All Posts by Charles Hall

Follow

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.

auditing for fraud
Feb 23

Auditing for Fraud: The Why and How

By Charles Hall | Auditing , Fraud

Auditing for fraud is important, but some auditors ignore this duty.

So what is an auditor’s responsibility for detecting fraud? Today, I answer that question in light of generally accepted auditing standards in the United States. We’ll look specifically at AU-C 240, Consideration of Fraud in a Financial Statement Audit.

Here’s an overview of this article:

  • Auditor’s responsibility for detecting fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 

Auditor’s Responsibility for Detecting Fraud – AU-C 240

I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements whether caused by error or fraud is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.

Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems make it extremely difficult to discover fraud. Third, the number of potential fraud schemes (there are thousands) makes it challenging to consider all possibilities. And, finally, some frauds are so well hidden that auditors won’t detect them.

Even so, auditors should not turn a blind eye to fraud.

Turning a Blind Eye to Fraud

Why do auditors not detect fraud?

Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (after known theft occurs)
  • Not performing walkthroughs
  • We don’t conduct brainstorming sessions and window-dress related documentation
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • The audit program doesn’t change though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft

Two forms of fraud: Auditor's Responsibility for Fraud

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches.” 

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weakness allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just break it down and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and outside auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we put together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we describe the accounting system in our work papers, we may find missing pieces. Controls may be inadequate. When they are, we ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

The Auditor's Responsibility for Fraud - The Big Bad Wolves

The threats in our childhood stories were easy to recognize. The wolves were hard to miss. Not so in walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize.

So, how long should the story be? That depends on the size of the organization. Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid distracting details.

But what if control weaknesses are noted?

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures provide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? Think like a thief. By thinking like a fraudster, we unearth theft schemes. Why? So we can audit those possibilities. This is the reason for risk assessment procedures in the first place.

What we discover in risk assessment informs the audit plan. In other words, it has bearing on what we do in the days ahead, in the substantive procedures we perform.

The Auditor’s Responsibility for Detecting Fraud – AU-C 240

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”

Hopefully, you now better understand fraud procedures. But to understand the purpose of them, look at a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:

Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds will be missed, even when we perform the audit correctly.

The Why and How of Auditing: A Blog Series About Basics

Have you been following my series of posts: The Why and How of Auditing? If not, you may want to review the prior posts:

Also, subscribe to my blog to receive future installments in this series (I have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process. Join now.

See my book The Why and How of Auditing on Amazon.

audit documentation
Feb 20

Audit Documentation: If It’s Not Documented, It’s Not Done

By Charles Hall | Auditing

Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation. And if it’s not documented, the peer reviewer can’t give credit. 

But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.

audit documentation

In the AICPA’s Enhanced Oversight program, one in four audits is nonconforming due to a lack of sufficient documentation. This has been and continues to be a hot-button peer review issue. And it’s not going away. 

But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that is fuzzy. Too often audit files are poor-to-midland. But why? 

First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.

Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (make more money), it’s a lack of understanding.

Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Confirmations, walkthroughs, fraud inquiries are omitted. And yes, it’s easier–at least in the short run.

But we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on a website and everyone could see it, would you be proud? Or does it need improvement?

Sufficient Audit Documentation According to AU-C 230

Let’s see what constitutes sufficient documentation.

AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:

  • Nature, timing, and extent of procedures performed
  • Results and evidence obtained
  • Significant findings, issues, and professional judgments

While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like?

Experienced Auditor’s Understanding

Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?

Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).  

A Fog in the Work Papers

So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will read our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.

Just because I know why I am doing something does not mean that someone else will. So how can we create clarity?

Creating Clarity

Work papers should include the following:

  • A purpose statement (what is the reason for the work paper?)
  • The source of the information (who provided it? where did they obtain it and how?)
  • An identification of who prepared and reviewed the work paper
  • The audit evidence (what was done)
  • A conclusion (does the audit evidence support the purpose of the work paper?)

When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often (speaking for myself) has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.

Remember, the work paper preparer is responsible for clear communication. 

And here’s another thing to consider. You (the work paper preparer) might spend six hours on one document. So, you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand.

Help Your Reviewers

To help your less informed reviewers:

  1. Tell them what you are doing (purpose statement)
  2. Do it (document the test work)
  3. Then, tell them how it went (the conclusion)

Transaction Area Maps

Here’s an idea from my friend Jim Bennett of Bennett & Associates in Ann Arbor, Michigan.

Include transaction area maps in your file. A summary creates organization and makes it easier to find your work papers. It also provides a birds-eye view of what you have done. Here’s an example:

ACCOUNTS RECEIVABLE WORKPAPER MAP

4-02 Audit Program

4-10 Risk Assessment Analyticals

ACCOUNTS RECEIVABLE AGING

4-20 Customer aging report

4-21 AR break-out of intercompany balances

4-23 AR aging tie in to TB

4-24 Review of AR aging

ACCOUNTS RECEIVABLE CONFIRMATIONS

4-50 Planning worksheet – substantive procedures

4-51 AR confirmation reconciliation

4-52 AR confirmation replies

4-60 Allowance for doubtful accounts

4-70 Intercompany balances and sales to significant customers

4-80 Sales analytics

4-90 Sales cut-off testing

4-95 Revenue recognition 606 support and disclosures

Now let’s move from proper to improper documentation.

Insufficient Audit Documentation

So, what is insufficient audit documentation?

First, let’s look at examples of poor documentation:

  • Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
  • Placing a document in a file without explaining why (what is its purpose?)
  • Not signing off on audit steps
  • Failing to reference audit steps to supporting work papers
  • Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
  • Not signing off on work papers as a preparer
  • Not signing off on work papers as the reviewer
  • Failing to place excerpts of key documents in the file (e.g., debt agreement)
  • Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
  • Not documenting the selection of a sample (why and how)
  • Failing to explain the basis for low inherent risk assessments
  • Key bank accounts and debt are not confirmed
  • Not documenting the reason for not sending receivable confirmations
  • A lack of retrospective reviews
  • A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
  • Not documenting COSO deficiencies (e.g., tone at the top, management’s risk assessment procedures)
  • A failure to document risk assessments
  • Low control risk assessments without a test of controls
  • A lack of linkage from the risk assessment to the audit plan
  • No independence documentation though nonattest services are provided

This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.

Strangely, however, poor work papers are not the result of insufficient documentation, but too much documentation. 

Too Much Audit Documentation

Many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”

In looking at audit files, I see:

  • The clutter of unnecessary work papers
  • Files received from clients that don’t support the audit opinion
  • Unnecessary work performed on these extraneous documents

For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.

If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we realize it has none. Which is nice–now, we can deep-six it.

One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting. 

The key to eliminating unnecessary work lies in performing the following steps (in the order presented):

  1. Perform risk assessment
  2. Plan your audit based on the identified risks
  3. Perform the audit procedures

Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, then we repeat them. This creates waste.

Summary

In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message.

Additional Guidance

The AICPA also provides some excellent guidance regarding work paper documentation

Also, see my article titled 10 Ways to Make Your Work Papers Sparkle.

SSARS 25
Feb 19

SSARS 25: Materiality and Adverse Conclusions

By Charles Hall | Accounting and Auditing , Preparation, Compilation & Review

The AICPA has issued SSARS 25. It is titled Materiality in a Review of Financial Statements and Adverse Conclusions. Below I tell you how this standard affects your future review engagements.

Materiality in Review Engagements

Until SSARS 25, there was no requirement for you to document materiality in review engagements. Some firms, like my own, decided to do so any way. Others have not. Now, there's no choice. SSARS 25 explicitly requires that we determine and use materiality. 

Makes sense. The accountant's conclusion says we are not aware of any material modifications that should be made. The conclusion paragraph follows:

Accountant's Conclusion
Based on our review, we are not aware of any material modifications that should be made to the accompanying financial statements in order for them to be in accordance with accounting principles generally accepted in the United States of America. 

It would be difficult to plan or conclude a review engagement without knowing what materiality is. SSARS 25 requires that  we design and perform analytical procedures and inquiries to address all material items in the financial statements. This includes disclosures.

Next, you will see that the standard now permits adverse conclusions.

Adverse Conclusions in Review Engagements

In the past, adverse conclusions in a review engagement were not allowed. SSARS 25 changes this. If the financial statements are materially and pervasively misstated, you can issue an adverse conclusion.

SSARS 25 provides an illustrative accountant's review report with an adverse conclusion. (See illustration 7 on pages 85 and 86 of SSARS 25.) That example states the financial statements are not in accordance with accounting principles generally accepted in the United States of America.

Here's the adverse review report conclusion:

Adverse Conclusion
Based on my (our) review, due to the significance of the matter described in the Basis for Adverse Conclusion paragraph, the financial statements are not in accordance with accounting principles generally accepted in the United States of America.

One more thing, SSARS 25 requires a statement in the review report regarding independence.

SSARS 25

Independence in Review Reports

Independence is still required to perform a review engagement. What is different, however, is the accountant must include a statement in the review report saying he or she is independent. That phrase, to be included in the Accountant's Responsibility section of the report, reads as follows:

We are required to be independent of ABC Company and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements related to our review.

See examples of the independence wording in the illustrative reports in SSARS 25. Those reports start on page 75 of the standard.

So when is SSARS 25 effective?

SSARS 25 Effective Date 

The effective date for SSARS 25 is for periods ending on or after December 15, 2021. Early implementation is permitted.

audit risk assessment
Feb 15

Audit Risk Assessment: The Why and the How

By Charles Hall | Auditing

Today we look at one of most misunderstood parts of auditing: audit risk assessment.

Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation.

risk assessment

Audit Risk Assessment as a Friend

Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?

This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.

So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:

  1. We don’t understand it
  2. We're creatures of habit

Too often auditors continue doing the same as last year (commonly referred to as SALY)--no matter what. It’s more comfortable than using risk assessment.

But what if SALY is faulty or inefficient?  

Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).

Are We Working Backwards?

The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:

  1. Determine the risks of material misstatements (plan our work)
  2. Develop a plan to address those risks (plan our work)
  3. Perform substantive procedures (work our plan)
  4. Issue an opinion (the result of planning and working)

Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.”

In other words, we work backwards.

So, is there a better way?

A Better Way to Audit

Audit standards—in the risk assessment process—call us to do the following:

  1. Understand the entity and its environment
  2. Understand the transaction level controls
  3. Use planning analytics to identify risk
  4. Perform fraud risk analysis
  5. Assess risk

While we may not complete these steps in this order, we do need to perform our risk assessment first (1.-4.) and then assess risk.

Okay, so what procedures should we use?

Audit Risk Assessment Procedures

AU-C 315.06 states:

The risk assessment procedures should include the following:

  • Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor's professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
  • Analytical procedures
  • Observation and inspection

I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.

Risk assessment

Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.

First, we need to understand the entity and its environment.

Understand the Entity and Its Environment

The audit standards require that we understand the entity and its environment.

I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"

The answer tells me a great deal about the entity's risk.

I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.

Think of risks as threats to objectives. Your client's fears tell you what the objectives are--and the threats. 

To understand the entity and its related threats, ask questions such as:

  • How is the industry faring?
  • Are there any new competitive pressures or opportunities?
  • Have key vendor relationships changed?
  • Can the company obtain necessary knowledge or products?
  • Are there pricing pressures?
  • How strong is the company’s cash flow?
  • Has the company met its debt obligations?
  • Is the company increasing in market share?
  • Who are your key personnel and why are they important?
  • What is the company’s strategy?
  • Does the company have any related party transactions?

As with all risks, we respond based on severity. The higher the risk, the greater the response.

Audit standards require that we respond to risks at these levels:

  • Financial statement level
  • Transaction level

Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.

Responses to risk at the transaction level are more specific such as a search for unrecorded liabilities.

But before we determine responses, we must first understand the entity's controls.

Understand Transaction Level Controls

We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?). 

So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.


 AU-C 315.14 requires that auditors evaluate the design of their client's controls and to determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as any other requirement of AU-C 315 - Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.


Some auditors excuse themselves from this audit requirement saying, "the entity has no controls."  


All entities have some level of controls. For example, signatures on checks are restricted to certain person. Additionally, someone usually reviews the financial statements. And we could go on.


The AICPA has developed a practice audit that you'll find handy in identifying internal controls in small entities.


The use of walkthroughs is probably the best way to understand internal controls.

Sample Walkthrough Questions 

As you perform your walkthroughs, ask questions such as:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports and who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.

So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.

This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.

In a recent AICPA study regarding risk assessment deficiencies, 40% of the identified violations related to a failure to gain an understanding of internal controls.

40%
failure to gain understanding of internal controls

Need help with risk assessment walkthroughs?

See my article Audit Walkthroughs: The What, Why, How, and When.

Another significant risk identification tool is the use of planning analytics.

Planning Analytics

Use planning analytics to shine the light on risks. How? I like to use:

  • Multiple-year comparisons of key numbers (at least three years, if possible)
  • Key ratios

In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)

You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information about first-year planning analytics, see my planning analytics post.)

Sometimes, unexplained variations in the numbers are fraud signals.

Identify Fraud Risks

In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?

Also, we should plan procedures related to:

  • Management override of controls, and
  • The intentional overstatement of revenues

My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.

Same Old Errors

Have you ever noticed that some clients make the same mistakes—every year? (Johnny--the controller--has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).

One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.

Now it’s time to pull the above together.

Creating the Risk Picture

Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image

Synthesis of risks

What are we bringing together? Here are examples:

  • Control weaknesses
  • Unexpected variances in significant numbers
  • Entity risk characteristics (e.g., level of competition)
  • Large related-party transactions
  • Occurrences of theft

Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.

How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.

Assess the Risk of Material Misstatement

Understanding the RMM formula is key to identifying high-risk areas.

What is the RMM formula?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.

Here's a short video about assessing inherent risk.

And another video regarding control risk assessment.

Once you have completed the risk assessment process, control risk can be assessed at high--simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time

The Input and Output

The inputs in audit planning include all of the above audit risk assessment procedures.

The outputs (sometimes called linkage) of the audit risk assessment process are:

  • Audit strategy
  • Audit plan (audit programs)
Linking risk assessment to audit planning

We tailor the strategy and plan based on the risks..

In a nutshell, we identify risks and respond to them.

(In a future post in this series, I will provide a full article concerning the creation of audit strategy and plans.)

Next in the Audit Series

In my next post, we’ll take a look at the Why and How of Fraud Auditing. So, stay tuned.

If you haven’t subscribed to my blog, do so now. See below.


changes in accounting for equity securities
Feb 14

ASU 2016-01 – Changes in Accounting for Equity Securities

By Charles Hall | Accounting

Are you aware of the coming changes in accounting for equity securities?

In the past, FASB required that changes in the fair value of available-for-sale equity investments be parked in accumulated other comprehensive income (an equity account) until realized--that is, until the equity investment was sold. In other words, the unrealized gains and losses of equity investments were not recognized in net income until the investments were sold. This is about to change.

Changes in equity investments will generally be reflected in net income as they occur--even before the equity investments are sold. 

The guidance for classifying and measuring investments in debt securities is unchanged.

changes in accounting for equity securities

Changes in Accounting for Equity Securities

First, ASU 2016-01 removes the current guidance regarding classification of equity securities into different categories (i.e., trading or available-for-sale)

Secondly, the new standard requires that equity investments  generally be measured at fair value with changes in fair value recognized in net income (see exceptions below). Companies will no longer recognize changes in the value of available-for-sale equity investments in other comprehensive income (as we have in the past).

Exceptions

ASU 2016-01 generally requires that equity investments be measured at fair value with changes in fair value recognized in net income. There are some equity investments that are not treated in this manner such as equity method investments and those that result in consolidation of the investee.

Is the accounting for equity investments without readily determinable fair values different? It can be.

Equity Investments without Readily Determinable Fair Values

An entity may choose to measure equity investments that do not have readily determinable fair values at cost minus impairment.  This election should be documented at the time of adoption (for existing securities) or at the time of purchase for securities acquired subsequent to the date of adoption. The alternative can be elected on an investment-by-investment basis.

Why make the election to measure equity investments that do not have readily determinable fair values at cost minus impairment? Because of the difficulty of determining the fair value of such investments. This election will probably be used by entities that previously carried investments at cost. 

ASU 2016-01 requires that equity investments without readily determinable fair values undergo a one-step qualitative assessment to identify impairment (similar to what we do with long-lived assets and goodwill). 

At each reporting period, an entity that holds an equity security shall make a qualitative assessment considering impairment indicators to evaluate whether the investment is impaired. Impairment indicators that an entity considers include, but are not limited to, the following:

  • A significant deterioration in the earnings performance, credit rating, asset quality, or business prospects of the investee
  • A significant adverse change in the regulatory, economic, or technological environment of the investee
  • A significant adverse change in the general market condition of either the geographical area or the industry in which the investee operates
  • A bona fide offer to purchase, an offer by the investee to sell, or a completed auction process for the same or similar investment for an amount less than the carrying amount of that investment
  • Factors that raise significant concerns about the investee’s ability to continue as a going concern, such as negative cash flows from operations, working capital deficiencies, or noncompliance with statutory capital requirements or debt covenants.

So what happens if there is an impairment?

321-10-35-3 of the FASB Codification states, "An equity security without a readily determinable fair value that does not qualify for the practical expedient to estimate fair value in accordance with paragraph 820-10-35-59...shall be written down to its fair value if a qualitative assessment indicates that the investment is impaired and the fair value of the investment is less than its carrying value." (820-10-35-59 deals with measuring the fair value of investments in certain entities that calculate net asset value per share.)

How is the change in value to be reflected in the income statement?

If an equity security without a readily determinable fair value is impaired, the entity should include the impairment loss in net income equal to the difference between the fair value of the investment and its carrying amount.

Presentation of Financial Instruments

Entities are to present their financial assets and liabilities separately in the balance sheet or in the notes to the financial statements. This disaggregated information is to be presented by:

  • Measurement category (i.e., cost, fair value-net income, and fair value-OCI
  • Form of financial asset (i.e., securities or loans and receivables)

So, financial assets measured at fair value through net income are to be presented separately from assets measured at fair value through other comprehensive income.

Debt Securities Accounting 

U.S. GAAP for classification and measurement of debt securities remains the same. Show unrealized holding gains and losses on available-for-sale debt securities in other comprehensive income.

Disclosure Eliminated - Financial Instruments Measured at Amortized Cost

ASU 2016-01 removes a prior disclosure requirement. In the past, entities disclosed the fair value of financial instruments measured at amortized cost. Examples include notes receivables, notes payable, and debt securities. ASU 2016-01 removes this disclosure requirement for entities that are not public business entities

Effective Dates for ASU 2016-01

ASU 2016-01 says the following concerning effective dates:

For public business entities, the amendments in this Update are effective for fiscal years beginning after December 15, 2017, including interim periods within those fiscal years.

For all other entities including not-for-profit entities and employee benefit plans within the scope of Topics 960 through 965 on plan accounting, the amendments in this Update are effective for fiscal years beginning after December 15, 2018, and interim periods within fiscal years beginning after December 15, 2019. All entities that are not public business entities may adopt the amendments in this Update earlier as of the fiscal years beginning after December 15, 2017, including interim periods within those fiscal years.

Also, the provision exempting nonpublic entities from the requirement to disclose fair values of financial instruments can be early adopted.

Initial Accounting

An entity should apply the amendments by means of a cumulative-effect adjustment to the balance sheet as of the beginning of the fiscal year of adoption.

The amendments related to equity securities without readily determinable fair values (including disclosure requirements) should be applied prospectively to equity investments that exist as of the date of adoption of ASU 2016-01.

>