Category Archives for "Auditing"

going concern
Jun 20

Going Concern: How to Understand the Accounting and Auditing Standards

By Charles Hall | Accounting , Auditing

Are you preparing financial statements and wondering whether you need to include going concern disclosures? Or maybe you’re the auditor, and you’re wondering if a going concern paragraph should be added to the audit opinion. You’ve heard there are new requirements for both management and auditors, but you’re not sure what they are.

This article summarizes (in one place) the new going concern accounting and auditing standards.

going concern

Going Concern Standards

For many years the going concern standards were housed in the audit standards–thus, the need for FASB to issue accounting guidance (ASU 2014-15). It makes sense that FASB created going concern disclosure guidance. After all, disclosures are an accounting issue. 

Accounting Standard

ASU 2014-15, Disclosure of Uncertainties about an Entity’s Ability to Continue as a Going Concern, provides guidance in preparing financial statements. This standard was effective for years ending after December 15, 2016.

GASB Statement 56, Codification of Accounting and Financial Reporting Guidance Contained in the AICPA Statements on Auditing Standards, is the relevant going concern standard for governments. GASB 56 was issued in March 2009. (GASB 56 requires financial statement preparers to evaluate whether there is substantial doubt about a governmental entity’s ability to continue as a going concern for 12 months beyond the date of the financial statements. As you will see below, this timeframe is different from the one called for under ASU 2014-15. This post focuses on ASU 2014-15 and SAS 132.)

Meanwhile, the Auditing Standards Board issued their own going concern standard in February 2017: SAS 132.

Auditing Standard

Auditors will use SAS 132, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern, to make going concern decisions. This SAS is effective for audits of financial statements for periods ending on or after December 15, 2017. SAS 132 amends SAS 126The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern.

So, let’s take a look at how to apply ASU 2014-15 and SAS 132.

Two Stages of Going Concern Decisions

In the past, the going concern decisions were made by auditors in a single step. Now, it is helpful to think of going concern decisions in two stages:

  1. Management decisions concerning the preparation of financial statements 
  2. Auditor decisions concerning the audit of the financial statements

First, we’ll consider management’s decisions.

Stage 1. Management Decisions

 

ASU 2014-15 provides guidance concerning management’s determination of whether there is substantial doubt regarding the entity’s ability to continue as a going concern.

Going Concern

What is Substantial Doubt?

So, how does FASB define substantial doubt? 

Substantial doubt about the entity’s ability to continue as a going concern is considered to exist when aggregate conditions and events indicate that it is probable that the entity will be unable to meet obligations when due within one year of the date that the financial statements are issued or are available to be issued.

What is Probable?

So, how does management determine if “it is probable that the entity will be unable to meet obligations when due within one year”?

Probable means likely to occur

If for example, a company expects to miss a debt service payment in the coming year, then substantial doubt exists. This initial assessment is made without regard to management’s plans to alleviate going concern conditions. 

ASC 205-40-50-4 says:

The evaluation initially shall not take into consideration the potential mitigating effect of management’s plans that have not been fully implemented as of the date that the financial statements are issued (for example, plans to raise capital, borrow money, restructure debt, or dispose of an asset that have been approved but that have not been fully implemented as of the date that the financial statements are issued).

But what factors should management consider?

Factors to Consider

Management should consider the following factors when assessing going concern:

  • The reporting entity’s current financial condition, including the availability of liquid funds and access to credit
  • Obligations of the reporting entity due or new obligations anticipated within one year (regardless of whether they have been recognized in the financial statements)
  • The funds necessary to maintain operations considering the reporting entity’s current financial condition, obligations, and other expected cash flows
  • Other conditions or events that may affect the entity’s ability to meet its obligations

Moreover, management is to consider these factors for one year. But from what date?

Timeframe

The financial statement preparer (i.e., management or a party contracted by management) should assess going concern in light of one year from the date “the financial statements are issued or are available to be issued.”

So, if December 31, 2017, financial statements (for a nonpublic company) are available to be issued on March 15, 2017, the preparer looks forward one year from March 15, 2017. Then, the preparer asks, “Is it probable that the company will be unable to meet its obligations through March 15, 2018?” If yes, substantial doubt is present and disclosures are necessary. If no, then substantial doubt does not exist. As you would expect, the answer to this question determines whether going concern disclosures are to be made and what should be included.

Substantial Doubt Answer Determines Disclosures

If substantial doubt does not exist, then going concern disclosures are not necessary.

If substantial doubt exists, then the company needs to decide if management’s plans alleviate the going concern issue. This decision determines the disclosures to be made. The required disclosures are based upon whether:

  1. Management’s plans alleviate the going concern issue
  2. Management’s plans do not alleviate the going concern issue

1. What if Management’s Plans Alleviate the Going Concern Issue?

If conditions or events raise substantial doubt about an entity’s ability to continue as a going concern, but the substantial doubt is alleviated as a result of consideration of management’s plans, the entity should disclose information that enables users of the financial statements to understand all of the following (or refer to similar information disclosed elsewhere in the footnotes):

  1. Principal conditions or events that raised substantial doubt about the entity’s ability to continue as a going concern (before consideration of management’s plans)
  2. Management’s evaluation of the significance of those conditions or events in relation to the entity’s ability to meet its obligations
  3. Management’s plans that alleviated substantial doubt about the entity’s ability to continue as a going concern

Management’s plans should be considered only if is it probable that they will be effectively implemented. Also, it must be probable that management’s plans will be effective in alleviating substantial doubt.

So, if management’s plans are expected to work, does the company have to explicitly state that management’s plans will alleviate substantial doubt? No. 

When management’s plans alleviate substantial doubt, companies need not use the words going concern or substantial doubt in the disclosures. And as Sears discovered, it may not be wise to do so (their shares dropped 16% after using the term substantial doubt even though management had plans to alleviate the risk). Rather than using the term substantial doubt, consider describing conditions (e.g., cash flows are not sufficient to meet obligations) and management plans to alleviate substantial doubt.

Sample Note – Substantial Doubt Alleviated

An example note follows:

Note 2 – Company Conditions

The Company had losses of $4,525,123 in the year ending March 31, 2017. As of March 31, 2017, its accumulated deficit is $11,325,354. 

Management believes the Company’s present cash flows will not enable it to meet its obligations for twelve months from the date these financial statements are available to be issued. However, management is working to obtain new long-term financing. It is probable that management will obtain new sources of financing that will enable the Company to meet its obligations for the twelve-month period from the date the financial statements are available to be issued.

Notice this example does not use the words substantial doubt.

2. What if Management’s Plans Do Not Alleviate the Going Concern Issue?

If conditions or events raise substantial doubt about an entity’s ability to continue as a going concern, and substantial doubt is not alleviated after consideration of management’s plans, an entity should include a statement in the notes indicating that there is substantial doubt about the entity’s ability to continue as a going concern within one year after the date that the financial statements are available to be issued (or issued when applicable). Additionally, the entity should disclose information that enables users of the financial statements to understand all of the following:

  1. Principal conditions or events that raise substantial doubt about the entity’s ability to continue as a going concern
  2. Management’s evaluation of the significance of those conditions or events in relation to the entity’s ability to meet its obligations
  3. Management’s plans that are intended to mitigate the conditions or events that raise substantial doubt about the entity’s ability to continue as a going concern

Sample Disclosure – Substantial Doubt Not Alleviated

An example disclosure follows:

Note 2 – Going Concern
 
The financial statements have been prepared on a going concern basis which assumes the Company will be able to realize its assets and discharge its liabilities in the normal course of business for the foreseeable future.  The Company had losses of $1,232,555 in the current year. The Company has incurred accumulated losses of $2,891,727 as of March 31, 2017. Cash flows used in operations totaled $555,897 for the year ended March 31, 2017.
 
Management believes these conditions raise substantial doubt about the Company’s ability to continue as a going concern within the next twelve months from the date these financial statements are available to be issued. The ability to continue as a going concern is dependent upon profitable future operations, positive cash flows, and additional financing.
 
Management intends to finance operating costs over the next twelve months with existing cash on hand and loans from its directors. Management is also working to secure new bank financing. The Company’s ability to obtain the new financing is not known at this time.
 
Notice this note includes a statement that substantial doubt is present. Though management’s plans are disclosed, the probability of success is not provided.

ASU 2014-15 Summary

ASU 2014-15 focuses on management’s assessment regarding whether substantial doubt exists. If substantial doubt exists, then disclosures are required. Here’s a short video summarizing 2014-15:

Thus far, we’ve addressed the stage 1. management decisions. As you can see management’s considerations focus on disclosures. By contrast, auditors focus on the audit opinion. Now, let’s look at what auditors must do.

Stage 2. Auditor Decisions

 

SAS 132 provides guidance concerning the auditor’s consideration of an entity’s ability to continue as a going concern.

Going Concern

Objectives of the Auditor

SAS 132, paragraph 10, states the objectives of the auditor are as follows:

  • Obtain sufficient appropriate audit evidence regarding, and to conclude on, the appropriateness of management’s use of the going concern basis of accounting, when relevant, in the preparation of the financial statements
  • Conclude, based on the audit evidence obtained, whether substantial doubt about an entity’s ability to continue as a going concern for a reasonable period of time exists
  • Evaluate the possible financial statement effects, including the adequacy of disclosure regarding the entity’s ability to continue as a going concern for a reasonable period of time
  • Report in accordance with this SAS

These objectives can be summarized as follows:

  1. Conclude about whether the going concern basis of accounting is appropriate
  2. Determine whether substantial doubt is present
  3. Determine whether the going concern disclosures are adequate
  4. Issue an appropriate opinion 

In light of these objectives, certain audit procedures are necessary.

Risk Assessment Procedures

In the risk assessment phase of an audit, the auditor should consider whether conditions or events raise substantial doubt. In doing so, the auditor should examine any preliminary management evaluation of going concern. If such an evaluation was performed, the auditor should review it with management. If no evaluation has occurred, then the auditor should discuss with management the appropriateness of using the going concern basis of accounting (the liquidation basis of accounting is required by ASC 205-30 when the entity’s liquidation is imminent) and whether there are conditions or events that raise substantial doubt. 

The auditor is to consider conditions and events that raise substantial doubt about an entity’s ability to continue as a going concern for a reasonable period of time. What is a reasonable period of time? It is the period of time required by the applicable financial reporting framework or, if no such requirement exists, within one year after the date that the financial statements are issued (or within one year after the date that the financial statements are available to be issued, when applicable). The governmental accounting standards require an evaluation period of “12 months beyond the date of the financial statements.”

Auditors should consider negative financial trends or factors such as:

  • Working capital deficiencies
  • Negative cash flows from operating activities
  • Default on loans
  • A denial of trade credit from suppliers
  • Need to restructure debt
  • Need to dispose of assets
  • Work stoppages or other labor problems
  • Need to significantly revise operations
  • Legal problems
  • Loss of key customers or suppliers
  • Uninsured catastrophes
  • The need for new capital

The risk assessment procedures are a part of planning an audit. You may obtain new information as you perform the engagement.

Remaining Alert Throughout the Audit

The auditor should remain alert throughout the audit for conditions or events that raise substantial doubt. So, after the initial review of going concern issues in the planning stage, the auditor considers the impact of new information gained during the subsequent stages of the engagement.

Audit Procedures When Substantial Doubt is Present

If events or conditions do give rise to substantial doubt, then the audit procedures should include the following (SAS 132, paragraph 16.):

  1. Requesting management to make an evaluation when management has not yet performed an evaluation
  2. Evaluating management’s plans in relation to its going concern evaluation, with regard to whether it is probable that: 
    1. management’s plans can be effectively implemented and 
    2. the plans would mitigate the relevant conditions or events that raise substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time
  3. When the entity has prepared a cash flow forecast, and analysis of the forecast is a significant factor in evaluating management’s plans: 
    1. evaluating the reliability of the underlying data generated to prepare the forecast and 
    2. determining whether there is adequate support for the assumptions underlying the forecast, which includes considering contradictory audit evidence
  4. Considering whether any additional facts or information have become available since the date on which management made its evaluation

Sometimes management’s plans to alleviate substantial doubt include financial support by third parties or owner-managers (usually referred to as supporting parties). 

Financial Support by Supporting Parties

When financial support is necessary to mitigate substantial doubt, the auditor should obtain audit evidence about the following:

  1. The intent of such supporting parties to provide the necessary financial support, including written evidence of such intent, and
  2. The ability of such supporting parties to provide the necessary financial support

If the evidence in a. is not obtained, then “management’s plans are insufficient to alleviate the determination that substantial doubt exists.”

Intent of Supporting Parties

The intent of supporting parties may be evidenced by either of the following:

  1. Obtaining from management written evidence of a commitment from the supporting party to provide or maintain the necessary financial support (sometimes called a “support letter”)
  2. Confirming directly with the supporting parties (confirmation may be needed if management only has oral evidence of such financial support)

If the auditor receives a support letter, he can still request a written confirmation from the supporting parties. For instance, the auditor may desire to check the validity of the support letter.

If the support comes from an owner-manager, then the written evidence can be a support letter or a written representation.

Support Letter

An example of a third party support letter (when the applicable reporting framework is FASB ASC) is as follows:

(Supporting party name) will, and has the ability to, fully support the operating, investing, and financing activities of (entity name) through at least one year and a day beyond [insert date] (the date the financial statements are issued or available for issuance, when applicable). 

You can specify a date in the support letter that is later than the expected date. That way if there is a delay, you may be able to avoid updating the letter.

The auditor should not only consider the intent of the supporting parties but the ability as well.

Ability of Supporting Parties

The ability of supporting parties to provide support can be evidenced by information such as:

  • Proof of past funding by the supporting party
  • Audited financial statements of the supporting party
  • Bank statements and valuations of assets held by a supporting party

After examining the intent and ability of supporting parties regarding the one-year period, you might identify potential going concern problems that will occur more than one year out.

Conditions and Events After the Reasonable Period of Time

So, should an auditor inquire about conditions and events that may affect the entity’s ability to continue as a going concern beyond management’s period of evaluation (i.e., one year from the date the financial statements are available to be issued or issued, as applicable)? Yes.

Suppose an entity knows it will be unable to meet its November 15, 2018, debt balloon payment. The financial statements are available to be issued on June 15, 2017, so the reasonable period goes through June 15, 2018. But management knows it can’t make the balloon payment, and the bank has already advised that the loan will not be renewed. SAS 132 requires the auditor to inquire of management concerning their knowledge of such conditions or events. 

Why? Only to determine if any potential (additional) disclosures are needed. FASB only requires the evaluation for the year following the date the financial statements are issued (or available to be issued, as applicable). Events following this one year period have no bearing on the current year going concern decisions. Nevertheless, additional disclosures may be merited.

Thus far, the requirements to evaluate the use of the going concern basis of accounting and whether substantial doubt is present have been explained. Now, let’s see what the requirements are for:

  • Written representations from management
  • Communications with those charged with governance
  • Documentation

Written Representations When Substantial Doubt Exists

When substantial doubt exists, the auditor should request the following written representations from management:

  1. A description of management’s plans that are intended to mitigate substantial doubt and the probability that those plans can be effectively implemented
  2. That the financial statements disclose all the matters relevant to the entity’s ability to continue as a going concern including conditions and events and management’s plans

Communications with Those Charged with Governance

Remember that you may need to add additional language to your communication with those charged with governance.

When conditions and events raise substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, the auditor should communicate the following (unless those charged with governance manage the entity):

  1. Whether the conditions or events, considered in the aggregate, that raise substantial doubt about an entity’s ability to continue as a going concern for a reasonable period of time constitute substantial doubt
  2. The auditor’s consideration of management’s plans
  3. Whether management’s use of the going concern basis of accounting, when relevant, is appropriate in the preparation of the financial statements
  4. The adequacy of related disclosures in the financial statements
  5. The implications for the auditor’s report

Documentation Requirements

When substantial doubt exists before consideration of management’s plans, the auditor should document the following (SAS 132, paragraph 32.):

  1. The conditions or events that led the auditor to believe that there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time.
  2. The elements of management’s plans that the auditor considered to be particularly significant to overcoming the conditions or events, considered in the aggregate, that raise substantial doubt about the entity’s ability to continue as a going concern, if applicable.
  3. The audit procedures performed to evaluate the significant elements of management’s plans and evidence obtained, if applicable.
  4. The auditor’s conclusion regarding whether substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time remains or is alleviated. If substantial doubt remains, the auditor should also document the possible effects of the conditions or events on the financial statements and the adequacy of the related disclosures. If substantial doubt is alleviated, the auditor should also document the auditor’s conclusion regarding the need for, and, if applicable, the adequacy of, disclosure of the principal conditions or events that initially caused the auditor to believe there was substantial doubt and management’s plans that alleviated the substantial doubt.
  5. The auditor’s conclusion with respect to the effects on the auditor’s report.

Opinion – Emphasis of Matter Regarding Going Concern

If the auditor concludes that there is substantial doubt concerning the company’s ability to continue as a going concern, an emphasis of a matter paragraph should be added to the opinion.

An example of a going concern paragraph is as follows:

The accompanying financial statements have been prepared assuming that the Company will continue as a going concern. As discussed in Note 2 to the financial statements, the Company has suffered recurring losses from operations, has a net capital deficiency, and has stated that substantial doubt exists about the company’s ability to continue as a going concern. Management’s evaluation of the events and conditions and management’s plans regarding these matters are also described in Note 2. The financial statements do not include any adjustments that might result from the outcome of this uncertainty. Our opinion is not modified with respect to this matter.

The auditor should not use conditional language regarding the existence of substantial doubt about the entity’s ability to continue as a going concern. 

Opinion – Inadequate Going Concern Disclosures

Paragraph 26. of SAS 132 states that an auditor should issue a qualified opinion or an adverse opinion, as appropriate, when going concern disclosures are not adequate.

SAS 132 Summary 

Now, let’s circle back to where we started and review the objectives of SAS 132.

The objectives are as follows:

  • Conclude about whether the going concern basis of accounting is appropriate
  • Determine whether substantial doubt is present
  • Determine whether the going concern disclosures are adequate
  • Issue an appropriate opinion 

Conclusion

As you can see ASU 2014-15 and SAS 132 are complex. So, make sure you are using the most recent updates to your disclosure checklists and audit forms and programs.

Finally, keep in mind that going concern is also relevant to compilation and review engagements.

Audit Planning Analytics
May 01

Audit Planning Analytics: What You Need to Know

By Charles Hall | Auditing

You can identify risks of material misstatement with audit planning analytics. 

Audit Planning Analytics

Audit Planning Analytics

The auditing standards provide four risk assessment procedures: 

  1. Inquiry
  2. Observation
  3. Inspection
  4. Analytical procedures

I previously provided you with information about the first three risk assessment procedures. Today, I provide you with the fourth, analytical procedures.

While analytical procedures should occur at the beginning and the end of an audit, this post focuses on planning analytics.

Below I provide the quickest and best way to develop audit planning analytics

What are Analytics?

If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the use of numbers to determine reasonableness. For example, if a company's cash balance at December 31, 2017, was $100 million, is it reasonable for the account to be $5 million at December 31, 2018? Comparisons such as this one assist auditors in their search for errors and fraud.

Overview of this Post

We'll cover the following:

  • The purpose of planning analytics
  • When to create planning analytics (at what stage of the audit)
  • Developing expectations 
  • The best types of planning analytics
  • How to document planning analytics
  • Developing conclusions 
  • Linkage to the audit plan

Purpose of Planning Analytics

The purpose of planning analytics is to identify risks of material misstatement. Your goal as an auditor is to render an opinion regarding the fairness of the financial statements. So, like a good sleuth, you are surveying the accounting landscape to see if material misstatements exist.

A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews, timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures. Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for material misstatements. 

The detective and the auditor are both looking for the same thing: evidence. And the deft use of tools can lead to success. A key instrument (procedure) available to auditors is planning analytics. 

When to Create Planning Analytics

Create your preliminary analytics after gaining an understanding of the entity. Why? Context determines reasonableness of numbers. And without context (your understanding of the entity), changes in numbers from one year to the next may not look like a red flag--though maybe they should.

Therefore, learn about the entity first. Are there competitive pressures?  What are the company's objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the organization have debt? Context creates meaning.

Additionally, create your comparisons of numbers prior to creating your risk assessments. After all, the purpose of the analytical comparisons is to identify risk.

But before creating your planning analytics, you first need to know what to expect.

Developing Expectations 

Knowing what to expect provides a basis for understanding the changes in numbers from year to year. 

Expectations can include:

  • Increases in numbers
  • Decrease in numbers
  • Stable numbers (no significant change)

In other words, you can have reasons to believe payroll (for example) will increase or decrease. Or you might anticipate that salaries will remain similar to last year.

Examples of Expectations Not Met

Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an increase of 15% is a flashing light.

Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be an indication of financial statement fraud.

But where does an auditor obtain expectations?

Sources of Expectations

Expectations of changes can come from (for example):

  • Past changes in numbers 
  • Discussions with management about current year operations
  • Reading the company minutes
  • Staffing reductions
  • Non-financial statistics (e.g., decrease the number of widgets sold)
  • A major construction project

While you'll seldom know about all potential changes (and that's not the goal), information--such as that above--will help you intuit whether change (or a lack of change) in an account balance is a risk indicator.

Now, let's discuss the best types of planning analytics. 

The Best Types of Planning Analytics

Auditing standards don't specify what types of planning analytics to use. But some, in my opinion, are better than others. Here's my suggested approach (for most engagements). 

Audit Planning Analytics

First, create your planning analytics at the financial statement reporting level. Why? Well, that's what the financial statement reader sees. So, why not use this level (if you can)? (There is one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)

The purpose of planning analytics is to ferret out unexpected change. Using more granular information (e.g., trial balance) muddies the water. Why? There's too much information. You might have three hundred accounts in the trial balance and only fifty at the financial statement level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I look at it.

Second, add any key industry ratios tracked by management and those charged with governance. Often, you include these numbers in your exit conference with the board (maybe in a slide presentation). If those ratios are important at the end of an audit, then they're probably important in the beginning.

Examples of key industry ratios include:

  • Inventory turnover
  • Return on equity
  • Days cash on hand
  • Gross profit 
  • Debt/Equity 

Okay, so we know what analytics to create, but how should we document them?

Analytics for Fraudulent Revenue Recognition

AU-C 240.22 says, "the auditor should evaluate whether unusual or unexpected relationships that have been identified indicate risks of material misstatement due to fraud. To the extent not already included, the analytical procedures, and evaluation thereof, should include procedures relating to revenue accounts." 

The auditing standards suggest a more detailed form of analytics for revenues. AU-C 240.A25 offers the following:

  • a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales.
  • a trend analysis of revenues by month and sales returns by month, during and shortly after the reporting period. This may indicate the existence of undisclosed side agreements with customers involving the return of goods, which, if known, would preclude revenue recognition.
  • a trend analysis of sales by month compared with units shipped. This may identify a material misstatement of recorded revenues.

In light of these suggested procedures, it may be prudent to create revenue analytics at a more granular level than that shown in the financial statements.

How to Document Planning Analytics

Here are my suggestions for documenting your planning analytics.

  1. Document overall expectations.
  2. Include comparisons of prior-year/current-year numbers at the financial statement level. (You might also include multiple prior year comparisons if you have that information.)
  3. Document key industry ratio comparisons.
  4. Summarize your conclusions. Are there indicators of increased risks of material misstatement? Is yes, say so. If no, say so.

Once you create your conclusions, place any identified risks on your summary risk assessment work paper (where you assess risk at the transaction level--e.g., inventory).

Use Filtered Analytical Reports with Caution (if at all)

Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with changes of greater than $30,000. There is a danger in using such thresholds. 

What if  you expect a change in sales of 20% (approximately $200,000) but your filters include:

  •  all accounts with changes greater than $50,000, and 
  • all accounts with changes of more than 15%

If sales remain constant, then this risk of material misstatement (you expected change of 20%, but it did not happen) fails to appear in the filtered report. The filters remove the sales account because the change was minimal. Now, the risk may go undetected.

Developing Conclusions

I am a believer in documenting conclusions on key work papers. So, how do I develop those conclusions? And what does a conclusion look like on a planning analytics work paper?

First, develop your conclusions. How? Scan the comparisons of prior year/current year numbers and ratios. We use our expectations to make judgments concerning the appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so, there's no formula for this. 

No Risk Identified

Now, you'll document your conclusions. But what if there are no unexpected changes? You expected the numbers to move in the manner they did. Then no identified risk is present. Your conclusion will read, (for example):

Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on the planning analytics, no risks of material misstatement were noted.

Risk Identified

Alternatively, you might see unexpected changes. You thought certain numbers would remain constant, but they moved significantly. Or you expected material changes to occur, but they did not. Again, document your conclusion. For example:

Conclusion: I expected payroll to remain constant since the company's workforce stayed at approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I am placing this risk of material misstatement on the summary risk assessment work paper at 0360 and will create audit steps to address the risk.

Now, it's time to place the identified risks (if there are any) on your summary risk assessment form.

Linkage to the Audit Plan

I summarize all risks of material misstatements on my summary risk assessment form. These risks might come from walkthroughs, planning analytics or other risk assessment procedures. Regardless, I want all of the identified risks--those discovered in the risk assessment process--in one place.

The final step in the audit risk assessment process is to link your identified risks to your audit program. 

Overview of Risk Assessment and Linkage

Now, I tailor my audit program to address the risks. Tailoring the audit program to respond to identified risks is known as linkage.

Audit standards call for the following risk assessment process:

  • Risk assessment procedures (e.g., planning analytics)
  • Identification of the risks of material misstatement
  • Creation of audit steps to respond to the identified risks (linkage)

Summary of Planning Analytics Considerations

So, now you know how to use planning analytics to search for risks of material misstatement--and how this powerful tool impacts your audit plan.

Let's summarize what we've covered:

  1. Planning analytics are created for the purpose of identifying risks of material misstatement
  2. Develop your expectations before creating your planning analytics (learn about the entity's operations and objectives; review past changes in numbers for context--assuming you've performed the audit in prior years)
  3. Create analytics at the financial statement level, if possible
  4. Use key industry ratios 
  5. Conclude about whether risks of material misstatement are present
  6. Link your identified risks of material misstatement to your audit program

If you have thoughts or questions about this post, please let me know below in the comments box. Thanks for reading.

First-Year Businesses and Planning Analytics

You may be wondering, "but what if I my client is new?" New entities don't have prior numbers. So, how can you create planning analytics? 

First Option

One option is to compute expected numbers using non-financial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.

Second Option

A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks.

While industry analytics can be computed, I’m not sure how useful they are for a new company. An infant company often does not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver--just in case.

Third Option

A more useful option is the third: comparing intraperiod numbers. 

Discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?

Fourth Option

The last option we’ve listed is a review of the budgetary comparisons. Some entities, such as governments, lend themselves to this alternative. Others, not so–those that don’t adopt budgets.

Summary

So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.

audit and work paper mistakes
Apr 23

Forty Audit and Work Paper Mistakes

By Charles Hall | Auditing

Today, I offer you a list of forty audit and work paper mistakes.

audit and work paper mistakes

The list is based on my observations from over over thirty years of audit reviews (and not on any type of formal study).

You will, however, shake your head in agreement as you read these. I know you’ve seen them as well. The list is not comprehensive. So, you can add others in the comments section of this post.

Here’s the list.

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing documents in the file with no purpose (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linking)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers
  35. Tickmarks are not defined (at all)
  36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done
  37. No group audit documentation though a subsidiary is included in the consolidated financial statements
  38. No elements of unpredictability were performed
  39. Not inquiring of those charged with governance about fraud
  40. Not locking the file down after 60 days 

That’s my list. What would you add?

supplementary information
Apr 11

Supplementary Information, Other Information and Required Supplementary Information

By Charles Hall | Auditing

What’s the difference in supplementary information, additional information, and required supplementary information? What language should be included in the audit opinion when such information is included in the financial statements?  What audit procedures must be performed? Below I provide the answers.

supplementary information

1. Supplementary Information

Supplementary information is defined as information presented outside the basic financial statements, excluding required supplementary information (see below), that is not considered necessary for financial statements to be fairly-presented in accordance with the applicable financial reporting framework (e.g. FASB).  (See AU-C 725 for more guidance about supplementary information.)

Supplementary information may include:

  • Accounting information and
  • Nonaccounting information

Supplementary information examples include:

  • Detail of “Other Income” as shown in the statement of operations*
  • Detail of “General and Administrative” expenses as shown in the statement of operations*
  • Number of employees in a given payroll period**

* Derived from financial statements

** Not derived from the financial statements

Procedures to Perform

Procedures to be performed include:

  • Determine whether the information is fairly stated, in all material respects, in relation to the financial statements as a whole

Sample Opinion Language

Example auditor’s report paragraph:

The [identify accompanying supplementary information] is presented for purposes of additional analysis and is not a required part of the financial statements. Such information is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the financial statements. The information has been subjected to the auditing procedures applied in the audit of the financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the financial statements or to the financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the information is fairly stated in all material respects in relation to the financial statements as a whole.

For examples of presenting the supplementary language (1) in the standard opinion or (2) separately, click here.

Notice that an opinion is rendered on supplementary information. No opinion is given in regard to other information.

2. Other Information

Other information is financial and nonfinancial information (other than the financial statements and the audit report) that is included in a document containing audited financial statements and the audit report (e.g., an annual report), excluding required supplementary information. An auditor can use this option when he or she is not engaged to render an opinion on such information. (See AU-C 720 for more guidance about other information.)

Other information examples include:

  • Financial summaries
  • Employment data
  • Planned capital expenditures
  • Names of officers and directors

Procedures to Perform

Procedure to be performed:

  • Reading the other information in order to identify any material inconsistencies with audited financial statements

Sample Opinion Language

The auditor can use an other-matter paragraph to disclaim an opinion regarding other information. Sample language follows:

Our audit was conducted for the purpose of forming an opinion on the basic financial statements as a whole. The [identify the other information] is presented for purposes of additional analysis and is not a required part of the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the basic financial statements, and accordingly, we do not express an opinion or provide any assurance on it.

3. Required Supplementary Information

Required supplementary information (RSI) is information that a designated accounting standard-setter (e.g., FASB, GASB) requires to accompany the basic financial statements. RSI is not part of the basic financial statements. However, the designated accounting standard-setter has determined that the information is an essential part of financial reporting. (See AU-C 730 for more guidance about required supplementary information.)

Required supplementary information examples include:

  • Management discussion and analysis (MD&A) for governments
  • Estimates of current or future costs of future major repairs and replacements for common interest realty associations

Procedures to Perform

Procedures to be performed include:

  • Inquiry of management about methods used to create information
  • Comparing the information for consistency with management responses and the financial statements
  • Obtaining written representations from management

Sample Opinion Language

Example auditor’s report paragraph:

Accounting principles generally accepted in the United States of America require that the [identify the required supplementary information] on page XX be presented to supplement the basic financial statements. Such information, although not a part of the basic financial statements, is required by the Financial Accounting Standards Board who considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Some governments exclude the MD&A. Here is sample opinion wording when the MD&A is omitted.

Supplementary Information in Compilations and Review Engagements

You can see information about supplementary information wording for compilation or review reports here. Also, see my post about presenting supplementary information in compilation and preparation engagements.

Hosting Services can impair your independence
Jan 09

Hosting Services Impair a CPA’s Independence

By Charles Hall | Auditing

Hosting services impair a CPA’s independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This article explains why your possession of client records, whether electronic or hard-copy, can affect your independence.

Hosting Services Impair a CPA’s Independence

Starting September 1, 2018, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on our server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)

The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.

Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.

In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.

To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not. 

Continue reading

Better client interviews
Dec 13

Four Keys to Better Client Interviews

By Charles Hall | Auditing

Many times I have interviewed accounting staff and walked away thinking, “I have no idea what they just said to me.” Do you ever have this problem? If yes, this article is for you. Below I provide four keys to better client interviews.

Better client interviews

In my early years–fresh out of college–I would think: “I must be stupid. It’s obvious, he understands what he just said, but I don’t.” Often my anxiety would increase when I realized the interviewee (e.g, accounts payable clerk) had no college degree (and me, a masters in accounting).

Reasons We Don’t Understand

After years of performing interviews, I realized that I wasn’t dense (at least, not as much as I thought), and that I was encountering what The Art of Explanation calls, the “curse of knowledge.”

What is the “curse of knowledge?” It’s when someone knows a subject very well, and, consequently, has a difficult time imagining what it is like to not know it. I was experiencing the “curse of knowledge.” Those I interviewed thought knew what they knew. As a result, they left out details.

Also, those I interviewed had years of experience doing the same job day after day. Of course they understood what they did. But I had less than an hour, in many cases, to grasp their duties.

Additionally, those I interviewed used a language unique to their office, and I, mistakenly, tried to use a different language—one I had learned in college. The result: we did not understand one another. So how can I communicate and comprehend better?

Four Keys to Interviewing

1. Pay attention to their language and use it.

If they call it a thingy, then I call it a thingy.

2. Seek understanding more than trying to impress.

I often want to impress more than I desire to understand. The remedy: Admit (maybe even out loud) I don’t know everything.

I tell the clerk, “Treat me like I don’t know anything. I’ve never been here, so I need your help in understanding what you do.”

To higher level personnel (e.g., CFO), I might say, “I have worked in this industry for fifteen years, but I need your help to understand how you guys operate.”

3. Repeat what is said to you.

For example, “May I repeat what you just said to make sure I understand? ‘The thingy is created once per week on Mondays to ensure that total receipts agree with deposits.’”

4. Use your cell phone to take pictures and to record parts of the interview.

Just last week, I reviewed a complex accounting system (for about three hours). As I did so, I used my cell phone Evernote app to take pictures of computer screens and printed reports. I also used the app to record parts of the conversation. Later, I summarized the conversation in memo form (complete with pictures).

Scanbot is another useful iPhone app if you take pictures of client information. By using your phone to take pictures, you can leave your physical scanner in your office.

Your Interviewing Ideas

Have I left out any key interviewing ideas? Please share your thoughts.

Check out my series of articles about auditing.

how to capture and communicate internal control deficiencies
Nov 29

How to Capture and Communicate Internal Control Deficiencies

By Charles Hall | Auditing

Too many times auditors fail to capture control deficiencies in the audit process. So, today I’ll show you how to capture and communicate internal control deficiencies.

A Common End-of-Audit Problem

We’re concluding another audit, and it’s time to consider whether we will issue a letter communicating internal control deficiencies. A month ago we noticed some control issues in accounts payable, but presently we’re not clear about how to describe them. We hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks we’re done, and quite frankly, they are tired of seeing us. We know that boiler-plate language will not clearly communicate the weakness or how to fix it. Now we’re kicking ourselves for not taking more time to document the control deficiencies.

Here’s a post to help capture and document internal control issues as we audit.

How to Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

  1. How to communicate them
  2. How to discover them
  3. How to capture them
how to capture and communicate internal control deficiencies

Picture is courtesy of AdobeStock.com

As we begin, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Categorizing a control weakness is not a science, but an art. With this thought in mind, let’s start our journey with how control weaknesses should be reported.

1. How to Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

2. How to Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

  1. Planning – Risk assessment and walkthroughs
  2. Fieldwork – Transaction-level work
  3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

  • Do the monthly financial statements ever contain errors?
  • Are invoices mistakenly omitted from the payable system?
  • Do employees forget to obtain purchase order numbers prior to buying goods?
  • Are new employees ever unintentionally left off the payroll?
  • Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

3. How to Capture Control Weaknesses

So, how do you capture the control weakness?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

  1. You may not be on the engagement when it concludes (because you are working elsewhere) or
  2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Internal Controls

Picture is courtesy of AdobeStock.com

Internal Control Capture Form

 What should be in the internal control form? At a minimum include the following:

  1.  Check-mark boxes for:
    • Significant deficiency
    • Material weakness
    • Other control deficiency
    • Other issues (e.g., violations of laws or regulations) 
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
    • If the probability of occurrence is at least reasonably possible and the magnitude of the potential misstatement is material, then the client has a material weakness
  3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person who identified the issue and the date when the issue was identified
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

Summary

The main points in capturing and communicating internal control deficiencies are:

  1. Capture control weaknesses as soon as you see them
  2. Develop a form to document the control weaknesses

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

understand and communicate material weaknesses and significant deficiencies
Nov 24

Understand and Communicate Material Weaknesses and Significant Deficiencies

By Charles Hall | Auditing

In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.

How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.

understand and communicate material weaknesses and significant deficiencies

And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.

Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.

Definitions of Control Weaknesses

A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.

  1. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  2. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  3. Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.

How to Categorize a Control Weaknesses

Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.

Material Weakness

First, ask these two questions:

  1. Is there a reasonable possibility that a misstatement could occur?
  2. Could the misstatement be material?

If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)

Significant Deficiency

If your answer to either of the questions is no, then ask the following:

Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.

If the answer is yes, then it is a significant deficiency.

If no, then it is not a significant deficiency or a material weakness.

How to Communicate Material Weaknesses and Significant Deficiencies

The following deficiencies must be communicated in writing to management and to those charged with governance:

  • Material weaknesses
  • Significant deficiencies

The written communication (according to AU-C section 265) must include:

  • the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
  • a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
  • sufficient information to enable those charged with governance and management to understand the context of the communication
  • the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
  • the fact that the auditor is not expressing an opinion on the effectiveness of internal control
  • that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
  • an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication

Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).

How to Communicate Other Deficiencies

Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.

photo

Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.

A Key Word of Warning

Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.

Additional Information

Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.

unnecessary work papers
Nov 19

Seven Excuses for Unnecessary Audit Work Papers

By Charles Hall | Auditing

Unnecessary audit work papers create clutter and can create legal problems.

I see two problems in most audit work paper files:

(1) Too much documentation, and
(2) Not enough documentation

I recently wrote a post tilted: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I have already covered the “not enough documentation” issue, today we’ll look at the other problem, too much documentation.

unnecessary audit work papers

Seven Excuses for Unnecessary Audit Work Papers

Over the last thirty years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are a few standard answers.

1. It was there last year.

But is it relevant this year? Resist the temptation just to copy or bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

For some reason, young auditors tend to put everything given to them in the file. I think they believe, “if the client gave it to me, it must be important.”

There is one reason to place documentation is the file: It provides audit evidence to support the opinion.

3. I may need it next year.

Then save it—somewhere other than the audit file—for next year. If the information does not provide current year engagement evidence, then it does not belong in the current year file.

Consider setting up a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: next year’s work papers; then move this section from the current year file as you wrap up the engagement.

4. I might need it this year.

Before going paperless (back in the days of moving work papers with a hand truck), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled “Recycle Bin” that sits at the bottom of my file. If I receive information that is not relevant to the current year work, I move it to the recycle bin, and while I am wrapping up the engagement, I dispose of the entire folder.

5. It’s an earlier version of an existing work paper.

Move earlier versions of work papers (e.g., initial financial statements) to your recycle bin.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attestation work – e.g., deferred taxes).

7. We missed a fraud ten years ago, so we always include these work papers.

Fraud procedures (and all procedures for that matter) should reflect the current year audit risk assessment and planning.

Closing Comments

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide an attorney ammunition. “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

Hear my podcast based on this post.

What are your thoughts about removing unnecessary audit work papers?

1 2 3 6
>