Audit Planning: Developing Your Audit Strategy and Plan

By Charles Hall | Auditing

This article teaches you how to develop your audit strategy and audit plan. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit strategy and plan.

AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable. 

Audit Strategy and Plan

To be in compliance with audit standards, you need to develop:

• Your audit strategy
• Your audit plan

Developing Your Audit Strategy

What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:

• The characteristics of the engagement (these define its scope)
• The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
• The significant factors (these determine what the audit team will do)
• The results of preliminary engagement activities (these inform the auditor’s actions)
• Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)

Also, consider the resources necessary to perform the engagement.

Think of the audit strategy as the big picture. You are documenting:

• The scope (the boundaries of the work)
• The objectives (what the deliverables are) 
• The significant factors (e.g., is this a new or complex entity?)
• The risk assessment (what are the risk areas?)
• The planned resources (e.g., the engagement team) 

Strategy for Walking on the Moon

When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:

We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas. 

The strategy led to Neil Armstrong’s historic walk on July 20, 1969.

Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).

Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.

What’s in an Audit Strategy?

The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.

My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.

Here are the main areas we cover:

• Deliverables and deadlines
• A time budget
• The audit team
• Key client contacts
• New accounting standards affecting the audit
• Problems encountered in the prior year 
• Anticipated challenges in the current year 
• Partner directions regarding key risk areas
• References to work papers addressing risk

Who Creates the Audit Strategy?

Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so. 

Audit Strategy as the Central Document

If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project. 

Audit Plan (or Audit Program)

Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit? 

1. Performed risk assessment procedures
2. Developed our audit strategy

Now it’s time to create the audit plan.

The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.

Creating the Audit Program

How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.

Sufficient Audit Steps

How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs. 

Integrating Risk Assessment with the Audit Program

How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.

AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.

Creating Efficiency in the Audit Plan

Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts. 

Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures. 

For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.

In Summary

There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.

Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.

To see my earlier posts in this series, click here.

Danger: Hosting Services Impair Independence

By Charles Hall | Auditing

As of September 1, 2018, hosting services impair independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This article explains why your possession of client records, whether electronic or hard-copy, can affect your independence.

Hosting Services Impair Independence

Starting September 1, 2018, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on our server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)

The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.

Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.

In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.

To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not. 

Continue reading

What I Wish I Had Known About Public Accounting

By Charles Hall | Accounting and Auditing

As I enter the latter part of my career, I look back and see several mistakes I made. Here’s what I wish I had known about public accounting–before I started.

I thought I knew a lot when I graduated from college, but my education was just beginning.

Job #1 – The Lesson of Firm Culture

In my first job, I went to work with a “big eight” public accounting firm in Tampa, Florida. As soon as I moved to my new digs on Tampa Bay, they shipped me out to Jackson, Mississippi where I remained for months (seeing my Tampa apartment twice in three months). Most days I did the expert work of pro-forming work papers—the thing they gave to newbies. Boredom defined. So I had this sexy job with a big firm, but I spent most days dawdling with routine duties. I kept thinking, “I went to college for this?” Surely accounting had to be more interesting.

I felt uncomfortable. This international firm was cold (even if this office was in Florida). I had grown up in a small town where you spoke to everyone and respected all. Soon I left Tampa and headed back home to Georgia.

What I learned: Work in a place that allows you to grow and one where you fit in. Firms have cultures. I needed one that aligned with who I was.

Job #2 – The Lesson of a Niche Practice

Back in Georgia, I landed work with a regional firm. I felt more at home. The work was more challenging than my former job, and my knowledge began to expand rapidly. This particular business had a strong niche practice and was very profitable. The firm used a pooled staffing approach, so I worked for one partner one week, another the next week, and another the next. I did not get a chance to start and finish audit engagements. It stressed me that so many different partners wanted me to complete their work. And each partner felt their work was the priority. After three years, I moved on.

What I learned: Firms that focus on niches perform better than those that don’t. As an employee, it’s better to work with one partner. You get to see engagements from start to finish, and the stress decreases since you know what your (one) boss wants. 

Job #3 – The Lesson of Working for One Boss

My new firm was even smaller than the last, having about thirty people. Here I worked for one partner which was nice, and he worked in one industry which was also pleasant. When I interviewed with the firm, I was told that my assigned partner would retire in three or four years, and I would have the opportunity to take his place. Since I was the audit manager, I learned a great deal, but over time it became apparent to me I was doing most of the work and the partner was receiving most of the pay.

The partner was a wonderful guy, but after eight years (not three or four), the partner was still in plain sight (and had not retired). 

So one day I screwed up my courage and asked, “When are you retiring?” The conversation was difficult (an understatement, he yelled at me). He wouldn’t answer my question. It was clear he had no intention of retiring (even though he was 68). I was angry. I had been duped (at least, I felt that way). 

So I left.

What I learned: I like working for one boss. I knew what he wanted, and I delivered it. When someone makes you a partnership offer, get it in writing (clarify the timetable and how the transition will occur). Don’t allow years to go by without communicating.

Job #4 – The Lesson of a Solo Practice

The next step in my journey was to start a new firm. I bought a small company that was only yielding $200 per month (yes, you read that right—$200 a month). My wife was at home with our kids, so we had no other income. 

About this same time, my two-year-old son was diagnosed with cystic fibrosis. I wondered how we would make it. I’ve never been so low in my life. And then three years into the solo practice, I was diagnosed with a brain tumor. (See my article, Audit Lessons from a Brain Tumor.)

We had an excellent opportunity to exercise faith, so we did, praying often. All I can say is God took care of us. At the end of the first year, my income was equal to my prior year of employment. The following five years were successful.

But after six years of being a sole proprietor (and then as a partner), my father’s health began to fail, and I was called to attend to his needs and…yes, you guessed it, another job.

What I learned: Going solo is one of the hardest things you will ever do. I quickly realized how important it is to have other professionals around me so I can bounce things off them and seek their guidance. Being alone is…lonely. (I brought in a partner in my third year. Having her there was wonderful.) 

Without the economies of scale afforded to larger firms, my overhead ate most of my cash flow. I found it hard to get potential audit clients to take me seriously. They saw me as “small” though my skill level was no different than it was in my previous jobs. When it comes to marketing, perception is everything.

On to the next job.

Job #5 – The Lesson of Learning to Speak and Write

I returned to my first Georgia employer (job #2 above) as their quality control director. I was 42 years old and had never been a quality control guy, so this was all new to me. But I enjoyed the challenge. While the firm had a niche practice, it still afforded me the opportunity to see a wide variety of audits, reviews, and compilations. I also began teaching more continuing education classes and loved doing so. When I taught, I felt “in my element.” The firm did (and still does) an excellent job of marketing. 

After six years in this position, my father passed away, and my wife wanted to move back to middle Georgia to be near her mother. So we did.

What I learned: Exposure to a broad range of work expands your professional abilities. It is easier for niche firms to market themselves as go-to experts. A niche practice generates higher profits since a common client base allows a firm to build repeatable processes and train staff. Also, I was beginning to realize the importance of speaking and writing. 

On a personal note, being there with my Dad was awesome. The conversations we had are some of my most treasured memories.

Job #6 – The Lesson of Staying with a Firm

For the last ten years, I’ve worked as the quality control director and now as the quality control partner for our firm, McNair, McLemore, Middlebrooks & Co. We are well diversified, but we have specialized niches within the company, so no one industry defines us. The diversity of work keeps me on my toes. I deal with accounting and auditing issues for banks, telecommunication companies, nonprofits, governments, small businesses and more. I continue to speak at professional conferences and to our staff, and, as you can see, I write. 

The Main Lessons Learned

One thing I have thought about as I look back over my career: I changed jobs too often.

If I had my career to do over again, I would find a good firm, and I would stay.

What I learned: Finding and staying with a good firm will provide you with significant opportunities.

Speak to groups and write professional articles and blog posts. Doing so will allow you to make new friends and great contacts.

Reflections on the Journey

Finally, let me say this: Finding balance and taking care of ourselves physically and spiritually are keys to success. Sitting at a desk for ten to twelve hours a day—without breaks—will only make us less productive and less healthy.

Praying and running (now walking as I’m older) have been my two biggest allies. At 6:00 every morning, I spend about 30 minutes reading my Bible and praying. I also walk five days a week with my wife and every Saturday with my twin brother (he blogs at ProjectRiskCoach.com).  Praying and walking give me energy and stamina. (See my article How to Create Energy that Sustains You.)

By the way, I mentioned my son with cystic fibrosis. He was three years old when diagnosed. Today he is twenty-four and works as a data scientist at the University of Georgia. Most importantly, he is doing well. And I am so thankful. 

What Lessons Have You Learned?

These are some things I have learned. I’d love to hear about your lessons. Please share one or two career experiences in the comment field below.

The Auditor’s Responsibility for Fraud: The Why and How

By Charles Hall | Auditing , Fraud

What is an auditor’s responsibility for fraud in a financial statement audit? Today, I’ll answer that question. Let’s take a look at the following:

• Auditor’s responsibility for fraud
• Turning a blind eye to fraud
• Signs of auditor disregard for fraud
• Incentives for fraud
• Discovering fraud opportunities
• Inquiries required by audit standards
• The accounting story and big bad wolves
• Documenting control weaknesses
• Brainstorming and planning your response to fraud risk 

Auditor’s Responsibility for Fraud

I still hear auditors say, “We are not responsible for fraud.” But are we not? We know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. But auditors often turn a blind eye to it.

Turning a Blind Eye to Fraud

Why do auditors not perceive fraud risks? 

Here are a few reasons:

• We don’t understand fraud, so we avoid it
• We don’t know how to look for control weaknesses
• We believe that auditing the balance sheet is enough

Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself—in the audit file—with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

• Asking just one or two questions about fraud
• Limiting our inquiries to as few people as possible (maybe even just one)
• Discounting the potential effects of fraud (after known theft occurs)
• Not performing walkthroughs
• We don’t conduct brainstorming sessions and window-dress related documentation
• Our files reflect no responses to brainstorming and risk assessment procedures
• Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
• The audit program doesn’t change though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

1. Cooking the books (intentionally altering numbers)
2. Theft

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches”—but the level of the challenge depends on the complexity of the business.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

1. What can go wrong?
2. Will existing control weakness allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just have to break it down—and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

• Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
• Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
• Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
• Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
• The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
• For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and auditors regarding fraud?

• Management develops control systems to lessen the risk of fraud. 
• Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we are putting together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we (attempt to) describe the accounting system, we may find missing pieces. When we do, we’ll go back and ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

The threats in our childhood stories were easy to recognize—the wolves were hard to miss. Not so in the walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize. So, how long is the story? That depends on the size of the organization.

Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid unneeded—and distracting—details.

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. If effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures—discussed above and in my prior post—provide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? We think like a thief. By thinking like a fraudster, we unearth ways that stealing might occur. And why? So we can audit those possibilities. And this is the reason for the fraud risk assessment procedures in the first place.

What we discover in the risk assessment stage informs the audit plan—in other words, it has bearing upon the audit programs.

The Auditor’s Responsibility for Fraud

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for fraud?” Hopefully, you now have a better understanding of the fraud-related procedures we are to perform. But to understand the purpose of these procedures, look at the language in a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

The What and Why of Auditing: A Blog Series About Basics

Have you been following my series of posts: The What and Why of Auditing? If not, you may want to review the prior posts:

• The What and Why of Auditing: A Blog Series about Basics
• The What and Why of Audit Acceptance and Continuance
• The What and Why of Audit Risk Assessment

Also subscribe (below) to my blog to receive future installments in this series (we have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process. 

Audit Risk Assessment: The Why and the How

By Charles Hall | Auditing

Today we look at one of most misunderstood parts of auditing: audit risk assessment.

Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation.

Audit Risk Assessment as a Friend

Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?

This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.

So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:

1. We don’t understand it
2. We're creatures of habit

Too often auditors continue doing the same as last year (commonly referred to as SALY)--no matter what. It’s more comfortable than using risk assessment.

But what if SALY is faulty or inefficient?  

Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).

Are We Working Backwards?

The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:

1. Determine the risks of material misstatements (plan our work)
2. Develop a plan to address those risks (plan our work)
3. Perform substantive procedures (work our plan)
4. Issue an opinion (the result of planning and working)

Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.”

In other words, we work backwards.

So, is there a better way?

A Better Way to Audit

Audit standards—in the risk assessment process—call us to do the following:

1. Understand the entity and its environment
2. Understand the transaction level controls
3. Use planning analytics to identify risk
4. Perform fraud risk analysis
5. Assess risk

While we may not complete these steps in this order, we do need to perform our risk assessment first (1.-4.) and then assess risk.

Okay, so what procedures should we use?

Audit Risk Assessment Procedures

AU-C 315.06 states:

The risk assessment procedures should include the following:

• ​Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor's professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
• ​Analytical procedures
• ​Observation and inspection

I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.

Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.

First, we need to understand the entity and its environment.

Understand the Entity and Its Environment

The audit standards require that we understand the entity and its environment.

I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"

The answer tells me a great deal about the entity's risk.

I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.

Think of risks as threats to objectives. Your client's fears tell you what the objectives are--and the threats. 

To understand the entity and its related threats, ask questions such as:

• How is the industry faring?
• Are there any new competitive pressures or opportunities?
• Have key vendor relationships changed?
• Can the company obtain necessary knowledge or products?
• Are there pricing pressures?
• How strong is the company’s cash flow?
• Has the company met its debt obligations?
• Is the company increasing in market share?
• Who are your key personnel and why are they important?
• What is the company’s strategy?
• Does the company have any related party transactions?

As with all risks, we respond based on severity. The higher the risk, the greater the response.

Audit standards require that we respond to risks at these levels:

• Financial statement level
• Transaction level

Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.

Responses to risk at the transaction level are more specific such as a search for unrecorded liabilities.

But before we determine responses, we must first understand the entity's controls.

Understand Transaction Level Controls

We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?). 

So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.

---

Peer Review Finding

 AU-C 315.14 requires that auditors evaluate the design of their client's controls and to determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as any other requirement of AU-C 315 - Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.

Some auditors excuse themselves from this audit requirement saying, "the entity has no controls."  

All entities have some level of controls. For example, signatures on checks are restricted to certain person. Additionally, someone usually reviews the financial statements. And we could go on.

The AICPA has developed a practice audit that you'll find handy in identifying internal controls in small entities.

---

The use of walkthroughs is probably the best way to understand internal controls.

​As you perform your walkthroughs, ask questions such as:

• Who signs checks?
• Who has access to checks (or electronic payment ability)?
• Who approves payments?
• Who initiates purchases?
• Who can open and close bank accounts?
• Who posts payments?
• What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
• Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
• Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
• Who creates expense reports and who reviews them?
• Who bills clients? In what form (paper or electronic)?
• Who opens the mail?
• Who receipts monies?
• Are there electronic payments?
• Who receives cash onsite and where?
• Who has credit cards? What are the spending limits?
• Who makes deposits (and how)?
• Who keys the receipts into the software?
• What revenue reports are created and reviewed? Who reviews them?
• Who creates the monthly financial statements? Who receives them?
• Are there any outside parties that receive financial statements? Who are they?

Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.

So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.

This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.

See my article How to Document Audit Walkthroughs? Also see Should You Perform Audit Walkthroughs Annually? (Hint--the answer is yes.)

Another significant risk identification tool is the use of planning analytics.

Planning Analytics

Use planning analytics to shine the light on risks. How? I like to use:

• Multiple-year comparisons of key numbers (at least three years, if possible)
• Key ratios

In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)

You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information about first-year planning analytics, see my planning analytics post.)

Sometimes, unexplained variations in the numbers are fraud signals.

Identify Fraud Risks

In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?

Also, we should plan procedures related to:

• Management override of controls, and
• The intentional overstatement of revenues

My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.

Same Old Errors

Have you ever noticed that some clients make the same mistakes—every year? (Johnny--the controller--has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).

One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.

Now it’s time to pull the above together.

Creating the Risk Picture

Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image. 

What are we bringing together? Here are examples:

• Control weaknesses
• Unexpected variances in significant numbers
• Entity risk characteristics (e.g., level of competition)
• Large related-party transactions
• Occurrences of theft

Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.

How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.

Assess the Risk of Material Misstatement

Understanding the RMM formula is key to identifying high-risk areas.

What is the RMM formula?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.

Once you have completed the risk assessment process, control risk can be assessed at high--simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time. 

The Input and Output

The inputs in audit planning include all of the above audit risk assessment procedures.

The outputs (sometimes called linkage) of the audit risk assessment process are:

• Audit strategy
• Audit plan (audit programs)

We tailor the strategy and plan based on the risks..

In a nutshell, we identify risks and respond to them.

(In a future post in this series, I will provide a full article concerning the creation of audit strategy and plans.)

Next in the Audit Series

In my next post, we’ll take a look at the Why and How of Fraud Auditing. So, stay tuned.

If you haven’t subscribed to my blog, do so now. See below.

---

Government Auditing Standards 2018 Revision (Hot Off the Press)

By Charles Hall | Auditing , Local Governments

Government Auditing Standards 2018 Revision

The Government Accountability Office just issued the new Yellow Book titled Government Auditing Standards 2018 Revision.

Get Your Free Copy

An electronic version of the 2018 Yellow Book can be accessed on GAO’s Yellow Book web page at http://www.gao.gov/yellowbook.

Major Changes

The introduction to the new Yellow Book summarizes the significant changes as follows:

This revision contains major changes from, and supersedes, the 2011 revision. These changes, summarized below, reinforce the principles of transparency and accountability and strengthen the framework for high quality government audits.

• All chapters are presented in a revised format that differentiates requirements and application guidance related to those requirements.
• Supplemental guidance from the appendix of the 2011 revision is either removed or incorporated into the individual chapters.
• The independence standard is expanded to state that preparing financial statements from a client-provided trial balance or underlying accounting records generally creates significant threats to auditors’ independence, and auditors should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level or decline to perform the service.
• The peer review standard is modified to require that audit organizations comply with their respective affiliated organization’s peer review requirements and GAGAS peer review requirements. Additional requirements are provided for audit organizations not affiliated with recognized organizations.
• The standards include a definition for waste.
• The performance audit standards are updated with specific considerations for when internal control is significant to the audit objectives.

Effective with the implementation dates for the 2018 revision of Government Auditing Standards, GAO is also retiring Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) and Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).

Effective Dates

The 2018 revision of Government Auditing Standards is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019.

Early implementation is not permitted.

The 2018 revision of Government Auditing Standards supersedes the 2011 revision (GAO-12-331G, December 2011), the 2005 Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005), and the 2014 Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014). 

Client Acceptance and Continuance: The Why and How

By Charles Hall | Auditing

Client acceptance and continuance may be the most critical step in an audit, but it’s one that gets little attention. A prospective client calls saying, “Can you audit my company?” and we respond, “sure.” While new business can be a good thing, relationships need appropriate vetting. Not doing so can lead to significant (and sometimes disastrous) consequences.

New Relationships

My daughter recently met a young man on Instagram. Not unusual these days. But now the relationship is entering into its third month. They talk every day for two or three hours. So far, they have not been in the same room—and not even in the same city. Skype, yes. Physical presence, no. That’s happening at the end of this month. (He lives eight hours away.)

So what do Mom and Dad think about all of this? Well, it’s fine. My wife checked him out on Facebook (I know you’ve never done this). And my daughter has told us all about the “fella” and his family. We like what we’re hearing. He has similar beliefs. He has a job (Yay!), and he has graduated from college. His family background is like ours.

Why do we want to know all the details about the young man? Because relationships impact people—my daughter, the young man, his family members, and yes, my wife and I. We want everyone to be happy.

Client Acceptance 

And that’s what good relationships create. Happiness. The same is true with clients. As Steven Covey said, “think win, win.” When the customer wins, and your CPA firm wins, everyone is happy. Mutual needs are met.

Careless CPAs accept business with only one consideration: Can I get paid? 

While getting paid is important, other factors are also critical.

Here are a few things to consider:

1. Are they ethical?
2. Are you independent?
3. Do you have the technical ability to serve them?
4. Do you the capacity to serve them?

Are They Ethical?

I want my daughter to marry a guy with beliefs that correspond with who she is. Is he honest? Would he steal? Is he transparent? Who are his associates? What do others think of him? 

We ask similar questions about accepting a new client. Audit standards require us to consider whether the prospective client has integrity. If the company is not morally straight, then there’s no need to move forward. 

Are You Independent?

The time to determine your firm’s independence is the beginning—not at the conclusion of the audit.

Consider what happens—during a peer review—when a firm is not independent, and it has issued an audit opinion. The original audit report will be recalled, and I’ll bet the company asks for and receives a full refund of your audit fee. Now, the company needs to be re-audited.  (Oh, and there’s that impact on the peer review report.)

Pay attention to requested nonattest services—such as preparation of financial statements. If the client has no one with sufficient skill, knowledge, and experience to accept responsibility for such services, you may not be independent. See the AICPA’s Plain English Guide to Independence for more information. 

Do You Have the Technical Ability to Serve Them?

If you can pick up a client in an industry in which you have no experience, should you? Possibly, but it depends on whether you can appropriately understand the client and their industry before you conduct the engagement. Some new customers may not be complicated. In those cases, CPE may get you into position to provide the audit. 

But what if the potential engagement involves a highly sophisticated industry and related accounting standards for which you are ill-equipped? It may be better to let the engagement go and refer it to an audit firm that has the requisite knowledge. Or maybe you can partner with the other firm. 

Do You Have the Capacity to Serve Them?

A prospective client calls saying, “Can you audit my company? We have a December 31 year-end, and we need the audit report by March 31.” After some discussion, I think the fee will be around $75,000. But my staff is already working sixty hours a week during this time of the year. Should I take the engagement? 

My answer would be no unless I can create the capacity. How? I can hire additional personnel or maybe I can contract with another firm to assist. If I can’t build additional capacity, then I may let the opportunity pass. 

Far too many firms accept work without sufficient capacity. When this happens, corners are cut, and staff members and partners suffer. Stuffing—even more—work into a stressful time of the year is not (always) a wise thing. We lose staff. And if the engagement is deficient, peer review results may take a hit.

When you don’t have the capacity to accept new good clients, consider whether you should discontinue service to existing bad customers.

The Continuance Decision

Quality controls standards call for CPAs to not only develop acceptance procedures, but we are to create continuance protocols as well.

I previously said CPAs often don’t give proper attention to acceptance procedures. So, how about continuance decisions? Even worse. 

Picture from AdobeStock.com

Each year, we should ask, “If this was a new client opportunity, would I accept them?” If the answer is no, then why do we continue serving them? 

Here are a few questions to ponder:

• Has the client paid their prior year fees? 
• Am I still independent (consider the new Hosting Services interpretation)?
• Does the client demand more from me than the fee merits?
• Do I enjoy working with this client?
• Is the client’s financial condition creating additional risks for my firm?
• Is the client acting ethically?

Each year, well before the audit starts, ask these questions.

And then consider, is the bottom 10% of my book of business keeping me from accepting better clients? My experience has been that when I have the capacity, new business appears. When capacity is lacking, I don’t. The decision to hold on to bad clients is a decision to close the door to better clients. Don’t be afraid to let go.

Risk Assessment Starts Now

When should we start thinking about risk assessment? Now.

Whether you are going through the initial acceptance procedures or you are making your continuance decision, start thinking about risk assessment now. Assuming you accept the client, you’ll be a step ahead as you begin to develop your audit plan. Ask questions such as:

• How is your cash flow?
• Do you have any debt with covenants?
• Who receives the financial statements?
• Has the company experienced any fraud losses?
• How experienced is management?
• Why are you changing auditors?

Keep these notes for future reference and audit planning. 

Next Post in this Series

The above is the first post in The Why and How of Auditing. My next post will be Audit Risk Assessment: The Why and How. Subscribe to my blog (see below) to make sure you don’t miss anything.

Review Quiz

The Why and How of Auditing: A Blog Series about Basics

By Charles Hall | Auditing

Do you struggle with what needs to be done in an audit–and what does not? Do you perform audit procedures (because they are in a standard audit program) but you’re not sure why? Do you want to be more efficient? You are not alone.

While audit forms—like risk assessment, audit planning, and audit program—are necessary, they can make us feel like a blind man being led by the hand. If you’re like me, you want to see, to know where you’re going and why. To gain sight, we need to go back to the basics. 

Each year, Vince Lombardi (the revered coach of the Green Bay Packers) held a pigskin up and said, “This is a football.” And he did so with the best players in the world. He knew that winning is all about basics: blocking, tackling, passing, running. Understanding fundamentals brings clarity and power. And that’s what I’m after in The Why and How of Auditing. I’ll strip away the technical mumbo-jumbo and make auditing accessible, even for beginners. Moreover, experienced auditors will profit as you revisit what matters (and what does not).

The Why and How of Auditing

Here’s an overview of the upcoming posts:

• The Why and How of Acceptance and Continuance
• The Why and How of Risk Assessment
• The Why and How of Fraud Auditing
• The Why and How of Audit Planning
• The Why and How of Auditing Cash 
• The Why and How of Auditing Receivables/Revenue
• The Why and How of Auditing Property
• The Why and How of Auditing Payables/Expenses
• The Why and How of Auditing Payroll
• The Why and How of Auditing Debt
• The Why and How of Auditing Equity
• The Why and How of Wrapping Up Audits
• The Why and How of Project Management

Moving from Wasteful to Efficient Auditing

In the cartoons I read as a kid, Lucy would say to Charlie Brown, “I will hold the ball, and you kick,” but as Charlie Brown would lean into his launch, she would pull away. And you remember the result: Charlie Brown, lying on his backside. 

Some audit procedures (like the invitation to kick) are tempting. They call us (like a familiar friend), but they are a waste of time–even if we have done these steps for years. In the end, they leave us staring at the sky. So, we need to know what is best and what is necessary. Then, we can avoid waste.

This series provides you with what you need to know—without excess baggage. By design, the series is simple. Why? To provide clarity. I want you to understand the basics of auditing. 

When you’re done, you’ll understand auditing, possibly in a way you never have. Then you’ll work with greater confidence and effectiveness. So, let’s begin.

ASU 2016-01 – Changes in Accounting for Equity Securities

By Charles Hall | Accounting

Are you aware of the coming changes in accounting for equity securities?

In the past, FASB required that changes in the fair value of available-for-sale equity investments be parked in accumulated other comprehensive income (an equity account) until realized--that is, until the equity investment was sold. In other words, the unrealized gains and losses of equity investments were not recognized in net income until the investments were sold. This is about to change.

Changes in equity investments will generally be reflected in net income as they occur--even before the equity investments are sold. 

On January 5, 2016, FASB issued ASU 2016-01 Recognition and Measurement of Financial Assets and Financial Liabilities. Here's the lowdown.

Changes in Accounting for Equity Securities

First, ASU 2016-01 removes the current guidance regarding classification of equity securities into different categories (i.e., trading or available-for-sale). 

Secondly, the new standard requires that equity investments  generally be measured at fair value with changes in fair value recognized in net income (see exceptions below). Companies will no longer recognize changes in the value of available-for-sale equity investments in other comprehensive income (as we have in the past).

Exceptions

ASU 2016-01 generally requires that equity investments generally be measured at fair value with changes in fair value recognized in net income. There are some equity investments that are not treated in this manner such as equity method investments and those that result in consolidation of the investee.

Is the accounting for equity investments without readily determinable fair values different? It can be.

Equity Investments without Readily Determinable Fair Values

An entity may choose to measure equity investments that do not have readily determinable fair values at cost minus impairment.  This election should be documented at the time of adoption (for existing securities) or at the time of purchase for securities acquired subsequent to the date of adoption. The alternative can be elected on an investment-by-investment basis.

Why make the election to measure equity investments that do not have readily determinable fair values at cost minus impairment? Because of the difficulty of determining the fair value of such investments. This election will probably be used by entities that previously carried investments at cost. (The cost method of accounting is eliminated.)

ASU 2016-01 requires that equity investments without readily determinable fair values undergo a one-step qualitative assessment to identify impairment (similar to what we do with long-lived assets and goodwill). 

At each reporting period, an entity that holds an equity security shall make a qualitative assessment considering impairment indicators to evaluate whether the investment is impaired. Impairment indicators that an entity considers include, but are not limited to, the following:

• A significant deterioration in the earnings performance, credit rating, asset quality, or business prospects of the investee
• A significant adverse change in the regulatory, economic, or technological environment of the investee
• A significant adverse change in the general market condition of either the geographical area or the industry in which the investee operates
• A bona fide offer to purchase, an offer by the investee to sell, or a completed auction process for the same or similar investment for an amount less than the carrying amount of that investment
• Factors that raise significant concerns about the investee’s ability to continue as a going concern, such as negative cash flows from operations, working capital deficiencies, or noncompliance with statutory capital requirements or debt covenants.

So what happens if there is an impairment?

321-10-35-3 of the FASB Codification states, "An equity security without a readily determinable fair value that does not qualify for the practical expedient to estimate fair value in accordance with paragraph 820-10-35-59...shall be written down to its fair value if a qualitative assessment indicates that the investment is impaired and the fair value of the investment is less than its carrying value." (820-10-35-59 deals with measuring the fair value of investments in certain entities that calculate net asset value per share.)

​How is the change in value to be reflected in the income statement?

If an equity security without a readily determinable fair value is impaired, the entity should include the impairment loss in net income equal to the difference between the fair value of the investment and its carrying amount.

Presentation of Financial Instruments

Entities are to present their financial assets and liabilities separately in the balance sheet or in the notes to the financial statements. This disaggregated information is to be presented by:

• Measurement category (i.e., cost, fair value-net income, and fair value-OCI
• Form of financial asset (i.e., securities or loans and receivables)

So, financial assets measured at fair value through net income are to be presented separately from assets measured at fair value through other comprehensive income.

Debt Securities Accounting 

U.S. GAAP for classification and measurement of debt securities remains essentially the same. The unrealized holding gains and losses on available-for-sale debt securities are to be shown in other comprehensive income.

Disclosure Eliminated - Financial Instruments Measured at Amortized Cost

ASU 2016-01 removes a prior disclosure requirement. In the past, entities disclosed the fair value of financial instruments measured at amortized cost. Examples include notes receivables, notes payable, and debt securities. ASU 2016-01 removes this disclosure requirement for entities that are not public business entities. 

Effective Dates for ASU 2016-01

ASU 2016-01 says the following concerning effective dates:

For public business entities, the amendments in this Update are effective for fiscal years beginning after December 15, 2017, including interim periods within those fiscal years.

For all other entities including not-for-profit entities and employee benefit plans within the scope of Topics 960 through 965 on plan accounting, the amendments in this Update are effective for fiscal years beginning after December 15, 2018, and interim periods within fiscal years beginning after December 15, 2019. All entities that are not public business entities may adopt the amendments in this Update earlier as of the fiscal years beginning after December 15, 2017, including interim periods within those fiscal years.

Also, the provision exempting nonpublic entities from the requirement to disclose fair values of financial instruments can be early adopted.

Initial Accounting

An entity should apply the amendments by means of a cumulative-effect adjustment to the balance sheet as of the beginning of the fiscal year of adoption.

The amendments related to equity securities without readily determinable fair values (including disclosure requirements) should be applied prospectively to equity investments that exist as of the date of adoption of ASU 2016-01.

Potential Management Letter Comment

If you are an external auditor, consider advising your clients about the changes in accounting for equity securities. Entities with certain debt covenants (e.g., net income requirements) could be adversely affected when this standard is adopted, particularly if they have declining equity investments. 

Livescribe: Note Taking Magic (for CPAs)

By Charles Hall | Accounting and Auditing , Technology

Livescribe: Note taking magic. Here’s an overview of how auditors are making their lives easier using the Livescribe pen.

Have you ever interviewed a client, feverishly taking notes, and straight away forgot critical facts? You wish you had a recording of the conversation. Better yet, you wish you could touch a particular word in your notes and hear the words that were being spoken at that moment. What if I told you, “you can”?

How? Livescribe.

Think about what you could record with such a tool:

• CPE class lectures
• Walkthroughs of transaction cycles
• Board or committee or partnership meetings
• Fraud interviews

Livescribe: Note Taking Magic

What is Livescribe? It’s an electronic pen/recorder. As you write on special coded paper, you simultaneously record the conversation (the recorder is built into the pen). Once done, you touch a particular letter in a word (with the tip of your pen) and you hear–from the pen–the words spoken at that moment. No more forgetting and not being able to retrieve what was said. And it’s efficient since you can go to any particular part of the conversation using your notes as signposts.

To start a recording, you press the tip of the pen to the “record” icon at the bottom of the page.

To stop the recording you press the “stop” icon above.

Once the recording is complete, you simply touch the tip of the pen to any letter and the audio recording will start playing–from the pen–at that point.

You can upload the pen notes and the audio to your computer desktop Livescribe software using a USB cord that connects to the pen. (See below.)

You can also play back notes from your uploaded desktop copy just as you can with your pen. Click a letter with your mouse and the recording will play.

I was surprised by the clarity of the sound from the pen and the audio capacity–200 hours (for the Echo version that you see below).

There are different versions of the pen. I bought the Echo version due to the lower price. You can review the available pens on Amazon. I also bought additional Livescribe notebooks (they come in packs of four) and a portfolio (binder) to hold the notebook and pen.

My Experience with Livescribe

I have used a Livescribe pen for four years. After using to it to record hundreds of hours of audio, I consider my Livescribe pen to be one of my best audit tools. I recommend it.

What if you don’t desire to shell out the $155 for the pen? Consider using the Notability app. 

Another Option 

If you have an iPad, you can buy the Notability app for $9.99 and record conversations with your notes (with play-back similar to Livescribe). You will need a stylus (I use an Apple pen) to take notes since you write on your iPad screen. See my article about using Notability.

One More Thought

If you are performing a walkthrough of a complex transaction cycle, consider using your phone to take pictures of what you are seeing (e.g., computer screens, documents). I use the Scanbot app. Between your notes (with audio) and your pictures, you will have a good understanding of what you have seen and heard.

You might also be interested in my article Four Keys to Better Client Interviews.