Category Archives for "Accounting and Auditing"

Audit Risk Assessment Made Easy

By Charles Hall | Accounting and Auditing

Audit risk assessment can be easy–or least easier–if you understand it. But many auditors continue to struggle with risk assessment. That’s why I’ve written the book Audit Risk Assessment Made Easy. 

Peer reviews continue to reveal the failure of auditors to:

• Understand and document internal controls 
• Identify risks of material misstatement
• Develop audit steps responsive to risks of material misstatement
• Document risk assessment at the assertion level
• Provide support for lower inherent risk assessments
• Assess control risk at the right level
• Document linkage between risk assessment and audit procedures
• Use tests of details, substantive analytics, and test of controls as responses to risks of material misstatement

So, we need to understand risk assessment to avoid peer review problems, but, more importantly, risk assessment allows us to see what others miss. 

My New Book Helps You See What Others Miss

I have written a new book, Audit Risk Assessment Made Easy, to help you to see what others miss. Here’s a video overview. 

Common Risk Assessment Questions

The book addresses common questions regarding risk assessment such as:

• Why do I need to understand internal controls if I am using a fully substantive approach?
• What internal controls should I pay attention to?
• What is a walkthrough and when is it needed?
• What risk assessment procedures are required?
• When is an account balance, transaction cycle, or disclosure significant?
• What makes an assertion inherently risky?
• Can I assess control risk at high even though controls are appropriate?
• What is a significant risk?
• How do I assess the risk of material misstatement, including inherent risk and control risk?
• What is linkage and why is it important?
• How do I know what audit procedures to include in my audit programs?

As you read the book, you’ll see the answers to these questions and you’ll gain a greater ability to see what others miss. In other words, you’ll have greater confidence in your ability to understand and use risk assessment. Let me go out on a limb and say you might—by the time you’re done—delight in risk assessment. Is that possible? I’m betting on it.

Here’s what others are saying about Audit Risk Assessment Made Easy. 

Praise for Audit Risk Assessment Made Easy

Too often auditors perform risk assessment procedures as a check-the-box compliance exercise, perhaps because genuine risk assessments require an intimidating amount of professional judgment. In Audit Risk Assessment Made Easy, Charles walks us gently through the process using helpful examples and anecdotes. In so doing, he makes a persuasive case that risk assessment is the key to performing audits that are both effective and efficient.

Dr. Eddie Thomas
Georgia College & State University
Milledgeville, Georgia

Charles clearly recognizes that the CPA’s world of auditing has its own specific, highly technical language many might call “auditor-ese” that can overcomplicate and confuse. Audit practitioners need to more easily visualize and more fully comprehend the application of risk assessment into professional and effective action steps. Charles’ writing style communicates that even the most complicated task is so much easier to understand and undertake when it is explained and described in simple language with practical examples. 

By taking a page from the Mark Twain method to describe fence painting and Mississippi rafting, Charles breaks risk assessment down into understandable, manageable and effective steps, using uncomplicated declarative sentences, plotting a path to help to make audit risk assessment “easy” and the assurance mission possible. 

James J. Newhard, CPA
JJN CPA
Paoli, Pennsylvania

It’s easy to look at risk assessment only in terms of what you need to pass peer review.  That’s a shame because when risk assessment is done well it can laser focus your audits and identify opportunities to help your clients improve their controls. Audit Risk Assessment Made Easy will help you really understand your clients risks and how to respond. 

James H. Bennett, CPA
Managing Member
Bennett & Associates, CPAs, PLLC
Ann Arbor, Michigan

The risk assessment part of the audit can sometimes be a neglected part of the audit as it is often misunderstood. Charles does a fantastic job of explaining the importance of the risk assessment process in present day audits and explains it in a way that can be understood by all levels of auditors.  Thank you Charles.

Mark A. Welp, CPA, CFE
Principal, Audit & Assurance
Holbrook & Manter, CPAs
Columbus, Ohio

Charles takes the time to explain one of the most difficult aspects of auditing in clear and concise language.  His knowledge and wisdom is evident throughout the book with his understanding and enthusiasm providing practical guidance for all levels of auditors.  I highly recommend this book for auditors from staff to partner to augment their skills in the crucial area.

Geoff Fulton, CPA
Audit Partner
Fulton and Kozak
Atlanta, Georgia

Charles dissects one of the most difficult and most misunderstood topics in auditing and renders it easy to understand. He provides a holistic and practical approach to risk assessment. Required reading for all auditors.

Samuel Latimer, CPA, CFE
Rushton and Company, LLC
Gainesville, Georgia

Get Your Copy Now

Get your copy now. Click the book below to see it on Amazon. 

Online CPA Resources: A List

By Charles Hall | Accounting and Auditing

Are you looking for online CPA resources? You’ve come to the right place. 

There’s plenty of free online information such as the audit standards, compilation and review standards, illustrative reports, and fraud prevention information. There are also paid resources such as those provided by the AICPA’s audit quality centers.

Below I provide a list of free resources with links.

Then you’ll see information regarding the audit quality centers. 

 

Free Online CPA Resources

Here’s a list of online CPA resources that I commonly use:

• AICPA Technical Hotline
• AICPA Plain English Guide to Independence
• AICPA Developing a System of Quality Control
• AICPA Code of Conduct
• AICPA Illustrative Compilation Reports
• AICPA Illustrative Accountant’s Review Reports
• AICPA Journal of Accountancy
• AICPA SASs (audit standards)
• AICPA SSARS (compilation and review standards)
• Accounting Tools (accounting blog) 
• LinkedIn Governmental Not-For-Profit Group
• LinkedIn Sole Practitioners and CPA Small Firms Group
• Best Accounting Software (List of accounting new sites, associations, organizations)
• Nonprofit Update Blog
• FASB Codification
• GASB Pronouncements
• 2020 Report to the Nations (Fraud Resource)
• COSO Internal Control (Executive Summary)
• 2021 OMB Compliance Supplement
• OMB Uniform Guidance
• 2018 Version of Yellow Book

Paid Online CPA Resources

AICPA Audit Quality Centers

While the following are not free, consider joining audit quality centers if you have a concentration in areas such as governments and benefit plans. I have found our membership in the AICPA Governmental Audit Quality Center (GAQC) particularly helpful. They provide timely information alerts to keep you abreast of evolving changes such as those related to Yellow Book and Single Audits. The Employee Benefit Audit Quality Center is also useful. These audit quality centers provide practice aids and CPE classes relevant to governments and benefit plans. 

Another great resource (though not free) is the Center for Plain English Accounting (CPEA). The CPEA provides written responses to your technical questions; the AICPA Technical Hotline listed above is free but they don’t provide written responses, only verbal. The CPEA also provides timely articles about accounting and auditing changes, some of the best I have seen. Their quarterly accounting and auditing CPE update is also quite useful. 

Your Online Resources

What other online resources do you use as a CPA? Leave a comment.

How to Identify and Manage Audit Stakeholders

By Harry Hall | Auditing

Some auditors perform the same procedures year after year. These individuals know the drill. Their thought is: been there; done that. But, before we start the engagement, we need to identify the audit stakeholders. 

Imagine a partner or an in-charge (i.e., project manager) with this attitude. He does little analysis and makes some costly stakeholder mistakes. As the audit team starts the audit, they encounter surprises:

• Changes in the client stakeholders – accounting personnel and management
• Changes in accounting systems and reporting
• Changes in business processes
• Changes in third-party vendors
• Changes in the client’s external stakeholders

Furthermore, imagine the team returning to your office after the initial work is done. The team has every intention of continuing the audit; however, some members are being pulled for urgent work on a different audit.

These changes create audit risks–both the risk that the team will issue an unmodified opinion when it’s not merited and the risk that engagement profit will diminish. Given these unanticipated factors, the audit will likely take longer and cost more than planned. And here’s another potential wrinkle: Powerful, influential stakeholders may insist on new deliverables late in the project.

So how can you mitigate these risks early in your audit?

Perform a stakeholder analysis.

“Prior Proper Planning Prevents Poor Performance.” – Brian Tracy

Continue reading

Project Management in Audits: Key to Profit

By Charles Hall | Auditing

On the first day of your audit, you’re confident you’ll deliver your report on time. You have visions of a happy client and happy firm partners. But, somewhere along the way, things break down. Your best auditor transfers to another job. You learn–as the audit progresses–that your junior staff member lacks sufficient training. Your client is not providing information as requested. And, additionally, your audit team has unearthed a fraud.

How can you lessen or respond to these problems? Project management. In this post, I’ll tell you what it is and how you can start using project management in audits, including software selection and practical implementation steps.

Using Project Management in Audits

Auditors need to be effective (by complying with professional standards), but we also need to be efficient (if we want to make money). And project management creates efficiency.

Managing resources, identifying impediments to audit processes, responding to scope creep–these are just a few of the issues that we encounter. And these challenges can increase engagement time and decrease profits. Worse yet, that promise regarding timely completion can go unmet. 

Either we will manage our audits, or they will manage us. 

So, what are the keys to using project management in audits?

• Audit team members
• Project management software
• Create a project management plan
• Be aware
• Be vigilant

Audit Team Members

The number one ingredient to a successful audit is your team members. Even more important is the person managing the engagement.

Have you noticed that some people–regardless of the obstacles–just get things done? If possible, get and keep people like this on your audit teams. You may be thinking–at this moment–“but our firm has a difficult time hiring and retaining great employees.” Then revisit your hiring and retention practices.

Having great team members is essential, but they need to work together. So, how do we get them to play their roles at the right time? A project management plan defined in project management software.

Project Management Software

There are plenty of useful project management software packages. They include:

• Basecamp
• Trello
• Asana
• Smartsheet
• XCMWorkflow
• SuraLink

Pricing varies. Some are free while others are expensive. So, you’ll need to do your research to determine which solution is best for you. Personally, I use Basecamp. If you want to start with a free application, try Trello or Asana. Another option is Smartsheet (an Excel-spreadsheet-based product). Larger firms may desire to take a look at XCMWorkflow.

I was recently exposed to SuraLink in an engagement where I assisted a city government with its preparation for an audit. The external auditors used SuraLink to request and receive information from the client. I was very impressed with this product. Though I have used Basecamp historically (as you’ll see in a moment), I plan to give SuraLink a hard look. Basecamp is wonderful in terms of use-of-use, but I’m not confident in the security. So I’ve used Basecamp in conjunction with other products such as ShareFile and Box. SuraLink appears to provide you with one product to manage and house documents. 

Regardless of the project management software you use, always think about security since you are uploading and downloading client files. 
Continue reading

Fake Bank Confirmation Responses: $6 Million Theft

By Charles Hall | Auditing

The Western District of North Carolina U.S. Attorney’s Office issued a press release on June 17, 2013, detailing how James Shepherd, an investment company owner, defrauded over 100 investors of approximately $6 million. How? By misusing funds and tricking his company’s external auditors with fake bank confirmation responses.

Hiding Theft with Fake Bank Confirmation Responses

The press release states, “Documents indicate that Shepherd built a $2 million residence in Vass, North Carolina, and used investor money to make mortgage payments on the residence.” The U.S. Attorney’s Office said, “For seven years Shepherd used his investment fund as his personal piggy bank and repeatedly lied to his investors who trusted him with their savings.” The release goes on to say the fraud was concealed as “Shepherd sent to investors certified financial statements…accompanied by an Independent Auditor’s Report.” The fraudulent December 31, 2012, financial statement reflected a $6,041,850 cash balance when in reality the fund had less than $100,000. So, how was Shepherd able to get an independent auditor’s report based on fraudulent numbers?

The auditor sent bank confirmations to a P.O. Box address provided by Shepherd. Additionally, the confirmations were sent to the attention of a “Charles Fisher,” a fictitious bank employee.

And who controlled the P.O. Box? Mr. Shepherd.

According to the U.S. Attorney’s Office, Shepherd would receive the bank confirmations, “forge the name Fisher on a fake bank letter” and “send forged bank statements with fake balances” to the auditor. The responses came in the form of both letters and faxes.

So, how were the forged bank statements created? The press release stated that “Shepherd generated the fraudulent bank statements using a version of Adobe Acrobat that enabled him to type false numbers over true bank statements.”

Given the false bank confirmations, how was Mr. Shepherd ever caught? In March 2013 the auditors “insisted on verifying the cash balance of funds’ bank account electronically through the audit confirmation website www.confirmation.com.” Shepherd then refused to give the accountant authority to utilize the site to verify the cash balance. After that, the auditor notified the National Futures Association that his audit opinion could no longer be relied upon.

Given this cautionary tale, how can auditors combat the threat of false bank contact information?

Designing Confirmations 

A while back, my friend James Ulvog brought to my attention the following clarified auditing section about confirmations.

AU-C Section 505.A7 states:

Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by e-mail, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management.

Auditors often confirm bank accounts using:

1. Letters
2. Emails

Regardless of how an account is confirmed, auditors need to verify the contact information provided by the auditee–at least for some of the confirmations.

Bottom line

Audit standards require that steps be taken to ensure that confirmations are sent to the appropriate persons.

Using Confirmation.com reduces risk related to faulty confirmations. If you don’t use Confirmation.com, then consider checking street addresses by Googling them, or you might call the confirming party–especially for high-risk accounts.

The procedures used to verify mailing addresses, fax numbers, and email addresses should be documented in the auditor’s work papers.

Postscript

On February 11, 2015, Mr. Shepherd was sentenced to 84 months in prison and three years of supervised release. Shepherd pleaded guilty to one count of securities fraud in June 2013.