Want to know how to audit investments? You're in the right place. 

Below I provide a comprehensive look at how you can audit investments effectively and efficiently.

​The complexity of auditing investments varies. For entities with simple investment instruments, auditing is easy. Your main audit procedure might be to confirm balances. Complex investments, however, require additional work such as auditing values. As investment complexity increases, so will your need for stronger audit team members (those that understand unusual investments). Regardless, you need an audit methodology.

So, here we go.

How to Audit Investments

In this post, we will take a look at:

• Primary investment assertions
• Investment walkthroughs
• Directional risk for investments
• Primary risks for investments
• Common investment control deficiencies
• Risk of material misstatement for investments
• Substantive procedures for investments
• Common investment work papers

Primary Investments Assertions

First, let’s look at assertions.

Primary relevant investment assertions include:

• Existence
• Accuracy
• Valuation
• Cutoff

The audit client is asserting that the investment balances exist, that they are accurate and properly valued, and that only investment activity within the period is recorded. 

While investment balances in the financial statements are important, disclosures are also vital, especially when the entity owns complex instruments. 

Investment Walkthroughs

Second, perform your risk assessment work in light of the relevant assertions.

As you perform walkthroughs of investments, you normally look for ways that investments might be overstated (though investments can be understated as well). You are asking, “What can go wrong?” whether intentionally or by mistake. You want to know if:

• The controls were appropriately designed, and 
• The controls were implemented (in use)

Walkthrough Questions

In performing investment walkthroughs, ask questions such as:

• What types of investments are owned?
• Are there any unusual investments? If yes, how are they valued?
• Is a specialist used to determine investment values?
• Who determines the classification of investments (e.g., trading, available for sale, held to maturity) and how
• Do the persons accounting for investment activity have sufficient knowledge to do so?
• Are timely investment reconciliations performed by competent personnel?
• Are all investment accounts reconciled (from the investment statements to the general ledger)?
• Who reconciles the investment accounts and when?
• Are the reconciliations reviewed by a second person?
• Are all investment accounts on the general ledger?
• How does the entity ensure that all investment activity is included in the general ledger (appropriate cutoff)?
• Who has the ability to transfer investment funds and what are the related controls?
• Is there appropriate segregation of duties for:
  • Persons that record investments, 
  • Persons that buy and sell investments, and
  • Persons that reconcile the investment statements
• What investment accounts were opened in the period?
• What investment accounts were closed in the period? 
• Who has the authority to open or close investment accounts?
• Are there any investment restrictions (externally or internally)?
• What persons are authorized to buy and sell investments?
• Does the entity have a written investment policy? 
• Does the company use an investment advisor? If yes, how often does management interact with the advisor? How are investment fees determined?
• Are there any investment impairments?
• Who is responsible for investment disclosures and do they have sufficient knowledge to carry out this duty?
• Are there any cost or equity-method investments?

As we ask questions, we also inspect documents (e.g., investment statements) and make observations (e.g., who reconciles the investment statements to the general ledger?).

If control weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we note that there are improperly classified investments, then will plan audit procedures to address that risk.

Directional Risk for Investments

Third, consider the directional risk of investments.

The directional risk for investments is that they are overstated. So, in performing your audit procedures, perform procedures to ensure that balances are properly stated.

Primary Risks for Investments

Fourth, think about the risks related to investments.

Primary risks include:

1. Investments are stolen
2. Investments are intentionally overstated to cover up theft
3. Investments accounts are intentionally omitted from the general ledger
4. Investments are misstated due to errors in the investment reconciliations 
5. Investments are improperly valued due to their complexity and management’s lack of accounting knowledge
6. Investments are misstated due to improper cutoff
7. Investment disclosures are not accurate or complete

Common Investment Control Deficiencies

Fifth, think about control deficiencies noted during your walkthroughs and other risk assessment work.

It is common to have the following investment control deficiencies:

• One person buys and sells investments, records those transactions, and reconciles the investment activity
• The person overseeing investment accounting does not possess sufficient knowledge or skill to properly perform the duty
• Investment reconciliations are not performed timely or improperly
• The company does not employ sufficient assistance in valuing complex assets such as hedges or alternative investments

Risk of Material Misstatement for Investments

Sixth, now its time to assess your risks.

In my smaller audit engagements, I usually assess control risk at high for each assertion. (You may, however, assess control risk at less than high, provided your walkthrough reveals that controls are appropriately designed and that they were implemented. If control risk is assessed at below high, you must test controls for effectiveness to support the lower risk assessment.)

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate. 

The assertions that concern me the most are existence, accuracy, valuation, and cutoff. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, confirming investments, testing investment reconciliations, testing values, and vetting investment disclosures.

Substantive Procedures for Investments

And finally, it’s time to determine your substantive procedures in light of your identified risks.

My customary audit tests include:

1. Confirming investment balances agreeing them to the general ledger
2. Inspecting period-end activity for proper cutoff
3. Using an investment specialist to value complex instruments (if any)
4. Vetting investment disclosures with a current disclosure checklist

I don’t normally test controls related to investments. If controls are tested and you determine they are effective, then some of the substantive procedures may not be necessary. 

Common Investment Work Papers

My investments work papers normally include the following:

• An understanding of investment-related internal controls 
• Risk assessment of investments at the assertion level
• Documentation of any control deficiencies
• Investment audit program
• Investment reconciliations 
• Investment confirmations
• Valuations performed by specialists
• Documentation of the specialist’s experience, competence, and objectivity
• Disclosure checklist

Auditing Investments - A Simple Summary

• The primary relevant investment assertions include existence, accuracy, valuation, and cutoff
• Perform a walkthrough of investments by making inquiries, inspecting documents, and making observations
• The directional risk for investments is an overstatement
• Primary risks for investments include:
  • Investments are stolen
  • Investments are intentionally overstated to cover up theft
  • Investments accounts are intentionally omitted from the general ledger
  • Investments are misstated due to errors in the investment reconciliations
  • Investments are improperly valued due to their complexity and management’s lack of accounting knowledge
  • Investments are misstated due to improper cutoff
  • Investments disclosures are not accurate or complete
• The substantive procedures for investments should be responsive to the identified risks; common procedures include:
  
  • Confirming investments 
  • Inspecting period-end activity for proper cutoff
  • Using an investment specialist to value complex instruments 
  • Vetting investment disclosures with a current disclosure checklist

Now you know how to audit investments. 

Next, we’ll see how to audit plant, property and equipment.

This post is a part of my series The Why and How of Auditing. Check my other posts.

Do you know what you need to know about emphasis-of-matter and other-matter paragraphs? Sometimes auditors elect to or are required to add an extra paragraph after the opinion paragraph. You need to know why and when.

This post gives you the leg up on emphasis-of-matter (EOM) paragraphs and other-matter (OM) paragraphs. 

Definitions

First, let’s first define the two terms.

AU-C 706.05 provides the following definitions:

Emphasis-of-matter paragraph. A paragraph included in the auditor's report that is required by GAAS, or is included at the auditor's discretion, and that refers to a matter appropriately presented or disclosed in the financial statements that, in the auditor's professional judgment, is of such importance that it is fundamental to users' understanding of the financial statements.

Other-matter paragraph. A paragraph included in the auditor's report that is required by GAAS, or is included at the auditor's discretion, and that refers to a matter other than those presented or disclosed in the financial statements that, in the auditor's professional judgment, is relevant to users' understanding of the audit, the auditor's responsibilities, or the auditor's report.

Notice that an EOM refers to “a matter appropriately presented or disclosed in the financial statements,” while an OM refers to “a matter other than those presented or disclosed in the financial statements.”

Now, let's take a look at sample EOM and OM paragraphs. 

Sample EOM Paragraph

Here’s a sample EOM paragraph:

Emphasis of Matter

As discussed in Note X to the financial statements, the Company has elected to change its policy for determining cash equivalents in 20X 7. Our opinion is not modified with respect to that matter.

Sample OM Paragraph

Here is a sample OM paragraph:

Other Matter

In our report dated April 18, 20X5, we expressed a qualified opinion since the Company’s main office had a material unrecognized impairment loss. As noted in Note 12, the Company has now recognized the impairment in conformity with accounting principles generally accepted in the United States of America. Accordingly, our present opinion on the restated 20X4 financial statements, as presented herein, is different from that expressed in our previous report.

You also need to know the presentation requirements for EOM and OM paragraphs.

Presentation Requirements for an EOM

AU-C 706.06 and 706.07 provides guidance in reference to EOMs. The auditor should:

• Refer only to information presented or disclosed in the financial statements
• Include the EOM immediately after the opinion paragraph in the auditor’s report
• Use the heading “Emphasis of Matter” or other appropriate heading
• Include a clear reference to the matter being emphasized and to where relevant disclosures that describe the matter can be found
• Indicate that the auditor’s opinion is not modified with respect to the matter emphasized

Presentation Requirements for an OM

AU-C 706.08 provides guidance in reference to OMs. The auditor should:

• Include the OM immediately after the opinion paragraph and any EOM paragraph (or elsewhere in the auditor’s report if the content of the OM paragraph is relevant to the “Other Reporting Responsibilities” section – see AU-C 706.A6--.A11)
• Use the heading “Other Matter” or other appropriate heading

AU-C Sections Requiring EOMs

Sometimes EOMs are required; here are examples:

• AU-C 570.15-.16 The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern
• AU-C 560-.16c Subsequent Events and Subsequently Discovered Facts
• AU-C 708.08-.09 and .11-.13 Consistency of Financial Statements

See exhibit B of AU-C 706 for a complete listing of AU-C sections requiring EOM paragraphs.

An EOM is commonly required when a company has a change in an accounting principle (that has a material impact). AU-C 708 Consistency of Financial Statements paragraphs .07-.08 provides guidance on when the EOM is required.

The auditor also has an option to use an EOM to emphasize matters that are not required by audit standards. So, sometimes EOMs are included because they are required (e.g., going concern) and, other times, they are optional (e.g., to highlight a related party transaction).

AU-C Sections Requiring OMs

Sometimes OMs are required; here are examples:

• AU-C 725.09 Supplementary Information in Relation to the Financial Statements
• AU-C 800.20 Special Considerations—Audits of Financial Statements Prepared in Accordance With Special Purpose Frameworks

See exhibit C of AU-C 706 for a complete listing of AU-C sections requiring OM paragraphs.

Simple Summary

• Use EOMs to OMs to highlight important matters
• EOMs refer to matters presented or disclosed in the financial statements
• OMs refer to a matter other than those presented or disclosed in the financial statements
• EOMs and OMs are—in certain situations—required by audit standards
• An EOM should immediately follow the opinion paragraph and should refer to the note that describes the issue; include the heading “Emphasis of a Matter” or other appropriate heading
• An OM should immediately follow the opinion paragraph and any EOM (if one is included); include the heading “Other Matter” or other appropriate heading

Of course, creating your opinion is just a part of wrapping up your audits. 

The audit risk model enables you to focus on the important--and to ignore the unimportant. It is the key to performing efficient audits. So, today, we look at how to understand the audit risk model.

The Good, The Bad, The Ugly

Remember the cowboy movie The Good, The Bad, The Ugly? Well, in audits we have the same.

The Good. The audit firm issues an unmodified opinion and the financial statements are fairly stated. Moreover, the audit file properly supports the opinion.

The Bad. The audit firm issues an unmodified opinion and the financial statements are fairly stated, but the work papers are weak. The audit firm just got lucky.

The Ugly. The audit firm issues an unmodified opinion but the financial statements are not fairly stated. Material error (or fraud) is present. And the audit file…well, we won’t go there. It’s ugly.

Audit failure occurs when an audit firm issues an unmodified opinion and the financial statements are not fairly stated. A material misstatement is present and the auditor doesn’t know it. 

Material misstatements occur and remain in financial statements when:

• Internal controls (a responsibility of the company) fail or are improperly designed, and 
• Audit work (a responsibility of the auditor) is lacking

Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”

In other words, audit risk is the result of what the company does (or does not do) and what the auditor does (or does not do).

Audit Risk Model

The audit risk model is defined as follows:

I like to think of these three factors as follows:

• Inherent risk - the nature of the transaction or disclosure (risky or not risky)
• Control risk - the chance that material misstatements will not be prevented or detected by internal controls 
• Detection risk - the chance that material misstatement will not be detected by the auditors 

The first two (inherent risk and control risk) live in the company’s accounting system; the third (detection risk) lies with the audit firm.

As the the risk of material misstatement (the company’s risk) increases, so should the auditors work. Proper audit work decreases detection risk (the risk that the auditor will not detect material misstatements).

To understand the audit risk model, consider the tale of a villain.

A Tale of a Villain

A villain (inherently a thief) desires to make his way into your home. You have locks on your doors and an alarm system (controls, if you will). But you forget to lock your back door and you don’t set the alarm. During the night, the thief comes in and steals your money. You see the thief fleeing away, but you don't know how much you've lost. So, what’s next? You call the police. Why? To see if everything is okay.

This is the audit risk model in physical form. 

Think of a material misstatement as a villain. Its nature is to be wrong (inherent risk). If internal controls are weak or absent (control risk), the misstatement survives. And if the auditor fails (detection risk), the villain lives on without being caught.

Inherent Risk  

Some transactions are more likely to be misstated. They are inherently risky. Why? Reasons include:

• The complexity of the transaction (e.g., derivatives)
• The asset is easy to steal (e.g., cash)
• The need for judgment (e.g., a bank’s allowance for loan losses)
• The volume of transactions is high (e.g., cash)
• The accounting personnel are inexperienced or lack sufficient knowledge 

Inherent risk is what a transaction is (independent of related controls). There is a higher risk of misstatement—or not. And where does this risk come from? The transaction’s nature or its environment.

Control Risk

Internal controls are necessary when a transaction is risky. Why? To monitor and manage the risk. Think about the words internal control. First, internal means the control occurs within the company. Second, control means to manage.

Since some transactions are more prone to theft or error, companies need internal controls to prevent or detect misstatements.

Examples of internal controls include:

• The reconciliation of monthly bank statements to the general ledger
• Receipting clerks are not allowed to reconcile bank statements (to enhance segregation of duties)
• The cash supervisor reviews the daily work of collections personnel
• A department head reviews and approves bi-weekly time records (before payroll is processed)
• The accounting supervisor reviews all new vendors (added by payable clerks) to ensure legitimacy

If internal controls are designed appropriately and work correctly, the financial statements should be materially correct. But if the internal controls are absent or ineffective, material misstatements can occur. What then? Well, it’s up to the auditor.

Detection Risk

The auditor is tasked with detecting material misstatements. If he or she does not, audit failure occurs. The audit firm issues an unmodified opinion but a material misstatement is present.

Auditors decrease detection risk—the risk that material misstatements will not be detected—by appropriately planning and performing their work. Consider ​pricing your riskier audits at a higher amount.

Understanding the Audit Risk Model - A Simple Summary

Congratulations! You've won a new audit client. Now, let's consider the first year audit considerations.

In this post, I explain why it's necessary to obtain supporting information for opening balances and how contacting the predecessor auditor is to your advantage.

Here are three key first year audit considerations:

1. Obtaining information about opening balances 
2. Reviewing the predecessor auditor's workpapers
3. Complying with your firm's quality control standards 

Let's take a look at each of these.

1. Obtaining Information about Opening Balances

AU-C 510.08 states "The auditor should obtain sufficient appropriate audit evidence about whether the opening balances contain misstatements that materially affect the current period's financial statements." If you are unable to obtain such information, then you will need to qualify or disclaim your opinion. So, it's important to get comfortable with these balances.

Some auditors think, "Well, I'll just review the prior year audit report." That's a good start, but not good enough.

Why can't we just review the prior audit report? If the prior audit covered the period ending December 31, 2018, it does not cover the January 1, 2019 balances. If your audit is for the year ended December 31, 2019, then reviewing the audited financial statements for the year ending December 31, 2018 helps but it does not ensure the legitimacy of the January 1, 2019 opening balances. The audit standards state that the auditor has to determine whether the prior period closing balances were correctly brought forward to the new period. Additionally, we need to consider how the predecessor's audit work affects our current year risk assessment (more in a moment).

Also, determine that the opening balances are in compliance with appropriate accounting policies. If the prior year financial statements were created using the modified cash basis of accounting but GAAP financials are required in the current year, then bringing forward prior year balances won't do. GAAP is full accrual; the modified cash is not.

Additionally, the audit standards state that the successor auditor should perform "specific audit procedures to obtain evidence regarding opening balances" (per AU-C 510.08). You might, for example, examine the depreciation schedule for the prior year and compare it to the opening balances. For debt or investments, you could confirm the opening balances (I'm not saying this is required, just an option). For some (less significant balances) you might examine investment statements or loan amortizations and agree those to the opening balances. The opening balances for current assets or liabilities might be proven by activity early in the current year: Were prior year receivables collected? Were prior year payables paid?

What we can't do, however, is nothing. The General Audit Engagement Checklist (PRP Section 20,400) asks the peer reviewer the following:

Did the successor auditor obtain sufficient appropriate audit evidence regarding opening balances about whether opening balances contain misstatements that materially affect the current period's financial statements and appropriate accounting policies reflected in the opening balances have been consistently applied?

The peer reviewer will look for documentation as it relates to opening balances. If not present, then there is a problem. At a minimum, write a memo stating how you got comfortable with all significant opening balances. And create an audit program related to opening balances.

2. Reviewing the Predecessor Auditor's Workpapers

Reviewing the predecessor auditor's workpapers is one of the more unpleasant duties of an auditor. I did so recently. The predecessor auditor is a friend of mine. As I visited him, I was uncomfortable. He was cordial, respectful, and nice. Some predecessor auditors don't exactly roll out the red carpet for you (and I get that). I try to remember the importance of professional courtesy when I lose a job (though it stings my pride).

In any event, the successor auditor is required to initiate communications with the predecessor auditor prior to accepting the engagement (see AU-C 210.11-12). The peer review checklist asks:

If the auditor succeeded another auditor, did the successor auditor initiate communications with the predecessor auditor to ascertain whether there were matters that might assist the auditor in determining whether to accept the engagement?

Why call the predecessor auditor? To see if there were disagreements between the auditor and the company. To see if there were ethical issues.

Additionally, you need to request permission to review their prior year workpapers. AU-C 510.A 7 says, "The extent, if any to which a predecessor auditor permits access to the audit documentation...is a matter of the predecessor auditor's professional judgment." Translation: They don't have to permit access, but they (generally) should. If the predecessor allows access to their workpapers, you can use that information in planning your current year audit. 

3. Complying with Your Firm's Quality Control Standards

See what your firm's quality control document says about initial audits. Many firms require an engagement quality control review (an EQCR) for first-year engagements. (If yours does not, consider adding it to your QC document.) Why? New audits take a great deal of time. Because they do, it's tempting to cut corners. An EQCR lessens the temptation. The engagement partner knows the engagement will be reviewed by another firm member (often, another partner). 

How the Predecessor Auditor's Work Helps You

Contacting the predecessor auditor may be the best thing you can do prior to accepting an audit. They might tell you, for example, that the potential client is unethical or that they are slow to pay their audit fees. Because you desire a healthy book of business, this step may save you plenty of headaches. As I've said before client acceptance is the important audit step.

If you accept the engagement, consider how the predecessor's responses and workpapers affect your risk assessment. Were there several material audit adjustments in the prior year? Did the predecessor auditor issue a material weakness letter? Then such considerations should be included in your current year risk assessment.

The predecessor auditor's work can also help you get comfortable with opening balances.