Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
Not retaining the support for opinion wording in the file (especially for modifications)
Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
Seven deadly audit sins can destroy you. These audit mistakes kill your profits and effectiveness.
You just completed an audit project, and you have another significant write-down. Last year’s audit hours came in well over budget, and—at the time—you thought, This will not happen again. But here it is, and it’s driving you insane.
Insanity: doing the same thing year after year but expecting different results.
Are you ready for better results?
Here are seven deadly (audit) sins that cause our engagements to fail.
1. We don’t plan
Rolling over the prior year file does not qualify as planning. Using canned audit programs is not planning.
What do I mean? We don’t know what has changed. Why? Because we have not performed real risk assessment such as current year walkthroughs. We have not (really) thought about current year risks of material misstatement.
Each year, audits have new wrinkles.
Are there any fraud rumors? Has the CFO left without explanation? Have cash balances decreased while profits increased? Does the client have a new accounting program or new staff? Can you still obtain the reports you need? Are there any new audit or accounting standards?
Anticipate issues and be ready for them with a real audit plan.
2. SALY lives
Elvis may not be in the house, but SALY is.
Performing the same audit steps is wasteful. Just because we needed the procedure ten years ago does not mean we need it today. Kill SALY. (No, I don’t mean your staff member; SALY stands for Same As Last Year).
I find that audit files are like closets. We allow old thoughts (clothes) to accumulate without purging. It’s high time for a Goodwill visit. After all, this audit mistake has been with you too long. So ask yourself Are all of the prior audit procedures relevant to this year’s engagement?
Will better planning require us to think more in the early phases of the engagement? Yes. Is this hard work? Yes. Will it result in less overall effort? Yes.
Sometimes the Saly issue occurs because of weak staff.
3. We use weak staff
Staffing your engagement is the primary key to project success. Excellent staff makes a challenging engagement pan out well. Poor staff causes your engagement time to balloon–lots of motion, but few results. Maybe you have smart people, but they need training. Consider AuditSense.
Another audit mistake is weak partner involvement.
4. We don’t monitor
Partners must keep an eye on the project. And I don’t mean just asking, “How’s it going?” Look in the audit file. See what is going on. In-charges will usually tell you what you want to hear. They hope to save the job on the final play, but a Hail Mary often results in a lost game.
As Ronald Reagan once said: Trust but verify.
Engagement partners need to lead and monitor. They also need to provide the right technology tools.
5. We use outdated technology
Are you paperless? Using portable scanners and monitors? Are your auditors well versed in Adobe Acrobat? Are you electronically linking your trial balances to Excel documents? Do you use project management software (e.g., Basecamp)? How about conferencing software (e.g., Zoom)? Do you have secure remote access to audit files? Do you store files securely in the cloud (e.g., Box)? Are you using data mining software such as Idea? Do you send electronic confirmations?
Do your staff members fear you so much that they don’t give you the bad news?
6. Staff (intentionally) hide problems
Remind your staff that bad news communicated early is always welcome.
Early communication of bad news should be encouraged and rewarded (yes, rewarded, assuming the employee did not cause the problem).
Sometimes leaders unwittingly cause their staff to hide problems. In the past, we may have gone ballistic on them–now they fear the same.
And here’s one last audit mistake: no post-engagement review.
7. No post-engagement review
Once our audit is complete, we should honestly assess the project. Then make a list of inefficiencies or failures for future reference.
If you are a partner, consider a fifteen-minute meeting with staff to go over the list.
As an auditor, you often use the work of specialists such as actuaries, appraisers, and engineers. Such work can seem mystical, like something conjured up from a mathematical soup. And since we don’t always understand their incantations, we wonder, “Can we rely on the information?” and “How do I document my use of an expert?” Thankfully, the audit standards provide guidance in AU-C 500 (management’s specialist) and AU-C 620 (auditor’s specialist). Below I unpack these requirements.
Picture is courtesy of DollarPhotoClub.com
Who Hires the Specialist?
A specialist can be hired by your audit firm or by management. If you audit banks, you might hire an appraiser to assist with loan collateral reviews–an example of an auditor’s specialist. If your client uses an actuary, then you will obtain audit evidence from a specialist hired by management.
As we begin our look into the use of experts, here are two definitions to help differentiate the types.
AU-C 620 defines an auditor’s specialist and management’s specialist. Both definitions include “expertise in a field other than accounting and auditing.”
An auditor’s specialist can include an internal person such as a partner or staff member or an external contract person. This person works for the audit firm.
Information from a management specialist is used by the entity in the preparation of their financial statements. This person works for the audit client.
Now, let’s take a look at each.
1. Auditor’s Specialist
AU-C Section 620–Using the Work of an Auditor’s Specialist provides guidance.
Is the Specialist Needed?
AU-C 620 states that auditors should consider the use of a specialist when expertise in a field other than accounting or auditing is needed. Before using the services of a specialist, consider the significance of the information for which you might need such a person. If the information has little impact on the financial statements, then usage of their reports or skills is of less importance.
AU-C 620 Considerations
AU-C 620 also says the auditor should evaluate the competence, capability, and objectivity of the specialist. So if you hire an investment pricing expert, you want to know if she is reputable, what her experience is, whether she can perform the work appropriately, and whether she is objective.
Picture is courtesy of Adobe Stock
According to AU-C 620, information regarding the competence, capabilities, and objectivity may come from sources such as the following:
Personal experience with previous work of the expert
By talking to the specialist
Talking with other auditors or others who are familiar with their work
Knowledge of their qualifications, professional memberships, licenses to practice, or other forms of recognition (often available on their website)
Books or other publications of the expert
If you’ve previously worked with the aforementioned pricing expert, you have personal experience with her work. This helps. You might call her with regard to current year issues, and since you already know her, you probably know her qualifications.
Regarding objectivity, the auditor should inquire about any relationships that the specialist may have with the client. And if necessary, obtain a signed representation letter concerning their objectivity. Continuing with our pricing expert example, you want to ask her if she has any business relationships with the auditee. Are there any family relationships? Is there anything that might impair her objectivity?
Additionally, if the expert is hired by your firm, consider an engagement letter.
Engagement Letter with Specialist
Though not required, the auditor can use a written engagement letter to define the work of the specialist. AU-C 620 provides suggestions for the engagement letter such as:
Nature, scope, and objectives of the assistance
The roles and responsibilities of the auditor and the specialist
How information will be communicated
The need for confidentiality
Document the specialist’s work in a memorandum if an engagement letter is not obtained.
Adequacy of Work
Auditors must evaluate the adequacy of the work.
AU-C 620 requires that you evaluate the adequacy of the work, including the reasonableness of the findings and conclusions, the reasonableness of assumptions and methods, and the relevance and accuracy of the information.
Bottom line: Does the work of the expert provide sufficient and appropriate audit evidence with regard to the issue at hand (e.g., investment pricing)?
When should an auditor begin thinking about specialist usage? Before the engagement is accepted. Why? If we accept an audit without the necessary skill sets, we have a problem. As you consider the acceptance of an audit engagement, think about whether a specialist is needed, and whether such a person is available at a reasonable price.
Reference to a Specialist in an Auditor’s Opinion
AU-C 620 states that an auditor should not refer to the work of an auditor’s specialist in an unmodified audit opinion. The auditor can, however, make reference to a specialist when the opinion is modified (to explain the reason for the modification). But, if reference is made, the audit opinion should state the auditor’s responsibility is not lessened.
What does this mean? Regardless of the situation, the opinion is the auditor’s (and not the specialist’s). We may use the expert’s work as audit evidence, but the audit opinion (and the corresponding responsibility) belongs to us.
Confidentiality Language in the Client Engagement Letter
When an auditor hires an external specialist, should the audit engagement letter change?
When an audit firm hires an external specialist, the firm should follow the Code of Conduct section ET 1.700.040, Disclosing Information to a Third-Party Service Provider. How can you comply with this ethical requirement? By including additional language in your engagement letter advising the client that you might provide confidential information to an outside party. Ineffect, you are gaining consent to share client information. If you are not using an outside person, but someone who works for your firm, then no such consent is necessary.
Now, let’s take a look at management’s specialist.
2. Management’s Specialist
AU-C Section 500, Audit Evidence, provides guidance on the use of information from a management specialist.
Your audit client might use their own expert such as a pension plan actuary. To rely on the actuary, you need to know if she is competent and objective. You also need to understand–at least in a general sense–what the actuary does. You do not need to recompute the actuarial computations, for example. But a review of assumptions for reasonableness is appropriate.
AU-C 500 Considerations
AU-C 500 requires considerations similar to those of an auditor’s specialist. For instance, you need to evaluate the competence and objectivity of management’s expert. Obtain an understanding of their work, and evaluate it in light of relevant assertions. For example, is the pension disclosure, based on actuarial information, understandable and accurate?
As with an auditor’s specialist, the sources of information regarding a management specialist can come from prior experience with the person, discussions with the expert, and knowledge of their certifications and experience.
Additionally, consider including relevant language in management’s representation letter.
AU-C 580, Written Representations, provides the following example of language that an auditor might include in the representation letter:
We agree with the findings of specialists in evaluating the [describe assertion] and have adequately considered the qualifications of the specialists in determining the amounts and disclosures used in the financial statements and the underlying accounting records. We did not give or cause any instructions to be given to specialists with respect to the values or amounts derived in an attempt to bias their work, and we are not otherwise aware of any matters that have had an effect on the independence or objectivity of the specialists.
So how do you document your use of these experts? As you can tell, the audit standards provide a framework, and the documentation will vary depending on the type of specialist used and the importance of the information. At a minimum, consider documenting:
Why you need the expert (or their work product)
What they are doing
Their abilities, reputation, and experience
The adequacy of the work provided
Peer review checklists include questions regarding your documentation of such information. Therefore, you need to make sure you do so.
At the end of the day, auditing is all about obtaining reasonable assurance by obtaining audit evidence. As you consider the use of these experts, ask yourself how their work impacts your risk assessment, your audit procedures, and finally your opinion.
In this article I explain how you can use unpredictable audit procedures.
The audit standards require elements of unpredictability. Why? So clients can’t guess what the auditor is going to do. Clients naturally observe and learn what auditors normally do. The client’s knowledge of what is audited (and what is not) makes it easier to steal. The client takes from unaudited areas. This knowledge also enables the company to manipulate numbers. The client alters unaudited balances.
The purpose of the unpredictable element is to create uncertainty–in the client’s mind–regarding audit procedures. We do so by using unpredictable audit procedures.
Elements of Unpredictability – The Audit Standards
In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor should…incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.
AU-C 240.A42 states:
Incorporating an element of unpredictability in the selection of the nature, timing, and extent of audit procedures to be performed is important because individuals within the entity who are familiar with the audit procedures normally performed on engagements may be better able to conceal fraudulent financial reporting. This can be achieved by, for example,
performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk.
adjusting the timing of audit procedures from that otherwise expected.
using different sampling methods.
performing audit procedures at different locations or at locations on an unannounced basis.
Unpredictable Audit Procedures
To introduce elements of unpredictability, perform procedures such as these:
Examine payments less than your normal threshold in your search for unrecorded liabilities (e.g., in the last three years your threshold was $7,000; this year, it’s $3,000)
Perform a surprise unannounced review of teller cash (for a bank client)
Make a physical visit to the inventory location one month after the end of the year and review inventory records (assuming you don’t normally do so)
Review payroll salary authorization sheets for ten employees and agree to amounts in the payroll master table (in the payroll software)
Test a bank reconciliation for the seventh month in the year being audited (in addition to the year-end bank reconciliation)
Confirm an immaterial bank account that you haven’t confirmed in the past
Pick ten vendors at random and perform procedures to verify their existence (as a test for fictitious vendors)
Document Your Unpredictable Audit Procedures
Since unpredictable tests are required in every audit, document where you performed this procedure. Reference your audit program step for unpredictable tests to the work performed. Title your work paper, “Unpredictable Test,” and then add a purpose statement such as, “Purpose: To confirm the immaterial bank account with ABC Bank as an unpredictable test.” Doing so will eliminate the potential for a peer reviewer to say, “that’s a normal procedure.” You are overtly stating the purpose of the test is to satisfy the unpredictable test requirement.
Change Your Unpredictable Tests Annually
Change your unpredictable tests annually. Otherwise, they will–over time–become predictable.
Over the last thirty-five years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?
Here are a seven answers I’ve received.
1. It was there last year.
But is it relevant this year? Resist the temptation to mindlessly bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.
2. The client gave it to me.
Inexperienced auditors tend to put everything given to them in the file. Some auditors believe “if the client gave it to me, it must be important.” But this is not necessarily true. Every work paper needs a purpose.
3. I may need it next year.
Then save it for next year—somewhere other than in the current file. If the information does not provide current year engagement evidence, then it does not belong in the file.
Consider creating a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: Nextyear’s work papers. Then move this section to next year’s file as you close the engagement.
4. I might need it this year.
Before going paperless (back in the prehistoric days when we moved work papers with hand trucks ), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.
Since my files are now paperless, I create an electronic folder titled Recycle Bin that sits at the bottom of my file. If I receive information that is not relevant to the current year (but there is a chance I will need it), I move it to the recycle bin, and when I am wrapping up the engagement, I dispose of the folder.
5. It’s an earlier version of a work paper.
Move earlier versions of work papers to your recycle bin—or delete them.
6. I need it for my tax work.
Then it belongs in the tax file (unless it’s related to your attest work – e.g., deferred taxes).
7. We always do this.
But why is it being done this year? Maybe a fraud was missed ten years ago and the partner said, from now on we will…
The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide ammunition to an opposing attorney: “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)
What are your thoughts about removing unnecessary audit work papers?