Likewise, expense report fraud is often viewed as acceptable, at least when it’s within bounds. But we all know fraud is fraud. The taking of something that does not belong to us is theft. But, I must say, it is so human to fudge on expense reports. We think things like: If I drove 355 miles, isn’t it okay to round up to 375? After all, I forgot to turn on my distance gauge until I was at least three miles out of town. Such rationalizations are easy to come by.

It always amazes me that executives–making six figures–are willing to jeopardize their positions for a few measly dollars. But C-suite employees commit expense report fraud just like new-hires. You might remember the Health and Human Services Secretary once resigned over questions about travel. While the Secretary was not accused of expense report fraud, it’s an example of how powerful people can abuse the use of travel privileges and, in this case, cost his employer (the federal government) money.

So how do people inflate their expense reports?

  • Inflating mileage
  • Filing the same receipt multiple times
  • Asking for advances and then requesting a second payment after returning from the trip
  • Submitting receipts of a nonemployee (e.g., spouse)
  • Submitting hotel reservation printouts (with projected cost) but not spending the night there

The Control Weakness

Usually, the weakness is that no one is properly reviewing the expense reports. Also, the company may not appropriately communicate the penalties (what happens when fraud is detected) for false reporting.

Correcting the Control Weakness

Create a written expense report policy that all employees sign, acknowledging their agreement to abide by the guidance.

The person reviewing the expense reports should be trained. He needs to know what is acceptable–and what is not. And most importantly, the person reviewing expense reports must be supported by the leadership of the entity–he has to know that the CEO or board chair has his back. (It’s difficult to stand up to high-level employees unless the reviewer knows the leader supports him.)

See a list of my other fraud-related articles.

1 2 3 37
>