Category Archives for "Auditing"

Developing your audit strategy and plan
Aug 08

Audit Planning: Developing Your Audit Strategy and Plan

By Charles Hall | Auditing

This article teaches you how to develop your audit strategy and audit plan. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit strategy and plan.

AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable. 

Developing your audit strategy and plan

Audit Strategy and Plan

To be in compliance with audit standards, you need to develop:

  • Your audit strategy
  • Your audit plan

Developing Your Audit Strategy

What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:

  • The characteristics of the engagement (these define its scope)
  • The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
  • The significant factors (these determine what the audit team will do)
  • The results of preliminary engagement activities (these inform the auditor’s actions)
  • Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)

Also, consider the resources necessary to perform the engagement.

Think of the audit strategy as the big picture. You are documenting:

  • The scope (the boundaries of the work)
  • The objectives (what the deliverables are) 
  • The significant factors (e.g., is this a new or complex entity?)
  • The risk assessment (what are the risk areas?)
  • The planned resources (e.g., the engagement team) 

Strategy for Walking on the Moon

When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:

We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas. 

developing your audit strategy and plan

The strategy led to Neil Armstrong’s historic walk on July 20, 1969.

Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).

Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.

What’s in an Audit Strategy?

The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.

My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.

Here are the main areas we cover:

  • Deliverables and deadlines
  • A time budget
  • The audit team
  • Key client contacts
  • New accounting standards affecting the audit
  • Problems encountered in the prior year 
  • Anticipated challenges in the current year 
  • Partner directions regarding key risk areas
  • References to work papers addressing risk

Who Creates the Audit Strategy?

Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so. 

Audit Strategy as the Central Document

If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project. 

Audit Plan (or Audit Program)

Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit? 

  1. Performed risk assessment procedures
  2. Developed our audit strategy

Now it’s time to create the audit plan.

The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.

Creating the Audit Program

How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.

Sufficient Audit Steps

How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs. 

Integrating Risk Assessment with the Audit Program

How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.

AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.

Creating Efficiency in the Audit Plan

Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts. 

Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures. 

For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.

In Summary

There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.

Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.

To see my earlier posts in this series, click here.

Hosting Services
Aug 07

Danger: Hosting Services Impair Independence

By Charles Hall | Auditing

(It’s August 14, 2018 as I write this. The AICPA has just delayed the effective date of the Hosting Services rule to July 1, 2019. I have not amended the following post for that change.)

As of September 1, 2018, hosting services impair independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This article explains why your possession of client records, whether electronic or hard-copy, can affect your independence.

Hosting Services Impair Independence

Starting September 1, 2018, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on our server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)

hosting services impair independence

The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.

Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.

In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.

To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not. 

Continue reading

The Auditor's Responsibility for Fraud
Jul 30

The Auditor’s Responsibility for Fraud: The Why and How

By Charles Hall | Auditing , Fraud

What is an auditor’s responsibility for fraud in a financial statement audit? Today, I’ll answer that question. Let’s take a look at the following:

  • Auditor’s responsibility for fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 

The Auditor's Responsibility for Fraud

Auditor’s Responsibility for Fraud

I still hear auditors say, “We are not responsible for fraud.” But are we not? We know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. But auditors often turn a blind eye to it.

Turning a Blind Eye to Fraud

Why do auditors not perceive fraud risks? 

Here are a few reasons:

  • We don’t understand fraud, so we avoid it
  • We don’t know how to look for control weaknesses
  • We believe that auditing the balance sheet is enough

Think of these reasons as an attitudea poor one—regarding fraud. This disposition manifests itself—in the audit file—with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (after known theft occurs)
  • Not performing walkthroughs
  • We don’t conduct brainstorming sessions and window-dress related documentation
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • The audit program doesn’t change though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft

Two forms of fraud: Auditor's Responsibility for Fraud

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches”—but the level of the challenge depends on the complexity of the business.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weakness allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just have to break it down—and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we are putting together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we (attempt to) describe the accounting system, we may find missing pieces. When we do, we’ll go back and ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

The Auditor's Responsibility for Fraud - The Big Bad Wolves

The threats in our childhood stories were easy to recognize—the wolves were hard to miss. Not so in the walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize. So, how long is the story? That depends on the size of the organization.

Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid unneeded—and distracting—details.

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. If effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures—discussed above and in my prior postprovide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? We think like a thief. By thinking like a fraudster, we unearth ways that stealing might occur. And why? So we can audit those possibilities. And this is the reason for the fraud risk assessment procedures in the first place.

What we discover in the risk assessment stage informs the audit plan—in other words, it has bearing upon the audit programs.

The Auditor’s Responsibility for Fraud

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for fraud?” Hopefully, you now have a better understanding of the fraud-related procedures we are to perform. But to understand the purpose of these procedures, look at the language in a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

The What and Why of Auditing: A Blog Series About Basics

Have you been following my series of posts: The What and Why of Auditing? If not, you may want to review the prior posts:

Also subscribe (below) to my blog to receive future installments in this series (we have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process. 

audit risk assessment
Jul 23

Audit Risk Assessment: The Why and the How

By Charles Hall | Auditing

Today we look at one of most misunderstood parts of auditing: audit risk assessment.

Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation.

risk assessment

Audit Risk Assessment as a Friend

Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?

This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.

So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:

  1. We don’t understand it
  2. We're creatures of habit

Too often auditors continue doing the same as last year (commonly referred to as SALY)--no matter what. It’s more comfortable than using risk assessment.

But what if SALY is faulty or inefficient?  

Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).

Are We Working Backwards?

The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:

  1. Determine the risks of material misstatements (plan our work)
  2. Develop a plan to address those risks (plan our work)
  3. Perform substantive procedures (work our plan)
  4. Issue an opinion (the result of planning and working)

Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.”

In other words, we work backwards.

So, is there a better way?

A Better Way to Audit

Audit standards—in the risk assessment process—call us to do the following:

  1. Understand the entity and its environment
  2. Understand the transaction level controls
  3. Use planning analytics to identify risk
  4. Perform fraud risk analysis
  5. Assess risk

While we may not complete these steps in this order, we do need to perform our risk assessment first (1.-4.) and then assess risk.

Okay, so what procedures should we use?

Audit Risk Assessment Procedures

AU-C 315.06 states:

The risk assessment procedures should include the following:

  • Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor's professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
  • Analytical procedures
  • Observation and inspection

I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.

Risk assessment

Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.

First, we need to understand the entity and its environment.

Understand the Entity and Its Environment

The audit standards require that we understand the entity and its environment.

I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"

The answer tells me a great deal about the entity's risk.

I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.

Think of risks as threats to objectives. Your client's fears tell you what the objectives are--and the threats. 

To understand the entity and its related threats, ask questions such as:

  • How is the industry faring?
  • Are there any new competitive pressures or opportunities?
  • Have key vendor relationships changed?
  • Can the company obtain necessary knowledge or products?
  • Are there pricing pressures?
  • How strong is the company’s cash flow?
  • Has the company met its debt obligations?
  • Is the company increasing in market share?
  • Who are your key personnel and why are they important?
  • What is the company’s strategy?
  • Does the company have any related party transactions?

As with all risks, we respond based on severity. The higher the risk, the greater the response.

Audit standards require that we respond to risks at these levels:

  • Financial statement level
  • Transaction level

Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.

Responses to risk at the transaction level are more specific such as a search for unrecorded liabilities.

But before we determine responses, we must first understand the entity's controls.

Understand Transaction Level Controls

We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?). 

So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.


Peer Review Finding

 AU-C 315.14 requires that auditors evaluate the design of their client's controls and to determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as any other requirement of AU-C 315 - Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.


Some auditors excuse themselves from this audit requirement saying, "the entity has no controls."  


All entities have some level of controls. For example, signatures on checks are restricted to certain person. Additionally, someone usually reviews the financial statements. And we could go on.


The AICPA has developed a practice audit that you'll find handy in identifying internal controls in small entities.


The use of walkthroughs is probably the best way to understand internal controls.

As you perform your walkthroughs, ask questions such as:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports and who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.

So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.

This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.

See my article How to Document Audit Walkthroughs? Also see Should You Perform Audit Walkthroughs Annually? (Hint--the answer is yes.)

Another significant risk identification tool is the use of planning analytics.

Planning Analytics

Use planning analytics to shine the light on risks. How? I like to use:

  • Multiple-year comparisons of key numbers (at least three years, if possible)
  • Key ratios

In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)

You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information about first-year planning analytics, see my planning analytics post.)

Sometimes, unexplained variations in the numbers are fraud signals.

Identify Fraud Risks

In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?

Also, we should plan procedures related to:

  • Management override of controls, and
  • The intentional overstatement of revenues

My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.

Same Old Errors

Have you ever noticed that some clients make the same mistakes—every year? (Johnny--the controller--has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).

One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.

Now it’s time to pull the above together.

Creating the Risk Picture

Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image

Synthesis of risks

What are we bringing together? Here are examples:

  • Control weaknesses
  • Unexpected variances in significant numbers
  • Entity risk characteristics (e.g., level of competition)
  • Large related-party transactions
  • Occurrences of theft

Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.

How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.

Assess the Risk of Material Misstatement

Understanding the RMM formula is key to identifying high-risk areas.

What is the RMM formula?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.

Once you have completed the risk assessment process, control risk can be assessed at high--simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time

The Input and Output

The inputs in audit planning include all of the above audit risk assessment procedures.

The outputs (sometimes called linkage) of the audit risk assessment process are:

  • Audit strategy
  • Audit plan (audit programs)
Linking risk assessment to audit planning

We tailor the strategy and plan based on the risks..

In a nutshell, we identify risks and respond to them.

(In a future post in this series, I will provide a full article concerning the creation of audit strategy and plans.)

Next in the Audit Series

In my next post, we’ll take a look at the Why and How of Fraud Auditing. So, stay tuned.

If you haven’t subscribed to my blog, do so now. See below.


Jul 17

Government Auditing Standards 2018 Revision (Hot Off the Press)

By Charles Hall | Auditing , Local Governments

Government Auditing Standards 2018 Revision

The Government Accountability Office just issued the new Yellow Book titled Government Auditing Standards 2018 Revision.

Government Auditing Standards 2018 Revision

Get Your Free Copy

An electronic version of the 2018 Yellow Book can be accessed on GAO’s Yellow Book web page at http://www.gao.gov/yellowbook.

Major Changes

The introduction to the new Yellow Book summarizes the significant changes as follows:

This revision contains major changes from, and supersedes, the 2011 revision. These changes, summarized below, reinforce the principles of transparency and accountability and strengthen the framework for high quality government audits.

  • All chapters are presented in a revised format that differentiates requirements and application guidance related to those requirements.
  • Supplemental guidance from the appendix of the 2011 revision is either removed or incorporated into the individual chapters.
  • The independence standard is expanded to state that preparing financial statements from a client-provided trial balance or underlying accounting records generally creates significant threats to auditors’ independence, and auditors should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level or decline to perform the service.
  • The peer review standard is modified to require that audit organizations comply with their respective affiliated organization’s peer review requirements and GAGAS peer review requirements. Additional requirements are provided for audit organizations not affiliated with recognized organizations.
  • The standards include a definition for waste.
  • The performance audit standards are updated with specific considerations for when internal control is significant to the audit objectives.

Effective with the implementation dates for the 2018 revision of Government Auditing Standards, GAO is also retiring Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) and Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).

Effective Dates

The 2018 revision of Government Auditing Standards is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019.

Early implementation is not permitted.

The 2018 revision of Government Auditing Standards supersedes the 2011 revision (GAO-12-331G, December 2011), the 2005 Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005), and the 2014 Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014). 

Client Acceptance and Continuance
Jul 17

Client Acceptance and Continuance: The Why and How

By Charles Hall | Auditing

Client acceptance and continuance may be the most critical step in an audit, but it’s one that gets little attention. A prospective client calls saying, “Can you audit my company?” and we respond, “sure.” While new business can be a good thing, relationships need appropriate vetting. Not doing so can lead to significant (and sometimes disastrous) consequences.

New Relationships

My daughter recently met a young man on Instagram. Not unusual these days. But now the relationship is entering into its third month. They talk every day for two or three hours. So far, they have not been in the same room—and not even in the same city. Skype, yes. Physical presence, no. That’s happening at the end of this month. (He lives eight hours away.)

So what do Mom and Dad think about all of this? Well, it’s fine. My wife checked him out on Facebook (I know you’ve never done this). And my daughter has told us all about the “fella” and his family. We like what we’re hearing. He has similar beliefs. He has a job (Yay!), and he has graduated from college. His family background is like ours.

Why do we want to know all the details about the young man? Because relationships impact people—my daughter, the young man, his family members, and yes, my wife and I. We want everyone to be happy.

Client Acceptance 

And that’s what good relationships create. Happiness. The same is true with clients. As Steven Covey said, “think win, win.” When the customer wins, and your CPA firm wins, everyone is happy. Mutual needs are met.

Careless CPAs accept business with only one consideration: Can I get paid? 

While getting paid is important, other factors are also critical.

Here are a few things to consider:

  1. Are they ethical?
  2. Are you independent?
  3. Do you have the technical ability to serve them?
  4. Do you the capacity to serve them?

Are They Ethical?

I want my daughter to marry a guy with beliefs that correspond with who she is. Is he honest? Would he steal? Is he transparent? Who are his associates? What do others think of him? 

We ask similar questions about accepting a new client. Audit standards require us to consider whether the prospective client has integrity. If the company is not morally straight, then there’s no need to move forward. 

Are You Independent?

The time to determine your firm’s independence is the beginning—not at the conclusion of the audit.

Consider what happens—during a peer review—when a firm is not independent, and it has issued an audit opinion. The original audit report will be recalled, and I’ll bet the company asks for and receives a full refund of your audit fee. Now, the company needs to be re-audited.  (Oh, and there’s that impact on the peer review report.)

Pay attention to requested nonattest services—such as preparation of financial statements. If the client has no one with sufficient skill, knowledge, and experience to accept responsibility for such services, you may not be independent. See the AICPA’s Plain English Guide to Independence for more information. 

Do You Have the Technical Ability to Serve Them?

If you can pick up a client in an industry in which you have no experience, should you? Possibly, but it depends on whether you can appropriately understand the client and their industry before you conduct the engagement. Some new customers may not be complicated. In those cases, CPE may get you into position to provide the audit. 

But what if the potential engagement involves a highly sophisticated industry and related accounting standards for which you are ill-equipped? It may be better to let the engagement go and refer it to an audit firm that has the requisite knowledge. Or maybe you can partner with the other firm. 

Do You Have the Capacity to Serve Them?

A prospective client calls saying, “Can you audit my company? We have a December 31 year-end, and we need the audit report by March 31.” After some discussion, I think the fee will be around $75,000. But my staff is already working sixty hours a week during this time of the year. Should I take the engagement? 

My answer would be no unless I can create the capacity. How? I can hire additional personnel or maybe I can contract with another firm to assist. If I can’t build additional capacity, then I may let the opportunity pass. 

Far too many firms accept work without sufficient capacity. When this happens, corners are cut, and staff members and partners suffer. Stuffingeven morework into a stressful time of the year is not (always) a wise thing. We lose staff. And if the engagement is deficient, peer review results may take a hit.

When you don’t have the capacity to accept new good clients, consider whether you should discontinue service to existing bad customers.

The Continuance Decision

Quality controls standards call for CPAs to not only develop acceptance procedures, but we are to create continuance protocols as well.

I previously said CPAs often don’t give proper attention to acceptance procedures. So, how about continuance decisions? Even worse. 

Continuance Decision

Picture from AdobeStock.com

Each year, we should ask, “If this was a new client opportunity, would I accept them?” If the answer is no, then why do we continue serving them? 

Here are a few questions to ponder:

  • Has the client paid their prior year fees? 
  • Am I still independent (consider the new Hosting Services interpretation)?
  • Does the client demand more from me than the fee merits?
  • Do I enjoy working with this client?
  • Is the client’s financial condition creating additional risks for my firm?
  • Is the client acting ethically?

Each year, well before the audit starts, ask these questions.

And then consider, is the bottom 10% of my book of business keeping me from accepting better clients? My experience has been that when I have the capacity, new business appears. When capacity is lacking, I don’t. The decision to hold on to bad clients is a decision to close the door to better clients. Don’t be afraid to let go.

Risk Assessment Starts Now

When should we start thinking about risk assessment? Now.

Whether you are going through the initial acceptance procedures or you are making your continuance decision, start thinking about risk assessment now. Assuming you accept the client, you’ll be a step ahead as you begin to develop your audit plan. Ask questions such as:

  • How is your cash flow?
  • Do you have any debt with covenants?
  • Who receives the financial statements?
  • Has the company experienced any fraud losses?
  • How experienced is management?
  • Why are you changing auditors?

Keep these notes for future reference and audit planning. 

Next Post in this Series

The above is the first post in The Why and How of Auditing. My next post will be Audit Risk Assessment: The Why and How. Subscribe to my blog (see below) to make sure you don’t miss anything.

Review Quiz

Jul 10

The Why and How of Auditing: A Blog Series about Basics

By Charles Hall | Auditing

Do you struggle with what needs to be done in an audit–and what does not? Do you perform audit procedures (because they are in a standard audit program) but you’re not sure why? Do you want to be more efficient? You are not alone.

While audit forms—like risk assessment, audit planning, and audit program—are necessary, they can make us feel like a blind man being led by the hand. If you’re like me, you want to see, to know where you’re going and why. To gain sight, we need to go back to the basics. 

Each year, Vince Lombardi (the revered coach of the Green Bay Packers) held a pigskin up and said, “This is a football.” And he did so with the best players in the world. He knew that winning is all about basics: blocking, tackling, passing, running. Understanding fundamentals brings clarity and power. And that’s what I’m after in The Why and How of Auditing. I’ll strip away the technical mumbo-jumbo and make auditing accessible, even for beginners. Moreover, experienced auditors will profit as you revisit what matters (and what does not).

The Why and How of Auditing

Here’s an overview of the upcoming posts:

Moving from Wasteful to Efficient Auditing

In the cartoons I read as a kid, Lucy would say to Charlie Brown, “I will hold the ball, and you kick,” but as Charlie Brown would lean into his launch, she would pull away. And you remember the result: Charlie Brown, lying on his backside. 

Some audit procedures (like the invitation to kick) are tempting. They call us (like a familiar friend), but they are a waste of time–even if we have done these steps for years. In the end, they leave us staring at the sky. So, we need to know what is best and what is necessary. Then, we can avoid waste.

This series provides you with what you need to know—without excess baggage. By design, the series is simple. Why? To provide clarity. I want you to understand the basics of auditing. 

When you’re done, you’ll understand auditing, possibly in a way you never have. Then you’ll work with greater confidence and effectiveness. So, let’s begin.

going concern
Jun 20

Going Concern: How to Understand the Accounting and Auditing Standards

By Charles Hall | Accounting , Auditing

Are you preparing financial statements and wondering whether you need to include going concern disclosures? Or maybe you’re the auditor, and you’re wondering if a going concern paragraph should be added to the audit opinion. You’ve heard there are new requirements for both management and auditors, but you’re not sure what they are.

This article summarizes (in one place) the new going concern accounting and auditing standards.

going concern

Going Concern Standards

For many years the going concern standards were housed in the audit standards–thus, the need for FASB to issue accounting guidance (ASU 2014-15). It makes sense that FASB created going concern disclosure guidance. After all, disclosures are an accounting issue. 

Accounting Standard

ASU 2014-15, Disclosure of Uncertainties about an Entity’s Ability to Continue as a Going Concern, provides guidance in preparing financial statements. This standard was effective for years ending after December 15, 2016.

GASB Statement 56, Codification of Accounting and Financial Reporting Guidance Contained in the AICPA Statements on Auditing Standards, is the relevant going concern standard for governments. GASB 56 was issued in March 2009. (GASB 56 requires financial statement preparers to evaluate whether there is substantial doubt about a governmental entity’s ability to continue as a going concern for 12 months beyond the date of the financial statements. As you will see below, this timeframe is different from the one called for under ASU 2014-15. This post focuses on ASU 2014-15 and SAS 132.)

Meanwhile, the Auditing Standards Board issued their own going concern standard in February 2017: SAS 132.

Auditing Standard

Auditors will use SAS 132, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern, to make going concern decisions. This SAS is effective for audits of financial statements for periods ending on or after December 15, 2017. SAS 132 amends SAS 126The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern.

So, let’s take a look at how to apply ASU 2014-15 and SAS 132.

Two Stages of Going Concern Decisions

In the past, the going concern decisions were made by auditors in a single step. Now, it is helpful to think of going concern decisions in two stages:

  1. Management decisions concerning the preparation of financial statements 
  2. Auditor decisions concerning the audit of the financial statements

First, we’ll consider management’s decisions.

Stage 1. Management Decisions

 

ASU 2014-15 provides guidance concerning management’s determination of whether there is substantial doubt regarding the entity’s ability to continue as a going concern.

Going Concern

What is Substantial Doubt?

So, how does FASB define substantial doubt? 

Substantial doubt about the entity’s ability to continue as a going concern is considered to exist when aggregate conditions and events indicate that it is probable that the entity will be unable to meet obligations when due within one year of the date that the financial statements are issued or are available to be issued.

What is Probable?

So, how does management determine if “it is probable that the entity will be unable to meet obligations when due within one year”?

Probable means likely to occur

If for example, a company expects to miss a debt service payment in the coming year, then substantial doubt exists. This initial assessment is made without regard to management’s plans to alleviate going concern conditions. 

ASC 205-40-50-4 says:

The evaluation initially shall not take into consideration the potential mitigating effect of management’s plans that have not been fully implemented as of the date that the financial statements are issued (for example, plans to raise capital, borrow money, restructure debt, or dispose of an asset that have been approved but that have not been fully implemented as of the date that the financial statements are issued).

But what factors should management consider?

Factors to Consider

Management should consider the following factors when assessing going concern:

  • The reporting entity’s current financial condition, including the availability of liquid funds and access to credit
  • Obligations of the reporting entity due or new obligations anticipated within one year (regardless of whether they have been recognized in the financial statements)
  • The funds necessary to maintain operations considering the reporting entity’s current financial condition, obligations, and other expected cash flows
  • Other conditions or events that may affect the entity’s ability to meet its obligations

Moreover, management is to consider these factors for one year. But from what date?

Timeframe

The financial statement preparer (i.e., management or a party contracted by management) should assess going concern in light of one year from the date “the financial statements are issued or are available to be issued.”

So, if December 31, 2017, financial statements (for a nonpublic company) are available to be issued on March 15, 2017, the preparer looks forward one year from March 15, 2017. Then, the preparer asks, “Is it probable that the company will be unable to meet its obligations through March 15, 2018?” If yes, substantial doubt is present and disclosures are necessary. If no, then substantial doubt does not exist. As you would expect, the answer to this question determines whether going concern disclosures are to be made and what should be included.

Substantial Doubt Answer Determines Disclosures

If substantial doubt does not exist, then going concern disclosures are not necessary.

If substantial doubt exists, then the company needs to decide if management’s plans alleviate the going concern issue. This decision determines the disclosures to be made. The required disclosures are based upon whether:

  1. Management’s plans alleviate the going concern issue
  2. Management’s plans do not alleviate the going concern issue

1. What if Management’s Plans Alleviate the Going Concern Issue?

If conditions or events raise substantial doubt about an entity’s ability to continue as a going concern, but the substantial doubt is alleviated as a result of consideration of management’s plans, the entity should disclose information that enables users of the financial statements to understand all of the following (or refer to similar information disclosed elsewhere in the footnotes):

  1. Principal conditions or events that raised substantial doubt about the entity’s ability to continue as a going concern (before consideration of management’s plans)
  2. Management’s evaluation of the significance of those conditions or events in relation to the entity’s ability to meet its obligations
  3. Management’s plans that alleviated substantial doubt about the entity’s ability to continue as a going concern

Management’s plans should be considered only if is it probable that they will be effectively implemented. Also, it must be probable that management’s plans will be effective in alleviating substantial doubt.

So, if management’s plans are expected to work, does the company have to explicitly state that management’s plans will alleviate substantial doubt? No. 

When management’s plans alleviate substantial doubt, companies need not use the words going concern or substantial doubt in the disclosures. And as Sears discovered, it may not be wise to do so (their shares dropped 16% after using the term substantial doubt even though management had plans to alleviate the risk). Rather than using the term substantial doubt, consider describing conditions (e.g., cash flows are not sufficient to meet obligations) and management plans to alleviate substantial doubt.

Sample Note – Substantial Doubt Alleviated

An example note follows:

Note 2 – Company Conditions

The Company had losses of $4,525,123 in the year ending March 31, 2017. As of March 31, 2017, its accumulated deficit is $11,325,354. 

Management believes the Company’s present cash flows will not enable it to meet its obligations for twelve months from the date these financial statements are available to be issued. However, management is working to obtain new long-term financing. It is probable that management will obtain new sources of financing that will enable the Company to meet its obligations for the twelve-month period from the date the financial statements are available to be issued.

Notice this example does not use the words substantial doubt.

2. What if Management’s Plans Do Not Alleviate the Going Concern Issue?

If conditions or events raise substantial doubt about an entity’s ability to continue as a going concern, and substantial doubt is not alleviated after consideration of management’s plans, an entity should include a statement in the notes indicating that there is substantial doubt about the entity’s ability to continue as a going concern within one year after the date that the financial statements are available to be issued (or issued when applicable). Additionally, the entity should disclose information that enables users of the financial statements to understand all of the following:

  1. Principal conditions or events that raise substantial doubt about the entity’s ability to continue as a going concern
  2. Management’s evaluation of the significance of those conditions or events in relation to the entity’s ability to meet its obligations
  3. Management’s plans that are intended to mitigate the conditions or events that raise substantial doubt about the entity’s ability to continue as a going concern

Sample Disclosure – Substantial Doubt Not Alleviated

An example disclosure follows:

Note 2 – Going Concern
 
The financial statements have been prepared on a going concern basis which assumes the Company will be able to realize its assets and discharge its liabilities in the normal course of business for the foreseeable future.  The Company had losses of $1,232,555 in the current year. The Company has incurred accumulated losses of $2,891,727 as of March 31, 2017. Cash flows used in operations totaled $555,897 for the year ended March 31, 2017.
 
Management believes these conditions raise substantial doubt about the Company’s ability to continue as a going concern within the next twelve months from the date these financial statements are available to be issued. The ability to continue as a going concern is dependent upon profitable future operations, positive cash flows, and additional financing.
 
Management intends to finance operating costs over the next twelve months with existing cash on hand and loans from its directors. Management is also working to secure new bank financing. The Company’s ability to obtain the new financing is not known at this time.
 
Notice this note includes a statement that substantial doubt is present. Though management’s plans are disclosed, the probability of success is not provided.

ASU 2014-15 Summary

ASU 2014-15 focuses on management’s assessment regarding whether substantial doubt exists. If substantial doubt exists, then disclosures are required. Here’s a short video summarizing 2014-15:

Thus far, we’ve addressed the stage 1. management decisions. As you can see management’s considerations focus on disclosures. By contrast, auditors focus on the audit opinion. Now, let’s look at what auditors must do.

Stage 2. Auditor Decisions

 

SAS 132 provides guidance concerning the auditor’s consideration of an entity’s ability to continue as a going concern.

Going Concern

Objectives of the Auditor

SAS 132, paragraph 10, states the objectives of the auditor are as follows:

  • Obtain sufficient appropriate audit evidence regarding, and to conclude on, the appropriateness of management’s use of the going concern basis of accounting, when relevant, in the preparation of the financial statements
  • Conclude, based on the audit evidence obtained, whether substantial doubt about an entity’s ability to continue as a going concern for a reasonable period of time exists
  • Evaluate the possible financial statement effects, including the adequacy of disclosure regarding the entity’s ability to continue as a going concern for a reasonable period of time
  • Report in accordance with this SAS

These objectives can be summarized as follows:

  1. Conclude about whether the going concern basis of accounting is appropriate
  2. Determine whether substantial doubt is present
  3. Determine whether the going concern disclosures are adequate
  4. Issue an appropriate opinion 

In light of these objectives, certain audit procedures are necessary.

Risk Assessment Procedures

In the risk assessment phase of an audit, the auditor should consider whether conditions or events raise substantial doubt. In doing so, the auditor should examine any preliminary management evaluation of going concern. If such an evaluation was performed, the auditor should review it with management. If no evaluation has occurred, then the auditor should discuss with management the appropriateness of using the going concern basis of accounting (the liquidation basis of accounting is required by ASC 205-30 when the entity’s liquidation is imminent) and whether there are conditions or events that raise substantial doubt. 

The auditor is to consider conditions and events that raise substantial doubt about an entity’s ability to continue as a going concern for a reasonable period of time. What is a reasonable period of time? It is the period of time required by the applicable financial reporting framework or, if no such requirement exists, within one year after the date that the financial statements are issued (or within one year after the date that the financial statements are available to be issued, when applicable). The governmental accounting standards require an evaluation period of “12 months beyond the date of the financial statements.”

Auditors should consider negative financial trends or factors such as:

  • Working capital deficiencies
  • Negative cash flows from operating activities
  • Default on loans
  • A denial of trade credit from suppliers
  • Need to restructure debt
  • Need to dispose of assets
  • Work stoppages or other labor problems
  • Need to significantly revise operations
  • Legal problems
  • Loss of key customers or suppliers
  • Uninsured catastrophes
  • The need for new capital

The risk assessment procedures are a part of planning an audit. You may obtain new information as you perform the engagement.

Remaining Alert Throughout the Audit

The auditor should remain alert throughout the audit for conditions or events that raise substantial doubt. So, after the initial review of going concern issues in the planning stage, the auditor considers the impact of new information gained during the subsequent stages of the engagement.

Audit Procedures When Substantial Doubt is Present

If events or conditions do give rise to substantial doubt, then the audit procedures should include the following (SAS 132, paragraph 16.):

  1. Requesting management to make an evaluation when management has not yet performed an evaluation
  2. Evaluating management’s plans in relation to its going concern evaluation, with regard to whether it is probable that: 
    1. management’s plans can be effectively implemented and 
    2. the plans would mitigate the relevant conditions or events that raise substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time
  3. When the entity has prepared a cash flow forecast, and analysis of the forecast is a significant factor in evaluating management’s plans: 
    1. evaluating the reliability of the underlying data generated to prepare the forecast and 
    2. determining whether there is adequate support for the assumptions underlying the forecast, which includes considering contradictory audit evidence
  4. Considering whether any additional facts or information have become available since the date on which management made its evaluation

Sometimes management’s plans to alleviate substantial doubt include financial support by third parties or owner-managers (usually referred to as supporting parties). 

Financial Support by Supporting Parties

When financial support is necessary to mitigate substantial doubt, the auditor should obtain audit evidence about the following:

  1. The intent of such supporting parties to provide the necessary financial support, including written evidence of such intent, and
  2. The ability of such supporting parties to provide the necessary financial support

If the evidence in a. is not obtained, then “management’s plans are insufficient to alleviate the determination that substantial doubt exists.”

Intent of Supporting Parties

The intent of supporting parties may be evidenced by either of the following:

  1. Obtaining from management written evidence of a commitment from the supporting party to provide or maintain the necessary financial support (sometimes called a “support letter”)
  2. Confirming directly with the supporting parties (confirmation may be needed if management only has oral evidence of such financial support)

If the auditor receives a support letter, he can still request a written confirmation from the supporting parties. For instance, the auditor may desire to check the validity of the support letter.

If the support comes from an owner-manager, then the written evidence can be a support letter or a written representation.

Support Letter

An example of a third party support letter (when the applicable reporting framework is FASB ASC) is as follows:

(Supporting party name) will, and has the ability to, fully support the operating, investing, and financing activities of (entity name) through at least one year and a day beyond [insert date] (the date the financial statements are issued or available for issuance, when applicable). 

You can specify a date in the support letter that is later than the expected date. That way if there is a delay, you may be able to avoid updating the letter.

The auditor should not only consider the intent of the supporting parties but the ability as well.

Ability of Supporting Parties

The ability of supporting parties to provide support can be evidenced by information such as:

  • Proof of past funding by the supporting party
  • Audited financial statements of the supporting party
  • Bank statements and valuations of assets held by a supporting party

After examining the intent and ability of supporting parties regarding the one-year period, you might identify potential going concern problems that will occur more than one year out.

Conditions and Events After the Reasonable Period of Time

So, should an auditor inquire about conditions and events that may affect the entity’s ability to continue as a going concern beyond management’s period of evaluation (i.e., one year from the date the financial statements are available to be issued or issued, as applicable)? Yes.

Suppose an entity knows it will be unable to meet its November 15, 2018, debt balloon payment. The financial statements are available to be issued on June 15, 2017, so the reasonable period goes through June 15, 2018. But management knows it can’t make the balloon payment, and the bank has already advised that the loan will not be renewed. SAS 132 requires the auditor to inquire of management concerning their knowledge of such conditions or events. 

Why? Only to determine if any potential (additional) disclosures are needed. FASB only requires the evaluation for the year following the date the financial statements are issued (or available to be issued, as applicable). Events following this one year period have no bearing on the current year going concern decisions. Nevertheless, additional disclosures may be merited.

Thus far, the requirements to evaluate the use of the going concern basis of accounting and whether substantial doubt is present have been explained. Now, let’s see what the requirements are for:

  • Written representations from management
  • Communications with those charged with governance
  • Documentation

Written Representations When Substantial Doubt Exists

When substantial doubt exists, the auditor should request the following written representations from management:

  1. A description of management’s plans that are intended to mitigate substantial doubt and the probability that those plans can be effectively implemented
  2. That the financial statements disclose all the matters relevant to the entity’s ability to continue as a going concern including conditions and events and management’s plans

Communications with Those Charged with Governance

Remember that you may need to add additional language to your communication with those charged with governance.

When conditions and events raise substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, the auditor should communicate the following (unless those charged with governance manage the entity):

  1. Whether the conditions or events, considered in the aggregate, that raise substantial doubt about an entity’s ability to continue as a going concern for a reasonable period of time constitute substantial doubt
  2. The auditor’s consideration of management’s plans
  3. Whether management’s use of the going concern basis of accounting, when relevant, is appropriate in the preparation of the financial statements
  4. The adequacy of related disclosures in the financial statements
  5. The implications for the auditor’s report

Documentation Requirements

When substantial doubt exists before consideration of management’s plans, the auditor should document the following (SAS 132, paragraph 32.):

  1. The conditions or events that led the auditor to believe that there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time.
  2. The elements of management’s plans that the auditor considered to be particularly significant to overcoming the conditions or events, considered in the aggregate, that raise substantial doubt about the entity’s ability to continue as a going concern, if applicable.
  3. The audit procedures performed to evaluate the significant elements of management’s plans and evidence obtained, if applicable.
  4. The auditor’s conclusion regarding whether substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time remains or is alleviated. If substantial doubt remains, the auditor should also document the possible effects of the conditions or events on the financial statements and the adequacy of the related disclosures. If substantial doubt is alleviated, the auditor should also document the auditor’s conclusion regarding the need for, and, if applicable, the adequacy of, disclosure of the principal conditions or events that initially caused the auditor to believe there was substantial doubt and management’s plans that alleviated the substantial doubt.
  5. The auditor’s conclusion with respect to the effects on the auditor’s report.

Opinion – Emphasis of Matter Regarding Going Concern

If the auditor concludes that there is substantial doubt concerning the company’s ability to continue as a going concern, an emphasis of a matter paragraph should be added to the opinion.

An example of a going concern paragraph is as follows:

The accompanying financial statements have been prepared assuming that the Company will continue as a going concern. As discussed in Note 2 to the financial statements, the Company has suffered recurring losses from operations, has a net capital deficiency, and has stated that substantial doubt exists about the company’s ability to continue as a going concern. Management’s evaluation of the events and conditions and management’s plans regarding these matters are also described in Note 2. The financial statements do not include any adjustments that might result from the outcome of this uncertainty. Our opinion is not modified with respect to this matter.

The auditor should not use conditional language regarding the existence of substantial doubt about the entity’s ability to continue as a going concern. 

Opinion – Inadequate Going Concern Disclosures

Paragraph 26. of SAS 132 states that an auditor should issue a qualified opinion or an adverse opinion, as appropriate, when going concern disclosures are not adequate.

SAS 132 Summary 

Now, let’s circle back to where we started and review the objectives of SAS 132.

The objectives are as follows:

  • Conclude about whether the going concern basis of accounting is appropriate
  • Determine whether substantial doubt is present
  • Determine whether the going concern disclosures are adequate
  • Issue an appropriate opinion 

Conclusion

As you can see ASU 2014-15 and SAS 132 are complex. So, make sure you are using the most recent updates to your disclosure checklists and audit forms and programs.

Finally, keep in mind that going concern is also relevant to compilation and review engagements.

Audit Planning Analytics
May 01

Audit Planning Analytics: What You Need to Know

By Charles Hall | Auditing

You can identify risks of material misstatement with audit planning analytics. 

Audit Planning Analytics

Audit Planning Analytics

The auditing standards provide four risk assessment procedures: 

  1. Inquiry
  2. Observation
  3. Inspection
  4. Analytical procedures

I previously provided you with information about the first three risk assessment procedures. Today, I provide you with the fourth, analytical procedures.

While analytical procedures should occur at the beginning and the end of an audit, this post focuses on planning analytics.

Below I provide the quickest and best way to develop audit planning analytics

What are Analytics?

If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the use of numbers to determine reasonableness. For example, if a company's cash balance at December 31, 2017, was $100 million, is it reasonable for the account to be $5 million at December 31, 2018? Comparisons such as this one assist auditors in their search for errors and fraud.

Overview of this Post

We'll cover the following:

  • The purpose of planning analytics
  • When to create planning analytics (at what stage of the audit)
  • Developing expectations 
  • The best types of planning analytics
  • How to document planning analytics
  • Developing conclusions 
  • Linkage to the audit plan

Purpose of Planning Analytics

The purpose of planning analytics is to identify risks of material misstatement. Your goal as an auditor is to render an opinion regarding the fairness of the financial statements. So, like a good sleuth, you are surveying the accounting landscape to see if material misstatements exist.

A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews, timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures. Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for material misstatements. 

The detective and the auditor are both looking for the same thing: evidence. And the deft use of tools can lead to success. A key instrument (procedure) available to auditors is planning analytics. 

When to Create Planning Analytics

Create your preliminary analytics after gaining an understanding of the entity. Why? Context determines reasonableness of numbers. And without context (your understanding of the entity), changes in numbers from one year to the next may not look like a red flag--though maybe they should.

Therefore, learn about the entity first. Are there competitive pressures?  What are the company's objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the organization have debt? Context creates meaning.

Additionally, create your comparisons of numbers prior to creating your risk assessments. After all, the purpose of the analytical comparisons is to identify risk.

But before creating your planning analytics, you first need to know what to expect.

Developing Expectations 

Knowing what to expect provides a basis for understanding the changes in numbers from year to year. 

Expectations can include:

  • Increases in numbers
  • Decrease in numbers
  • Stable numbers (no significant change)

In other words, you can have reasons to believe payroll (for example) will increase or decrease. Or you might anticipate that salaries will remain similar to last year.

Examples of Expectations Not Met

Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an increase of 15% is a flashing light.

Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be an indication of financial statement fraud.

But where does an auditor obtain expectations?

Sources of Expectations

Expectations of changes can come from (for example):

  • Past changes in numbers 
  • Discussions with management about current year operations
  • Reading the company minutes
  • Staffing reductions
  • Non-financial statistics (e.g., decrease the number of widgets sold)
  • A major construction project

While you'll seldom know about all potential changes (and that's not the goal), information--such as that above--will help you intuit whether change (or a lack of change) in an account balance is a risk indicator.

Now, let's discuss the best types of planning analytics. 

The Best Types of Planning Analytics

Auditing standards don't specify what types of planning analytics to use. But some, in my opinion, are better than others. Here's my suggested approach (for most engagements). 

Audit Planning Analytics

First, create your planning analytics at the financial statement reporting level. Why? Well, that's what the financial statement reader sees. So, why not use this level (if you can)? (There is one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)

The purpose of planning analytics is to ferret out unexpected change. Using more granular information (e.g., trial balance) muddies the water. Why? There's too much information. You might have three hundred accounts in the trial balance and only fifty at the financial statement level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I look at it.

Second, add any key industry ratios tracked by management and those charged with governance. Often, you include these numbers in your exit conference with the board (maybe in a slide presentation). If those ratios are important at the end of an audit, then they're probably important in the beginning.

Examples of key industry ratios include:

  • Inventory turnover
  • Return on equity
  • Days cash on hand
  • Gross profit 
  • Debt/Equity 

Okay, so we know what analytics to create, but how should we document them?

Analytics for Fraudulent Revenue Recognition

AU-C 240.22 says, "the auditor should evaluate whether unusual or unexpected relationships that have been identified indicate risks of material misstatement due to fraud. To the extent not already included, the analytical procedures, and evaluation thereof, should include procedures relating to revenue accounts." 

The auditing standards suggest a more detailed form of analytics for revenues. AU-C 240.A25 offers the following:

  • a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales.
  • a trend analysis of revenues by month and sales returns by month, during and shortly after the reporting period. This may indicate the existence of undisclosed side agreements with customers involving the return of goods, which, if known, would preclude revenue recognition.
  • a trend analysis of sales by month compared with units shipped. This may identify a material misstatement of recorded revenues.

In light of these suggested procedures, it may be prudent to create revenue analytics at a more granular level than that shown in the financial statements.

How to Document Planning Analytics

Here are my suggestions for documenting your planning analytics.

  1. Document overall expectations.
  2. Include comparisons of prior-year/current-year numbers at the financial statement level. (You might also include multiple prior year comparisons if you have that information.)
  3. Document key industry ratio comparisons.
  4. Summarize your conclusions. Are there indicators of increased risks of material misstatement? Is yes, say so. If no, say so.

Once you create your conclusions, place any identified risks on your summary risk assessment work paper (where you assess risk at the transaction level--e.g., inventory).

Use Filtered Analytical Reports with Caution (if at all)

Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with changes of greater than $30,000. There is a danger in using such thresholds. 

What if  you expect a change in sales of 20% (approximately $200,000) but your filters include:

  •  all accounts with changes greater than $50,000, and 
  • all accounts with changes of more than 15%

If sales remain constant, then this risk of material misstatement (you expected change of 20%, but it did not happen) fails to appear in the filtered report. The filters remove the sales account because the change was minimal. Now, the risk may go undetected.

Developing Conclusions

I am a believer in documenting conclusions on key work papers. So, how do I develop those conclusions? And what does a conclusion look like on a planning analytics work paper?

First, develop your conclusions. How? Scan the comparisons of prior year/current year numbers and ratios. We use our expectations to make judgments concerning the appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so, there's no formula for this. 

No Risk Identified

Now, you'll document your conclusions. But what if there are no unexpected changes? You expected the numbers to move in the manner they did. Then no identified risk is present. Your conclusion will read, (for example):

Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on the planning analytics, no risks of material misstatement were noted.

Risk Identified

Alternatively, you might see unexpected changes. You thought certain numbers would remain constant, but they moved significantly. Or you expected material changes to occur, but they did not. Again, document your conclusion. For example:

Conclusion: I expected payroll to remain constant since the company's workforce stayed at approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I am placing this risk of material misstatement on the summary risk assessment work paper at 0360 and will create audit steps to address the risk.

Now, it's time to place the identified risks (if there are any) on your summary risk assessment form.

Linkage to the Audit Plan

I summarize all risks of material misstatements on my summary risk assessment form. These risks might come from walkthroughs, planning analytics or other risk assessment procedures. Regardless, I want all of the identified risks--those discovered in the risk assessment process--in one place.

The final step in the audit risk assessment process is to link your identified risks to your audit program. 

Overview of Risk Assessment and Linkage

Now, I tailor my audit program to address the risks. Tailoring the audit program to respond to identified risks is known as linkage.

Audit standards call for the following risk assessment process:

  • Risk assessment procedures (e.g., planning analytics)
  • Identification of the risks of material misstatement
  • Creation of audit steps to respond to the identified risks (linkage)

Summary of Planning Analytics Considerations

So, now you know how to use planning analytics to search for risks of material misstatement--and how this powerful tool impacts your audit plan.

Let's summarize what we've covered:

  1. Planning analytics are created for the purpose of identifying risks of material misstatement
  2. Develop your expectations before creating your planning analytics (learn about the entity's operations and objectives; review past changes in numbers for context--assuming you've performed the audit in prior years)
  3. Create analytics at the financial statement level, if possible
  4. Use key industry ratios 
  5. Conclude about whether risks of material misstatement are present
  6. Link your identified risks of material misstatement to your audit program

If you have thoughts or questions about this post, please let me know below in the comments box. Thanks for reading.

First-Year Businesses and Planning Analytics

You may be wondering, "but what if I my client is new?" New entities don't have prior numbers. So, how can you create planning analytics? 

First Option

One option is to compute expected numbers using non-financial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.

Second Option

A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks.

While industry analytics can be computed, I’m not sure how useful they are for a new company. An infant company often does not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver--just in case.

Third Option

A more useful option is the third: comparing intraperiod numbers. 

Discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?

Fourth Option

The last option we’ve listed is a review of the budgetary comparisons. Some entities, such as governments, lend themselves to this alternative. Others, not so–those that don’t adopt budgets.

Summary

So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.

audit and work paper mistakes
Apr 23

Forty Audit and Work Paper Mistakes

By Charles Hall | Auditing

Today, I offer you a list of forty audit and work paper mistakes.

audit and work paper mistakes

The list is based on my observations from over over thirty years of audit reviews (and not on any type of formal study).

You will, however, shake your head in agreement as you read these. I know you’ve seen them as well. The list is not comprehensive. So, you can add others in the comments section of this post.

Here’s the list.

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing documents in the file with no purpose (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linking)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers
  35. Tickmarks are not defined (at all)
  36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done
  37. No group audit documentation though a subsidiary is included in the consolidated financial statements
  38. No elements of unpredictability were performed
  39. Not inquiring of those charged with governance about fraud
  40. Not locking the file down after 60 days 

That’s my list. What would you add?

1 2 3 6
>