Category Archives for "Auditing"

governmental auditing standards
Oct 04

Governmental Auditing Standards: Understand the Requirements

By Charles Hall | Auditing , GAAS , Single Audit , Yellow Book

If you perform governmental audits, you know that different governmental auditing standards can come into play.

In this video, I explain three essential governmental auditing standards. By understanding these, you can properly plan and perform your engagements to comply with professional standards.

I discuss the following audit standards:

To learn more, click the video below. 

 

YouTube player
Group audit
Aug 19

Demystifying Group Audits: Key Definitions and Requirements

By Charles Hall | Auditing

SAS No. 149Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred-to Auditors) defines what firms must do in group audits.

Sometimes, auditors have a group audit but don’t know it (as Michael Westervelt pointed out in his JOA article), or they are aware that a group audit is in play but don’t know the requirements. Either way, if your firm doesn’t comply with group audit standards and your peer reviewer notices, you’ve got a problemsometimes a big one.

Group audits raise questions such as who is responsible for what. Below, I explain the responsibilities of the following:

  • Group auditor,
  • Group engagement partner,
  • Component auditor and
  • Referred-to auditor.

I also provide key group audit definitions and communication and documentation requirements.

I will use a question-and-answer format to explain the following:

  • Group audits
  • Group auditor
  • Group audit partner
  • Component auditor
  • Components
  • Component performance materiality
  • Aggregation risk
  • Referred-to auditor
  • Number of audit firms
  • Group audit documentation

Group audit

Group Audits

What is a group audit?

It’s an audit of group financial statements.

But what are group financial statements? They are financial statements that include multiple entities or business units or the aggregation of financial information from entities or business units such as branches or divisions. Group financial statements include aggregating financial information from business units with separate locations, management, or information systems. (See A4 and A5 of SAS 149 for additional information.)

Here are examples of group financial statements:

  1. Consolidated financial statements (e.g., a parent company owns another company)
  2. Combined financial statements (e.g., two companies owned by the same person are combined)
  3. Equity method investment (a company reports an equity method investment on its balance sheet)
  4. Joint venture
  5. A government with a discretely presented component unit
  6. An entity organized by geography (e.g., an entity comprised of American, Mexican, and Canadian operations managed by three national management teams; each national reporting center has its own general ledger)

If you are auditing one of these, you are conducting a group audit, and specific audit requirements apply. If you are directing the audit, you are the group auditor; in some cases, other audit firms might participate.

Group Auditor

So, what is a group auditor?

It’s the group engagement partner and engagement team members other than component auditors (see component auditor definition below).

The group auditor performs duties including the following:

  • Establishes the group audit strategy
  • Develops the group audit plan
  • Determines components to audit
  • Gains an understanding of the group and its environment, reporting framework, and system of internal controls
  • Takes responsibility for assessing group financial statement risks of material misstatement
  • Takes responsibility for the performance of further audit procedures, including the work of component auditors and work related to the consolidation process
  • Determines the resources needed to perform the audit, including any component auditors (see below)
  • Determines the component performance materiality (see below) to address aggregation risk (see below)
  • Directs and supervises component auditors and reviews their work
  • Makes decisions about referencing the audit of a referred-to auditor (see below)
  • Evaluates the conclusions based on audit evidence as a basis for the group audit opinion
  • Evaluates whether sufficient appropriate evidential matter is present to support the group audit opinion (including the work of component auditors or through reference to a referred-to auditor’s opinion)
  • Forms an opinion on the group financial statements based on the audit evidence obtained
  • Communicates with those charged with governance (and management, when appropriate) about audit matters including:
    • an overview of the component auditor’s work
    • decisions to make reference to audits of referred-to auditors
    • any scope limitations
    • fraud or suspected fraud
    • internal control deficiencies
  • Evaluates whether the audit documentation is sufficient to enable an experienced auditor (one with no previous connection with the engagement) to understand the following:
    • Nature, timing, and extent of audit procedures
    • Audit evidence
    • Conclusions about significant matters

When component auditors are in use, the group auditor has specific responsibilities, including the following:

  • Evaluating the adequacy of component auditor communications for the group auditor’s purposes
  • Determining the nature, timing, and extent of the component auditor’s involvement
  • Being sufficiently and appropriately involved in the component auditor’s work
  • Confirming that the component auditor understands and will comply with the ethical requirements
  • Determining the component performance materiality (see below) to lessen aggregation risk (see below)
  • Determining the appropriateness of the further audit procedures performed by the component auditor
  • Reviewing component auditor documentation while taking into account the group financial statement risks of material misstatement and significant risks
  • Evaluating the sufficiency and appropriateness of the audit evidence obtained from all components, including evidence provided by component auditors

The group auditor should communicate the following to component auditors:

  • The component auditor’s responsibilities
  • The relevant ethical requirements
  • Requesting the component auditor to confirm that they will cooperate with the group auditor
  • The need for timely communication during the engagement
  • Risk assessment matters that affect the risk assessment procedures to be performed by the component auditor
  • Matters affecting planned further audit procedures in response to group financial statement risks of material misstatement
  • Significant risks of the group financial statements that have a bearing on the component audit procedures
  • Related party relationships and transactions affecting the component
  • Any events or conditions that may raise substantial doubt about the group’s ability to continue as a going concern (as related to the component auditor’s work)

Group Engagement Partner

Who is the group engagement partner?

The auditor responsible for the group audit.

The group engagement partner’s responsibilities include:

  • Deciding that sufficient appropriate audit evidence can be obtained (including the use of component auditors and referred-to auditors) before accepting the engagement or making the decision to continue providing audit services
  • Being sufficiently and appropriately involved in the group audit, including the work of component auditors
  • Determining that the component auditor has appropriate competence and capabilities 
  • Determining the nature, timing, and extent of the component auditor’s involvement in the group audit
  • Accountability for the group audit and compliance with standards
  • Determining the appropriateness of significant judgments and conclusions
  • Taking responsibility for directing, supervising, and reviewing the work of component auditors

Here are examples of different ways the group engagement partner can direct and supervise component auditors:

  • Have meetings with or make phone calls to the component auditors about risk assessment, findings, or other issues
  • Review the component auditor’s documentation
  • Be a part of the component auditor’s meetings with component management

Group audit

Component Auditor

What is a component auditor?

An auditor that audits a group audit component, such as a business subsidiary.

A component auditor (working with the group auditor) is a part of the audit team.

Component auditors can include:

  • Auditors from a firm network,
  • An audit firm that is not a network firm, or
  • The group auditor’s firm (e.g., another office in the firm of the group auditor)

It is possible that all component auditors are from the group audit firm. It is also possible that component auditors include the group audit firm and audit firms external to the group audit firm.

The group auditor should ask the component auditor to communicate certain component matters, including the following:

  • Matters that might affect the identification and assessment of the risk of material misstatement at the group financial statement level
  • Related party relationships or transactions not previously communicated by the group auditor
  • Identification of the information audited by the component auditor
  • Whether the component auditor performed the requested work
  • Noncompliance with laws and regulations
  • Whether the component auditor complied with ethical requirements
  • Corrected and uncorrected misstatements
  • Possible management bias
  • Deficiencies in the system of internal control
  • Fraud or suspected fraud
  • Any events or conditions that might affect the group’s ability to continue as a going concern for a reasonable period of time
  • Any other significant matters communicated to the component’s management or those charged with governance
  • Overall findings and conclusions of the component auditor

The group audit report should not reference any component auditors when component auditors participate in the group audit.

Components

What are components?

A component is an:

  • Entity
  • Business unit
  • Function
  • Business activity, or
  • Some combination thereof

The group auditor determines how components relate to one another for planning and performing audit procedures.

For instance, the group auditor might decide that the group audit firm will audit entities A, B, and C, and another firm (a component auditor) will audit entity D. In this example, the group audit firm and the component audit firm comprise the audit team.

In another example, the group auditor might decide that the group audit firm will audit entities A, B, and C and reference the audit report of entity D performed by another firm (called the referred-to auditor). The referred-to auditor is not a part of the audit team.

A component auditor needs to know what the component materiality is.

Component Performance Materiality

What is component performance materiality?

It’s the amount the group auditor sets to reduce aggregation risk (see below) to an appropriate level. The component performance materiality must be less than the group performance materiality.

Additionally, the component auditor must communicate any misstatements above a certain amount (component threshold) to the group auditor. The group auditor specifies this component threshold, and it should not exceed the trivial amount in the group financial statement.

For example, the trivial misstatement amount for the ABC Consolidated financial statements might be $75,000 (as set by Cole CPA firm), and the component threshold could be $25,000 for entity B, a component audited by the Gee Whiz CPA firm. If Gee Whiz identifies one misstatement of $15,000 and another for $55,000, it must communicate the second misstatement to Cole CPA firm, the group audit firm.

One unique risk in group audits is aggregation risk.

Aggregation Risk

What is aggregation risk?

It’s the risk that aggregate uncorrected and undetected misstatements might exceed the financial statements’ materiality.

Suppose the group auditor audits companies A and B, and a component auditor audits company C. And say the group audit materiality is $750,000. If company A has a passed adjustment of $300,000 in accounts receivable (an overstatement) and company C has an undetected misstatement in accounts receivable of $600,000 (also an overstatement), the aggregate uncorrected and undetected misstatements is material.

So, the group auditor needs to plan the engagement to keep aggregation risk at an appropriate level. One way to do so is to lower the materiality thresholds for the various components.

Sometimes, another auditor audits a component and issues an opinion on the entity. When this occurs, the group auditor can elect to reference the other auditor’s opinion.

Group audit

Referred-to Auditor

What is a referred-to auditor?

An auditor who audits an entity that the group audit report references.

The group engagement partner can only make reference when the referred-to auditor issues an audit report on a component that is not restricted as to use.

A referred-to auditor is not part of the audit team or a component auditor.

Should the group auditor direct the referred-to auditor’s work? No, the group auditor does not direct or supervise the referred-to auditor or review their work. Even so, the group engagement partner should determine whether the referred-to auditor followed generally accepted auditing standards (GAAS) or the PCAOB standards. Additionally, the group auditor should read the component’s financial statements and the referred-to audit report to see if there are any significant matters.

Referred-to Auditor Example

For example, Big CPA firm might audit ABC Company and XYZ Company. Little CPA firm audits DEF Company and issues an audit opinion on it. Big CPA’s audit report can reference Little CPA’s audit (provided specific requirements are met; see below). Illustration 2 in SAS 149 provides a sample report for this situation.

Here’s a sample referred-to paragraph that would follow the Big CPA firm’s opinion paragraph:

We did not audit the financial statements of DEF Company, a wholly owned subsidiary, whose statements reflect total assets constituting 15 percent and 20 percent, respectively, of consolidated total assets on December 31, 20X1 and 20X0, and total revenues constituting 14 percent and 17 percent, respectively, of consolidated total revenues for the years then ended. Those statements were audited by other auditors, whose report has been furnished to us, and our opinion, insofar as it relates to the amounts included for DEF Company, is based solely on the report of the other auditors.

(Note – I bolded some words to highlight the language in this example paragraph. Standard audit opinions do not bold such wording.)

The purposes of this referred-to paragraph are to communicate:

  • that the group auditor was not involved in the referred-to auditor’s audit, and
  • the source of the audit evidence for the referred-to components

The group auditor can provide the magnitude of the referred-to auditor’s work in percentages or dollar amounts. (The example above uses percentages.)

The group auditor does not direct the audit of the referred-to auditor’s work, so the group auditor says its opinion (concerning that portion of the group financial statements) is based solely on the referred-to auditor’s report.

Referred-to Auditor Communications

What communications should occur between the group auditor and the referred-to auditor?

The group auditor should communicate the related party relationships identified by group management, any other related party, and any related party transactions (that affect the referred-t0 auditor’s work) to the referred-to auditor.

Moreover, the group engagement partner should do the following:

  1. Make the referred-to auditor aware of relevant ethical requirements
  2. Confirm whether the referred-to auditor complied with the ethical requirements
  3. Determine whether the referred-to auditor has appropriate competence and capabilities

Referencing the referred-to auditor’s report may not be suitable if the group auditor believes the referred-to auditor lacks appropriate competence and capabilities or has not complied with ethical requirements.

The group auditor should request the following from the referred-to auditor:

  1. Identification of the component financial information on which the referred-to auditor issues a report
  2. Confirmation that the referred-to auditor will cooperate with the group auditor
  3. Related party relationships not previously identified by the group auditor or group management
  4. The auditor’s report of the referred-to auditor

Number of Audit Firms

So, do group audits always include more than one audit firm?

No, not necessarily. One firm can audit all entities in group audit financial statements. Alternatively, one or more component auditors from other audit firms can audit one or more components.

Here are examples of group audits:

  1. One firm audits all components comprising a consolidated financial statement
  2. One firm audits five entities comprising a consolidated financial statement, and another firm audits two entities included in that same consolidated financial statement
  3. For a governmental audit:
    1. Audit firm A audits seven opinion units
    2. Audit firm B audits a discretely presented component unit (one opinion unit)
  4. One firm audits a company that owns an equity method investment, and another firm audits the equity method investment company
  5. One firm audits all operations of a company in the United States, and another firm audits all operations in England (the company’s financial statements include all operations)

Exhibit A of SAS 149 (titled Relevancy of Requirements in Various Group Audit Scenarios) outlines the paragraphs in this standard that are relevant to various scenarios. The scenarios include the following:

  1. Group auditor – the group auditor carries out the audit, and no component auditors participate
  2. Group auditor and component auditors – component auditors are involved in the group audit
  3. Group auditor and referred-to auditors – the group auditor, in its audit opinion, makes reference to the referred-to auditor’s report, and no component auditor is involved
  4. Group auditor, component auditors, and referred-to auditor – the group auditor, in its audit opinion, makes reference to the referred-to auditor’s report, and component auditors are involved

So, see exhibit A for the pertinent SAS 149 paragraphs when performing a group audit.

Group Audit Documentation

What group audit documentation do you need?

Group audit documentation includes the following (this is not a comprehensive list):

  • The basis for component determinations and how those were used in planning and performing the group audit
  • The basis of component performance materiality and component thresholds for communication
  • Your understanding of the group’s system of internal control
  • The basis for your determination that component auditors possess sufficient competence and capabilities
  • Evidence of the group auditor’s direction and supervision of the component auditor and the review of their work
  • Communications with component auditors, including matters such as fraud, significant matters, or going concern
  • For referred-to auditors:
    • Financial statements of the component
    • Referred-to auditor’s report
    • The basis for your determination that the referred-to auditors possess sufficient competence and capabilities
  • The group auditor’s evaluation of, and actions taken in response to, findings or conclusions from component auditors or referred-to auditors regarding issues that could materially impact the group financial statements

Group Audit Summary

Here are summary points from the above:

  • The group audit standards are often relevant when you audit an entity with multiple entities, divisions, or opinion units (governments).
  • The group auditor (including the group engagement partner) directs a group audit, including a component auditor’s work.
  • The group auditor does not direct the work of a referred-to auditor; a referred-to auditor is not a part of the audit team.

SAS 149 Effective Date

SAS 149 is effective for audits of group financial statements for periods ending on or after December 15, 2026.

Payment fraud tests
Apr 24

Payment Fraud Tests: Five Powerful Ideas

By Charles Hall | Auditing , Fraud

Are you looking for payment fraud tests? Ways to detect fraudulent payments and create unpredictable tests. Here’s your article.

You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”

You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”

The staff member sheepishly responds, “I’m not sure.”

And you are thinking, “What can we do?”

Man looking for payment fraud

Five Payment Fraud Tests

Here are five payment fraud tests that you can perform in most any audit.

1. Test for duplicate payments

Why test for duplicate payments?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer does not normally examine supporting documentation and the payee name.

How can you test for duplicate payments?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).

2. Review the accounts payable vendor file for similar names

Why test for similar vendor names?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes might be used).

The check-signer will probably not recognize the payee name as fictitious.

How can you test for similar vendor names?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors

Why test for fictitious vendors?

The accounts payable clerk may add a fictitious vendor. What address will be entered for the fictitious vendor? You guessed it: the payable clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How can you test for fictitious vendors?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the business addresses to check for validity. If necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

YouTube player

4. Compare vendor and payroll addresses

Why compare vendor and payroll addresses?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How can you test for the same vendor and payroll addresses?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.

5. Scan all checks for proper signatures and payees

Why test checks for proper signatures and payees?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How can you test for proper signatures and payees?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).

Your Payment Fraud Tests

Those are a few of my payment fraud tests. Please share yours.

Need additional ideas regarding how fraud might occur. Check out my post: 25 Ways Fraud Happens.

My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. See The Little Book of Local Government Fraud Prevention. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.

Audit mistakes
Feb 09

Audit Mistakes: Seven Deadly Sins

By Charles Hall | Auditing

Seven deadly audit sins can destroy you. These audit mistakes kill your profits and effectiveness.

You just completed an audit project, and you have another significant write-down. Last year’s audit hours came in well over budget, and—at the time—you thought, This will not happen again. But here it is, and it’s driving you insane.

Insanity: doing the same thing year after year but expecting different results.

Are you ready for better results?

Audit Mistakes

Here are seven deadly (audit) sins that cause our engagements to fail.

Audit mistakes

1. We don’t plan

Rolling over the prior year file does not qualify as planning. Using canned audit programs is not planning.

What do I mean? We don’t know what has changed. Why? Because we have not performed real risk assessment such as current year walkthroughs. We have not (really) thought about current year risks of material misstatement.

Each year, audits have new wrinkles.

Are there any fraud rumors? Has the CFO left without explanation? Have cash balances decreased while profits increased? Does the client have a new accounting program or new staff? Can you still obtain the reports you need? Are there any new audit or accounting standards?

Anticipate issues and be ready for them with a real audit plan.

2. SALY lives

Elvis may not be in the house, but SALY is.

Performing the same audit steps is wasteful. Just because we needed the procedure ten years ago does not mean we need it today. Kill SALY. (No, I don’t mean your staff member; SALY stands for Same As Last Year).

I find that audit files are like closets. We allow old thoughts (clothes) to accumulate without purging. It’s high time for a Goodwill visit. After all, this audit mistake has been with you too long. So ask yourself Are all of the prior audit procedures relevant to this year’s engagement?

Will better planning require us to think more in the early phases of the engagement? Yes. Is this hard work? Yes. Will it result in less overall effort? Yes.

Sometimes the Saly issue occurs because of weak staff.

3. We use weak staff

Staffing your engagement is the primary key to project success. Excellent staff makes a challenging engagement pan out well. Poor staff causes your engagement time to balloon–lots of motion, but few results. Maybe you have smart people, but they need training. Consider AuditSense.

Another audit mistake is weak partner involvement.

4. We don’t monitor

Partners must keep an eye on the project. And I don’t mean just asking, “How’s it going?” Look in the audit file. See what is going on. In-charges will usually tell you what you want to hear. They hope to save the job on the final play, but a Hail Mary often results in a lost game.

As Ronald Reagan once said: Trust but verify.

Engagement partners need to lead and monitor. They also need to provide the right technology tools.

5. We use outdated technology

Are you paperless? Using portable scanners and monitors? Are your auditors well versed in Adobe Acrobat? Are you electronically linking your trial balances to Excel documents? Do you use project management software (e.g., Basecamp)? How about conferencing software (e.g., Zoom)? Do you have secure remote access to audit files? Do you store files securely in the cloud (e.g., Box)? Are you using data mining software such as Idea? Do you send electronic confirmations

Do your staff members fear you so much that they don’t give you the bad news?

6. Staff (intentionally) hide problems

Remind your staff that bad news communicated early is always welcome.

Early communication of bad news should be encouraged and rewarded (yes, rewarded, assuming the employee did not cause the problem).

Sometimes leaders unwittingly cause their staff to hide problems. In the past, we may have gone ballistic on them–now they fear the same.

And here’s one last audit mistake: no post-engagement review.

7. No post-engagement review

Once our audit is complete, we should honestly assess the project. Then make a list of inefficiencies or failures for future reference.

If you are a partner, consider a fifteen-minute meeting with staff to go over the list.

Your ideas to overcome audit mistakes

What do you do to keep your audits within budget?

internal control reporting
Feb 05

Internal Control Reporting When There are No Issues

By Charles Hall | Auditing

In this post, I provide an overview of the internal control reporting requirements when no significant deficiencies or material weaknesses are noted in an audit of the financial statements. I also provide guidance for when such an engagement is subject to the Government Auditing Standards (i.e., Yellow Book). You’ll see a video that shows you what the audit opinion and Yellow Book reports look like when both are in play, and there are no issues. 

internal control reporting

Internal Control Reporting Standards

There are two sets of rules when you perform an audit that is subject to the Yellow Book requirements:

  1. Generally accepted auditing standards from AICPA
  2. Government Auditing Standards (i.e., Yellow Book) from GAO

And only one set of rules if the audit is not subject to the Yellow Book requirements:

  1. Generally accepted auditing standards from AICPA

Consider two scenarios.

1. Perform an audit not subject to Yellow Book 

If you perform an audit (not subject to Yellow Book) and have no significant deficiencies or material weaknesses, then no internal control letter is required (for anyone). I refer to this letter as the “SAS 115 letter” since that’s where the original generally accepted auditing rule came from. Some people opt to issue one anyway. But again, this is not required.

In this scenario, you issue one report:

Audit opinion (and no internal control letter is issued)

2. Perform an audit subject to Yellow Book 

If you perform an audit that is subject to Yellow Book and have no significant deficiencies or material weaknesses, then no SAS 115 internal control letter is requiredSome people opt to issue one anyway.

A Yellow Book report is required (even though there are no significant deficiencies or material weaknesses) and is included in the audited financial statements, usually after the notes to the financial statement. 

You do not need to send this report to anyone separately (i.e., the government) since it’s included in the bound audit report.

So, in this scenario, you issue two reports:

  1. Audit opinion, and
  2. Yellow Book report

But what do these reports look like? 

Yellow Book Report and Amendments to Audit Opinion

Here is a video that shows you what a Yellow Book reports looks like when there are no significant deficiencies or material weaknesses. 

I also show you how to amend your standard audit opinion (governmental example) when the Yellow Book report is provided. 

See my related article about capturing and reporting control deficiencies. I define significant deficiencies and material weaknesses in another post.

YouTube player
1 2 3 16
>