Category Archives for "Auditing"

Jan 24

Audit Lessons from a Brain Tumor

By Charles Hall | Auditing

I said to my wife, “Am I driving straight?” I felt as if I was weaving, not quite in control. I felt dizzy and heard clicking noises in my ears.

The mystery only increased over the next two years as I visited three different doctors. They stuck, prodded, and probed me–but no solution.

Frustrating.


Meanwhile, I felt a growing numbness on the right side of my face. So one night I started Googling health websites (the thing they tell you not to do) and came upon this link: Acoustic Neuroma Association. I clicked it. It was like reading my diary. It couldn’t be. A brain tumor.

The next day I handed my doctor the acoustic neuroma information and said, “I think this is what I have. I want a brain scan.”

Two days after the scan, while on the golf course, I received the doctor’s call: “Mr. Hall, you were right. You have a 2.3-centimeter brain tumor.” (I sent him a bill for my diagnosis but he never paid–just kidding.) My golfing buddies gathered around and prayed for me on the 17th green, and I went home to break the news to my wife. I had two children, two and four at the time. I was concerned.

Shortly after that, I was in a surgeon’s office in Atlanta. The doctor said they’d do a ten-hour operation; there was a 40% chance of paralysis and a 5% chance of death. The tumor was too large for radiation–or so I was told.

I didn’t like the odds, so I prayed more and went back to the Internet. There I located Dr. Jeffrey Williams at Johns Hopkins Hospital in Baltimore. I emailed the good doctor, telling him of the tumor’s size. His response: “I radiate tumors this size every day.” He was a pioneer in fractionated stereotactic radiation, one of the few physicians in the world using this procedure (at the time).

A few days later, I’m lying on an operating table in Baltimore with my head bolted down, ready for radiation. They bolt you down to ensure the cooking of the tumor (and not the brain). Fun, you should try it. Four more times I visited the table. Each time everyone left the room–a sure sign you should not try this at home.

Each day I lay there silently, talking to God and trusting Him.

Three weeks later I returned to work. Twenty years later, I have had two sick days.

I’ve watched my children grow up. They are twenty-four and twenty-six now–both finished college. My wife is still by my side, and I’m thankful for each day.

Cades Cove, Tennessee with my wife

So what does a brain tumor story tell us about audits? (You may, at this point, be thinking: they did cook the wrong part.)

Audit Lessons Learned from a Brain Tumor

1. Pay Attention to Signs

It’s easy to overlook the obvious. Maybe we don’t want to see a red flag (I didn’t want to believe I had a tumor). It might slow us down. But an audit is not purely about finishing and billing. It’s about gathering proper evidential matter to support the opinion. To do less is delinquent and dangerous.

2. Seek Alternatives

If you can’t gain appropriate audit evidence one way, seek another. Don’t simply push forward, using the same procedures year after year. The doctor in Atlanta was a surgeon, so his solution was surgery. His answer was based on his tools, his normal procedures. If you’ve always used a hammer, try a wrench.

3. Seek Counsel

If one answer doesn’t ring true, see what someone else thinks, maybe even someone outside your firm. Obviously, you need to make sure your engagement partner agrees (about seeking outside guidance), but if he or she does, go for it. I often contact the Center for Plain English Accounting. I find them helpful and knowledgeable. I also have relationships with other professionals, so I call friends and ask their opinions–and they call me. Check your pride at the door. I’d rather look dumb and be right than look smart and be wrong.

4. Embrace Change

Fractionated stereotactic radiation was new. Dr. Williams was a pioneer in the technique. The only way your audit processes will get better is to try new techniques: paperless software (we use Caseware), data mining (we use IDEA), real fraud inquiries (I use ACFE techniques), electronic bank confirmations (I use Confirmation.com), project management software (I use Basecamp). If you are still pushing a Pentel on a four-column, it’s time to change.

Postscript

Finally, remember that work is important, but life itself is the best gift. Be thankful for each moment, each hour, each day.

Jan 11

SSAE 19: Agreed-Upon Procedures Engagements

By Charles Hall | Auditing

On December 19, 2019, the AICPA released SSAE 19, Agreed-Upon Procedures Engagements. This is one of those standards that you'll want to implement early. Why? Greater flexibility. 

Greater AUP Flexibility

CPAs will find the new agreed-upon procedures (AUP) standard (SSAE 19) more flexible than the preceding guidance (SSAE 18 AT-C section 215).

How is it more flexible?

  • You no longer request an assertion from the responsible party
  • You can issue general-use reports 
  • Intended users are not required to take responsibility for the sufficiency of the procedures
  • You can develop or assist in developing the procedures over the course of the engagement

And which of these do I like the best? No requirement for assertions.

Additionally, I like the option to develop AUP procedures as the engagement progresses. In the past, the client might review the draft AUP report (at the end of the engagement) and realize it doesn't meet their needs. Sometimes it's better for practitioners to develop procedures as they perform the AUP. SSAE 19 allows you to do just that.

So, if you develop new procedures, what must you do? Prior to issuance of the AUP report, obtain the engaging party's agreement regarding the procedures. Moreover, obtain their acknowledgement that the procedures are appropriate and that they satisfy the intended purpose of the engagement. In effect, the client reviews the procedures, agrees with them, and expresses satisfaction.

Definition of an Agreed-Upon Procedures Engagement

SSAE 19 defines an agreed-upon procedures engagement as "an attestation engagement in which a practitioner performs specific procedures on subject matter and reports the findings without providing an opinion or conclusion. The subject matter may be financial or nonfinancial information." The standard goes on to say "Because the needs of engaging party may vary widely, the nature, timing, and extent of the procedures may vary, as well."


Now, let's see what the AUP objectives are.

SSAE 19 Objectives

The objectives of an SSAE 19 engagement include:

  • Applying specific procedures to subject matter
  • Issuing a written practitioner's report that describes the procedures applied and the findings

Next, let's look at the structure of an AUP report.

AUP Report Structure

The structure of the AUP report should be as follows:

  • Procedures
  • Findings

So, the CPA should state what was done and then provide the findings (results). The procedures and findings are placed in the body of the AUP report. 

The description of the procedures should be simple and clear.

Good AUP Procedure and Finding

Here's an example of a good AUP procedure and finding:

Procedure - We obtained the January 2020 check register and the January operating bank account statement. We compared check numbers 2850, 2892, 2933, 2935, 2972 to cleared checks agreeing the payee and the amount. 

Findings - No exceptions were noted.

Now, let's look at a poor example:

Poor AUP Procedure and Finding

Procedure - We scanned the company's 2020 bank statements and talked with the CFO. The books seemed to be in order with the exception of July errors.

Finding - Overall, the check disbursements appear to be okay after our general review.

In this poor example, we see general words or statements. What does the word "scanned" mean? How about "seemed to be in order"? Additionally, the finding is vague: "okay after our general review."

SSAE 19 provides examples of acceptable and unacceptable wording.

Acceptable and Unacceptable AUP Wording

SSAE 19 calls on the practitioner to clearly define procedures. Moreover, the standard states that practitioners should not perform procedures that are open to varying interpretations or that are vague.

Unacceptable Terms

.A27 of the standard even provides examples of unacceptable AUP terms such as:

  • General review
  • Evaluate
  • Examine

Acceptable Terms

.A27 also provides examples of acceptable AUP terms such as:

  • Inspect
  • Compare
  • Agree
  • Recalculate

In addition to proper wording, document your engagement in accordance with SSAE 19.

AUP Documentation

SSAE 19 calls for the following documentation:

  • Written agreement with the engaging party regarding the appropriateness of the procedures performed for the intended purpose of the engagement
  • The nature, timing, and extent of procedures performed
  • The results of the procedures

You'll also need a written engagement letter (see paragraph .15 of SSAE 19 for an example) and a representation letter (see paragraph .27 of SSAE 19 for an example).

So what about dating the representation letter? The representation letter date should be the date of the AUP report. Additionally, the representation letter should address the subject matter and periods covered by the practitioner's findings.

By now you may be thinking, "Where can I find AUP report examples?"

SSAE 19 Illustrative AUP Report

SSAE 19 provides four illustrative AUP reports in its exhibit (see .A78). 

The four example AUP reports relate to:

  1. Statement of investment performance statistics
  2. Cash and accounts receivable
  3. Claims of creditors
  4. Procedures specified in regulation

If you're looking for a template to follow, see example 2. Why? The cash and accounts receivable procedures and findings are excellent. Build procedures and findings like these and you'll be in good shape.

I suggest you download SSAE 19 and keep these reports handy.

So, what about independence? Is that required?

Attestation Independence

The practitioner has to be independent in order to perform an AUP.  

One exception exists when the practitioner "is required by law or regulation to accept an agreed-upon procedures engagement and report on the procedures performed and findings obtained."

SSAE 19 Effective Date

The effective date of SSAE 19 is for AUP reports dated on or after July 15, 2021.

Early implementation is permitted.

Aug 05

Peer Reviewers Focus on Independence Documentation

By Charles Hall | Auditing, Preparation, Compilation & Review

Peer reviewers focus on independence documentation. Today I’ll provide you with examples of what peer reviewers are looking for and guidance to keep you out of hot water.


Documentation of Nonattest Services

Peer reviews focus upon nonattest services provided to attest clients. How do we know? Well, see the peer review checklist question below (for an attest engagement).

[Image: peer review checklist question on nonattest services]

The big “no-no” is to assume management responsibilities and then perform an attest service. Why? Performing management responsibilities impairs your independence. 

Preparing Financial Statements

Below is another question from the peer review checklists. Notice the first item below: Accepting responsibility for the preparation and fair presentation of the client’s financial statements. The client (not the auditor) must assume responsibility for the financial statements.

[Image: peer review checklist question]

If the client can’t–or is unwilling to–assume responsibility for the financial statements, then we are not independent, and we cannot perform an audit or a review. This assumption of responsibility does not mean the client has the ability to create financial statements, but it does mean that:

  • the client will oversee the nonattest service,
  • the client will evaluate the adequacy and results of the nonattest service, and
  • the client will accept responsibility for the nonattest service

If we prepare financial statements and perform an audit, review, or compilation, we have performed a nonattest service and an attest service. Why is this important? Because if we perform a nonattest service and an attest service for the same client, we must assess our independence. And if we are not independent, then we can’t perform an audit or review engagement. (It is permissible to perform the compilation engagement when independence is impaired, but the accountant must say–in the compilation report–that he is not independent.)

Other Peer Review Questions

The peer review checklists also ask for:

  • The name and title of the client personnel overseeing the nonattest service and
  • A description of the accountant’s “assessment and factors leading to your satisfaction that the client personnel overseeing the service had sufficient skills, knowledge and experience.”

Separate Form to Document Independence

So do we need a separate form in our file to document independence?

It certainly would not hurt, and I suggest that you do. PPC and CCH offer such forms (and I am sure other work paper providers do the same). These forms provide a place to document all nonattest services and to assess and document our client’s ability to assume responsibility for the nonattest services.

The PPC and CCH forms also address the cumulative effect of performing multiple nonattest services. The AICPA has stated that the performance of multiple nonattest services can impair independence. So you should document your consideration of whether the cumulative nonattest services create a problem. Peer review checklists ask if we documented this consideration.

Additionally, if significant threats are present, the accountant should document the safeguard(s) used to mitigate the risk. This documentation is particularly crucial in Yellow Book engagements. The PPC and CCH independence forms will assist you with this documentation. Below are peer review checklist questions:

Alignment in Independence Documentation

We should–in the engagement letter–specify the nonattest services and the responsibilities of management. If you are performing an audit or a review engagement, add additional language to the representation letter regarding the nonattest services performed and the client’s responsibility for those services.

So I am suggesting you document the nonattest services in three places:

  • Engagement letter,
  • Independence form, and
  • Representation letter (when relevant)

And when you do, please make sure the nonattest services listed in each document are the same. 

Jul 06

The Why and How of Auditing: My New Book on Amazon

By Charles Hall | Auditing

The Why and How of Auditing

Do you ever feel trapped by an audit? Like you can’t finish. It started so well, but somewhere along the way, something went wrong. The wheels came off.

Maybe it started with your acceptance of a new client that you didn’t feel good about from the beginning.

Or possibly your new staff members don’t understand risk assessment. So they blindly followed last year’s work papers. However, the auditee has new risks, and the audit team failed to address them.

Wow, the audit budget is busted. But you still need to finish the substantive and wrap-up work. Just creating financial statements will take a week.

Additionally, you’re in a peer review year.

The clock is ticking. And how do you feel? Trapped!

Want less stress? Then check out The Why and How of Auditing.

My new book explains the full audit process, from beginning to end, from client acceptance to audit opinion issuance. Also, you’ll find helpful guidance for the audit of transaction cycles such as receivables and revenue, payables and expenses, debt, payroll, and more—all in one easy-to-understand book.

Discover helpful ways to plan, execute, and complete your audit engagements.

Imagine: quality audits finished on time.

Praise for The Why and How of Auditing

Need a quick-reference audit guide? This is it. Charles walks you from the beginning of the audit process all the way to the end, an excellent plain-english guide.

Mark Wiseman, CPA, CMA, Partner
Brown, Edwards & Company, L.L.P. Roanoke, Virginia

This is a great how-to, hands-on guide that will help you conduct a quality audit and provide value to your clients. Go over a chapter a week with your audit team. The book provides the why and how behind your audit programs and workpapers.

James H. Bennett, CPA, Managing Member
Bennett & Associates, CPAs PLLC Ann Arbor, Michigan

Thanks Charles for clarifying what’s important in an audit. Recommended reading for any auditor level.

Jay Miyaki, CPA, Partner
Jay Miyaki, LLC Honolulu, Hawaii

The author steps through each audit area in a simple manner and clearly explains topics that are often complex by providing numerous examples and personal anecdotes. I highly recommend this text to anyone in the financial statement audit profession.

Jacob Gatlin, CPA, PhD
CDPA, PC Athens, Alabama

Charles Hall’s “The Why and How of Auditing” is comprehensive, yet easy to implement. This guide will enhance the effectiveness of your audit engagements.

Armando Balbin, CPA, Partner
Downey, California

I highly recommend Charles Hall’s latest book, “The Why and How of Auditing.” Charles takes a complicated subject and makes it simple. Our team found it particularly useful in the areas of questions to ask, procedures to follow, and work paper examples.

Bill Burke, CPA, Partner
Burke, Worsham and Harrell, LLC Bainbridge, Georgia

A must-read for auditors! The Why and How of Auditing is insightful, practical, and rich with ideas. Charles takes a complex topic and breaks it down into an easy to read, well-defined road map.

Kathryn Fletcher, CPA, MBA, Partner
Draffin Tucker Atlanta, Georgia

Get Your Copy Now!

Click here to see the book on Amazon.

Apr 26

Inherent Risk: How to Save Time by Properly Assessing

By Charles Hall | Auditing, Risk Assessment

Do you know how to assess inherent risk? Knowing when inherent risk is low is a key to efficient audits. In this article, I tell you how to assess inherent risk--and how lower risk assessments (potentially) decrease the amount of work you perform.


While audit standards don't require a separate assessment on inherent risk (IR) and control risk (CR), it's wise to do so. Why? So you know what drives the risk of material misstatement (RMM). 

Many auditors assess control risk at high (after performing their risk assessment procedures). Why? So they don't have to test controls. 

If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk results in a moderate risk of material misstatement. Why is this important? Lower RMMs provide the basis for less substantive work.

The Audit Risk Model

Before we delve deeper into inherent risk assessment, let's do a quick review of the audit risk model. Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”

Audit risk is defined as follows:

Audit Risk = IR X CR X Detection Risk

Inherent risk and control risk live within the entity to be audited.

Detection risk lies with the auditor.

A material misstatement may develop within the company because the transaction is risky or complex. Then, controls may not be sufficient to detect and correct the misstatement. 

If the auditor fails to detect the material misstatement, audit failure occurs. The auditor issues an unmodified opinion when a material misstatement is present.

Risk of Material Misstatement

As we plan an audit, we assess the risk of material misstatement. It is defined as follows:

RMM = IR X CR

Auditors assess the risk of material misstatement at the assertion level so they can determine the level of substantive work. Substantive work is the response to risk.

If the RMM is high, more substantive work is needed. Why? To reduce detection risk. 

But if the RMM is low to moderate, less substantive work is needed. 

Inherent Risk

What is inherent risk? The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Examples

The inherent risk of cash is greater than that of a building. Cash is easily stolen. Buildings are not.  

The inherent risk of a hedge transaction is greater than that of a trade receivable. Hedges can be complicated to compute. Trade receivables are not. 

Post-retirement liabilities are inherently risky. Why? It's a complex accounting area. The numbers usually come from an actuary. There are estimates in the form of assumptions.

Inherent Risk Factors 

Consider factors such as the following in assessing inherent risk:

  • Susceptibility to theft or fraudulent reporting
  • Complex accounting or calculations
  • Accounting personnel’s knowledge and experience
  • Need for judgment
  • Difficulty in creating disclosures
  • Size and volume of accounts balance or transactions
  • Susceptibility to obsolescence
  • Prior year period adjustments

Inherent risk is not an average of the above factors. Just one risk factor can make an account balance or transaction cycle or disclosure high risk.

Inherent Risk at Less Than High

When inherent risk is less than high, you can perform fewer or less rigorous substantive procedures.

An example of a low inherent risk is the existence assertion for payables. If experienced payables personnel accrue payables, then the existence assertion might be assessed at low. (The directional risk of payables is an understatement, not an overstatement.) The lower risk assessment for existence allows the auditor to perform few, if any, procedures in relation to this assertion.

Conversely, the completeness assertion for accounts payable is commonly a high inherent risk. Businesses can inflate their profits by accruing fewer payables. Fraudulent reporting of period-end payables is possible. Therefore, the inherent risk of completeness for payables is often high. That's why auditors perform a search for unrecorded liabilities.

Base your risk assessment on factors such as those listed above. If inherent risk is legitimately low, then great. You can perform less substantive work. But if the assertion is high risk, then it should be assessed accordingly--even if that means more work. (The AICPA has included questions in peer review checklists regarding the basis for lower risk assessments. Their concern (I think) is that auditors might manipulate inherent risk in order to perform less work. I've heard no one from the AICPA say this. But I can see how they might be concerned about this possibility.)

Control Risk

So, what is the relationship between inherent risk and control risk?

Companies develop internal controls to manage areas that are inherently risky.

A business might create internal controls to lessen the risk that payables are understated. Examples of such controls include:

  • The CFO reviews the payables detail at period-end, inquiring about the completeness of the list
  • A payables supervisor reviews all invoices entered into the payables system
  • The payables supervisor inquires of all payables clerks about any unprocessed invoices at period-end
  • A budget to actual report is provided to department heads for review

Inherent risk exists independent of internal controls.

Control risk exists when the design or operation of a control does not remove the risk of misstatement. 
