Category Archives for "Auditing"

audit and work paper mistakes
Feb 19

Audit and Work Paper Mistakes: A List of 40

By Charles Hall | Auditing

Today, I offer you a list of forty audit and work paper mistakes.

audit and work paper mistakes

The list is based on my observations from over over thirty-five years of audit reviews (and not on any type of formal study).

You will, however, shake your head in agreement as you read these. I know you’ve seen them as well. The list is not comprehensive. So, you can add others in the comments section of this post.

Here’s the list.

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing unnecessary documents in the file (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linkage)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers

35. Tickmarks are not defined (at all)

36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done

37. No group audit documentation though a subsidiary is included in the consolidated financial statements

38. No elements of unpredictability were performed

39. Not inquiring of those charged with governance about fraud

40. Not locking the file down within 60 days 

That’s my list of audit and workpaper mistakes. What would you add?

Even if you do all of these, have you documented them properly? See my article If It’s Not Documented, It’s Not Done.

Accountant’s ipad
Jan 30

Audit Mistakes: Seven Deadly Sins

By Charles Hall | Auditing

Seven deadly audit sins can destroy you. These audit mistakes kill your profits and effectiveness.

You just completed an audit project, and you have another significant write-down. Last year’s audit hours came in well over budget, and—at the time—you thought, This will not happen again. But here it is, and it’s driving you insane.

Insanity: doing the same thing year after year but expecting different results.

Are you ready for better results?

Audit Mistakes

Here are seven deadly (audit) sins that cause our engagements to fail.

Audit mistakes

1. We don’t plan

Rolling over the prior year file does not qualify as planning. Using canned audit programs is not planning.

What do I mean? We don’t know what has changed. Why? Because we have not performed real risk assessment such as current year walkthroughs. We have not (really) thought about current year risks of material misstatement.

Each year, audits have new wrinkles.

Are there any fraud rumors? Has the CFO left without explanation? Have cash balances decreased while profits increased? Does the client have a new accounting program or new staff? Can you still obtain the reports you need? Are there any new audit or accounting standards?

Anticipate issues and be ready for them with a real audit plan.

2. SALY lives

Elvis may not be in the house, but SALY is.

Performing the same audit steps is wasteful. Just because we needed the procedure ten years ago does not mean we need it today. Kill SALY. (No, I don’t mean your staff member; SALY stands for Same As Last Year).

I find that audit files are like closets. We allow old thoughts (clothes) to accumulate without purging. It’s high time for a Goodwill visit. After all, this audit mistake has been with you too long. So ask yourself Are all of the prior audit procedures relevant to this year’s engagement?

Will better planning require us to think more in the early phases of the engagement? Yes. Is this hard work? Yes. Will it result in less overall effort? Yes.

Sometimes the Saly issue occurs because of weak staff.

3. We use weak staff

Staffing your engagement is the primary key to project success. Excellent staff makes a challenging engagement pan out well. Poor staff causes your engagement time to balloon–lots of motion, but few results. Maybe you have smart people, but they need training. Consider AuditSense.

Another audit mistake is weak partner involvement.

4. We don’t monitor

Partners must keep an eye on the project. And I don’t mean just asking, “How’s it going?” Look in the audit file. See what is going on. In-charges will usually tell you what you want to hear. They hope to save the job on the final play, but a Hail Mary often results in a lost game.

As Ronald Reagan once said: Trust but verify.

Engagement partners need to lead and monitor. They also need to provide the right technology tools.

5. We use outdated technology

Are you paperless? Using portable scanners and monitors? Are your auditors well versed in Adobe Acrobat? Are you electronically linking your trial balances to Excel documents? Do you use project management software (e.g., Basecamp)? How about conferencing software (e.g., Zoom)? Do you have secure remote access to audit files? Do you store files securely in the cloud (e.g., Box)? Are you using data mining software such as Idea? Do you send electronic confirmations

Do your staff members fear you so much that they don’t give you the bad news?

6. Staff (intentionally) hide problems

Remind your staff that bad news communicated early is always welcome.

Early communication of bad news should be encouraged and rewarded (yes, rewarded, assuming the employee did not cause the problem).

Sometimes leaders unwittingly cause their staff to hide problems. In the past, we may have gone ballistic on them–now they fear the same.

And here’s one last audit mistake: no post-engagement review.

7. No post-engagement review

Once our audit is complete, we should honestly assess the project. Then make a list of inefficiencies or failures for future reference.

If you are a partner, consider a fifteen-minute meeting with staff to go over the list.

Your ideas to overcome audit mistakes

What do you do to keep your audits within budget?

Use of a specialist
Jan 23

Use of a Specialist: How to Document

By Charles Hall | Auditing

As an auditor, you often use the work of specialists such as actuaries, appraisers, and engineers. Such work can seem mystical, like something conjured up from a mathematical soup. And since we don’t always understand their incantations, we wonder, “Can we rely on the information?” and “How do I document my use of an expert?” Thankfully, the audit standards provide guidance in AU-C 500 (management’s specialist) and AU-C 620 (auditor’s specialist). Below I unpack these requirements. 

Use of a specialist

Picture is courtesy of DollarPhotoClub.com

Who Hires the Specialist?

A specialist can be hired by your audit firm or by management. If you audit banks, you might hire an appraiser to assist with loan collateral reviews–an example of an auditor’s specialist. If your client uses an actuary, then you will obtain audit evidence from a specialist hired by management.

As we begin our look into the use of experts, here are two definitions to help differentiate the types.

Specialist Definitions

AU-C 620 defines an auditor’s specialist and management’s specialist. Both definitions include “expertise in a field other than accounting and auditing.” 

An auditor’s specialist can include an internal person such as a partner or staff member or an external contract person. This person works for the audit firm. 

Information from a management specialist is used by the entity in the preparation of their financial statements. This person works for the audit client. 

Now, let’s take a look at each.

1. Auditor’s Specialist

AU-C Section 620–Using the Work of an Auditor’s Specialist provides guidance.

Is the Specialist Needed?

AU-C 620 states that auditors should consider the use of a specialist when expertise in a field other than accounting or auditing is needed. Before using the services of a specialist, consider the significance of the information for which you might need such a person. If the information has little impact on the financial statements, then usage of their reports or skills is of less importance.

AU-C 620 Considerations

AU-C 620 also says the auditor should evaluate the competence, capability, and objectivity of the specialist. So if you hire an investment pricing expert, you want to know if she is reputable, what her experience is, whether she can perform the work appropriately, and whether she is objective.

Use of a Specialist

Picture is courtesy of Adobe Stock

According to AU-C 620, information regarding the competence, capabilities, and objectivity may come from sources such as the following:

  • Personal experience with previous work of the expert
  • By talking to the specialist
  • Talking with other auditors or others who are familiar with their work
  • Knowledge of their qualifications, professional memberships, licenses to practice, or other forms of recognition (often available on their website)
  • Books or other publications of the expert

If you’ve previously worked with the aforementioned pricing expert, you have personal experience with her work. This helps. You might call her with regard to current year issues, and since you already know her, you probably know her qualifications.

Regarding objectivity, the auditor should inquire about any relationships that the specialist may have with the client. And if necessary, obtain a signed representation letter concerning their objectivity. Continuing with our pricing expert example, you want to ask her if she has any business relationships with the auditee. Are there any family relationships? Is there anything that might impair her objectivity?

Additionally, if the expert is hired by your firm, consider an engagement letter. 

Engagement Letter with Specialist

Though not required, the auditor can use a written engagement letter to define the work of the specialist. AU-C 620 provides suggestions for the engagement letter such as:

  • Nature, scope, and objectives of the assistance
  • The roles and responsibilities of the auditor and the specialist
  • How information will be communicated
  • The need for confidentiality

Document the specialist’s work in a memorandum if an engagement letter is not obtained.

Adequacy of  Work

Auditors must evaluate the adequacy of the work.

AU-C 620 requires that you evaluate the adequacy of the work, including the reasonableness of the findings and conclusions, the reasonableness of assumptions and methods, and the relevance and accuracy of the information. 

Bottom line: Does the work of the expert provide sufficient and appropriate audit evidence with regard to the issue at hand (e.g., investment pricing)?

When should an auditor begin thinking about specialist usage? Before the engagement is accepted. Why? If we accept an audit without the necessary skill sets, we have a problem. As you consider the acceptance of an audit engagement, think about whether a specialist is needed, and whether such a person is available at a reasonable price.

Reference to a Specialist in an Auditor’s Opinion

AU-C 620 states that an auditor should not refer to the work of an auditor’s specialist in an unmodified audit opinion. The auditor can, however, make reference to a specialist when the opinion is modified (to explain the reason for the modification). But, if reference is made, the audit opinion should state the auditor’s responsibility is not lessened. 

What does this mean? Regardless of the situation, the opinion is the auditor’s (and not the specialist’s). We may use the expert’s work as audit evidence, but the audit opinion (and the corresponding responsibility) belongs to us.

Confidentiality Language in the Client Engagement Letter

When an auditor hires an external specialist, should the audit engagement letter change?

When an audit firm hires an external specialist, the firm should follow the Code of Conduct section ET 1.700.040, Disclosing Information to a Third-Party Service Provider. How can you comply with this ethical requirement? By including additional language in your engagement letter advising the client that you might provide confidential information to an outside party. In effect, you are gaining consent to share client information. If you are not using an outside person, but someone who works for your firm, then no such consent is necessary.

Now, let’s take a look at management’s specialist. 

2. Management’s Specialist

AU-C Section 500, Audit Evidence, provides guidance on the use of information from a management specialist.

Your audit client might use their own expert such as a pension plan actuary. To rely on the actuary, you need to know if she is competent and objective. You also need to understand–at least in a general sense–what the actuary does. You do not need to recompute the actuarial computations, for example. But a review of assumptions for reasonableness is appropriate.

AU-C 500 Considerations

AU-C 500 requires considerations similar to those of an auditor’s specialist. For instance, you need to evaluate the competence and objectivity of management’s expert. Obtain an understanding of their work, and evaluate it in light of relevant assertions. For example, is the pension disclosure, based on actuarial information, understandable and accurate?

As with an auditor’s specialist, the sources of information regarding a management specialist can come from prior experience with the person, discussions with the expert, and knowledge of their certifications and experience. 

Additionally, consider including relevant language in management’s representation letter.

Representation Letter

AU-C 580, Written Representations, provides the following example of language that an auditor might include in the representation letter:

We agree with the findings of specialists in evaluating the [describe assertion] and have adequately considered the qualifications of the specialists in determining the amounts and disclosures used in the financial statements and the underlying accounting records. We did not give or cause any instructions to be given to specialists with respect to the values or amounts derived in an attempt to bias their work, and we are not otherwise aware of any matters that have had an effect on the independence or objectivity of the specialists.

Conclusion

So how do you document your use of these experts? As you can tell, the audit standards provide a framework, and the documentation will vary depending on the type of specialist used and the importance of the information. At a minimum, consider documenting:

  1. Why you need the expert (or their work product)
  2. What they are doing
  3. Their abilities, reputation, and experience 
  4. Their objectivity 
  5. The adequacy of the work provided

Peer review checklists include questions regarding your documentation of such information. Therefore, you need to make sure you do so. 

At the end of the day, auditing is all about obtaining reasonable assurance by obtaining audit evidence. As you consider the use of these experts, ask yourself how their work impacts your risk assessment, your audit procedures, and finally your opinion.

Unpredictable audit procedure
Jan 13

Unpredictable Audit Procedures

By Charles Hall | Auditing

In this article I explain how you can use unpredictable audit procedures.

The audit standards require elements of unpredictability. Why? So clients can’t guess what the auditor is going to do. Clients naturally observe and learn what auditors normally do. The client’s knowledge of what is audited (and what is not) makes it easier to steal. The client takes from unaudited areas. This knowledge also enables the company to manipulate numbers. The client alters unaudited balances.

The purpose of the unpredictable element is to create uncertainty–in the client’s mind–regarding audit procedures. We do so by using unpredictable audit procedures.

Unpredictable audit procedureElements of Unpredictability – The Audit Standards

AU-C 240.29 states the following:

In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor should…incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.

AU-C 240.A42 states:

Incorporating an element of unpredictability in the selection of the nature, timing, and extent of audit procedures to be performed is important because individuals within the entity who are familiar with the audit procedures normally performed on engagements may be better able to conceal fraudulent financial reporting. This can be achieved by, for example,

  • performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk.
  • adjusting the timing of audit procedures from that otherwise expected.
  • using different sampling methods.
  • performing audit procedures at different locations or at locations on an unannounced basis.

Unpredictable Audit Procedures 

To introduce elements of unpredictability, perform procedures such as these:

  • Examine payments less than your normal threshold in your search for unrecorded liabilities (e.g., in the last three years your threshold was $7,000; this year, it’s $3,000)
  • Perform a surprise unannounced review of teller cash (for a bank client)
  • Make a physical visit to the inventory location one month after the end of the year and review inventory records (assuming you don’t normally do so)
  • Review payroll salary authorization sheets for ten employees and agree to amounts in the payroll master table (in the payroll software)
  • Test a bank reconciliation for the seventh month in the year being audited (in addition to the year-end bank reconciliation)
  • Confirm an immaterial bank account that you haven’t confirmed in the past
  • Pick ten vendors at random and perform procedures to verify their existence (as a test for fictitious vendors)

Document Your Unpredictable Audit Procedures

Since unpredictable tests are required in every audit, document where you performed this procedure. Reference your audit program step for unpredictable tests to the work performed. Title your work paper, “Unpredictable Test,” and then add a purpose statement such as, “Purpose: To confirm the immaterial bank account with ABC Bank as an unpredictable test.” Doing so will eliminate the potential for a peer reviewer to say, “that’s a normal procedure.” You are overtly stating the purpose of the test is to satisfy the unpredictable test requirement.

Change Your Unpredictable Tests Annually

Change your unpredictable tests annually. Otherwise, they will–over time–become predictable.

Excuses for unnecessary workpapers
Nov 29

Seven Excuses for Unnecessary Audit Work Papers

By Charles Hall | Auditing

Unnecessary audit work papers create clutter and potential legal problems.

I see two problems in most work paper files:

(1) Too much documentation, and
(2) Too little documentation

I have written an article titled: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I’ve already addressed the too little documentation issue, I’ll now speak to the other problem: too much documentation.

unnecessary audit work papers

Unnecessary Audit Work Papers

Over the last thirty-five years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are a seven answers I’ve received.

1. It was there last year.

But is it relevant this year? Resist the temptation to mindlessly bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

Inexperienced auditors tend to put everything given to them in the file. Some auditors believe “if the client gave it to me, it must be important.” But this is not necessarily true. Every work paper needs a purpose.

3. I may need it next year.

Then save it for next year—somewhere other than in the current file. If the information does not provide current year engagement evidence, then it does not belong in the file.

Consider creating a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: Next year’s work papers. Then move this section to next year’s file as you close the engagement.

4. I might need it this year.

Before going paperless (back in the prehistoric days when we moved work papers with hand trucks ), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled Recycle Bin that sits at the bottom of my file. If I receive information that is not relevant to the current year (but there is a chance I will need it), I move it to the recycle bin, and when I am wrapping up the engagement, I dispose of the folder.

5. It’s an earlier version of a work paper.

Move earlier versions of work papers to your recycle bin—or delete them.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attest work – e.g., deferred taxes).

7. We always do this.

But why is it being done this year? Maybe a fraud was missed ten years ago and the partner said, from now on we will…

Are these procedures still relevant?

The test of details, substantive analytics, and test of controls should be in response to the current year audit risk assessment and planning.

Reducing Legal Exposure

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide ammunition to an opposing attorney: “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

What are your thoughts about removing unnecessary audit work papers?

>