By Charles Hall | Risk Assessment
Some auditors have been told they can’t assess control risk at high. Is this true? Also, is it possible to assess control risk at high and not test controls?
Additionally, some auditors believe that control risk is assessed at high only if internal controls are not in place. But is that true?
Listen now to hear the answers. Hint — assessing control risk at high might be your best solution.
By Charles Hall | Auditing
This article teaches you how to develop your audit strategy and audit plan. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit strategy and plan.
AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable.
To be in compliance with audit standards, you need to develop:
What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:
Also, consider the resources necessary to perform the engagement.
Think of the audit strategy as the big picture. You are documenting:
When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:
We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas.
The strategy led to Neil Armstrong’s historic walk on July 20, 1969.
Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).
Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.
The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.
My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.
Here are the main areas we cover:
Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so.
If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project.
Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit?
Now it’s time to create the audit plan.
The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.
How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.
How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs.
How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.
AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.
Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts.
Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures.
For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.
There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.
Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.
To see my earlier posts in this series, click here.
By Charles Hall | Auditing
(It’s August 14, 2018 as I write this. The AICPA has just delayed the effective date of the Hosting Services rule to July 1, 2019. I have not amended the following post for that change.)
As of September 1, 2018, hosting services impair independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This article explains why your possession of client records, whether electronic or hard-copy, can affect your independence.
Starting September 1, 2018, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on our server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)
The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.
Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.
In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.
To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not.
By Charles Hall | Accounting and Auditing
As I enter the latter part of my career, I look back and see several mistakes I made. Here’s what I wish I had known about public accounting–before I started.
I thought I knew a lot when I graduated from college, but my education was just beginning.
In my first job, I went to work with a “big eight” public accounting firm in Tampa, Florida. As soon as I moved to my new digs on Tampa Bay, they shipped me out to Jackson, Mississippi where I remained for months (seeing my Tampa apartment twice in three months). Most days I did the expert work of pro-forming work papers—the thing they gave to newbies. Boredom defined. So I had this sexy job with a big firm, but I spent most days dawdling with routine duties. I kept thinking, “I went to college for this?” Surely accounting had to be more interesting.
I felt uncomfortable. This international firm was cold (even if this office was in Florida). I had grown up in a small town where you spoke to everyone and respected all. Soon I left Tampa and headed back home to Georgia.
What I learned: Work in a place that allows you to grow and one where you fit in. Firms have cultures. I needed one that aligned with who I was.
Back in Georgia, I landed work with a regional firm. I felt more at home. The work was more challenging than my former job, and my knowledge began to expand rapidly. This particular business had a strong niche practice and was very profitable. The firm used a pooled staffing approach, so I worked for one partner one week, another the next week, and another the next. I did not get a chance to start and finish audit engagements. It stressed me that so many different partners wanted me to complete their work. And each partner felt their work was the priority. After three years, I moved on.
What I learned: Firms that focus on niches perform better than those that don’t. As an employee, it’s better to work with one partner. You get to see engagements from start to finish, and the stress decreases since you know what your (one) boss wants.
My new firm was even smaller than the last, having about thirty people. Here I worked for one partner which was nice, and he worked in one industry which was also pleasant. When I interviewed with the firm, I was told that my assigned partner would retire in three or four years, and I would have the opportunity to take his place. Since I was the audit manager, I learned a great deal, but over time it became apparent to me I was doing most of the work and the partner was receiving most of the pay.
The partner was a wonderful guy, but after eight years (not three or four), the partner was still in plain sight (and had not retired).
So one day I screwed up my courage and asked, “When are you retiring?” The conversation was difficult (an understatement, he yelled at me). He wouldn’t answer my question. It was clear he had no intention of retiring (even though he was 68). I was angry. I had been duped (at least, I felt that way).
So I left.
What I learned: I like working for one boss. I knew what he wanted, and I delivered it. When someone makes you a partnership offer, get it in writing (clarify the timetable and how the transition will occur). Don’t allow years to go by without communicating.
The next step in my journey was to start a new firm. I bought a small company that was only yielding $200 per month (yes, you read that right—$200 a month). My wife was at home with our kids, so we had no other income.
About this same time, my two-year-old son was diagnosed with cystic fibrosis. I wondered how we would make it. I’ve never been so low in my life. And then three years into the solo practice, I was diagnosed with a brain tumor. (See my article, Audit Lessons from a Brain Tumor.)
We had an excellent opportunity to exercise faith, so we did, praying often. All I can say is God took care of us. At the end of the first year, my income was equal to my prior year of employment. The following five years were successful.
But after six years of being a sole proprietor (and then as a partner), my father’s health began to fail, and I was called to attend to his needs and…yes, you guessed it, another job.
What I learned: Going solo is one of the hardest things you will ever do. I quickly realized how important it is to have other professionals around me so I can bounce things off them and seek their guidance. Being alone is…lonely. (I brought in a partner in my third year. Having her there was wonderful.)
Without the economies of scale afforded to larger firms, my overhead ate most of my cash flow. I found it hard to get potential audit clients to take me seriously. They saw me as “small” though my skill level was no different than it was in my previous jobs. When it comes to marketing, perception is everything.
On to the next job.
I returned to my first Georgia employer (job #2 above) as their quality control director. I was 42 years old and had never been a quality control guy, so this was all new to me. But I enjoyed the challenge. While the firm had a niche practice, it still afforded me the opportunity to see a wide variety of audits, reviews, and compilations. I also began teaching more continuing education classes and loved doing so. When I taught, I felt “in my element.” The firm did (and still does) an excellent job of marketing.
After six years in this position, my father passed away, and my wife wanted to move back to middle Georgia to be near her mother. So we did.
What I learned: Exposure to a broad range of work expands your professional abilities. It is easier for niche firms to market themselves as go-to experts. A niche practice generates higher profits since a common client base allows a firm to build repeatable processes and train staff. Also, I was beginning to realize the importance of speaking and writing.
On a personal note, being there with my Dad was awesome. The conversations we had are some of my most treasured memories.
For the last ten years, I’ve worked as the quality control director and now as the quality control partner for our firm, McNair, McLemore, Middlebrooks & Co. We are well diversified, but we have specialized niches within the company, so no one industry defines us. The diversity of work keeps me on my toes. I deal with accounting and auditing issues for banks, telecommunication companies, nonprofits, governments, small businesses and more. I continue to speak at professional conferences and to our staff, and, as you can see, I write.
One thing I have thought about as I look back over my career: I changed jobs too often.
If I had my career to do over again, I would find a good firm, and I would stay.
What I learned: Finding and staying with a good firm will provide you with significant opportunities.
Speak to groups and write professional articles and blog posts. Doing so will allow you to make new friends and great contacts.
Finally, let me say this: Finding balance and taking care of ourselves physically and spiritually are keys to success. Sitting at a desk for ten to twelve hours a day—without breaks—will only make us less productive and less healthy.
Praying and running (now walking as I’m older) have been my two biggest allies. At 6:00 every morning, I spend about 30 minutes reading my Bible and praying. I also walk five days a week with my wife and every Saturday with my twin brother (he blogs at ProjectRiskCoach.com). Praying and walking give me energy and stamina. (See my article How to Create Energy that Sustains You.)
By the way, I mentioned my son with cystic fibrosis. He was three years old when diagnosed. Today he is twenty-four and works as a data scientist at the University of Georgia. Most importantly, he is doing well. And I am so thankful.
These are some things I have learned. I’d love to hear about your lessons. Please share one or two career experiences in the comment field below.
By Charles Hall | Auditing , Fraud
What is an auditor’s responsibility for fraud in a financial statement audit? Today, I’ll answer that question. Let’s take a look at the following:
I still hear auditors say, “We are not responsible for fraud.” But are we not? We know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. But auditors often turn a blind eye to it.
Why do auditors not perceive fraud risks?
Here are a few reasons:
Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself—in the audit file—with signs of disregard for fraud.
A disregard for fraud appears in the following ways:
In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.
So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.
The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).
Fraud comes in two flavors:
Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.
If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls.
My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches”—but the level of the challenge depends on the complexity of the business.
For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:
In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just have to break it down—and allow more time.
Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.
Audit Standards (AU-C 240) state that we should inquire of management regarding:
Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and auditors regarding fraud?
So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we are putting together the pieces of a story.
Think of the accounting system as a story. Our job is to understand the narrative of that story. As we (attempt to) describe the accounting system, we may find missing pieces. When we do, we’ll go back and ask more questions to make the story complete.
The purpose of writing the storyline is to identify any “big, bad wolves.”
The threats in our childhood stories were easy to recognize—the wolves were hard to miss. Not so in the walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize. So, how long is the story? That depends on the size of the organization.
Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid unneeded—and distracting—details.
I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:
Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. If effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.
Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.
Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.
The risk assessment procedures—discussed above and in my prior post—provide the fodder for the brainstorming session.
Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative.
In what way are we to be creative? We think like a thief. By thinking like a fraudster, we unearth ways that stealing might occur. And why? So we can audit those possibilities. And this is the reason for the fraud risk assessment procedures in the first place.
What we discover in the risk assessment stage informs the audit plan—in other words, it has bearing upon the audit programs.
In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for fraud?” Hopefully, you now have a better understanding of the fraud-related procedures we are to perform. But to understand the purpose of these procedures, look at the language in a standard audit opinion:
The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.
The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.
Have you been following my series of posts: The What and Why of Auditing? If not, you may want to review the prior posts:
Also subscribe (below) to my blog to receive future installments in this series (we have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process.
By Charles Hall | Auditing
Today we look at one of most misunderstood parts of auditing: audit risk assessment.
Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation.
Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?
This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.
So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:
Too often auditors continue doing the same as last year (commonly referred to as SALY)--no matter what. It’s more comfortable than using risk assessment.
But what if SALY is faulty or inefficient?
Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).
The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:
Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.”
In other words, we work backwards.
So, is there a better way?
Audit standards—in the risk assessment process—call us to do the following:
While we may not complete these steps in this order, we do need to perform our risk assessment first (1.-4.) and then assess risk.
Okay, so what procedures should we use?
AU-C 315.06 states:
The risk assessment procedures should include the following:
I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.
Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.
First, we need to understand the entity and its environment.
The audit standards require that we understand the entity and its environment.
I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"
The answer tells me a great deal about the entity's risk.
I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.
Think of risks as threats to objectives. Your client's fears tell you what the objectives are--and the threats.
To understand the entity and its related threats, ask questions such as:
As with all risks, we respond based on severity. The higher the risk, the greater the response.
Audit standards require that we respond to risks at these levels:
Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.
Responses to risk at the transaction level are more specific such as a search for unrecorded liabilities.
But before we determine responses, we must first understand the entity's controls.
We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?).
So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.
AU-C 315.14 requires that auditors evaluate the design of their client's controls and to determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as any other requirement of AU-C 315 - Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.
Some auditors excuse themselves from this audit requirement saying, "the entity has no controls."
All entities have some level of controls. For example, signatures on checks are restricted to certain person. Additionally, someone usually reviews the financial statements. And we could go on.
The AICPA has developed a practice audit that you'll find handy in identifying internal controls in small entities.
The use of walkthroughs is probably the best way to understand internal controls.
As you perform your walkthroughs, ask questions such as:
Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.
So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.
This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.
See my article How to Document Audit Walkthroughs? Also see Should You Perform Audit Walkthroughs Annually? (Hint--the answer is yes.)
Another significant risk identification tool is the use of planning analytics.
Use planning analytics to shine the light on risks. How? I like to use:
In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)
You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information about first-year planning analytics, see my planning analytics post.)
Sometimes, unexplained variations in the numbers are fraud signals.
In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?
Also, we should plan procedures related to:
My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.
Have you ever noticed that some clients make the same mistakes—every year? (Johnny--the controller--has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).
One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.
Now it’s time to pull the above together.
Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image.
What are we bringing together? Here are examples:
Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.
How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.
Understanding the RMM formula is key to identifying high-risk areas.
What is the RMM formula?
Put simply, it is:
Risk of Material Misstatement = Inherent Risk X Control Risk
Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.
Once you have completed the risk assessment process, control risk can be assessed at high--simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time.
The inputs in audit planning include all of the above audit risk assessment procedures.
The outputs (sometimes called linkage) of the audit risk assessment process are:
We tailor the strategy and plan based on the risks..
In a nutshell, we identify risks and respond to them.
(In a future post in this series, I will provide a full article concerning the creation of audit strategy and plans.)
In my next post, we’ll take a look at the Why and How of Fraud Auditing. So, stay tuned.
If you haven’t subscribed to my blog, do so now. See below.
By Charles Hall | Auditing , Local Governments
The Government Accountability Office just issued the new Yellow Book titled Government Auditing Standards 2018 Revision.
An electronic version of the 2018 Yellow Book can be accessed on GAO’s Yellow Book web page at http://www.gao.gov/yellowbook.
The introduction to the new Yellow Book summarizes the significant changes as follows:
This revision contains major changes from, and supersedes, the 2011 revision. These changes, summarized below, reinforce the principles of transparency and accountability and strengthen the framework for high quality government audits.
Effective with the implementation dates for the 2018 revision of Government Auditing Standards, GAO is also retiring Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) and Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).
The 2018 revision of Government Auditing Standards is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019.
Early implementation is not permitted.
The 2018 revision of Government Auditing Standards supersedes the 2011 revision (GAO-12-331G, December 2011), the 2005 Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005), and the 2014 Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).
By Charles Hall | Auditing
Client acceptance and continuance may be the most critical step in an audit, but it’s one that gets little attention. A prospective client calls saying, “Can you audit my company?” and we respond, “sure.” While new business can be a good thing, relationships need appropriate vetting. Not doing so can lead to significant (and sometimes disastrous) consequences.
My daughter recently met a young man on Instagram. Not unusual these days. But now the relationship is entering into its third month. They talk every day for two or three hours. So far, they have not been in the same room—and not even in the same city. Skype, yes. Physical presence, no. That’s happening at the end of this month. (He lives eight hours away.)
So what do Mom and Dad think about all of this? Well, it’s fine. My wife checked him out on Facebook (I know you’ve never done this). And my daughter has told us all about the “fella” and his family. We like what we’re hearing. He has similar beliefs. He has a job (Yay!), and he has graduated from college. His family background is like ours.
Why do we want to know all the details about the young man? Because relationships impact people—my daughter, the young man, his family members, and yes, my wife and I. We want everyone to be happy.
And that’s what good relationships create. Happiness. The same is true with clients. As Steven Covey said, “think win, win.” When the customer wins, and your CPA firm wins, everyone is happy. Mutual needs are met.
Careless CPAs accept business with only one consideration: Can I get paid?
While getting paid is important, other factors are also critical.
Here are a few things to consider:
I want my daughter to marry a guy with beliefs that correspond with who she is. Is he honest? Would he steal? Is he transparent? Who are his associates? What do others think of him?
We ask similar questions about accepting a new client. Audit standards require us to consider whether the prospective client has integrity. If the company is not morally straight, then there’s no need to move forward.
The time to determine your firm’s independence is the beginning—not at the conclusion of the audit.
Consider what happens—during a peer review—when a firm is not independent, and it has issued an audit opinion. The original audit report will be recalled, and I’ll bet the company asks for and receives a full refund of your audit fee. Now, the company needs to be re-audited. (Oh, and there’s that impact on the peer review report.)
Pay attention to requested nonattest services—such as preparation of financial statements. If the client has no one with sufficient skill, knowledge, and experience to accept responsibility for such services, you may not be independent. See the AICPA’s Plain English Guide to Independence for more information.
If you can pick up a client in an industry in which you have no experience, should you? Possibly, but it depends on whether you can appropriately understand the client and their industry before you conduct the engagement. Some new customers may not be complicated. In those cases, CPE may get you into position to provide the audit.
But what if the potential engagement involves a highly sophisticated industry and related accounting standards for which you are ill-equipped? It may be better to let the engagement go and refer it to an audit firm that has the requisite knowledge. Or maybe you can partner with the other firm.
A prospective client calls saying, “Can you audit my company? We have a December 31 year-end, and we need the audit report by March 31.” After some discussion, I think the fee will be around $75,000. But my staff is already working sixty hours a week during this time of the year. Should I take the engagement?
My answer would be no unless I can create the capacity. How? I can hire additional personnel or maybe I can contract with another firm to assist. If I can’t build additional capacity, then I may let the opportunity pass.
Far too many firms accept work without sufficient capacity. When this happens, corners are cut, and staff members and partners suffer. Stuffing—even more—work into a stressful time of the year is not (always) a wise thing. We lose staff. And if the engagement is deficient, peer review results may take a hit.
When you don’t have the capacity to accept new good clients, consider whether you should discontinue service to existing bad customers.
Quality controls standards call for CPAs to not only develop acceptance procedures, but we are to create continuance protocols as well.
I previously said CPAs often don’t give proper attention to acceptance procedures. So, how about continuance decisions? Even worse.
Picture from AdobeStock.com
Each year, we should ask, “If this was a new client opportunity, would I accept them?” If the answer is no, then why do we continue serving them?
Here are a few questions to ponder:
Each year, well before the audit starts, ask these questions.
And then consider, is the bottom 10% of my book of business keeping me from accepting better clients? My experience has been that when I have the capacity, new business appears. When capacity is lacking, I don’t. The decision to hold on to bad clients is a decision to close the door to better clients. Don’t be afraid to let go.
When should we start thinking about risk assessment? Now.
Whether you are going through the initial acceptance procedures or you are making your continuance decision, start thinking about risk assessment now. Assuming you accept the client, you’ll be a step ahead as you begin to develop your audit plan. Ask questions such as:
Keep these notes for future reference and audit planning.
The above is the first post in The Why and How of Auditing. My next post will be Audit Risk Assessment: The Why and How. Subscribe to my blog (see below) to make sure you don’t miss anything.
By Charles Hall | Auditing
Do you struggle with what needs to be done in an audit–and what does not? Do you perform audit procedures (because they are in a standard audit program) but you’re not sure why? Do you want to be more efficient? You are not alone.
While audit forms—like risk assessment, audit planning, and audit program—are necessary, they can make us feel like a blind man being led by the hand. If you’re like me, you want to see, to know where you’re going and why. To gain sight, we need to go back to the basics.
Each year, Vince Lombardi (the revered coach of the Green Bay Packers) held a pigskin up and said, “This is a football.” And he did so with the best players in the world. He knew that winning is all about basics: blocking, tackling, passing, running. Understanding fundamentals brings clarity and power. And that’s what I’m after in The Why and How of Auditing. I’ll strip away the technical mumbo-jumbo and make auditing accessible, even for beginners. Moreover, experienced auditors will profit as you revisit what matters (and what does not).
Here’s an overview of the upcoming posts:
In the cartoons I read as a kid, Lucy would say to Charlie Brown, “I will hold the ball, and you kick,” but as Charlie Brown would lean into his launch, she would pull away. And you remember the result: Charlie Brown, lying on his backside.
Some audit procedures (like the invitation to kick) are tempting. They call us (like a familiar friend), but they are a waste of time–even if we have done these steps for years. In the end, they leave us staring at the sky. So, we need to know what is best and what is necessary. Then, we can avoid waste.
This series provides you with what you need to know—without excess baggage. By design, the series is simple. Why? To provide clarity. I want you to understand the basics of auditing.
When you’re done, you’ll understand auditing, possibly in a way you never have. Then you’ll work with greater confidence and effectiveness. So, let’s begin.
By Charles Hall | Accounting
Are you aware of the coming changes in accounting for equity securities?
In the past, FASB required that changes in the fair value of available-for-sale equity investments be parked in accumulated other comprehensive income (an equity account) until realized--that is, until the equity investment was sold. In other words, the unrealized gains and losses of equity investments were not recognized in net income until the investments were sold. This is about to change.
Changes in equity investments will generally be reflected in net income as they occur--even before the equity investments are sold.
On January 5, 2016, FASB issued ASU 2016-01 Recognition and Measurement of Financial Assets and Financial Liabilities. Here's the lowdown.
First, ASU 2016-01 removes the current guidance regarding classification of equity securities into different categories (i.e., trading or available-for-sale).
Secondly, the new standard requires that equity investments generally be measured at fair value with changes in fair value recognized in net income (see exceptions below). Companies will no longer recognize changes in the value of available-for-sale equity investments in other comprehensive income (as we have in the past).
ASU 2016-01 generally requires that equity investments generally be measured at fair value with changes in fair value recognized in net income. There are some equity investments that are not treated in this manner such as equity method investments and those that result in consolidation of the investee.
Is the accounting for equity investments without readily determinable fair values different? It can be.
An entity may choose to measure equity investments that do not have readily determinable fair values at cost minus impairment. This election should be documented at the time of adoption (for existing securities) or at the time of purchase for securities acquired subsequent to the date of adoption. The alternative can be elected on an investment-by-investment basis.
Why make the election to measure equity investments that do not have readily determinable fair values at cost minus impairment? Because of the difficulty of determining the fair value of such investments. This election will probably be used by entities that previously carried investments at cost. (The cost method of accounting is eliminated.)
ASU 2016-01 requires that equity investments without readily determinable fair values undergo a one-step qualitative assessment to identify impairment (similar to what we do with long-lived assets and goodwill).
At each reporting period, an entity that holds an equity security shall make a qualitative assessment considering impairment indicators to evaluate whether the investment is impaired. Impairment indicators that an entity considers include, but are not limited to, the following:
So what happens if there is an impairment?
321-10-35-3 of the FASB Codification states, "An equity security without a readily determinable fair value that does not qualify for the practical expedient to estimate fair value in accordance with paragraph 820-10-35-59...shall be written down to its fair value if a qualitative assessment indicates that the investment is impaired and the fair value of the investment is less than its carrying value." (820-10-35-59 deals with measuring the fair value of investments in certain entities that calculate net asset value per share.)
How is the change in value to be reflected in the income statement?
If an equity security without a readily determinable fair value is impaired, the entity should include the impairment loss in net income equal to the difference between the fair value of the investment and its carrying amount.
Entities are to present their financial assets and liabilities separately in the balance sheet or in the notes to the financial statements. This disaggregated information is to be presented by:
So, financial assets measured at fair value through net income are to be presented separately from assets measured at fair value through other comprehensive income.
U.S. GAAP for classification and measurement of debt securities remains essentially the same. The unrealized holding gains and losses on available-for-sale debt securities are to be shown in other comprehensive income.
ASU 2016-01 removes a prior disclosure requirement. In the past, entities disclosed the fair value of financial instruments measured at amortized cost. Examples include notes receivables, notes payable, and debt securities. ASU 2016-01 removes this disclosure requirement for entities that are not public business entities.
ASU 2016-01 says the following concerning effective dates:
For public business entities, the amendments in this Update are effective for fiscal years beginning after December 15, 2017, including interim periods within those fiscal years.
For all other entities including not-for-profit entities and employee benefit plans within the scope of Topics 960 through 965 on plan accounting, the amendments in this Update are effective for fiscal years beginning after December 15, 2018, and interim periods within fiscal years beginning after December 15, 2019. All entities that are not public business entities may adopt the amendments in this Update earlier as of the fiscal years beginning after December 15, 2017, including interim periods within those fiscal years.
Also, the provision exempting nonpublic entities from the requirement to disclose fair values of financial instruments can be early adopted.
An entity should apply the amendments by means of a cumulative-effect adjustment to the balance sheet as of the beginning of the fiscal year of adoption.
The amendments related to equity securities without readily determinable fair values (including disclosure requirements) should be applied prospectively to equity investments that exist as of the date of adoption of ASU 2016-01.
If you are an external auditor, consider advising your clients about the changes in accounting for equity securities. Entities with certain debt covenants (e.g., net income requirements) could be adversely affected when this standard is adopted, particularly if they have declining equity investments.
