Category Archives for "Auditing"

Auditing Plant, Property, and Equipment
Mar 29

By Charles Hall | Auditing

Today, we talk about auditing plant, property, and equipment (or capital assets if you work with governments).

Plant, property, and equipment is often the largest item on a balance sheet. But the risk is often low to moderate. After all, it’s difficult to steal land or a building. And the accounting is usually not difficult. So the dollar amount can be high but the risk low.

In this post, we’ll answer questions such as, “how should we test additions and retirements of property?” and “what should we do in regard to fair value impairments?” 

Auditing Plant, Property, and Equipment — An Overview

I will—at times in this article—refer to plant, property, and equipment as property. Governments use the term capital assets to refer to plant, property and equipment, but again, I will, for the most part, use the term property in this article.

Property is purchased for use in a business. For example, a corporate office might be bought or constructed. The building is an asset that is depreciated over its economic life. As depreciation is recorded, the book value (cost less accumulated depreciation) of the building decreases. In other words, you expense the building as it is used.

In most reporting frameworks, including GAAP, assets are recorded at cost. Appreciation in market value is not recorded, but significant decreases, known as impairments, are booked. Property improvements (e.g., adding a new room to an existing building) are capitalized and depreciated. Repairs (e.g., painting a room) that don’t extend the life of an asset are expensed.

Also, most businesses elect to use a capitalization threshold such as $5,000. For these entities, amounts paid below the threshold are not capitalized, even if they extend the life of the asset. The amounts below the threshold are expensed as incurred.

So, how do most entities track property purchases and compute the related depreciation? They use depreciation software. Then when property is purchased, it is added to the depreciation software and an economic life (e.g., ten years) is assigned.

Below we will cover the following:

  • Primary property assertions
  • Property walkthroughs
  • Directional risk for property
  • Primary risks for property
  • Common property control deficiencies
  • Risk of material misstatement for property
  • Substantive procedures for property
  • Common property work papers

Primary Property Assertions

The primary relevant property assertions are:

  • Existence and occurrence
  • Completeness
  • Valuation
  • Classification

Of these assertions, I believe—in general—existence, occurrence, and classification are most important. So, the client is asserting that property exists, that depreciation expense is appropriate, and that amounts paid for property are capitalized (and not expensed).

Property Walkthroughs

As we perform walkthroughs of property, we are looking for ways that property might be overstated (though understatements can occur as well). 

As we perform the property walkthrough, we ask, “what can go wrong, whether intentionally or by mistake?”

In performing the walkthrough, ask questions such as:

  • Are property ledgers reconciled to the general ledger?
  • Does the entity use reasonable and consistent depreciation methods?
  • Are the depreciation methods in accordance with the reporting framework (e.g., straight line for GAAP or accelerated for tax basis)?
  • Who records depreciation? 
  • Are the economic lives assigned to property appropriate?
  • What controls ensure that property is recorded in the right period?
  • What controls ensure that capital leases are capitalized as property (if applicable, see GAAP lease standards)?
  • Is there appropriate segregation of duties between persons that purchase, record, reconcile, and physically possess property?
  • What software is used to compute depreciation?
  • Does the company perform periodic physical inventories of property?
  • Are assets removed from the depreciation schedule upon sale?
  • What controls ensure that property purchases are added to the depreciation schedule (and not expensed as repairs and maintenance)?
  • What controls ensure that repair expenses are not capitalized as property?
  • What is the capitalization threshold (e.g., $5,000)?

As we ask questions, we also inspect documents (e.g., depreciation reports) and make observations (e.g., who has access to moveable property?).

If control weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see that one person purchases property, has physical access to equipment, and performs the related accounting, then we will perform theft-related substantive procedures.

Directional Risk for Property

The directional risk for property is overstatement. So, in performing your audit procedures, perform procedures to ensure that property is not overstated. For example, vouch all significant property additions to invoices. See if the amounts added are equal to or greater than the capitalization threshold (e.g., $5,000).

Primary Risks for Property

The primary risks for property are:

  1. Property is intentionally overstated
  2. Repair expenses (or any other expenses) are improperly capitalized as property
  3. Purchases that should be recorded as property are expensed
  4. Depreciation is improperly computed and recorded (e.g., accelerated depreciation is used when straight-line is more appropriate)
  5. Moveable property (e.g., equipment) is stolen

Common Property Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs more than one of the following:
    • Authorizes the purchase of property
    • Enters the property in the general ledger and depreciation schedule
    • Has physical custody of the property
    • Has responsibility for reconciling the depreciation schedule to the general ledger
  • The person computing depreciation doesn’t have sufficient knowledge to do so 
  • A second person does not review the depreciation methods for appropriateness and economic lives assigned to each property
  • No one performs surprise audits of property
  • No one performs physical inventories of property
  • There are no controls over the disposal of property
  • Appropriate bidding procedures are not used
  • No one reconciles the depreciation schedule to the general ledger
  • Property is not reviewed for potential impairments of value

(See my article providing you with ways to prevent the theft of capital assets.)

Risk of Material Misstatement for Property

In smaller engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk × inherent risk = risk of material misstatement). The assertions that concern me the most are existence (for additions to property), occurrence (for depreciation), and classification (of property). With regard to classification, the business determines whether the amount should be capitalized or expensed. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, the vouching of additions to property. As RMM increases I lower the dollar threshold for vouching property additions.  

If controls related to bids are weak, your RMM for existence can be high. Bid rigging or kickbacks—fraudulent vendor actions—can result in overstatements of asset additions. 

Substantive Procedures for Property

My customary audit tests are as follows:

1. Vouch property additions to related invoices

2. Agree opening property balances in the depreciation schedule to the prior year ending balances

3. Review economic lives assigned to new property for appropriateness

4. Review the selected depreciation method in light of the property’s life

5. Compute a ratio of depreciation to property and compare the result with prior periods

6. Review new lease agreements to determine if they should be capitalized

7. Inquire about potential decreases in the value of property and request valuations if necessary

Common Property Work Papers

My property work papers normally include the following:

  • An understanding of property-related internal controls
  • Risk assessment of property at the assertion level
  • Documentation of control deficiencies related to property
  • Property audit program
  • A copy of the depreciation schedule that agrees to the general ledger
  • A summary of additions and retirements of property in the current audit period
  • Bid documents for significant construction projects or other property purchases
  • A valuation of a significant asset by a valuation specialist, if merited (potential impairment)

In Summary

In this article, we looked at how to perform property risk assessment procedures, the relevant property assertions, the property risk assessments, and substantive property procedures.

Next it’s time to turn our attention to the audit of investments.

See my article Funded Depreciation: How to Become More Profitable.

Bad Audit Habits
Mar 23

Five Dirty, No Good, Terrible, Audit Habits

By Charles Hall | Auditing

Today I describe five dirty, no good, terrible, audit habits. 

Certain peer review deficiencies continue to persist. Today I tell you about a few and how you can stop them.

Have you ever had a bad habit? You eat too much, don't exercise enough, put your make-up on while driving to work (one I've never had, thankfully), spend too much money. Yes, we've all had bad habits.

Auditors have them as well. Some problems seem to never die. The AICPA periodically provides a list of peer review deficiencies. Here are five and what you can do about them. 

Bad Habit 1 - Skipping Risk Assessment 

Do you have the habit of starting your audit by testing bank reconciliations or reconciling equity accounts to the general ledger? 

Solution - Start in the right place. At the beginning. And where is the beginning? First acceptance and continuance. Then risk assessment. Resolve to perform the following before doing any substantive work:

  1. Perform acceptance or continuance procedures
  2. Gain an understanding of the entity and its environment
  3. Perform walkthroughs 
  4. Review prior year estimates for potential bias
  5. Ask questions regarding fraud
  6. Create your planning analytics

Now, assess risk at the financial statement level and at the transaction level by assertion. Once risk assessment is complete, start your substantive work.

In another bad habit, some auditors create their risk assessments but don't use them.

Bad Habit 2 - Performing But Not Using Risk Assessment

Don't allow another bad habit to persist: Performing risk assessment procedures and ignoring the results. In other words, using the same substantive procedures as last year, though new risks are present. 

Solution - Once a risk is identified, link a response to it. This can be done on your risk assessment summary form.

For example, the revenue recognition standard is effective for many of your December 31, 2019 clients. The standard represents change and can impact your risk of material misstatement for revenue. Change creates risk. And risk calls for a response. Link the risk (that revenue recognition and disclosures may be incorrect) to substantive procedures. Test the revenue recognition in light of Topic 606 and vet the disclosures with an updated disclosure checklist.

In another nasty habit, some auditors ignore controls.

Bad Habit 3 - Ignoring Controls

While a test of controls for effectiveness is not required, reviewing control design and implementation is. This is why we perform walkthroughs. But some auditors ignore or give little attention to this risk assessment procedure. Their attitude is "I already know what I'm going to do, so why waste time?" 

This attitude can be the result of believing a balance sheet audit approach is sufficient. This is the belief that auditing all significant balance sheet accounts is enough. But is it? Suppose the CFO steals $5 million during the year, skimming cash from unbilled receipts. You can audit the year-end bank reconciliation. The bank account can reconcile to the general ledger. But the $5 million is still missing.

Solution - Gain your understanding of controls early in the audit. Use walkthroughs to do so. 

The next bad habit is an extension of not gaining an understanding of controls.

Bad Habit 4 - Not Reviewing SOC Reports

Putting a service organization controls (SOC) report in the audit file is not enough. We must understand the service organization's controls.

Why? Because the service organization controls are a part of the company's controls. The company's accounting system includes outsourced components.

Your client, for example, may outsource its payroll to ADP. Does that mean the auditor doesn't need to understand ADP's processes and controls? No. Why? Because ADP is acting as an extension of the company's accounting system. The SOC report allows you to see if the payroll controls are designed appropriately and implemented. And this is what we desire whether the accounting is in-house or outsourced.

Solution - Read the SOC report and document your considerations. If control weaknesses are present, determine how those weaknesses impact your risk assessment. 

And what's the last bad habit? Drum roll. Auditors don't identify the significant risks.

Bad Habit 5 - Not Identifying Significant Risks

Every audit has at least one or two significant risks. Consider, for example, management override. Management can manipulate the books to satisfy their needs.

So, what is a significant risk? Audit standards define it as "An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration." But what is "special audit consideration"? It's those high-risk areas that deserve extra attention. They are the two or three areas (the number varies by audit) that deserve our greatest effort. Understand that not all high risks of material misstatement are significant risks. Significant risks are those areas of an even higher concern. Examples include:

  • Allowance for bad debt in a hospital
  • Management override
  • A fraud risk (because a known material theft exists)

By contrast, a high risk of material misstatement (RMM) for the completeness assertion in payables might not be a significant risk. The RMM might be high but, in this example, it's not a significant risk. 

Solution - Identify significant risks. Do so on your risk assessment summary form. Then link to a response in your audit program. And these responses should be beyond your normal basic procedures. Additionally, they must include a test of details.

AICPA Areas of Focus

Each year the AICPA creates areas of focus in its Enhancing Audit Quality (EAQ) work. You may want to put this in your tickler file. Why? So you'll know the hot-button peer review issues. That way you can build your audit processes in a proactive manner. 

Substantive procedure
Mar 07

Test of Details: Substantive Audit Procedure

By Charles Hall | Auditing

A test of details, a substantive procedure, is the auditor's primary response to risks of material misstatement. Today I tell you what a test of details is and how you can best use this substantive approach.

Test of Details

Further Audit Procedures

AU-C 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained defines substantive procedures as:

Once you assess your risks of material misstatement you determine your responses. These further audit procedures (responses) include the two substantive procedures listed above as well as test of controls.

So of the three further audit procedures, are certain ones required?

Yes.

A test of controls is necessary if substantive procedures can’t properly address a risk of material misstatement. Think complex information technology processes. For example, when a benefit plan participant changes his investment options in a 401(k). There may be no physical documents to examine. In these circumstances, a test of controls might be your only option.

By contrast, auditors are required to perform tests of details when significant risks are identified. A test of controls alone will not do. So if, for example, you have determined that a complex estimate is a significant risk, then plan and perform a test of details in response. Likewise, if you believe a fraud risk is present, perform a test of details.

Additionally, substantive procedures are required for relevant assertions related to each material class of transactions, account balances, and disclosures. However, for this requirement, the auditor can use:

  • Substantive analytics alone 
  • A test of details alone
  • A combination of substantive analytics and test of details

This article focuses on tests of details. So, let’s move to that topic.

What is a Test of Details?

The video below explains tests of details and comes from my YouTube playlist titled Audit Risk Assessment Made Easy.

Audit standards don't define tests of details. They only say that a test of details is one of two substantive procedure options (the other being substantive analytics).

Test of Details Examples

Since there is no definition, here are examples of a test of details:

  • Vouching invoices
  • Tracing bills sent to customers
  • Search for unrecorded liabilities in accounts payable
  • Testing bank reconciliations by examining subsequent month bank statements
  • Sending bank confirmations
  • Sending customer confirmations
  • Agreeing receivables to contracts
  • Vouching subsequent receipts in receivables
  • Reconciling payroll in the general ledger to quarterly payroll tax returns

As you can see, a test of details is just what it says it is. You are digging into the details of transactions. Substantive analytics, by contrast, look at numbers from a broader perspective. For example, the auditor might compute the current ratio or compare this year's debt level with prior years. I provided examples of substantive analytics in a recent article.

Now let's see how you can best select your tests of details procedures.

Tests of Details - Selection of Procedures

So, how do you determine which response is best? 

AU-C 330 tells us to pay attention to the nature of the risk. Doing so allows us to determine the what, when and how of our procedures. The audit standards refer to this as the nature, timing and extent. So, here is the way to design appropriate responses to your client’s risks of material misstatement. 

1. Nature of Evidence

First, let's discuss the type of procedures or, as the audit standards call it, the nature of evidence. If an auditor believes that receivables might be overstated, then she might send confirmations to customers. Why confirmations? To prove the existence of the receivables. And confirmations provide third party evidence which is better than that from within the company. Customers usually have no reason to respond in a dishonest manner, so the third party evidence is more reliable.

Prepaid assets, by contrast, usually have a low risk of material misstatement. They are not complex. The volume of transactions is low. They are not an estimate. So, in this instance, the auditor could use substantive analytics. Again, the nature of the risk drives your response.

Your responses are critical. If your tests don't address the risk of material misstatement, what good are they? 

In addition to the nature of evidence, timing matters as well.

2. Timing of Evidence

So, should you perform interim audit procedures? The answer depends on the reliability of the accounting system. Interim work is more easily done when you audit reliable systems. Consider waiting until period-end to audit unreliable systems. Why? If your interim work yields significant problems, you may not feel comfortable with roll-forward procedures. In other words, you may have to re-perform your interim work at period end. 

Do you perform a search for unrecorded liabilities? Then some time must pass from period-end before you do this procedure. The entity needs time to receive period-end invoices and make payments before you can review them. Likewise, if you are examining subsequent period receivable collections, some time must pass before you do so. Wait at least three or four weeks from period end before you perform these types of procedures.  

In addition to the nature and timing, the quantity of information is critical.

3. Extent of Evidence

The extent or quantity of evidence is another decision. Higher risks call for more evidence. If accounts payable has been materially understated the last two years, then consider lowering your search threshold for unrecorded liabilities. If you've used $10,000, you could, for example, move it to $3,000. The lower threshold will yield more evidence. The main point here is you want more evidential matter as risk increases.

But can you audit too much information? The answer is yes, unless you have an unlimited time budget. So, you want to examine enough information without overdoing it.

A question to ask in designing your quantity is, “Will this test allow me to detect a material misstatement?” For instance, you might plan a sample. But once you total the individually significant items, you see the remaining amount is immaterial. Then test the individually significant items and stop. 

Choosing Your Tests of Details

So there you are. A summary of nature, timing and extent as they relate to tests of details. Learning to match your procedures with risks is one of the most important things you'll do as an auditor. Using canned audit programs or the same-as-last-year approach can lead to significant problems. Therefore, know your risks. Then design and perform responsive procedures.

Tests of Details by Account Balance

If you desire to see tests of details by account balances and transaction cycles, see The Why and How of Auditing series. There I provide you with tests of details for accounts such as cash, receivables and debt. 

Why and How of Auditing
Feb 09

The Why and How of Auditing Series

By Charles Hall | Auditing

Do you struggle with what needs to be done in an audit–and what does not? Do you perform audit procedures (because they are in a standard audit program) but you’re not sure why? Do you ever feel like your audit will never end? You are not alone.

While audit forms—like risk assessment, audit planning, and audit program—are necessary, they can make us feel like a blind man being led by the hand. If you’re like me, you want to see, to know where you’re going and why. To gain sight, we need to go back to the basics. 

Each year, Vince Lombardi (the revered coach of the Green Bay Packers) held a pigskin up and said, “This is a football.” And he did so with the best players in the world. He knew that winning is all about basics: blocking, tackling, passing, running. Understanding fundamentals brings clarity and power. And that’s what I’m after in The Why and How of Auditing. I’ll strip away the technical mumbo-jumbo and make auditing accessible, even for beginners. Moreover, experienced auditors will profit as you revisit what matters (and what does not).

The Why and How of Auditing

Here’s an overview of the upcoming posts:

Moving from Wasteful to Efficient Auditing

In the cartoons I read as a kid, Lucy would say to Charlie Brown, “I will hold the ball, and you kick,” but as Charlie Brown would lean into his launch, she would pull away. And you remember the result: Charlie Brown, lying on his backside. 

Some audit procedures (like the invitation to kick) are tempting. They call us (like a familiar friend), but they are a waste of time–even if we have done these steps for years. In the end, they leave us staring at the sky. So, we need to know what is best and what is necessary. Then, we can avoid waste.

This series provides you with what you need to know—without excess baggage. By design, the series is simple. Why? To provide clarity. I want you to understand the basics of auditing. 

When you’re done, you’ll understand auditing, possibly in a way you never have. Then you’ll work with greater confidence and effectiveness. So, let’s begin.

Get the Book

You can find my book The Why and How of Auditing on Amazon. Get your copy now.

Other Audit Articles

I have also written these posts regarding responses to the risk of material misstatement:

peer reviewers focus on independence
Aug 05

Independence in Attest Engagements

By Charles Hall | Auditing , Preparation, Compilation & Review

Independence in attest engagements is critical.

Peer reviewers continue to focus on independence documentation. Today I’ll provide you with examples of what peer reviewers are looking for and guidance to keep you out of hot water.

Documentation of Nonattest Services

Peer reviews focus upon nonattest services provided to attest clients. How do we know? Well, see the peer review checklist question below (for an attest engagement).

nonattest services

The big “no-no” is to assume management responsibilities and then perform an attest service. Why? Performing management responsibilities impairs your independence. 

Preparing Financial Statements

Below is another question from the peer review checklists. Notice the first item below: Accepting responsibility for the preparation and fair presentation of the client’s financial statements. The client (not the auditor) must assume responsibility for the financial statements.

nonattest services

If the client can’t–or is unwilling to–assume responsibility for the financial statements, then we are not independent, and we cannot perform an audit or a review. This assumption of responsibility does not mean the client has the ability to create financial statements, but it does mean that:

  • the client will oversee the nonattest service,
  • the client will evaluate the adequacy and results of the nonattest service, and
  • the client will accept responsibility for the nonattest service

If we prepare financial statements and perform an audit, review, or compilation, we have performed a nonattest service and an attest service. Why is this important? Because if we perform a nonattest service and an attest service for the same client, we must assess our independence. And if we are not independent, then we can’t perform an audit or review engagement. (It is permissible to perform the compilation engagement when independence is impaired, but the accountant must say–in the compilation report–that he is not independent.)

Other Peer Review Questions

The peer review checklists also ask for:

  • The name and title of the client personnel overseeing the nonattest service and
  • A description of the accountant’s “assessment and factors leading to your satisfaction that the client personnel overseeing the service had sufficient skills, knowledge and experience.”

Separate Form to Document Independence

So do we need a separate form in our file to document independence?

It certainly would not hurt, and I suggest that you do. PPC and CCH offer such forms (and I am sure other work paper providers do the same). These forms provide a place to document all nonattest services and to assess and document our client’s ability to assume responsibility for the nonattest services.

The PPC and CCH forms also address the cumulative effect of performing multiple nonattest services. The AICPA has stated that the performance of multiple nonattest services can impair independence. So you should document your consideration of whether the cumulative nonattest services create a problem. Peer review checklists ask if we documented this consideration.

Additionally, if significant threats are present, the accountant should document the safeguard(s) used to mitigate the risk. This documentation is particularly crucial in Yellow Book engagements. The PPC and CCH independence forms will assist you with this documentation. Below are peer review checklist questions:

Independence

Alignment in Independence Documentation

We should–in the engagement letter–specify the nonattest services and the responsibilities of management. If you are performing an audit or a review engagement, add additional language to the representation letter regarding the nonattest services performed and the client’s responsibility for those services.

So I am suggesting you document the nonattest services in three places:

  • Engagement letter,
  • Independence form, and
  • Representation letter (when relevant)

And when you do, please make sure the nonattest services listed in each document are the same. 

Nonattest Services and Independence

Here’s a video that explains nonattest services and how to document your independence in regard to them.
