Category Archives for "Auditing"

Audit Lessons from a Brain Tumor
May 20

Audit Lessons from a Brain Tumor

By Charles Hall | Auditing

Did you know you can learn audit lessons from a brain tumor? Here’s my story.

One day while driving, I said to my wife, “Am I weaving?” I did not feel in control, and I was hearing clicking noises in my ears. My conditions worsened and the mystery grew over the next two years as I visited three doctors. They stuck, prodded, and probed me, but no solution.

Frustrating.

Audit Lessons from a Brain Tumor

As time passed, I felt a growing numbness on the right side of my face. So one night I started Googling health websites (the thing they tell you not to do) and came upon this link: Acoustic Neuroma Association. I clicked and read, having never heard of an acoustic neuroma. While reading about the symptoms, it was as though I was staring at my diary. My next thought was “it can’t be a brain tumor.” I turned to my wife behind me and said, “this is what I have.”

The next day I handed the acoustic neuroma information to my doctor, asking, “Would you please order a brain scan?”

Two days after the MRI, I received my doctor’s call while on a golf course. He said, “Mr. Hall, you were right. You have a 2.3-centimeter brain tumor.” (I sent him a bill for my diagnosis, but was never paid–just kidding.) My golfing buddies gathered around and prayed for me on the 17th green, and I went home to break the news to my wife. We had two children at the time, ages two and four. Having just started my own CPA business six years before, I was forty-one years old. So, as you can imagine, I was concerned about my family and business, but strangely, I was completely at peace.

Shortly after that, I was in a surgeon’s office in Atlanta. The doctor said they’d do a ten-hour operation; there was a 40% chance of paralysis and a 5% chance of death. The tumor was too large for radiation–or so I was told.

I didn’t like the odds, so I prayed more and went back to the Internet. There I located Dr. Jeffrey Williams at Johns Hopkins Hospital in Baltimore. I emailed the good doctor, telling him of the tumor’s size. His response: “I radiate tumors like yours every day.” He was a pioneer in fractionated stereotactic radiation, one of the few physicians in the world (at that time) using this procedure.

A few days later, I’m lying on an operating table in Baltimore with my head bolted down, ready for radiation. They bolt you down to ensure the cooking of the tumor (and not your brain). Fun, you should try it. Four more times I visited the table, and I kept noticing everyone left the room–a sure sign you should not try this at home.

Each day I laid there silently, talking to God and trusting in Him. And my wife sat outside, lifting me up in prayer.

Three weeks later I returned to work. Twenty-two years later, I have had two sick days.

I’ve watched my children grow up. They are twenty-six and twenty-eight now–both finished college at the University of Georgia (Go Dawgs!). And a year and a half ago, my daughter had our first grandchild. My wife is still by my side, and I’m thankful for each day. Here’s a recent picture of my family at one of our favorite places: Cades Cove, Tennessee.

So what does a brain tumor story tell us about audits? (You may, at this point, be thinking, “they did cook his brain.”)

Audit Lessons Learned from a Brain Tumor

1. Pay Attention to Signs

It’s easy to overlook the obvious. Maybe we don’t want to see a red flag (I didn’t want to believe I had a tumor). It might slow us down. But an audit is not purely about finishing and billing. It’s about gathering proper evidential matter to support the opinion. To do less is delinquent and dangerous.

2. Seek Alternatives

If you can’t gain appropriate audit evidence one way, seek another. Don’t simply push forward, using the same procedures year after year. The doctor in Atlanta was a surgeon, so his solution was surgery. His answer was based on his tools, his normal procedures. If you’ve always used a hammer, try a wrench.

3. Seek Counsel

If one answer doesn’t ring true, see what someone else thinks, maybe even someone outside your firm. Obviously, you need to make sure your engagement partner agrees (about seeking outside guidance), but if he or she does, go for it. I often contact the Center for Plain English AccountingI find them helpful and knowledgeable. I also have relationships with other professionals, so I call friends and ask their opinions–and they call me. Check your pride at the door. I’d rather look dumb and be right than to look smart and be wrong.

4. Embrace Change

Fractionated stereotactic radiation was new. Dr. Williams was a pioneer in the technique. The only way your audit processes will get better is to try new techniques: paperless software (we use CCH Prosystem Engagement), data mining (we use TeamMate Analytics), real fraud inquiries (I use ACFE techniques), electronic bank confirmations (I use Confirmation.com), project management software (I use Basecamp). If you are still pushing a Pentel on a four-column, it’s time to change.

Postscript

Finally, remember that work is important, but life itself is the best gift. Be thankful for each moment, each hour, each day. 

Auditing Debt
Apr 25

Auditing Debt: The Why and How Guide

By Charles Hall | Auditing

What are the keys to auditing debt?

While auditing debt can be simple, sometimes it’s tricky.  For instance, classification issues can arise when debt covenant violations occur. Should the debt be classified as current or noncurrent? Likewise, some forms of debt (with detachable warrants) have equity characteristics, again leading to classification issues. Is it debt or equity—or both? Additionally, leases can create debt, even if that is not the intent. 

Most of the time, however, auditing debt is simple. A company borrows money. An amortization schedule is created. And thereafter, debt service payments are made and recorded. 

Either way, whether complicated or simple, below I show you how to audit debt.

Auditing Debt

Auditing Debt — An Overview

In many governments, nonprofits, and small businesses, debt is a significant part of total liabilities. Consequently, it is often a significant transaction area.

In this post, we will cover the following:

  • Primary debt assertions
  • Debt walkthroughs
  • Debt-related fraud
  • Debt mistakes
  • Directional risk for debt
  • Primary risks for debt
  • Common debt control deficiencies
  • Risk of material misstatement for debt
  • Substantive procedures for debt
  • Common debt work papers

Primary Debt Assertions

The primary relevant debt assertions include:

  • Completeness
  • Classification
  • Obligation

I believe, in general, completeness and classification are the most important debt assertions. When a company shows debt on its balance sheet, it is asserting that it is complete and classified correctly. By classification, I mean it is properly displayed as either short-term or long-term. I also mean the instrument is debt and recorded as such (and not equity). By obligation, I mean the debt is legally owed by the company and not another entity.

Keep these three assertions in mind as you perform your transaction cycle walkthroughs.

Debt Walkthroughs

Early in your audit, perform a walkthrough of debt to see if there are any control weaknesses. As you perform this risk assessment procedure, what questions should you ask? What should you observe? What documents should you inspect? Here are a few suggestions.

Debt Walkthrough

As you perform your debt walkthrough ask or perform the following:

  • Are there any debt covenant violations?
  • If the company has violations, is the debt classified appropriately (usually current)?
  • Is someone reconciling the debt in the general ledger to a loan amortization schedule?
  • Inspect amortization schedules.
  • Does the company have any unused lines of credit or other credit available?
  • Inspect loan documents.
  • Has the company refinanced its debt with another institution? Why?
  • Who approves the borrowing of new money?
  • Who approves new leases? Who handles lease accounting and are they competent?
  • Does the company have any leases that should be recorded as debt?
  • Inspect new loan and lease approvals. 
  • How are debt service payments made (e.g., by check or wire)? Who makes those payments?
  • Are there any sinking funds? If yes, who is responsible for making deposits and how is this done?
  • Observe the segregation of duties for persons:
    • Approving new loans,
    • Receipting loan proceeds,
    • Recording debt in the general ledger, and
    • Reconciling the debt in the general ledger to the loan amortization schedules
  • Is the company required to file periodic (e.g., quarterly) reports with the lender? Inspect sample debt-related reports, if applicable.
  • Does the company have any convertible debt or debt with detachable warrants? Are they properly recorded?
  • Is the company following reporting framework requirements (e.g., FASB Codification) for debt?
  • Has collateral been pledged? If yes, what?
  • What are the terms of the debt agreements?
  • Has all debt of the company been recorded in the general ledger?
  • Have debt issuance costs been accounted for properly based on the reporting framework requirements? (FASB requires the netting of such costs with debt.)
  • Has the company guaranteed the debt of another entity?

If control weaknesses exist, create audit procedures to address them. For example, if—during the walkthrough—we see that one person approves loans, deposits loan proceeds, and records the related debt, then we will perform fraud-related substantive procedures.

Debt-Related Fraud

A company can fraudulently inflate its equity by intentionally omitting debt from its balance sheet. (Total assets equal liabilities plus equity. Therefore, if debt is not reported, equity increases.) 

As we saw with Enron, some entities place their debt on another company’s balance sheet. (Enron did so using special purpose entities.) So auditors need to consider that companies can intentionally omit debt from their balance sheets.

Another potential fraudulent presentation is showing short-term debt as long-term. When might this happen? When debt covenant violations occur. Such violations can trigger a requirement to classify the debt as current. If accounting personnel are aware of the requirement to classify debt as current and don’t do so, then the reporting can be considered fraudulent.  

Additionally, mistakes can lead to errors in debt accounting.

Debt Mistakes

Errors in accounting for debt can occur when debt service payments are misclassified as expenses rather than a reduction of debt. Also, debt can—in error—be presented as long-term when it is current. Why? Maybe the company’s accountant doesn’t understand the accounting rules.

Some forms of debt, such as leases, can be difficult to interpret. Consequently, a company might errantly fail to record debt when required. 

So, what is the directional risk for debt? An overstatement or an understatement?

Directional Risk for Debt

Auditing Debt

The directional risk for debt is an understatement. So, audit for completeness (and determine that all debt is recorded).

Primary Risks for Debt

Primary risks for debt include:

  1. Debt is intentionally understated (or omitted)
  2. Debt is recorded as noncurrent (due more than one year from the balance sheet date) though the amount is current (due within one year of the balance sheet date)

It’s obvious why a company might want to understate its debt. The company looks healthier. But why would a business desire to classify current debt as noncurrent? For the same reason: to make the company look stronger. By recording current debt as noncurrent, the company’s working capital ratio (current assets divided by current liabilities) improves. 

As you think about the above risks, consider the control deficiencies that allow debt misstatements.

Common Debt Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following:
    • Approves the borrowing of new funds,
    • Enters the new debt in the accounting system, 
    • Deposits funds from the debt issuance
  • Funds are borrowed without appropriate approval
  • Debt postings are not agreed to amortization schedules
  • Accounting personnel don’t understand the accounting standards for debt (including lease accounting)

Another key to auditing debt is understanding the risks of material misstatement.

Risk of Material Misstatement for Debt

In auditing debt, the assertions that concern me the most are classification, completeness, and obligation. So my risk of material misstatement for these assertions is usually moderate to high. 

Auditing Debt

My response to the higher risk assessments is to perform certain substantive procedures: namely, a review of debt covenant compliance and a review of debt and lease agreements—and the related accounting. Why?

As we saw above, debt covenant violations may require the company to reclassify debt from noncurrent to current. Doing so can be significant. The loan could be called by the lender, depending on the loan agreement. So, proper classification of debt can be critical. 

Also, some leases should be recorded as debt. If such leases are not recorded, the company looks healthier than it is. Our audit should include procedures that address the completeness of debt and the obligations of the company.

Once your risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Debt

My customary tests for auditing debt are as follows:

  1. Summarize and test debt covenants
  2. Review new leases to determine if debt should be recorded
  3. Confirm all significant debt with lenders
  4. Determine if all debt is classified appropriately (as current or noncurrent)
  5. Agree the end-of-period balances in the general ledger to the amortization schedules
  6. Agree future debt service payment summaries to amortization schedules 
  7. Review accruals of any significant interest 
  8. Review interest expense (usually comparing current and prior year interest)

In light of my risk assessment and substantive procedures, what debt work papers do I normally include in my audit files?

Common Debt Work Papers

My debt work papers normally include the following:

  • An understanding of debt-related internal controls 
  • Documentation of any internal control deficiencies related to debt
  • Risk assessment of debt at the assertion level
  • Debt audit program
  • A copy of all significant debt agreements (including lease and line-of-credit agreements)
  • Minutes reflecting the approval of new debt
  • A summary of debt activity (beginning balance plus new debt minus principal payments and ending balance)
  • Amortization schedules for each debt
  • Summary of all debt information for disclosure purposes (e.g., future debt service to be paid, interest rates, types of debt, collateral, etc.) 

If there are questions regarding debt agreements and their presentation, I include additional language in the representation letter to address the issues. For example, if an owner loans funds to the company but there is no written  debt agreement, the owner or management might verbally explain the arrangement. In such cases, I include language in the management representation letter to cover the verbal responses.

In Summary

In this article we’ve looked at the keys to auditing debt. Those keys include risk assessment procedures, determining relevant assertions, creating risk assessments, and developing substantive procedures. The most important issues to address are usually (1) the classification of debt (especially if debt covenant violations exist) and (2) lease accounting.

To understand the new lease standard (ASC 842) from the lessee’s perspective, see my lease article: Account for Finance and Operating Leases

Next we’ll look at how to audit equity.


auditing investments
Apr 04

Auditing Investments: A Guide

By Charles Hall | Auditing

Auditing investments is important, especially when an auditee has large balances. Below I provide a comprehensive look at how you can audit investments effectively and efficiently.

The complexity of auditing investments varies. For entities with simple investment instruments, auditing is easy. Your main audit procedure might be to confirm balances. Complex investments, however, require additional work such as auditing values. As investment complexity increases, so will your need for stronger audit team members (those that understand unusual investments). Regardless, you need an audit methodology.

auditing investments

How to Audit Investments

In this post, we will take a look at:

  • Primary investment assertions
  • Investment walkthroughs
  • Directional risk for investments
  • Primary risks for investments
  • Common investment control deficiencies
  • Risk of material misstatement for investments
  • Substantive procedures for investments
  • Common investment work papers

Primary Investments Assertions

First, let’s look at assertions.

Primary relevant assertions for investments include:

  • Existence
  • Accuracy
  • Valuation
  • Cutoff

The audit client is asserting that the investment balances exist, that they are accurate and properly valued, and that only investment activity within the period is recorded

While investment balances in the financial statements are important, disclosures are also vital, especially when the entity owns complex instruments

Investment Walkthroughs

Second, perform your risk assessment work in light of the relevant assertions.

As you perform walkthroughs of investments, you normally look for ways that investments might be overstated (though investments can be understated as well). You are asking, “What can go wrong?” whether intentionally or by mistake. You want to know if:

  • The controls were appropriately designed, and 
  • The controls were implemented (in use)

Walkthrough Questions

In performing investment walkthroughs, ask questions such as:

  • What types of investments are owned?
  • Are there any unusual investments? If yes, how are they valued?
  • Is a specialist used to determine investment values?
  • Who determines the classification of investments (e.g., trading, available for sale, held to maturity) and how
  • Do the persons accounting for investment activity have sufficient knowledge to do so?
  • Are timely investment reconciliations performed by competent personnel?
  • Are all investment accounts reconciled (from the investment statements to the general ledger)?
  • Who reconciles the investment accounts and when?
  • Are the reconciliations reviewed by a second person?
  • Are all investment accounts on the general ledger?
  • How does the entity ensure that all investment activity is included in the general ledger (appropriate cutoff)?
  • Who has the ability to transfer investment funds and what are the related controls?
  • Is there appropriate segregation of duties for:
    • Persons that record investments, 
    • Persons that buy and sell investments, and
    • Persons that reconcile the investment statements
  • What investment accounts were opened in the period?
  • What investment accounts were closed in the period? 
  • Who has the authority to open or close investment accounts?
  • Are there any investment restrictions (externally or internally)?
  • What persons are authorized to buy and sell investments?
  • Does the entity have a written investment policy? 
  • Does the company use an investment advisor? If yes, how often does management interact with the advisor? How are investment fees determined?
  • Are there any investment impairments?
  • Who is responsible for investment disclosures and do they have sufficient knowledge to carry out this duty?
  • Are there any cost or equity-method investments?

As we ask questions, we also inspect documents (e.g., investment statements) and make observations (e.g., who reconciles the investment statements to the general ledger?).

If control weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we note that there are improperly classified investments, then will plan audit procedures to address that risk.

Directional Risk for Investments

Third, consider the directional risk of investments.

The directional risk for investments is that they are overstated. So, in performing your audit procedures, perform procedures to ensure that balances are properly stated.

Primary Risks for Investments

Fourth, think about the risks related to investments.

auditing investments

Primary risks include:

  1. Investments are stolen
  2. Investments are intentionally overstated to cover up theft
  3. Investments accounts are intentionally omitted from the general ledger
  4. Investments are misstated due to errors in the investment reconciliations 
  5. Investments are improperly valued due to their complexity and management’s lack of accounting knowledge
  6. Investments are misstated due to improper cutoff
  7. Investment disclosures are not accurate or complete

Common Investment Control Deficiencies

Fifth, think about control deficiencies noted during your walkthroughs and other risk assessment work.

It is common to have the following investment control deficiencies:

  • One person buys and sells investments, records those transactions, and reconciles the investment activity
  • The person overseeing investment accounting does not possess sufficient knowledge or skill to properly perform the duty
  • Investment reconciliations are not performed timely or improperly
  • The company does not employ sufficient assistance in valuing complex assets such as hedges or alternative investments

Risk of Material Misstatement for Investments

Sixth, now its time to assess your risks.

In my smaller audit engagements, I usually assess control risk at high for each assertion. (You may, however, assess control risk at less than high, provided your walkthrough reveals that controls are appropriately designed and that they were implemented. If control risk is assessed at below high, you must test controls for effectiveness to support the lower risk assessment.)

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate. 

Important Assertions

The assertions that concern me the most are existence, accuracy, valuation, and cutoff.

The assertions that concern me the most are existence, accuracy, valuation, and cutoff. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, confirming investments, testing investment reconciliations, testing values, and vetting investment disclosures.

Substantive Procedures for Investments

And finally, it’s time to determine your substantive procedures in light of your identified risks.

My customary audit tests include:

  1. Confirming investment balances agreeing them to the general ledger
  2. Inspecting period-end activity for proper cutoff
  3. Using an investment specialist to value complex instruments (if any)
  4. Vetting investment disclosures with a current disclosure checklist

I don’t normally test controls related to investments. If controls are tested and you determine they are effective, then some of the substantive procedures may not be necessary. 

Common Investment Work Papers

My investments work papers normally include the following:

  • An understanding of investment-related internal controls 
  • Risk assessment of investments at the assertion level
  • Documentation of any control deficiencies
  • Investment audit program
  • Investment reconciliations 
  • Investment confirmations
  • Valuations performed by specialists
  • Documentation of the specialist’s experience, competence, and objectivity
  • Disclosure checklist

Auditing Investments - A Simple Summary

  • The primary relevant investment assertions include existence, accuracy, valuation, and cutoff
  • Perform a walkthrough of investments by making inquiries, inspecting documents, and making observations
  • The directional risk for investments is an overstatement
  • Primary risks for investments include:
    • Investments are stolen
    • Investments are intentionally overstated to cover up theft
    • Investments accounts are intentionally omitted from the general ledger
    • Investments are misstated due to errors in the investment reconciliations
    • Investments are improperly valued due to their complexity and management’s lack of accounting knowledge
    • Investments are misstated due to improper cutoff
    • Investments disclosures are not accurate or complete
  • The substantive procedures for investments should be responsive to the identified risks; common procedures include:
    • Confirming investments 
    • Inspecting period-end activity for proper cutoff
    • Using an investment specialist to value complex instruments 
    • Vetting investment disclosures with a current disclosure checklist

Now you know how to audit investments. 

See my next post regarding how to audit payables and expenses.

This post is a part of my series The Why and How of Auditing. Check my other posts.

Auditing Receivables and Revenues
Mar 23

Auditing Receivables and Revenues: A Guide

By Charles Hall | Auditing

Today we take a look at auditing receivables and revenues.

Revenues are the lifeblood of any organization. Without cash inflows, the entity may cease to exist. So, it’s important that each business generate sales or some type of revenue. For you, the auditor, it’s important to verify the revenue.  

Along with revenues, auditors need to prove receivables. Why? Some companies manipulate their earnings by inflating their period-end receivables.  When trade receivables increase, revenues increase. So, a company can increase its net income by recording nonexistent receivables.

In this post, we’ll answer questions such as, “should I confirm receivables or examine subsequent receipts?” and “why should I assume that revenues are overstated?"

Auditing Receivables and Revenues

How to Audit Receivables and Revenues — An Overview

In this post, we will cover the following:

  1. Primary accounts receivable and revenue assertions
  2. Accounts receivable and revenue walkthrough
  3. Directional risk for accounts receivable and revenues
  4. Primary risks for accounts receivable and revenues
  5. Common accounts receivable and revenue control deficiencies
  6. Risk of material misstatement for accounts receivable and revenues
  7. Substantive procedures for accounts receivable and revenues
  8. Common accounts receivable and revenue work papers

Primary Assertions

First, let’s look at assertions.

The primary relevant accounts receivable and revenue assertions are:

  • Existence and occurrence
  • Completeness
  • Accuracy
  • Valuation
  • Cutoff

Of these assertions, I believe—in general—existence (of receivables), occurrence (of revenues) and valuation (of receivables) are most important. So, clients assert that:

  • Receivables exist 
  • Receivables are properly valued, and 
  • Revenues occurred

Accuracy comes into play if the customer has complex receivable transactions. Additionally, the cutoff assertion is often relevant, especially if the client has incentives to inflate the receivables balance (e.g., bonuses triggered at certain income levels).

When auditing receivables and revenues, consider these assertions.

Accounts Receivable and Revenue Walkthrough

Second, think about performing your risk assessment work in light of the relevant assertions.

As we perform walkthroughs of accounts receivable and revenue, we are looking for ways they are overstated (though they can also be understated as well). We are asking, “What can go wrong, whether intentionally or by mistake?”

In performing accounts receivable and revenue walkthroughs, ask questions such as:

  • Are receivables subsidiary ledgers reconciled to the general ledger?
  • Is a consistent allowance methodology used?
  • What method is used to compute the allowance and is it reasonable?
  • Who records and approves the allowance?
  • Who reviews aged receivables?
  • What controls ensure that revenues are recorded in the right period?
  • Is there adequate segregation of duties between persons recording, billing, and collecting payments? Who reconciles the related records?
  • What software is used to track billings and collections?
  • Are there any decentralized collection locations?
  • When are revenues recognized and is the recognition in accordance with the reporting framework?
  • What receivables and revenue reports are provided to the owners or the governing body?

As we ask questions, we also inspect documents (e.g., aged receivable reports) and make observations (e.g., who collects the payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see inconsistent allowance methods, we will perform more substantive work to prove the allowance balances.

Directional Risk for Accounts Receivable and Revenues

Third, consider directional risk when auditing receivables and revenues.

How to audit receivables

The directional risk for accounts receivable and revenue is an overstatement. So, in performing your audit procedures, perform procedures to ensure that accounts receivables and revenues are not overstated. For example, review the cutoff procedures at period-end. Be sure that no subsequent period revenues are recorded in the current fiscal year. 

Audit standards require that auditors review estimates for management bias. So, consider the current year allowance and bad debt write-offs in light of the prior year allowance. This retrospective review allows the auditor to see if the current estimate is fair. The threat is that management might reduce allowances to inflate earnings.

Moreover, the audit standards state there is a presumption (unless rebutted) that revenues are overstated. Therefore, we are to assume revenues are overstated, unless we can explain why they are not.

Primary Risks for Accounts Receivable and Revenues

Fourth, think about the risks related to receivables and revenues.

The main risks are:

  1. The company intentionally overstates accounts receivable and revenue 
  2. Company employees steal collections 
  3. Without proper cutoff, an overstatement of accounts receivables and revenue occurs 
  4. Allowances are understated
  5. Revenue recognition

Risks related to revenue also vary from company to company. For example, one telecommunications company might sell bundled services while another may not. Revenue recognition is more complex (risky) for the company selling bundled services.

Also, revenue risks vary from industry to industry. For example, the allowance for uncollectible is normally a high risk area for healthcare entities, but may not be so for other industries.

Common Accounts Receivable and Revenue Control Deficiencies

Fifth, think about the control deficiencies noted during your walkthroughs and other risk assessment work.

In smaller entities, the following control deficiencies are common:

  • One person performs one or more of the following: 
    • bills customers
    • receipts monies
    • makes deposits 
    • records those payments in the general ledger
    • reconciles the related bank account
  • The person computing allowances doesn’t possess sufficient knowledge to do so correctly
  • No surprise audits of receivables and revenues 
  • Multiple people work from one cash drawer
  • Receipts are not appropriately issued
  • Receipts are not reconciled to daily collections
  • Daily receipts are not reviewed by a second person
  • No one reconciles subsidiary receivable ledgers to the general ledger
  • Individuals with the ability to adjust customer receivable accounts (with no second-person approval or review) also collect cash 
  • Inconsistent bad debt recognition with no second-person review process
  • The revenue recognition policy may not be clear and may not be in accordance with the reporting framework

Risk of Material Misstatement for Accounts Receivable and Revenues

Sixth, now it’s time to assess your risks.

In smaller engagements, I usually assess control risk at high for each assertion. Controls must be tested to support any lower control risk assessments. Assessing risks at high is often more efficient than testing controls.

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (inherent risk X control risk = risk of material misstatement). The assertions that concern me the most (those with higher inherent risks) are existence, occurrence, and valuation. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, receivable confirmations and tests of subsequent collections. As RMM increases, I send more confirmations and examine more subsequent collections.

Additionally, I thoroughly test management’s allowance computation. I pay particular attention to uncollected amounts beyond 90 days. Uncollected amounts beyond 90 days should usually be heavily reserved. And amounts beyond 120 days should—generally—be fully reserved.  

Substantive Procedures 

And finally, it’s time to determine your substantive procedures in light of your identified risks.

how to audit receivables

My customary audit procedures when auditing receivables and revenues are as follows:

  1. Confirm accounts receivable balances (especially larger amounts)
  2. Vouch subsequent period collections, making sure the subsequent collections relate to the period-end balances (sampling can be used)
  3. Thoroughly review allowance computations to see if they are consistent with prior years; compare allowance percentages to industry averages; agree to supporting documentation (e.g., histories of uncollectible amounts); recompute the related numbers
  4. Create comparative summaries of all significant revenue accounts, comparing the current year amounts with historical data (three or more years if possible)
  5. Create summaries of average per customer income and compare with prior years (you may want to do this by specific revenue categories)
  6. Compute average profit margins by sales categories and compare with previous years

Additionally, I add extended procedures to my audit program if there are high risks of material misstatement such as significant risks. For example, if a company sells bundled goods, I test how the company apportions the revenue recognition. Or if there are no segregation of duties, I add fraud-related procedures such as testing daily cash collections. The additional procedures address the root of the identified risks. 

Common Work Papers

My accounts receivable and revenue work papers frequently include the following:

  • An understanding of accounts receivable and revenue-related internal controls
  • Risk assessment of accounts receivable and revenue at the assertion level
  • Documentation of any control deficiencies
  • Accounts receivable and revenue audit program
  • A detail of receivables comprising amounts on the general ledger
  • Copies of confirmations sent
  • A summary of confirmations received
  • Subsequent collections work papers
  • Allowance work paper
  • Revenue comparison work papers

In Summary

In this chapter, we’ve looked at the following for receivables and revenues:

  • How to perform risk assessment procedures, 
  • Relevant assertions, 
  • Risk assessments (as a result of the risk assessment procedures), and
  • Substantive procedures

Next, we’ll see how to audit investments.

Get Your Copy of The Why and the How of Auditing

Click the book cover below to see the book on Amazon.

The Why and How of Auditing

Get your copy on Amazon; click the book image.

auditing cash
Mar 11

Auditing Cash: The Why and How Guide

By Charles Hall | Auditing

Auditing cash tends to be straightforward. We usually just obtain the bank reconciliations and test them. We send confirmations and vouch the outstanding reconciling items to the subsequent month’s bank statement. But are such procedures always adequate? Hardly. 

Recall the Parmalat and ZZZZ Best Carpet Cleaning frauds. In those businesses, the theft of cash was covered up with fake bank statements and fake confirmation responses. Millions were lost and reputations we’re sullied.

auditing cash

How to Audit Cash

In this post, we will take a look auditing cash including:

  • Primary cash assertions
  • Cash walkthrough
  • Directional risk for cash
  • Primary risks for cash
  • Common cash control deficiencies
  • Risk of material misstatement for cash
  • Substantive procedures for cash
  • Common cash work papers

Primary Cash Assertions

The primary relevant cash assertions are:

  • Existence
  • Completeness
  • Rights
  • Accuracy
  • Cutoff

Of these assertions, I believe existence, accuracy, and cutoff are most important. The audit client is asserting that the cash balance exists, that it’s accurate, and that only transactions within the period are included.

Classification is normally not a relevant assertion. Cash is almost always a current asset. But when bank overdrafts occur, classification can be in play. The negative cash balance can be presented as cash or as a payable depending on the circumstances.

Cash Walkthrough

As we perform walkthroughs of cash, we normally look for ways that cash might be overstated (though it can also be understated as well). We are asking, “What can go wrong?” whether intentionally or by mistake.

In performing cash walkthroughs, ask questions such as:

  • Are timely bank reconciliations performed by competent personnel?
  • Are all bank accounts reconciled?
  • Are the bank reconciliations reviewed by a second person?
  • Are all bank accounts on the general ledger?
  • Are transactions appropriately cut off at period-end (with no subsequent period transactions appearing in the current year)?
  • Is there appropriate segregation between persons handling cash, recording cash, making payments, and  reconciling the bank statements
  • What bank accounts were opened in the period?
  • What bank accounts were closed in the period?
  • Are there any restrictions on the bank accounts?
  • What persons are on the bank signature cards?
  • Who has the authority to open and/or close bank accounts?
  • What is the nature of each bank account (e.g., payroll bank account)?
  • Are there any cash equivalents (e.g., investments of less than three months)
  • Were there any held checks (checks written but unreleased) at period-end?

As we ask questions, we also inspect documents (e.g., bank reconciliations) and make observations (who is doing what?).

If controls weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we review three monthly bank reconciliations and they all have obvious errors, we will perform more substantive work to prove the year-end bank reconciliation. For example, we might vouch every outstanding deposit and disbursement.

Directional Risk for Cash

What is directional risk in auditing cash? It’s the potential bias that a client has regarding an account balance. A client might desire an overstatement of assets and an understatement of liabilities  since each makes the balance sheet appear healthier.

The directional risk for cash is overstatement. So, in performing your audit procedures, perform procedures such as testing the bank reconciliation to ensure that cash is not overstated.

Primary Risks for Cash

The primary risks are:

  1. Cash is stolen
  2. Cash is intentionally overstated to cover up theft
  3. Not all cash accounts are on the general ledger
  4. Cash is misstated due to errors in the bank reconciliation
  5. Cash is misstated due to improper cutoff

Common Cash Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person receipts and/or disburses monies, records those transactions in the general ledger, and reconciles the related bank accounts
  • The person performing the bank reconciliation does not possess the skill to perform the duty
  • Bank reconciliations are not timely performed

Risk of Material Misstatement for Cash

In my smaller audit engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate.

The assertions that concern me the most are existence, accuracy, and cutoff. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, bank confirmations and testing of the bank reconciliations. As RMM increases I examine more of the period-end bank reconciliations and more of the outstanding reconciling items. Also, I am more inclined confirm the balances.

Substantive Procedures for Cash

My customary audit tests are as follows:

  1. Confirm cash balances
  2. Vouch reconciling items to the subsequent month’s bank statement
  3. Ask if all bank accounts are included on the general ledger
  4. Inspect final deposits and disbursements for proper cutoff

The auditor should send confirmations directly to the bank. Some individuals create false bank statements to cover up theft. Those same persons provide false confirmation addresses. Then the confirmation is sent to an individual (the fraudster) rather than a bank. Once received, the fraudster replies to the confirmation as though the bank is doing so. You can lessen the chance of fraudulent confirmations by using Confirmation.com, a company that specializes in bank confirmations. Alternatively, you might Google the confirmation address to verify its existence.

Agree the confirmed bank balance to the period-end bank reconciliation (e.g., December 31, 20X7). Then, agree the reconciling items on the bank reconciliation to the bank statement subsequent to the period-end. For example, examine the January 20X8 bank statement activity when clearing the December 20X7 reconciling items. Finally, agree the reconciled balance to the general ledger cash balance for the period-end (e.g., December 31, 20X7).

Cut-off bank statements (e.g., January 20, 20X8 bank statement) may be used to test the outstanding items. Such statements, similar to bank confirmations, are mailed directly to the auditor. Alternatively, the auditor might examine the reconciling items by viewing online bank statements. (Read-only rights can be given to the auditor.)

Common Cash Work Papers

My cash work papers normally include the following:

  • An understanding of cash-related internal controls
  • Risk assessment of cash assertions at the assertion level
  • Documentation of any control deficiencies
  • Cash audit program
  • Bank reconciliations for each significant account
  • Bank confirmations

Auditing Cash 

We’ve discussed how to perform cash risk assessment procedures, the relevant cash assertions, the cash risk assessments, and substantive cash procedures.

Next we’ll examine how to audit receivables and revenues.

Get Your Copy of The Why and How of Auditing

Click the book below to see it on Amazon.

Click the book cover to see The Why and How of Auditing on Amazon.

1 2 3 13
>