Category Archives for "Auditing"

Tests of Details
Mar 07

Tests of Details: Substantive Procedures

By Charles Hall | Auditing

Tests of details are the auditor's primary responses to risks of material misstatement. Today I tell you what a test of details is and how you can best use this substantive approach..

Tests of Details

Further Audit Procedures

AU-C 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained defines substantive procedures as:

Once you assess your risks of material misstatement you determine your responses. These further audit procedures (responses) include the two substantive procedures listed above as well as test of controls.

So of the three further audit procedures, are certain ones required?

Yes.

A test of controls is necessary if substantive procedures can’t properly address a risk of material misstatement. Think complex information technology processes. For example, when a benefit plan participant changes his investment options in a 401(k). There may be no physical documents to examine. In these circumstances, a test of controls might be your only option.

By contrast, auditors are required to perform tests of details when significant risks are identified. A test of controls alone will not do. So if, for example, you have determined that a complex estimate is a significant risk, then plan and perform a test of details in response. Likewise, if you believe a fraud risk is present, perform a test of details.

Additionally, substantive procedures are required for relevant assertions related to each material class of transactions, account balances, and disclosures. However, for this requirement, the auditor can use:

  • Substantive analytics alone 
  • A tests of details alone
  • A combination of substantive analytics and test of details

This article focuses on tests of details. So, let’s move to that topic.

What is a Test of Details?

Audit standards don't define tests of details. They only say that a test of details is one of two substantive procedure options (the other being substantive analytics). Since there is no definition, here are examples of a test of details:

  • Vouching invoices
  • Tracing bills sent to customers
  • Search for unrecorded liabilities in accounts payable
  • Testing bank reconciliations by examining subsequent month bank statements
  • Sending bank confirmations
  • Sending customer confirmations
  • Agreeing receivables to contracts
  • Vouching subsequent receipts in receivables
  • Reconciling payroll in the general ledger to quarterly payroll tax returns

As you can see, a test of details is just what it says it is. You are digging into the details of transactions. Substantive analytics, by contrast, look at numbers from a broader perspective. For example, the auditor might compute the current ratio or compare this year's debt level with prior years. I provided examples of substantive analytics in a recent article.

Now let's see how you can best select your tests of details procedures.

Tests of Details - Selection of Procedures

So, how do you determine which response is best? 

AU-C 330 tells us to pay attention to the nature of the risk. Doing so allows us to determine the what, when and how of our procedures. The audit standards refer to this as the nature, timing and extent. So, here is the way to design appropriate responses to your client’s risks of material misstatement. 

1. Nature of Evidence

First, let's discuss the type of procedures or, as the audit standards call it, the nature of evidence. If an auditor believes that receivables might be overstated, then she might send confirmations to customers. Why confirmations? To prove the existence of the receivables. And confirmations provide third party evidence which is better than that from within the company. Customers usually have no reason to respond in a dishonest manner, so the third party evidence is more reliable.

Prepaid assets, by contrast, usually has a low risk of material misstatement. They are not complex. The volume of transactions is low. They are not an estimate. So, in this instance, the auditor could use substantive analytics. Again, the nature of the risk drives your response.

Your responses are critical. If your tests don't address the risk of material misstatement, what good are they? 

In addition to the nature of evidence, timing matters as well.

2. Timing of Evidence

So, should you perform interim audit procedures? The answer depends on the reliability of the accounting system. Interim work is more easily done when you audit reliable systems. Consider waiting until period-end to audit unreliable systems. Why? If your interim work yields significant problems, you may not feel comfortable with roll-forward procedures. In other words, you may have to re-perform your interim work at period end. 

Do you perform a search for unrecorded liabilities? Then some time must pass from period-end before you do this procedure. The entity needs time to receive period-end invoices and make payments before you can review them. Likewise, if you are examining subsequent period receivable collections, some time must pass before you do so. Wait at least three or four weeks from period end before you perform these types of procedures.  

In addition to the nature and timing, the quantity of information is critical.

3. Extent of Evidence

The extent or quantity of evidence is another decision. Higher risks call for more evidence. If accounts payable has been materially understated the last two years, then consider lowering your search threshold for unrecorded liabilities. If you've used $10,000, you could, for example, move it to $3,000. The lower threshold will yield more evidence. The main point here is you want more evidential matter as risk increases.

But can you audit too much information? The answer is yes, unless you have an unlimited time budget. So, you want to examine enough information without overdoing it.

A question to ask in designing your quantity is, “Will this test allow me to detect a material misstatement?” For instance, you might plan a sample. But once you total the individually significant items, you see the remaining amount is immaterial. Then test the individually significant items and stop. 

Choosing Your Tests of Details

So there you are. A summary of nature, timing and extent as they relate tests of details. Learning to match your procedures with risks is one of the most important things you'll do as an auditor. Using canned audit programs or the same-as-last-year approach can lead to significant problems. Therefore, know your risks. Then design and perform responsive procedures.

Tests of Details by Account Balance

If you desire to see tests of details by account balances and transaction cycles, see The Why and How of Auditing series. There I provide you with tests of details for accounts such as cash, receivables and debt. 

auditing cash
Mar 05

Auditing Cash: The Why and How Guide

By Charles Hall | Auditing

Auditing cash tends to be straightforward. We usually just obtain the bank reconciliations and test them. We send confirmations and vouch the outstanding reconciling items to the subsequent month’s bank statement. But are such procedures always adequate? Hardly. 

Recall the Parmalat and ZZZZ Best Carpet Cleaning frauds. In those businesses, the theft of cash was covered up with fake bank statements and fake confirmation responses. Millions were lost and reputations we’re sullied.

auditing cash

How to Audit Cash

In this post, we will take a look at the following:

  • Primary cash assertions
  • Cash walkthrough
  • Directional risk for cash
  • Primary risks for cash
  • Common cash control deficiencies
  • Risk of material misstatement for cash
  • Substantive procedures for cash
  • Common cash work papers

Primary Cash Assertions

The primary relevant cash assertions are:

  • Existence
  • Completeness
  • Rights
  • Accuracy
  • Cutoff

Of these assertions, I believe existence, accuracy, and cutoff are most important. The audit client is asserting that the cash balance exists, that it’s accurate, and that only transactions within the period are included.

Classification is normally not a relevant assertion. Cash is almost always a current asset. But when bank overdrafts occur, classification can be in play. The negative cash balance can be presented as cash or as a payable depending on the circumstances. 

Cash Walkthrough

As we perform walkthroughs of cash, we normally look for ways that cash might be overstated (though it can also be understated as well). We are asking, “What can go wrong?” whether intentionally or by mistake.

Cash Walkthrough

In performing cash walkthroughs, ask questions such as:

  • Are timely bank reconciliations performed by competent personnel?
  • Are all bank accounts reconciled?
  • Are the bank reconciliations reviewed by a second person?
  • Are all bank accounts on the general ledger?
  • Are transactions appropriately cut off at period-end (with no subsequent period transactions appearing in the current year)?
  • Is there appropriate segregation between persons handling cash, recording cash, making payments, and  reconciling the bank statements
  • What bank accounts were opened in the period?
  • What bank accounts were closed in the period?
  • Are there any restrictions on the bank accounts?
  • What persons are on the bank signature cards?
  • Who has the authority to open and/or close bank accounts?
  • What is the nature of each bank account (e.g., payroll bank account)?
  • Are there any cash equivalents (e.g., investments of less than three months)
  • Were there any held checks (checks written but unreleased) at period-end?

As we ask questions, we also inspect documents (e.g., bank reconciliations) and make observations (who is doing what?).

If controls weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we review three monthly bank reconciliations and they all have obvious errors, we will perform more substantive work to prove the year-end bank reconciliation. For example, we might vouch every outstanding deposit and disbursement.

Directional Risk for Cash

What is directional risk? It’s the potential bias that a client has regarding an account balance. A client might desire an overstatement of assets and an understatement of liabilities  since each makes the balance sheet appear healthier.

The directional risk for cash is overstatement. So, in performing your audit procedures, perform procedures such as testing the bank reconciliation to ensure that cash is not overstated.

Primary Risks for Cash

The primary risks are:

  1. Cash is stolen
  2. Cash is intentionally overstated to cover up theft
  3. Not all cash accounts are on the general ledger
  4. Cash is misstated due to errors in the bank reconciliation
  5. Cash is misstated due to improper cutoff

Common Cash Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person receipts and/or disburses monies, records those transactions in the general ledger, and reconciles the related bank accounts
  • The person performing the bank reconciliation does not possess the skill to perform the duty
  • Bank reconciliations are not timely performed

Risk of Material Misstatement for Cash

In my smaller audit engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.

Risk of material misstatement for cash

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate. 

The assertions that concern me the most are existence, accuracy, and cutoff. So my RMM for these assertions is usually moderate to high. 

My response to higher risk assessments is to perform certain substantive procedures: namely, bank confirmations and testing of the bank reconciliations. As RMM increases I examine more of the period-end bank reconciliations and more of the outstanding reconciling items. Also, I am more inclined confirm the balances.

Substantive Procedures for Cash

My customary audit tests are as follows:

  1. Confirm cash balances
  2. Vouch reconciling items to the subsequent month’s bank statement
  3. Ask if all bank accounts are included on the general ledger
  4. Inspect final deposits and disbursements for proper cutoff

The auditor should send confirmations directly to the bank. Some individuals create false bank statements to cover up theft. Those same persons provide false confirmation addresses. Then the confirmation is sent to an individual (the fraudster) rather than a bank. Once received, the fraudster replies to the confirmation as though the bank is doing so. You can lessen the chance of fraudulent confirmations by using Confirmation.com, a company that specializes in bank confirmations. Alternatively, you might Google the confirmation address to verify its existence.

Agree the confirmed bank balance to the period-end bank reconciliation (e.g., December 31, 20X7). Then, agree the reconciling items on the bank reconciliation to the bank statement subsequent to the period-end. For example, examine the January 20X8 bank statement activity when clearing the December 20X7 reconciling items. Finally, agree the reconciled balance to the general ledger cash balance for the period-end (e.g., December 31, 20X7).

Cut-off bank statements (e.g., January 20, 20X8 bank statement) may be used to test the outstanding items. Such statements, similar to bank confirmations, are mailed directly to the auditor. Alternatively, the auditor might examine the reconciling items by viewing online bank statements. (Read-only rights can be given to the auditor.)

Common Cash Work Papers

My cash work papers normally include the following:

  • An understanding of cash-related internal controls 
  • Risk assessment of cash assertions at the assertion level
  • Documentation of any control deficiencies
  • Cash audit program
  • Bank reconciliations for each significant account
  • Bank confirmations

In Summary

We’ve discussed how to perform cash risk assessment procedures, the relevant cash assertions, the cash risk assessments, and substantive cash procedures. 

Next we’ll examine how to audit receivables and revenues.

Get Your Copy of The Why and How of Auditing

Click the book below to see it on Amazon.

Click the book cover to see The Why and How of Auditing on Amazon.

Developing your audit strategy and plan
Mar 01

Audit Planning: Develop Your Audit Plan and Strategy

By Charles Hall | Auditing

This article teaches you how to develop your audit plan and strategy. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit plan.

AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” While effectiveness is important, we also want an efficient engagement. Effectiveness and efficiently are both possible with a good plan. Below I explain how.

Developing your audit strategy and plan

Audit Plan

To be in compliance with audit standards, we need to develop:

  • Our audit strategy
  • Our audit plan

Developing Your Audit Strategy

What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:

  • The characteristics of the engagement (these define its scope)
  • The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
  • The significant factors (these determine what the audit team will do)
  • The results of preliminary engagement activities (these inform the auditor’s actions)
  • Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)

Think of the audit strategy as the big picture.

We are documenting:

  • The scope (the boundaries of the work)
  • The objectives (what the deliverables are) 
  • The significant factors (e.g., is this a new or complex entity?)
  • The risk assessment (what are the risk areas?)
  • The planned resources (e.g., the engagement team) 

Much can be achieved with the right strategy—even walking on the moon.

Strategy for Walking on the Moon

When NASA planned to put a man on the moon, a strategy was created. It could have read as follows:

We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas. 

developing your audit strategy and plan

The strategy led to Neil Armstrong’s historic walk on July 20, 1969.

Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).

Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.

What’s in an Audit Strategy?

The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.

My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.

Here are the main areas we cover:

  • Deliverables and deadlines
  • A time budget
  • The audit team
  • Key client contacts
  • New accounting standards affecting the audit
  • Problems encountered in the prior year 
  • Anticipated challenges in the current year 
  • Partner directions regarding key risk areas
  • References to work papers addressing risk

Who Creates the Audit Strategy?

Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so. 

Audit Strategy as the Central Document

If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project. 

Audit Plan (or Audit Program)

Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit? 

  1. Performed risk assessment procedures
  2. Developed our audit strategy

Now it’s time to create the audit plan.

The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls. Substantive procedures include tests of details and substantive analytical procedures.

Creating the Audit Program

How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.

Sufficient Audit Steps

How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs. 

Integrating Risk Assessment with the Audit Program

How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.

AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.

Creating Efficiency in the Audit Plan

Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts. 

Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures. 

For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.

In Summary

There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.

Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.

To see my earlier posts in this series, click here.

Substantive Analytics
Feb 28

Substantive Analytics: Smart Audit Procedures

By Charles Hall | Auditing

Are you using substantive analytics in your audits? Many auditors rely solely on a test of detail when a better option is available. Substantive analytics, in some cases, provide better evidential matter. And they are often more efficient than a test of detail.

Substantive Analytics

This article focuses on substantive analytics. But before we look at what substantive analytics are and how we can use them, let's see how analytics in general are used in an audit.

Analytics in Three Stages

Auditors use analytics in three stages of the audit:

  1. Planning
  2. Final
  3. Substantive

Preliminary analytics are performed as a risk assessment procedure. We use them to locate potential misstatements. If we identify unexpected changes, we plan a response for that difference. For example, if we expect cost of goods sold to go down 5% but our planning analytics reveal an 8% increase, then we plan a response to determine why the change moved in an unexpected manner.

At the completion of the audit, we use final analytics to determine if we have addressed all risks of material misstatement. Here we put our numbers side-by-side and ask, "Have I dealt with all risks of material misstatement?" If yes, fine. If not, then we may need to perform additional substantive procedures. 

So, how do we use substantive analytics? As a substantive procedure.

Substantive Procedures

AU-C 330, Performing Audit Procedures in Response to Assessed risk and Evaluating the Audit Evidence Obtained, defines two substantive procedures:

Substantive analytics can, in certain cases, be more effective and efficient than a test of details.

For example, if the profit margin has been in the range of 46% to 49% for the last five years, then you might decide to use that substantive analytic to prove accuracy and occurrence (assertions) of the cost of goods sold in the current year. (This will probably be more effective than vouching 50 invoices—a test of details--and will certainly take less time.) If you compute the ratio for the current year and it’s 47%, then you have sound evidence that cost of goods sold is accurate and that the transactions occurred.

Are there audit areas where substantive analytics should not be used alone? Yes. When the area is a significant risk. A test of details must be performed in relation to significant risks. A significant risk example is the allowance for loan losses in a bank. It is a highly complex estimate. Therefore, a test of details is required. The auditor could not, for example, just compare the allowance percent to prior years, though such a comparison could be added to the tests of details. 

Now let's consider how auditors use tests of details and substantive analytics to respond to risk.

Responses to Risks of Material Misstatement

Many auditors use a test of details without performing substantive analytics. Why? For many, it's simply habit. We've always tested bank reconciliations, for example. But maybe we've never used analytics to prove revenues or expenses. I think this is the result of the old-school balance sheet audit approach.

Tests of details examples include:

  • Testing a bank reconciliation
  • A search for unrecorded liabilities in payables
  • Confirming cash or debt or investments
  • Vouching additions to plant, property and equipment

Tests of details are usually used in relation to balance sheet accounts such as cash or accounts payable.

Substantive analytics, on the other hand, are usually more fitting for income statement accounts such as revenue or expenses. 

So, if you’re planning a response for accounts payable (a balance sheet account) and expenses (an income statement account), you might use a combined approach. A test of details for accounts payable (e.g., search for unrecorded liabilities) and substantive analytics for expense (e.g., departmental expenses divided by total expenses compared to the prior year).

One overarching principle to consider in your use of substantive analytics: use them in lower risk areas. AU-C 330 tells us that substantive analytics alone are more appropriate when assessed risk is lower. The higher your risk assessment, the more you should use tests of details.

Examples of Substantive Analytics

Here are examples of substantive analytics:

  • Comparison of monthly sales for the current year with that of the preceding year (to test occurrence)
  • Comparison of profit margins for the last few months with those subsequent to year-end (to test cutoff)
  • Percent of expenses to sales compared with the prior year (to test occurrence)
  • A comparison of balance sheet accounts with total assets compared to prior year (to test existence for assets and completeness for liabilities)
  • Current ratio compared to prior year (to test for solvency and going concern)
  • Comparing current year profit margins with prior periods (to test accuracy and occurrence)
  • For pension or postemployment benefit plans: actuarial value of plan assets divided by actuarial accrued liability compared to prior year (to test completeness and accuracy)
  • For debt: total debt divided by total assets compared to prior year (to test the financial strength of the entity and going concern)
  • For inventory: cost of goods sold divided by average inventory compared to prior year (to test existence and occurrence)

Now let's see how to document your substantive analytics.

Documentation of Substantive Analytics

In performing substantive analytics, make sure you document your expectations and conclusions:

Expectation – Document what you expect the result of the computation or comparison to be (you can use a range).

A common peer review finding is the lack of a documented expectation. Prior to computing a ratio or comparing numbers to prior periods, document your expectation.

Conclusion – Document whether the computation or comparison falls within your expectation. If it does not, inquire of the client. You may need to perform a test of details if the substantive analytic result is not within an acceptable range. Regardless, make sure you respond to unexplained results (i.e., those that fall outside an acceptable range) and that you document your response.

Overall Substantive Analytical Considerations

Substantive analytics are not required. So, think of them as an efficient alternative to test of details.

But are there audits where substantive analytics don't work as well? Yes. If the company has weak internal controls or a history of significant errors, you may want to rely more on tests of details. Substantive analytics work better in stable environments.

auditing for fraud
Feb 23

Auditing for Fraud: The Why and How

By Charles Hall | Auditing , Fraud

Auditing for fraud is important, but some auditors ignore this duty.

So what is an auditor’s responsibility for detecting fraud? Today, I answer that question in light of generally accepted auditing standards in the United States. We’ll look specifically at AU-C 240, Consideration of Fraud in a Financial Statement Audit.

Here’s an overview of this article:

  • Auditor’s responsibility for detecting fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 

Auditor’s Responsibility for Detecting Fraud – AU-C 240

I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements whether caused by error or fraud is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.

Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems make it extremely difficult to discover fraud. Third, the number of potential fraud schemes (there are thousands) makes it challenging to consider all possibilities. And, finally, some frauds are so well hidden that auditors won’t detect them.

Even so, auditors should not turn a blind eye to fraud.

Turning a Blind Eye to Fraud

Why do auditors not detect fraud?

Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (after known theft occurs)
  • Not performing walkthroughs
  • We don’t conduct brainstorming sessions and window-dress related documentation
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • The audit program doesn’t change though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft

Two forms of fraud: Auditor's Responsibility for Fraud

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches.” 

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weakness allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just break it down and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and outside auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we put together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we describe the accounting system in our work papers, we may find missing pieces. Controls may be inadequate. When they are, we ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

The Auditor's Responsibility for Fraud - The Big Bad Wolves

The threats in our childhood stories were easy to recognize. The wolves were hard to miss. Not so in walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize.

So, how long should the story be? That depends on the size of the organization. Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid distracting details.

But what if control weaknesses are noted?

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures provide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? Think like a thief. By thinking like a fraudster, we unearth theft schemes. Why? So we can audit those possibilities. This is the reason for risk assessment procedures in the first place.

What we discover in risk assessment informs the audit plan. In other words, it has bearing on what we do in the days ahead, in the substantive procedures we perform.

The Auditor’s Responsibility for Detecting Fraud – AU-C 240

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”

Hopefully, you now better understand fraud procedures. But to understand the purpose of them, look at a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:

Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds will be missed, even when we perform the audit correctly.

The Why and How of Auditing: A Blog Series About Basics

Have you been following my series of posts: The Why and How of Auditing? If not, you may want to review the prior posts:

Also, subscribe to my blog to receive future installments in this series (I have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process. Join now.

See my book The Why and How of Auditing on Amazon.

>