Category Archives for "Auditing"

audit and work paper mistakes
Dec 08

Work Paper Mistakes: A List of 40 Common Errors

By Charles Hall | Auditing

Today, I offer you a list of forty work paper mistakes. If you’re an auditor or you perform review engagements or compilations, you’ve seen these–or if you’re like me, you’ve make some of these errors. 

audit and work paper mistakes

The list is based on work paper reviews I’ve done over the last thirty-seven years (and not on any type of formal study).

You will, I think, shake your head in agreement as you read them. Why? Because you’ve seen these too. 

Forty Work Paper Mistakes

Here’s the list of forty work paper mistakes:

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing unnecessary documents in the file (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linkage)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers

35. Tickmarks are not defined (at all)

36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done

37. No group audit documentation though a subsidiary is included in the consolidated financial statements

38. No elements of unpredictability were performed

39. Not inquiring of those charged with governance about fraud

40. Not locking the file down within 60 days 

That’s my list of workpaper mistakes. What would you add?

Even if you do all of these, have you documented them properly? See my article If It’s Not Documented, It’s Not Done.

How to Identify and Manage Audit Stakeholders
Nov 08

How to Identify and Manage Audit Stakeholders

By Harry Hall | Auditing

This is a guest post by Harry Hall. He is a Project Management Professional (PMP) and a Risk Management Professional (PMI-RMP). See his blog at ProjectRiskCoach.com.

Some auditors perform the same procedures year after year. These individuals know the drill. Their thought is: been there; done that. But, before we start the engagement, we need to identify the audit stakeholders. 

Imagine a partner or an in-charge (i.e., project manager) with this attitude. He does little analysis and makes some costly stakeholder mistakes. As the audit team starts the audit, they encounter surprises:

  • Changes in the client stakeholders – accounting personnel and management
  • Changes in accounting systems and reporting
  • Changes in business processes
  • Changes in third-party vendors
  • Changes in the client’s external stakeholders

Audit Stakeholders

Furthermore, imagine the team returning to your office after the initial work is done. The team has every intention of continuing the audit; however, some members are being pulled for urgent work on a different audit.

These changes create audit risks–both the risk that the team will issue an unmodified opinion when it’s not merited and the risk that engagement profit will diminish. Given these unanticipated factors, the audit will likely take longer and cost more than planned. And here’s another potential wrinkle: Powerful, influential stakeholders may insist on new deliverables late in the project.

So how can you mitigate these risks early in your audit?

Perform a stakeholder analysis.

“Prior Proper Planning Prevents Poor Performance.” – Brian Tracy

Continue reading

Using Project Management in Audits
Nov 08

Project Management in Audits: Key to Profit

By Charles Hall | Auditing

On the first day of your audit, you’re confident you’ll deliver your report on time. You have visions of a happy client and happy firm partners. But, somewhere along the way, things break down. Your best auditor transfers to another job. You learn–as the audit progresses–that your junior staff member lacks sufficient training. Your client is not providing information as requested. And, additionally, your audit team has unearthed a fraud.

How can you lessen or respond to these problems? Project management. In this post, I’ll tell you what it is and how you can start using project management in audits, including software selection and practical implementation steps.

Project Management in Audits

Using Project Management in Audits

Auditors need to be effective (by complying with professional standards), but we also need to be efficient (if we want to make money). And project management creates efficiency.

Managing resources, identifying impediments to audit processes, responding to scope creep–these are just a few of the issues that we encounter. And these challenges can increase engagement time and decrease profits. Worse yet, that promise regarding timely completion can go unmet. 

Either we will manage our audits, or they will manage us. 

So, what are the keys to using project management in audits?

  • Audit team members
  • Project management software
  • Create a project management plan
  • Be aware
  • Be vigilant

Audit Team Members

The number one ingredient to a successful audit is your team members. Even more important is the person managing the engagement.

Have you noticed that some people–regardless of the obstacles–just get things done? If possible, get and keep people like this on your audit teams. You may be thinking–at this moment–“but our firm has a difficult time hiring and retaining great employees.” Then revisit your hiring and retention practices.

Having great team members is essential, but they need to work together. So, how do we get them to play their roles at the right time? A project management plan defined in project management software.

Project Management Software

There are plenty of useful project management software packages. They include:

Pricing varies. Some are free while others are expensive. So, you’ll need to do your research to determine which solution is best for you. Personally, I use Basecamp. If you want to start with a free application, try Trello or Asana. Another option is Smartsheet (an Excel-spreadsheet-based product). Larger firms may desire to take a look at XCMWorkflow.

I was recently exposed to SuraLink in an engagement where I assisted a city government with its preparation for an audit. The external auditors used SuraLink to request and receive information from the client. I was very impressed with this product. Though I have used Basecamp historically (as you’ll see in a moment), I plan to give SuraLink a hard look. Basecamp is wonderful in terms of use-of-use, but I’m not confident in the security. So I’ve used Basecamp in conjunction with other products such as ShareFile and Box. SuraLink appears to provide you with one product to manage and house documents. 

Regardless of the project management software you use, always think about security since you are uploading and downloading client files. 
Continue reading

fake bank confirmations
Oct 18

Fake Bank Confirmation Responses: $6 Million Theft

By Charles Hall | Auditing

The Western District of North Carolina U.S. Attorney’s Office issued a press release on June 17, 2013, detailing how James Shepherd, an investment company owner, defrauded over 100 investors of approximately $6 million. How? By misusing funds and tricking his company’s external auditors with fake bank confirmation responses.

fake bank confirmations

Hiding Theft with Fake Bank Confirmation Responses

The press release states, “Documents indicate that Shepherd built a $2 million residence in Vass, North Carolina, and used investor money to make mortgage payments on the residence.” The U.S. Attorney’s Office said, “For seven years Shepherd used his investment fund as his personal piggy bank and repeatedly lied to his investors who trusted him with their savings.” The release goes on to say the fraud was concealed as “Shepherd sent to investors certified financial statements…accompanied by an Independent Auditor’s Report.” The fraudulent December 31, 2012, financial statement reflected a $6,041,850 cash balance when in reality the fund had less than $100,000. So, how was Shepherd able to get an independent auditor’s report based on fraudulent numbers?

The auditor sent bank confirmations to a P.O. Box address provided by Shepherd. Additionally, the confirmations were sent to the attention of a “Charles Fisher,” a fictitious bank employee.

And who controlled the P.O. Box? Mr. Shepherd.

According to the U.S. Attorney’s Office, Shepherd would receive the bank confirmations, “forge the name Fisher on a fake bank letter” and “send forged bank statements with fake balances” to the auditor. The responses came in the form of both letters and faxes.

So, how were the forged bank statements created? The press release stated that “Shepherd generated the fraudulent bank statements using a version of Adobe Acrobat that enabled him to type false numbers over true bank statements.”

Given the false bank confirmations, how was Mr. Shepherd ever caught? In March 2013 the auditors “insisted on verifying the cash balance of funds’ bank account electronically through the audit confirmation website www.confirmation.com.” Shepherd then refused to give the accountant authority to utilize the site to verify the cash balance. After that, the auditor notified the National Futures Association that his audit opinion could no longer be relied upon.

Given this cautionary tale, how can auditors combat the threat of false bank contact information?

Designing Confirmations 

A while back, my friend James Ulvog brought to my attention the following clarified auditing section about confirmations.

AU-C Section 505.A7 states:

Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by e-mail, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management.

Auditors often confirm bank accounts using:

  1. Letters
  2. Emails

Regardless of how an account is confirmed, auditors need to verify the contact information provided by the auditee–at least for some of the confirmations.

Bottom line

Audit standards require that steps be taken to ensure that confirmations are sent to the appropriate persons.

Using Confirmation.com reduces risk related to faulty confirmations. If you don’t use Confirmation.com, then consider checking street addresses by Googling them, or you might call the confirming party–especially for high-risk accounts.

The procedures used to verify mailing addresses, fax numbers, and email addresses should be documented in the auditor’s work papers.

Postscript

On February 11, 2015, Mr. Shepherd was sentenced to 84 months in prison and three years of supervised release. Shepherd pleaded guilty to one count of securities fraud in June 2013.

inherent risk
Oct 04

Inherent Risk: How to Understand

By Charles Hall | Auditing , Risk Assessment

Do you know how to assess inherent risk? Knowing when this risk is low is a key to efficient audits. In this article, I tell you how to assess inherent risk--and how lower risk assessments (potentially) decrease the amount of work you perform. I also provide inherent risk examples, and I define inherent risk.  

inherent risk

While audit standards don't require a separate assessment on inherent risk (IR) and control risk (CR), it's wise to do so. Why? So you know what drives the risk of material misstatement (RMM). 

Many auditors assess control risk at high (after performing their risk assessment procedures). Why? So they don't have to test controls. 

If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk results in a moderate risk of material misstatement. Why is this important? Lower RMMs provide the basis for less substantive work.

The Audit Risk Model

Before we delve deeper into inherent risk assessment, let's do a quick review of the audit risk model. Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”

Audit risk is defined as follows:

Audit Risk = IR X CR X Detection Risk

Inherent risk and control risk live within the entity to be audited.

Detection risk lies with the auditor.

A material misstatement may develop within the company because the transaction is risky or complex. Then, controls may not be sufficient to detect and correct the misstatement. 

If the auditor fails to detect the material misstatement, audit failure occurs. The auditor issues an unmodified opinion when a material misstatement is present.

Risk of Material Misstatement

As we plan an audit, we assess the risk of material misstatement. It is defined as follows:

RMM = IR X CR

Auditors assess the risk of material misstatement at the assertion level so they can determine the level of substantive work. Substantive work is the response to risk.

If the RMM is high, more substantive work is needed. Why? To reduce detection risk. 

But if the RMM is low to moderate, less substantive work is needed. 

Inherent Risk Definition

Let’s define inherent risk. It is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Inherent Risk Examples

The risk for cash is greater than that of a building. Cash is easily stolen. Buildings are not.  

The risk of a hedge transaction is greater than that of a trade receivable. Hedges can be complicated to compute. Trade receivables are not. 

Post-retirement liabilities are inherently risky. Why? It's a complex accounting area. The numbers usually come from an actuary. There are estimates in the form of assumptions.

Inherent Risk Factors 

Consider factors such as the following in assessing risk:

  • Susceptibility to theft or fraudulent reporting
  • Complex accounting or calculations
  • Accounting personnel’s knowledge and experience
  • Need for judgment
  • Difficulty in creating disclosures
  • Size and volume of accounts balance or transactions
  • Susceptibility to obsolescence
  • Prior year period adjustments

Inherent risk is not an average of the above factors. Just one risk factor can make an account balance or transaction cycle or disclosure high risk.

Inherent Risk at Less Than High

When inherent risk is less than high, you can perform fewer or less rigorous substantive procedures.

An example of a low inherent risk is the existence assertion for payables. If experienced payables personnel accrue payables, then the existence assertion might be assessed at low. (The directional risk of payables is an understatement, not an overstatement.) The lower risk assessment for existence allows the auditor to perform little if any procedures in relation to this assertion. 

Conversely, the completeness assertion for accounts payable is commonly a high inherent risk. Businesses can inflate their profits by accruing fewer payables. Fraudulent reporting of period-end payables is possible. Therefore, the risk of completeness for payables is often high. That's why auditors perform a search for unrecorded liabilities.

Base your risk assessment on factors such as those listed above. If inherent risk is legitimately low, then great. You can perform less substantive work. But if the assertion is high risk, then it should be assessed accordingly--even if that means more work. (The AICPA has included questions in peer review checklists regarding the basis for lower risk assessments. Their concern (I think) is that auditors might manipulate this risk in order to perform less work. I've heard no one from the AICPA say this. But I can see how they might be concerned about this possibility.)

Control Risk

So, what is the relationship between inherent risk and control risk?

Companies develop internal controls to manage areas that are inherently risky.

A business might create internal controls to lessen the risk that payables are understated. Examples of such controls include:

  • The CFO reviews the payables detail at period-end, inquiring about the completeness of the list
  • A payables supervisor reviews all invoices entered into the payables system
  • The payables supervisor inquires of all payables clerks about any unprocessed invoices at period-end
  • A budget to actual report is provided to department heads for review

Inherent risk exists independent of internal controls.

Control risk exists when the design or operation of a control does not remove the risk of misstatement. 

Audit Risk Assessment Update - SAS 145

SAS 145 will be effective for years ending December 31, 2023. This standard provides new inherent risk guidance, particularly in regard to inherent risk factors. See my SAS 145 article for details. 

Audit Risk Assessment Book

My new book, Audit Risk Assessment Made Easy, is now available on Amazon. If you struggle with internal control walkthroughs, preliminary analytics, understanding the entity and its environment, risk assessment and linkage, then this book is for you. Click the book cover to see it now on Amazon. 

Audit risk assessment
>