Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses.
He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events.
Charles consults with other CPA firms, assisting them with auditing and accounting issues.
Do you ever want to include justone disclosure in your financial statements without providing all the notes? Selected disclosures can be included in certain situations, including when you omit substantially all disclosures.
Do professional standards allow this? Yes. But only if you use AR-C 70 (the preparation guidance) or AR-C 80 (the compilation guidance).
Made with Canva
Selected Disclosures in Compilations
As you probably already know, a CPA can issue compiled financial statements without disclosures as long as the compilation report discloses the omission. An example follows.
Management has elected to omit substantially all of the disclosures required by accounting principles generally accepted in the United States of America. If the omitted disclosures were included in the financial statements, they might influence the user’s conclusions about the Company’s financial position, results of operations and cash flows. Accordingly, the financial statements are not designed for those who are not informed about such matters.
If the financial statements include one or two notes, then the financial statements still omit substantially all of the disclosures, so the accountant (still) uses the wording in the preceding paragraph.
Sample Selected Disclosure
An example of a selected disclosure follows:
ABC Company
Selected Information –
Substantially All Disclosures Required by Accounting Principles
Generally Accepted in the United States of America are Not Included
December 31, 2020
Note 1. Long-Term Debt.
ABC Company borrowed $450,000 on July 15, 2020, from XYZ Bank. The rate of interest is 5%, and the loan is collateralized by equipment of the Company. Payments are $10,000 per month plus interest for two years with a balloon payment for the balance of the amount owed.
Additionally, you can omit substantially all disclosures in a preparation engagement.
Preparation Engagements
AR-C 70 says:
The accountant may prepare financial statements that include disclosures about only a few matters in the notes to the financial statements. Such disclosures may be labeled “Selected Information—Substantially All Disclosures Required by [the applicable financial reporting framework] Are Not Included.”
So, the selected-disclosure option is available in a Preparation of Financial Statements engagement. Include the required disclaimer at the bottom of the page such as “No assurance is provided on these financial statements.”
Other Considerations
The accountant should consider whether management’s election to include only selected disclosures causes the financial statements to be misleading (for example, by omitting the disclosures that contain negative information). If so, the accountant should request that the financial statements be revised to include the omitted disclosures.
The selected-disclosure option is not available for financial statements subject to a review engagement. Such financial statements must be full disclosure.
What About You?
Do you ever use this selected-disclosure option? Any reservations about doing so?
What is the difference in an internal control and a process? Most company accounting manuals do not clearly define what a control is. The result: it can be difficult to identify a company’s key controls. As a result, some auditors incorrectly identify processes as internal controls in their walkthrough documentation. Below, I help you distinguish between controls and processes so you won’t make this mistake.
Processes and Controls in Risk Assessment
As you perform your annual walkthroughs, you determine if the company’s internal controls are designed properly and if they are implemented. But what are internal controls? And how do they differ from processes?
Processes are the actions performed by accounting personnel that are not controls. For example, a cashier receives payments.
Controls, on the other hand, are the actions that ensure safety and accuracy. For example, the cashier might restrictively endorse a check For Deposit Only and create a receipt. These are controls. A business can, however, receive payments without controls. But if they do, monies might be stolen or recorded incorrectly. In short, accounting controls (or internal controls) lessen misstatements in the financial statements and theft.
In performing risk assessment, you consider whether an account balance or transaction might be misstated, whether by error or fraud. And how do you do this? By performing certain procedures such as reviewing the internal control system. This is why it’s important to know what the key controls are.
Below I provide examples of cashier processes and internal controls.
Cashier Processes
Remember a process is whatis being done. The purpose of the process, in this example, is to receive and process payments.
The cashier’s work manual might require processes as follows:
Take your cash drawer from the vault each morning
Turn on your computer by 7:50 a.m. to ensure it is working properly
Open your station at 8:00 a.m.
Press the f7 key before entering the receipt
Ask customers to place their credit cards into the credit card machine at your window
Press the f3 key when the receipt entry is complete
Now, let’s look at sample internal controls.
Cashier Internal Controls
Controls ensure accuracy and lessen fraud. The accounting manual might spell out the following controls (this list is not comprehensive):
No purses or handbags are allowed in the cash collections area
Station security cameras record all activity; retain video for at least one month
No person receiving cash can write down or eliminate receivables (of if they can, a second person reviews and signs off on all adjustments)
The receipting software flags all amounts greater than $1,000 (most receipts are less than $500)
Only one cashier can work from a cash drawer; the cashier must lock his or her drawer upon leaving their station and must log out of their computer
Cashiers issue a receipt for each payment received
The cash supervisor observes the daily closeout count of one cashier at least once per week
The cash supervisor creates the daily summary deposit and provides the same to the courier for delivery to the bank
Notice the segregation of duties andthe second-person reviews. The internal controls lessen the potential for misstatements and theft.
Some controls may sound like policies alone—and not controls—such as no purses are allowed in the collection area. But what is the purpose of the requirement? To lessen theft. So I consider this to be both a policy and a control.
Also, notice that some controls are automated such as the entry flag for amounts greater than $1,000. The purpose of this control is to lessen data entry error.
In summary, we see that a processes are the actions performed to get something done. Cashiers receive and process payments. By contrast, controls ensure that the resulting numbers are correct and that assets are secure from theft.
Understanding the differences in controls and processes helps you identify key controls. And why is this important? Understanding the distinction allows you to properly identify key controls in your walkthrough documentation. You don’t want to identify a process as a control when it’s not.
Today, we talk about auditing plant, property, and equipment (or capital assets if you work with governments).
Plant, property, and equipment is often the largest item on a balance sheet. But the risk is often low to moderate. After all, it’s difficult to steal land or a building. And the accounting is usually not difficult. So the dollar amount can be high but the risk low.
In this post, we’ll answer questions such as, “how should we test additions and retirements of property?” and “what should we do in regard to fair value impairments?”
Auditing Plant, Property, and Equipment — An Overview
I will—at times in this article—refer to plant, property, and equipment as property. Governments use the term capital assetsto refer to plant, property and equipment, but again, I will, for the most part, use the term property in this article.
Property is purchased for use in a business. For example, a corporate office might be bought or constructed. The building is an asset that is depreciated over its economic life. As depreciation is recorded, the book value (cost less accumulated depreciation) of the building decreases as depreciation is recognized. In other words, you expense the building as it is used.
In most reporting frameworks, including GAAP, assets are recorded at cost. Appreciation in market value is not recorded, but significant decreases, known as impairments, are booked. Property improvements (e.g., adding a new room to an existing building) are capitalized and depreciated. Repairs (e.g., painting a room) that don’t extend the life of an asset are expensed.
Also, most businesses elect to use a capitalization threshold such as $5,000. For these entities, amounts paid below the threshold are not capitalized, even if they extend the life of the asset. The amounts below the threshold are expensed as incurred.
So, how do most entities track property purchases and compute the related depreciation? They use depreciation software. Then when property is purchased, it is added to the depreciation software and an economic life (e.g., ten years) is assigned.
Below we will cover the following:
Primary property assertions
Property walkthroughs
Directional risk for property
Primary risks for property
Common property control deficiencies
Risk of material misstatement for property
Substantive procedures for property
Common property work papers
Primary Property Assertions
The primary relevant property assertions are:
Existence and occurrence
Completeness
Valuation
Classification
Of these assertions, I believe—in general—existence, occurrence, and classification are most important. So, the client is asserting that property exists, that depreciation expense is appropriate, and that amounts paid for property are capitalized (and not expensed).
Property Walkthroughs
As we perform walkthroughs of property, we are looking for ways that property might be overstated (though understatements can occur as well).
As we perform the property walkthrough, we ask, “what can go wrong, whether intentionally or by mistake?”
In performing the walkthrough, ask questions such as:
Are property ledgers reconciled to the general ledger?
Does the entity use reasonable and consistent depreciation methods?
Are the depreciation methods in accordance with the reporting framework (e.g., straight line for GAAP or accelerated for tax basis)
Who records depreciation?
Are the economic lives assigned to property appropriate?
What controls ensure that property is recorded in the right period?
What controls ensure that capital leases are capitalized as property (if applicable, see GAAP lease standards)?
Is there appropriate segregation of duties between persons that purchase, record, reconcile, and physically possess property?
What software is used to compute depreciation?
Does the company perform periodic physical inventories of property?
Are assets removed from the depreciation schedule upon sale?
What controls ensure that property purchases are added to the depreciation schedule (and not expensed as repairs and maintenance)?
What controls ensure that repair expenses are not capitalized as property?
What is the capitalization threshold (e.g., $5,000)?
As we ask questions, we also inspect documents (e.g., depreciation reports) and make observations (e.g., who has access to moveable property?).
If control weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see that one person purchases property, has physical access to equipment, and performs the related accounting, then we will perform theft-related substantive procedures.
Directional Risk for Property
The directional risk for property is overstatement. So, in performing your audit procedures, perform procedures to ensure that property is not overstated. For example, vouch all significant property additions to invoices. See if the amounts added are equal to or greater than the capitalization threshold (e.g., $5,000).
Primary Risks for Property
The primary risks for property are:
Property is intentionally overstated
Repair expenses (or any other expenses) are improperly capitalized as property
Purchases that should be recorded as property are expensed
Depreciation is improperly computed and recorded (e.g., accelerated depreciation is used when straight-line is more appropriate)
Moveable property (e.g., equipment) is stolen
Common Property Control Deficiencies
In smaller entities, it is common to have the following control deficiencies:
One person performs more than one of the following:
Authorizes the purchase of property
Enters the property in the general ledger and depreciation schedule
Has physical custody of the property
Has responsibility for reconciling the depreciation schedule to the general ledger
The person computing depreciation doesn’t have sufficient knowledge to do so
A second person does not review the depreciation methods for appropriateness and economic lives assigned to each property
No one performs surprise audits of property
No one performs physical inventories of property
There are no controls over the disposal of property
Appropriate bidding procedures are not used
No one reconciles the depreciation schedule to the general ledger
Property is not reviewed for potential impairments of value
In smaller engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.
When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (controls risk X inherent risk = risk of material misstatement). The assertions that concern me the most are existence (for additions to property), occurrence (for depreciation), and classification (of property). With regard to classification, the business determines whether the amount should be capitalized or expensed. So my RMM for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, the vouching of additions to property. As RMM increases I lower the dollar threshold for vouching property additions.
If controls related to bids are weak, your RMM for existence can be high. Bid rigging or kickbacks—fraudulent vendor actions—can result in overstatements of asset additions.
Substantive Procedures for Property
My customary audit tests are as follows:
1. Vouch property additions to related invoices
2. Agree opening property balances in the depreciation schedule to the prior year ending balances
3. Review economic lives assigned to new property for appropriateness
4. Review the selected depreciation method in light of the property’s life
5. Compute a ratio of depreciation to property and compare the result with prior periods
6. Review new lease agreements to determine if they should be capitalized
7. Inquire about potential decreases in the value of property and request valuations if necessary
Common Property Work Papers
My property work papers normally include the following:
An understanding of property-related internal controls
Documentation of control deficiencies related to property
Property audit program
A copy of the depreciation schedule that agrees to the general ledger
A summary of additions and retirements of property in the current audit period
Bid documents for significant construction projects or other property purchases
A valuation of a significant asset by a valuation specialist, if merited (potential impairment)
In Summary
In this article, we looked at how to perform property risk assessment procedures, the relevant property assertions, the property risk assessments, and substantive property procedures.
Today I describe five dirty, no good, terrible, audit habits.
Certain peer review deficiencies continue to persist. Today I tell you about a few and how you can stop them.
Have you ever had a bad habit? You eat too much, don't exercise enough, put your make-up on while driving to work (one I've never had, thankfully), spend too much money. Yes, we've all had bad habits.
Auditors have them as well. Some problems seem to never die. The AICPA periodically provides a list of peer review deficiencies. Here are five and what you can do about them.
Bad Habit 1 - Skipping Risk Assessment
Do you have the habit of starting your audit by testing bank reconciliations or reconciling equity accounts to the general ledger?
Solution - Start in the right place. At the beginning. And where is the beginning? First acceptance and continuance. Then risk assessment. Resolve to perform the following before doing any substantive work:
Perform acceptance or continuance procedures
Gain an understanding of the entity and its environment
Perform walkthroughs
Review prior year estimates for potential bias
Ask questions regarding fraud
Create your planning analytics
Now, assess risk at the financial statement level and at the transaction level by assertion. Once risk assessment is complete, start your substantive work.
In a another bad habit, some auditors create their risk assessments but don't use them.
Bad Habit 2 - Performing But Not Using Risk Assessment
Don't allow another bad habit to persist: Performing risk assessment procedures and ignoring the results. In other words, using the same substantive procedures as last year, though new risks are present.
Solution - Once a risk is identified, link a response to it. This can be done on your risk assessment summary form.
For example, the revenue recognition standard is effective for many of your December 31, 2019 clients. The standard represents change and can impact your risk of material misstatement for revenue. Change creates risk. And risk calls for a response. Link the risk (that revenue recognition and disclosures may be incorrect) to substantive procedures. Test the revenue recognition in light of Topic 606 and vet the disclosures with an updated disclosure checklist.
In another nasty habit, some auditors ignore controls.
Bad Habit 3 - Ignoring Controls
While a test of controls for effectiveness is not required, reviewing control design and implementation is. This is why we perform walkthroughs. But some auditors ignore or give little attention to this risk assessment procedure. Their attitude is "I already know what I'm going to do, so why waste time?"
This attitude can be the result on believing a balance sheet audit approach is sufficient. This is the belief that auditing all significant balance sheet accounts is enough. But is it? Suppose the CFO steals $5 million dollars during the year, skimming cash from unbilled receipts. You can audit the year-end bank reconciliation. The bank account can reconcile to the general ledger. But the $5 million is still missing.
Why? Because the service organization controls are a part of the company's controls. The company's accounting system includes outsourced components.
Your client, for example, may outsource its payroll to ADP. Does that mean the auditor doesn't need to understand ADP's processes and controls? No. Why? Because ADP is acting as an extension of the company's accounting system. The SOC report allows you to see if the payroll controls are designed appropriately and implemented. And this is what we desire whether the accounting is in-house or outsourced.
Solution - Read the SOC report and document your considerations. If control weaknesses are present, determine how those weaknesses impact your risk assessment.
And what's the last bad habit? Drum roll. Auditors don't identify the significant risks.
Bad Habit 5 - Not Identifying Significant Risks
Every audit has at least one or two significant risks. Consider, for example. management override. Management can manipulate the books to satisfy their needs.
So, what is a significant risk? Audit standards define it as "An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration." But what is "special audit consideration"? It's those high risk areas that deserve extra attention. They are the two or three areas (the number varies by audit) that deserve our greatest effort. Understand that not all high risk of material misstatements are significant risks. Significant risks are those areas of an even higher concern. Examples include:
Allowance for bad debt in a hospital
Management override
A fraud risk (because a known material theft exist)
By contrast, a high risk of material misstatement (RMM) for the completeness assertion in payables might not be a significant risk. The RMM might be high but, in this example, it's not a significant risk.
Solution - Identify significant risks. Do so on your risk assessment summary form. Then link to a response in your audit program. And these responses should be beyond your normal basic procedures. Additionally, they must include a test of details.
AICPA Areas of Focus
Each year the AICPA creates areas of focus in its Enhancing Audit Quality (EAQ) work. You may want to put this in your tickler file. Why? So you'll know the hot-button peer review issues. That way you can build your audit processes in a proactive manner.
Tests of details, a substantive procedure, is the auditor's primary response to risks of material misstatement. Today I tell you what a test of details is and how you can best use this substantive approach..
Further Audit Procedures
AU-C 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained defines substantive procedures as:
Once you assess your risks of material misstatement you determine your responses. These further audit procedures (responses) include the two substantive procedures listed above as well as test of controls.
So of the three further audit procedures, are certain ones required?
Yes.
A test of controls is necessary if substantive procedures can’t properly address a risk of material misstatement. Think complex information technology processes. For example, when a benefit plan participant changes his investment options in a 401(k). There may be no physical documents to examine. In these circumstances, a test of controls might be your only option.
By contrast, auditors are required to perform tests of details when significant risks are identified. A test of controls alone will not do. So if, for example, you have determined that a complex estimate is a significant risk, then plan and perform a test of details in response. Likewise, if you believe a fraud risk is present, perform a test of details.
Additionally, substantive procedures are required for relevant assertions related to each material class of transactions, account balances, and disclosures. However, for this requirement, the auditor can use:
Substantive analytics alone
A tests of details alone
A combination of substantive analytics and test of details
This article focuses on tests of details. So, let’s move to that topic.
Audit standards don't define tests of details. They only say that a test of details is one of two substantive procedure options (the other being substantive analytics).
Test of Details Examples
Since there is no definition, here are examples of a test of details:
Vouching invoices
Tracing bills sent to customers
Search for unrecorded liabilities in accounts payable
Testing bank reconciliations by examining subsequent month bank statements
Sending bank confirmations
Sending customer confirmations
Agreeing receivables to contracts
Vouching subsequent receipts in receivables
Reconciling payroll in the general ledger to quarterly payroll tax returns
As you can see, a test of details is just what it says it is. You are digging into the details of transactions. Substantive analytics, by contrast, look at numbers from a broader perspective. For example, the auditor might compute the current ratio or compare this year's debt level with prior years. I provided examples of substantive analytics in a recent article.
Now let's see how you can best select your tests of details procedures.
Tests of Details - Selection of Procedures
So, how do you determine which response is best?
AU-C 330 tells us to pay attention to the nature of the risk. Doing so allows us to determine the what, when and how of our procedures. The audit standards refer to this as the nature, timing and extent. So, here is the way to design appropriate responses to your client’s risks of material misstatement.
1. Nature of Evidence
First, let's discuss the type of procedures or, as the audit standards call it, the nature of evidence. If an auditor believes that receivables might be overstated, then she might send confirmations to customers. Why confirmations? To prove the existence of the receivables. And confirmations provide third party evidence which is better than that from within the company. Customers usually have no reason to respond in a dishonest manner, so the third party evidence is more reliable.
Prepaid assets, by contrast, usually has a low risk of material misstatement. They are not complex. The volume of transactions is low. They are not an estimate. So, in this instance, the auditor could use substantive analytics. Again, the nature of the risk drives your response.
Your responses are critical. If your tests don't address the risk of material misstatement, what good are they?
In addition to the nature of evidence, timing matters as well.
2. Timing of Evidence
So, should you perform interim audit procedures? The answer depends on the reliability of the accounting system. Interim work is more easily done when you audit reliable systems. Consider waiting until period-end to audit unreliable systems. Why? If your interim work yields significant problems, you may not feel comfortable with roll-forward procedures. In other words, you may have to re-perform your interim work at period end.
Do you perform a search for unrecorded liabilities? Then some time must pass from period-end before you do this procedure. The entity needs time to receive period-end invoices and make payments before you can review them. Likewise, if you are examining subsequent period receivable collections, some time must pass before you do so. Wait at least three or four weeks from period end before you perform these types of procedures.
In addition to the nature and timing, the quantity of information is critical.
3. Extent of Evidence
The extent or quantity of evidence is another decision. Higher risks call for more evidence. If accounts payable has been materially understated the last two years, then consider lowering your search threshold for unrecorded liabilities. If you've used $10,000, you could, for example, move it to $3,000. The lower threshold will yield more evidence. The main point here is you want more evidential matter as risk increases.
But can you audit too much information? The answer is yes, unless you have an unlimited time budget. So, you want to examine enough information without overdoing it.
A question to ask in designing your quantity is, “Will this test allow me to detect a material misstatement?” For instance, you might plan a sample. But once you total the individually significant items, you see the remaining amount is immaterial. Then test the individually significant items and stop.
Choosing Your Tests of Details
So there you are. A summary of nature, timing and extent as they relate tests of details. Learning to match your procedures with risks is one of the most important things you'll do as an auditor. Using canned audit programs or the same-as-last-year approach can lead to significant problems. Therefore, know your risks. Then design and perform responsive procedures.
Tests of Details by Account Balance
If you desire to see tests of details by account balances and transaction cycles, see The Why and How of Auditing series. There I provide you with tests of details for accounts such as cash, receivables and debt.
