Category Archives for "Auditing"

SAS 143
Feb 18

SAS 143, Auditing Accounting Estimates

By Charles Hall | Auditing

In this article, I explain SAS 143, Auditing Accounting Estimates and Related Disclosuresa new audit standard applicable for periods ending on or after December 15, 2023.   

We'll look at the objectives of SAS 143, auditor responsibilities (including risk assessment and responses), the nature of estimates, documentation requirements, and overall evaluation of your work to ensure appropriateness and completeness. 

SAS 143

Estimate Examples

To get us started, here are a few examples of estimates:

So, what is an accounting estimate? It's a monetary amount for which the measurement is subject to estimation uncertainty. Of course, you need to consider the financial reporting framework as you think about the estimate. For example, an estimate might be significantly different when using GAAP versus a regulatory basis. 

But what is estimation uncertainty? It's the susceptibility of an estimate to an inherent lack of precision in measurement. In layperson's terms, it's an estimate that is hard to pin down.

SAS 143 Objectives

The objective of SAS 143 is to see if the accounting estimate and related disclosures are reasonable by obtaining sufficient appropriate audit evidence. 

Nature of Estimates

Some estimates are simple, while others are difficult. For example, estimating the economic life of a vehicle is straightforward, but computing an allowance for uncollectible receivables might be complex.

But even one type of estimate, such as an allowance for uncollectible, can vary in complexity. For example, the allowance computation for uncollectible receivables is usually more complex for a healthcare entity (e.g., more payor types) than for a small business. Why? Because it is more complex and more challenging to determine. Therefore, the estimation uncertainty for a healthcare entity (with many payor types) is higher than that of a small business with one type of customer. Additionally, the volume of transactions should be higher for a healthcare entity versus a small business.

Estimation Uncertainty

So, the inherent subjectivity of an estimate creates estimation uncertainty. 

Consider estimation uncertainty in this manner: ask twenty people to compute the allowance for a hospital and then ask them to do the same for the small business's uncollectible estimate. How much variation would you expect? Yes, much more for the hospital because the inherent risk is higher. 

SAS 143 tells us to increase our risk assessment procedures and further audit procedures as the estimation uncertainty increases. We perform more risk assessment work concerning the hospital's allowance than that of the small business. Moreover, we complete more extensive further audit procedures for the hospital's allowance than for the small business's estimate. 

More risk, more work. 

To understand SAS 143, we need to know the underlying concepts.

SAS 143 Concepts

SAS 143

Relevant Assertions

You need to assess the risk of material misstatement at the relevant assertion level. Further, you are required to assess inherent risk and control risk separately. And as you assess inherent risk, you might encounter significant risks. 

The Spectrum of Inherent Risk

Usually, a hospital's valuation assertion related to receivables is relevant, and the inherent risk is often high due to its subjectivity, complexity, and volume of transactions (i.e., inherent risk factors). Therefore, the valuation assertion's risk might fall toward the end of the spectrum of inherent risk. On a ten-point scale, we might assess the inherent risk as a nine or a ten. And if we do, it is a significant risk, affecting our professional skepticism.

Professional Skepticism and Estimates

Our professional skepticism increases as the estimation uncertainty rises (or at least, it should). Why? The potential for management bias may be present since it's easier to manipulate complex estimates. And complexity can be a smokescreen to hide bias, increasing the need for internal controls.

Estimate Controls

As estimates become more complex, entities increase internal controls (or at least, they should). And consequently, auditors need to evaluate the design and implementation of those controls. Additionally, auditors must determine whether they will test the controls for effectiveness. 

Another SAS 143 concept is the reasonableness of the estimate.

Reasonableness of Estimates

For an estimate to be reasonable, the applicable financial reporting framework must be its basis. Additionally, management should consider the facts and circumstances of the entity and the related transactions. In creating a reasonable estimate, management will often use the following:

  • A method
  • Certain assumptions
  • Data

Let's consider these elements using the allowance for uncollectible receivables. 

First, management considers the financial reporting framework. If the entity uses GAAP, it makes sense to create the estimate. No allowance is necessary if the cash basis of accounting is in use. In this example, we'll assume the company is using GAAP.

Estimate Method

In computing an allowance for uncollectible, an entity might calculate the estimate as a total of the following:

  • 20% of receivables outstanding for more than 60 days
  • 60% of receivables outstanding for more than 90 days
  • 90% of receivables outstanding for more than 120 days

Estimate Assumptions

And what assumptions might management consider? Bad debt percentages have stayed the same over time. The company needs to increase the percentages if there if collectible amounts erode. 

Estimate Data

Finally, consider the allowance data. In this example, it would typically be an aged receivable listing. Such a listing breaks receivables into aging categories (e.g., 0 to 30 days; 31 to 60 days; etc.). Such data should be consistent. Suppose the company purchases new software that computes the aged amounts differently using different data than previously. If this occurs, management and the auditors need to consider the reasonableness of the new data. 

Is the Estimate Reasonable?

Most importantly, estimates need to make sense (to be reasonable) in light of the circumstances. While consistent methods, assumptions, and data are desirable, change, such as a slowdown in the economy, can require new ways of computing estimates.

One more concept is that of management's point estimate and disclosure.

Management's Point Estimate and Disclosure

The auditor will examine management's point estimate and the related disclosures to see if they are reasonable. How? Review the estimate's development (how was it computed?) and the nature, extent, and sources of estimation uncertainty. 

If circumstances are similar to the prior year, then the estimate's method, assumptions, and data will typically be similar. Likewise, the disclosure will be much like the preceding period. 

But if, for example, the economy slows significantly, the percentages applied to the aged receivable categories (see above) may need to increase so that the allowance for uncollectible is higher. The auditor might question the estimate if management did not raise these percentages. 

The company should disclose how the estimate is created and the nature, extent, and sources of estimation uncertainty. 

Now, let's see what the SAS 143 requirements are.

SAS 143 Requirements

SAS 143

The requirements for estimates are conceptually the same as in any area. The auditor does the following:

  • Perform risk assessment procedures
  • Identify and assess the risk of material misstatement
  • Develop responses to the identified risks and carry those out

1. Perform Risk Assessment Procedures for Estimates

As you consider the entity and its environment, consider the following:

  • Transactions and other events that give rise to the need for estimates and changes in estimates
  • The applicable financial reporting framework as it relates to estimates
  • Regulatory factors affecting estimates, if any
  • The nature of estimates and related disclosures

Next, as you consider internal control, ask about the following:

  • Nature and extent of estimate oversight (who oversees the estimate? how often is the estimate being reviewed?)
  • How does management identify the need for specialized skills or knowledge concerning the estimate?
  • How do the entity's risk assessment protocols identify and address risks related to estimates?
  • What are the classes of transactions, events, and conditions giving rise to estimates and related disclosures?
  • How does management identify the estimate's methods, assumptions, and data sources?
  • Regarding the degree of estimation uncertainty, how does management determine the range of potential measurement outcomes?
  • How does management address the estimation uncertainty, including a point estimate and related disclosures?
  • What are the control activities relevant to the estimate? (e.g., second-person review of the computation)
  • Does management review prior estimates and the outcome of those estimates? How does management respond to that review?

Additionally, the auditor reviews the outcome of prior estimates for potential management bias

If there are any significant risks (inherent risk falling toward the end of the spectrum of risk), the auditor should understand the related controls and, after that, see if they are designed appropriately and implemented. 

And finally, the auditor considers if specialized skills or knowledge are needed to perform risk assessment procedures related to estimates. 

Of course, after you do your risk assessment work, it's time to assess the risk.

2. Identify and Assess the Risk of Material Misstatement

SAS 143, as we have already seen, requires a separate assessment of inherent risk and control risk for each relevant assertion.

In assessing inherent risk, the auditor will consider risk factors such as complexity, subjectivity, and change. It's also important to consider the estimate method and the data used in computing management's point estimate. 

Some estimates represent significant risks. So, for example, if the computation of warranty liability is complex or has a high degree of estimation uncertainty, then identify the liability as a significant risk since the valuation assertion is high risk (toward the upper end of the spectrum of inherent risk).

3. Responses to Assessed Risk of Material Misstatement

Once the assessment of risk is complete, you are in a position to create responses. As usual, document linkage from the risk level to the planned procedures. Higher risk calls for more extensive actions. 

If, for example, the auditor identifies an estimate as a significant risk, go beyond basic techniques (i.e., more than a basic audit program). Higher risk calls for more responses.

Additionally, base those responses on the reasons for the assessments. In other words, create audit procedures based on the nature of the risk. No good comes from performing more procedures unrelated to the identified risk. 

Three Responses to Risks Related to Estimates

The audit procedures need to include one or more of the following three steps:

  1. Obtain audit evidence from events occurring up to the date of the auditor's report
  2. Test how management made the accounting estimate by reviewing the following: 
    • Methods in light of: 
      • Reporting framework
      • Potential management bias
      • The estimation computation (is it mathematically correct?)
      • Use of complex modeling, if applicable
      • Maintenance of the assumptions and data integrity (does this information have integrity?)
    • Assumptions; address the following: 
      • Whether the assumptions are appropriate
      • Whether the judgments made in selecting the assumptions give rise to potential bias
      • Whether assumptions are consistent with each other
      • When applicable, whether management has the intent and ability to carry out specific courses of action
    • Data; address the following: 
      • Whether the data is appropriate
      • Whether judgments made in selecting the data give rise to management bias
      • Whether the data is relevant and reliable
      • Whether management appropriately understands and interprets the data
    • Management's point estimate and related disclosure; address the following: 
      • How management understands estimation uncertainty
      • See if management took appropriate steps in developing the point estimate and related disclosure
      • If the auditor believes management has not sufficiently addressed estimation uncertainty, the following should occur: 
        • Request management perform additional procedures to understand the estimation uncertainty; consider disclosing more information about the estimation uncertainty
        • Develop an auditor's point estimate or range if management's response to the auditor's request in the prior step is not sufficient
        • Evaluate whether an internal control deficiency exists
  3. Develop an auditor's point estimate or range; do the following: 
    • Include procedures to evaluate whether methods, assumptions, or data are appropriate
    • When the auditor develops a range,  
      • Determine whether the range includes only amounts supported by sufficient audit evidence and are reasonable in the context of the reporting framework
      • Regarding disclosures related to estimation uncertainty, design and perform procedures regarding the risk of material misstatement (i.e., determine if the disclosure provides sufficient information regarding estimation uncertainty)

Once you complete your audit work related to estimates, evaluate what you've done. 

Overall Evaluation of Estimate Work

SAS 143

Evaluate the sufficiency of your estimate work by considering the following:

  • Are the risk assessments at the relevant assertion level still appropriate?
  • Do management's decisions regarding recognition, measurement, presentation, and disclosure of the estimates agree with the financial reporting framework? 
  • Has sufficient appropriate evidential matter been obtained?
  • If evidence is lacking, consider the impact on the audit opinion
  • Has management included disclosures beyond those required by the financial reporting framework when needed for fair presentation?

Here are some additional considerations in determining if your work is complete.

Documentation of Estimate Work

SAS 143 says that the auditor's documentation should include the following:

  • The auditor's understanding of the entity and its environment, including internal controls related to estimates
  • Linkage of further audit procedures with the risks of material misstatement at the assertion level
  • Auditor's responses when management has not taken appropriate steps to understand and address estimation uncertainty
  • Indicators of possible management bias related to estimates
  • Significant judgments related to estimates and related disclosures in light of the reporting framework

Governance Communication Regarding Estimates

Finally, consider whether you should communicate estimate matters to those charged with governance, especially if a high estimation uncertainty is present. 

SAS 143 Summary

While SAS 143 requires that auditors understand the estimate process and then perform procedures to ensure the reasonableness of the numbers and disclosures, there's nothing unusual about this. We gain an understanding of the estimates, assess the risk, and create responses. 

Many estimates, such as plant, property, and equipment depreciation, are simple. In those areas, there's little to do. But as always, our risk assessment and responses will increase as complexity and uncertainty increase. 

You may also be interested in my article titled SAS 145: New Risk Assessment Standard.

Over Auditing
Jan 28

Are You Over Auditing and Wasting Time?

By Charles Hall | Auditing

Are you over auditing?

In this article, I explain how you can stop over auditing and wasting precious time. You’ll soon know why to leave in and what to leave out.

Over Auditing

Are You Over Auditing?

Ten audit engagements.

Each audit file with a different risk profile.

Each with a different audit plan.

Each file begging for attention in certain areas.

This afternoon I met with two CPAs to discuss ten audits they perform. Specifically we were looking to see what needed to be done, and maybe more importantly, what was not needed.

The concern was “over auditing.”

For as long as I can remember, CPAs have asked, “what am I doing that is not necessary?”

My answer is always the same: audit areas that have a risk of material misstatement. Drop everything else.

Removing Unnecessary Audit Steps

Well, how do you know if an audit procedure is not needed?

Look at the prior year workpaper and ask, “what relevant assertion and in what transaction cycle does this procedure address?” If you can’t connect the workpaper to a risk, then it’s probably not needed.

You can “reverse engineer” an audit by looking at the prior year workpapers and asking this same question over and over again: “what risk of material misstatement does this workpaper address?”

Adding Necessary Audit Steps

Then—and more importantly—“forward engineer” the audit plan by assessing your risk for each relevant assertion and planning (and linking) a procedure to satisfy (lower) the risk of material misstatement.

https://youtu.be/KQczfKFvSIc

Brevity of Audit File

An audit file needs to be tight, without waste.

Moreover, let it speak of the important—and nothing else. An audit file is somewhat like a good speech: There are no wasted words.

So, can excessive work papers create problems?

Excessive Work Papers Create (at least) Two Problems

Excessive (or unneeded) work papers can create problems, including:

1. Clutter (which degrades the message)
2. Legal exposure

Why do I say legal exposure? If your work papers are subpoenaed and there are unnecessary work papers, the opposing party may find contradictory information that works against you.

Then you know what would come next: the opposing attorney holding up a damning document as she asks, “did this work paper come from YOUR audit file?”

Keep things lean.

Right Audit Steps

In summary, say what needs to be said, and nothing more.

In other words, follow these steps:

1. First, assess risk.

2. Next, plan responses to those risks.

3. Then, perform those procedures.

4. And finally, don’t do anything else. 

With these steps, your audit file will say what it needs to say—and nothing else. And you will not be over auditing.

See my related article titled Seven Excuses for Unnecessary Audit Work Papers

Check out my book on Amazon: The Why and How of Auditing

Segregation of Duties
Sep 30

Segregation of Duties: How to Overcome

By Charles Hall | Auditing , Fraud

Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how overcome this problem, regardless of the entity’s size.

Segregation of duties

The Environment of Fraud

Darkness is the environment of wrongdoing.

Why?

No one sees us. Or so we think.

Fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring transforms Sméagol into a hideous creature–Gollum.

And what does this teach us? That which is alluring in the beginning can be destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.

What’s the solution? Transparency. It protects businesses, governments, and nonprofits.

But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.

It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.

But this segregation of duties is not always possible.

Lacking Segregation of Duties

Some people says here are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.

Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.

Here’s two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.

1. Bank Account Transparency

First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

Relying on a trusted bookkeeper is not a good thing. So how can you shine the light?

Allow a second person to see the bank statements.

Segregation of duties

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.

Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.

When you audit cash, see if these types of controls are in place.

Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.

Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs. 

Segregation of duties

Surprise Audit Ideas

Here are some surprise audit ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Inspect two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (look for unusual variances)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.

I will say it again. Having multiple people involved reduces the threat of fraud.

Segregation of Duties Summary

In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.

What other procedures do you recommend?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

unpaid fees
Sep 08

Unpaid Fees and Attest Independence

By Charles Hall | Auditing

Unpaid fees can impair your independence in attest engagements. This article explains changes in the Unpaid Fees interpretation in the AICPA Code of Conduct

Peer review checklists ask if fees have been paid prior to issuance of attest reports. Why? A loan to an attest client can impair independence. The thought here is that the CPA may have a self-interest in the client; namely, the collection of unpaid fees. And this self-interest could potentially lead the CPA to assist the client by issuing inappropriate attest reports. 

So, has there been a change in the unpaid fees section of the Code of Conduct? Yes. 

The old rule of just looking back one year is no longer the sole consideration in determining your independence in regard to unpaid fees; current year fees, if significant, can also affect independence.

unpaid fees

The bolded fonts and underlines below are added by the blogger. 

Unpaid Fees Interpretation

The independence interpretation (1.230.010) in the Code of Conduct says:

Threats to the covered member’s compliance with the “Independence Rule” [1.200.001] are at an acceptable level if, when the current-year attest report is issued, unpaid fees are both clearly insignificant to the covered member and relate to professional services provided less than one year prior to the date of the current-year attest report.

Alternatively, threats would not be at an acceptable level if, when the current-year attest report is issued, unpaid fees are both significant to the covered member and relate to professional services provided more than one year prior to the issue date of the current-year attest report.

That guidance provides factors to consider in evaluating your independence.

Unpaid Fees Factors to Consider

Factors to consider (ET 1.230.010.02) when evaluating whether threats are at an acceptable level include the following:

a. The significance of the unpaid fees to the covered member

b. The length of time the fees have been due from the attest client

c. The attest client’s agreement to pay the unpaid fees

d. The covered member’s assessment of factors affecting the ability of the attest client to pay the fees

So, what should you do if a significant threat is present? Consider safeguards. 

Unpaid Fees Safeguards

You may use safeguards (ET 1.230.010.04) to mitigate the independence threat:

a. Have an appropriate reviewer who has not provided attest or nonattest services to the attest client review the attest work performed before the current-year attest report is issued.

b. Obtain partial payment of the unpaid fees balance before the current year attest report is issued such that the remaining unpaid balance is insignificant to the covered member.

c. Obtain an agreement from the attest client to a payment schedule before the current-year attest report is issued.

d. Suspend further work on current attest engagements and not accept new engagements with this attest client.

ET 1.230.010.05 goes on to say:

Communication with those charged with governance regarding evaluation of the unpaid fees and safeguards applied is not a sufficient safeguard when applied alone; however, it may be considered a safeguard when supplemented by other safeguard(s).

If the safeguards are not sufficient, you are not independent.

So, how do we define unpaid fees?

Unpaid Fees Defined

Unpaid fees include billed and unbilled services. 

If you provide a service whereby you expect payment, it’s a fee–whether you billed it or not. The issue is whether the client owes you for the service.

Not Applicable for Attest Clients in Bankruptcy

ET 1.230.010.06 says that this interpretation does not apply to attest clients in bankruptcy.

Collection Incentive

Oddly, the potential impairment of independence may assist you (the CPA) in collecting past-due accounts. If the client needs the current year attest report, and the CPA can’t provide it without payment, then the client may find a way to come up with the money for past fees.

Still Not Sure

If after doing the above, you’re still not sure whether your independence is impaired, consider contacting the AICPA to get their thoughts. You can email them at ethics@aicpa.org. 

Video Overview

Here’s my YouTube video explaining unpaid fees.

internal control weaknesses
Jul 25

Internal Control Weakness Reporting

By Charles Hall | Auditing

Auditors often fail to capture and communicate internal control weaknesses, even though such communications are required by the audit standards.

But making our clients aware of control weaknesses can help them. How? It allows them to improve their accounting system. The result: prevention of future fraud and errors.

In this article, I’ll show you how to capture and communicate internal control deficiencies. By doing so, you’ll add value to your audit services and you’ll help your client protect their business.

At the end of the post, you’ll also see a video that summarizes this information.

internal control weaknesses

A Common End-of-Audit Problem

You are concluding another audit, and it’s time to consider whether you will issue a letter communicating internal control deficiencies. A month ago you noticed some control issues in accounts payable, but presently you’re not sure how to describe them. You hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks you’re done. But you know that boiler-plate language will not clearly communicate the weakness or tell the client how to fix the problem. Now you’re kicking yourself for not taking more time to document the control weakness (back when you initially saw it).

Here’s a post to help you capture and document internal control issues as you audit.

Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

  1. How to discover them
  2. How to capture them
  3. How to communicate them

As we begin, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Now let’s take a look at discovering, capturing, and communicating control weaknesses. 

Internal control

1. Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

  1. Planning – Risk assessment and walkthroughs
  2. Fieldwork – Transaction-level work
  3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

  • Do the monthly financial statements ever contain errors?
  • Are invoices mistakenly omitted from the payable system?
  • Do employees forget to obtain purchase order numbers prior to buying goods?
  • Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

Internal control

2. Capture Internal Control Weaknesses

So, how do you capture the control deficiencies?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

  1. You may not be on the engagement when it concludes (because you are working elsewhere) or
  2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Internal Control Capture Form

What should be in the internal control form? At a minimum include the following:

  1.  Check-mark boxes for:
    • Significant deficiency
    • Material weakness
    • Other control deficiency
    • Other issues (e.g., violations of laws or regulations) 
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
  3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person identifying the issue and the date of discovery
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

After capturing the weaknesses, it’s time to communicate them. 

3. Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

Provide a draft of any written communications to management before issuing your final letter. That way if something is incorrect (your client will let you know), you can make it right–before it’s too late. Additionally, discuss the control weakness with relevant personnel when you initially discover it. You don’t want to surprise the client with adverse communications in the written internal control letter. 

Internal Control Video Summary

Here’s a video that summarizes the information above.

Summary

The main points in capturing and communicating internal control deficiencies are:

  1. Capture control weaknesses as soon as you see them
  2. Develop a form to document the control weaknesses
  3. Communicate significant deficiencies and material weaknesses in writing

These communications can be somewhat challenging since you’re telling management they need to make improvements. So make sure all information is correct and let your senior personnel do the communicating.

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

1 2 3 14
>