Category Archives for "Auditing"

Auditing Payroll
May 17

Auditing Payroll: The Why and How Guide

By Charles Hall | Auditing

Auditing payroll is a critical skill. Today I explain how.

While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.  

Auditing Payroll

Auditing Payroll - An Overview

Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.

To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.

First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.

Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).

Third, human resources assists the new-hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance. 

Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used). 

Fifth, employees clock in and out so that time can be recorded.  

Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time. 

Seventh, a second person (e.g., payroll supervisor) approves the overall payroll. 

Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy). 

In this article, we will cover the following:

  • Primary payroll assertions
  • Payroll walkthroughs
  • Payroll fraud
  • Payroll mistakes
  • Directional risk for payroll
  • Primary risks for payroll
  • Common payroll control deficiencies
  • Risk of material misstatement for payroll
  • Substantive procedures for payroll
  • Common payroll work papers

Primary Payroll Assertions

The primary relevant payroll assertions are:

  • Completeness
  • Cutoff
  • Occurrence

I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.

Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.

Payroll Walkthroughs

Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:

  • Does the company have a separate payroll bank account?
  • How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
  • Who has the authority to hire and fire employees?
  • What paperwork is required for a new employee? For a terminated employee?
  • Is payroll budgeted?
  • Who monitors the budget to actual reports? How often?
  • Who controls payroll check stock? Where is it stored? Is it secure? 
  • If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
  • Do larger salary payments require multiple approvals?
  • Who approves overtime payments?
  • Who monitors compliance with payroll laws and regulations?
  • Who processes payroll and how?
  • Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
  • How are payroll tax payments made? How often? Who makes them?
  • Who creates the year-end payroll tax documents (e.g., W-2s) and how?
  • What controls ensure the recording of payroll in the appropriate period?
  • Are the following duties assigned to different persons:
    • Approval of each payroll,
    • Processing and recording payroll, 
    • The reconciliation of related bank statements
    • Possession of processed payroll checks
    • Ability to enter or change employee bank account numbers
    • Ability to add employees to the payroll system or to remove them
  • Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
  • Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
  • Who approves salary rates and how?
  • Who reconciles the payroll bank statements and how often?
  • Who approves bonuses? 
  • What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
  • Who reconciles the payroll withholding accounts and how often?
  • Are any salaries capitalized rather than expensed? If yes, how and why?
  • Are surprise payroll audits performed? If yes, by whom?
  • Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?

Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.

As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”

Payroll Fraud

When payroll fraud occurs, understatements or overstatements of payroll expense may exist.

If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.

On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.

Payroll Mistakes

Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements. 

Directional Risk for Payroll

auditing payroll

The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur. 

Primary Risks for Payroll

The primary payroll risks include:

  1. Payroll is intentionally understated
  2. Inappropriate parties receive payments
  3. Employees receive duplicate payments

As you think about these risks, consider the control deficiencies that allow payroll misstatements.

Common Payroll Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following: 
    • Approves payroll payments to employees,
    • Enters time or salary rates in the payroll system,
    • Issues payroll checks or makes direct deposit payments, 
    • Adds or removes employees from the payroll system
    • Reconciles the payroll bank account
  • No one reviews and approves recorded time
  • No one reviews and approves payroll before processing
  • No one performs surprise audits of payroll
  • Appropriate procedures for adding and removing employees are not present
  • No one reviews the removal of terminated employees from payroll 
  • No one compares payroll expenses to a budget

(Here are suggestions to make your payroll controls stronger.)

Another key to auditing payroll is understanding the risks of material misstatement.

Risk of Material Misstatement for Payroll

In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.

Additionally, consider theft which can occur in numerous ways, such as duplicate payments or ghost employees. 

In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice. 

Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee). 

Once your payroll risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Auditing Payroll

My customary tests for auditing payroll are as follows:

  1. Reconcile 941s to payroll
  2. Recompute accrued payroll liability (amount recorded at period-end)
  3. Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
  4. Compare payroll expenses (including benefits) to budget and examine any unexplained variances
  5. When control weaknesses are present, design and perform procedures to address the related risks
  6. Compare accrued vacation to prior periods and current payroll activity

In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?

Common Payroll Work Papers

My payroll work papers normally include the following:

  • An understanding of payroll-related internal controls
  • Risk assessment of payroll at the assertion level
  • Documentation of any payroll control deficiencies
  • Payroll audit program
  • Accrued salaries detail at period-end
  • A summary of any significant payroll withholding accounts with supporting information
  • A detail of vacation payable (if material) with comparisons to prior periods
  • Budget to actual payroll reports
  • A reconciliation of payroll in the general ledger to quarterly 941s 
  • Fraud-related payroll work papers (when needed)

In Summary

In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.

In the next post in this series, we’ll look at how to audit debt.

Auditing accounts payable
May 09

Auditing Accounts Payable and Expenses: A Guide

By Charles Hall | Auditing

Accounts payable is usually one of the more important audit areas. Why? Risk. First, it’s easy to increase net income by not recording period-end payables. Second, many forms of theft occur in the accounts payable area.

Auditing accounts payable

In this post, I’ll answer questions such as, “how should we test accounts payable?” And “should I perform fraud-related expense procedures?” We’ll also take a look at common payables-related risks and how to respond to them. In short, you will learn what you need to know about auditing accounts payable.

Auditing Accounts Payable and Expenses — An Overview

What is a payable? It’s the amount a company owes for services rendered or goods received. Suppose the company you are auditing receives $2,000 in legal services in the last week of December 2019, but the law firm sends the related invoice in January 2020. The company owes $2,000 as of December 31, 2019. The services were provided, but the payment was not made until after the year-end. Consequently, the company should accrue (record) the $2,000 as payable at year-end.

In determining whether payables exist, I like to ask, “if the company closed down at midnight on the last day of the year, would it have a legal obligation to pay for a service or good?” If the answer is yes, then record the payable even if the invoice is received after the year-end. Was a service provided or have goods been received by year-end? If yes (and the amount has not already been paid), accrue a payable.

In this chapter, we will cover the following:

  • Primary accounts payable and expense assertions
  • Accounts payable and expense walkthroughs
  • Directional risk for accounts payable and expenses
  • Primary risks for accounts payable and expenses
  • Common accounts payable and expense control deficiencies
  • Risks of material misstatement for accounts payable and expenses
  • Search for unrecorded liabilities
  • Auditing for accounts payable and expense fraud
  • Substantive procedures for accounts payable and expenses
  • Typical accounts payable and expense work papers

So, let’s begin our journey of auditing accounts payable and expenses.

Primary Accounts Payable and Expense Assertions

The primary relevant accounts payable and expense assertions are:

  • Existence
  • Completeness
  • Cutoff
  • Occurrence

Of these assertions, I believe completeness and cutoff (for payables) and occurrence (for expenses) are usually most important. When a company records its payables and expenses by period-end, it is asserting that they are complete and that they are accounted for in the right period. Additionally, the company is implying that amounts paid are legitimate.

Accounts Payable and Expense Walkthroughs

As we perform walkthroughs of accounts payable and expenses, we are looking for understatements (though they can also be overstated as well). We are asking, “what can go wrong?” whether intentionally or by mistake.

Walkthrough in accounts payable

In performing accounts payable and expense walkthroughs, ask questions such as:

  • Who reconciles the accounts payable summary to the general ledger?
  • Does the company use an annual expense budget?
  • Are budget/expense reports provided to management or others? Who receives these reports?
  • What controls ensure the recording of payables in the appropriate period?
  • Who authorizes purchase orders? Are any purchases authorized by means other than a purchase order? If yes, how?
  • Are purchase orders electronic or physical?
  • Are purchase orders numbered?
  • How does the company vet new vendors?
  • Who codes invoices (specifies the expense account) and how?
  • Are three-way matches performed (comparison of purchase order with the receiving document and the invoice)?
  • Are paid invoices marked “paid”?
  • Does the company have a purchasing policy?
  • Can credit cards be used to bypass standard purchasing procedures? Who has credit cards and what are the limits? Who reviews credit card activity?
  • Are bids required for certain types of purchases or dollar amounts? Who administers the bidding process and how?
  • Do larger payments require multiple approvals?
  • Which employees key invoices into the accounts payable module?
  • Who signs checks or makes electronic payments?
  • Who is on the bank signature card?
  • Are signature stamps used? If yes, who has control of the signature stamps and whose signature is affixed?
  • How are electronic payments made (e.g., ACH)?
  • Is there adequate segregation of duties for persons:
    • Approving purchases,
    • Paying payables,
    • Recording payables, and
    • Reconciling the related bank statements
  • Which persons have access to check stock and where is the check stock stored?
  • Who can add vendors to the payables system?
  • What are the entity’s procedures for payments of travel and entertainment expenses? 
  • Who reconciles the bank statements and how often?

As we ask these questions, we inspect documents (e.g., payables ledger) and make observations (e.g., who signs checks or makes electronic payments?). So, we are inquiring, inspecting, and observing. 

If controls weaknesses exist, we create audit procedures to respond to them. For example, if--during the walkthrough--we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will perform fraud-related substantive procedures (more about this in a moment).

Here's a short video about risk assessment in accounts payable. 

Directional Risk for Accounts Payable and Expenses

The directional risk for accounts payable and expenses is an understatement. So, perform procedures to ensure that invoices are properly included. For example, perform a search for unrecorded liabilities (see below).

Primary Risks for Accounts Payable and Expenses

The primary risks for accounts payable and expenses are:

  1. Accounts payable and expenses are intentionally understated 
  2. Payments are made to inappropriate vendors
  3. Duplicate payments are made to vendors 

Keep these in mind as you audit accounts payable.

Common Payable and Expense Control Deficiencies

payables control deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following:
    • Approves purchases,
    • Enters invoices in the accounts payable system,
    • Issues checks or makes electronic payments, 
    • Reconciles the accounts payable bank account,
    • Adds new vendors to the accounts payable system
  • A second person does not review payments before issuance
  • No one performs surprise audits of accounts payable and expenses 
  • Bidding procedures are weak or absent
  • No one reconciles the accounts payable detail to the general ledger
  • New vendors are not vetted for appropriateness
  • The company does not create a budget
  • No one compares expenses to the budget
  • Electronic payments can be made by one person (with no second-person approval or involvement)
  • The bank account is not reconciled on a timely basis
  • When bank accounts are reconciled, no one examines the canceled checks for appropriate payees (the dollar amount on the bank statement is agreed to the general ledger but no one compares the payee name on the cleared check to the vendor name in the general ledger)

When segregation of duties is lacking, consider whether someone can use the expense cycle to steal funds. How? By making payments to fictitious vendors, for example. Or intentionally paying a vendor twice--and then stealing the second check. (See the section titled Auditing for Fraud below.)

Risks of Material Misstatement for Payables and Expenses

In smaller engagements, I usually assess control risk at high for each assertion. When I assess control risk at less than high, I have to test controls to support the lower risk assessment. Therefore, assessing risks at high is usually more efficient (than testing controls).

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). The assertions that concern me the most are completeness, occurrence, and cutoff. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a search for unrecorded liabilities and detailed expense analyses. The particular expense accounts that I examine are often the result of my preliminary planning analytics

Here's a short video about auditing accounts payable. I explain linkage (connecting risk assessment with substantive procedures).

Search for Unrecorded Liabilities

How does one perform a search for unrecorded liabilities? Use these steps:

  1. Obtain a complete check register for the period subsequent to your audit period
  2. Pick a dollar threshold ($10,000) for the examination of subsequent payments
  3. Examine the subsequent payments (above the threshold) and related invoices to determine if the payables are suitably included or excluded from the period-end accounts payable detail
  4. Inquire about any unrecorded invoices

As the RMM for completeness increases, vouch payments at a lower dollar threshold.

How should you perform a detailed analysis of expense accounts? First, compare your expenses to budget—if the entity has one—or to prior year balances. If you note any significant variances (that can’t be explained), then obtain a detail of those particular expense accounts and investigate the cause.

Theft can occur in numerous ways—such as fictitious vendors or duplicate payments. If control weaknesses are present, consider performing fraud-related procedures. When fraud-related control weaknesses exist, assess the RMM for the occurrence assertion at high. Why? There is a risk that the expense (the occurrence) is fraudulent. 

So, how should you respond to such risks?

Auditing for Fraud

Auditing accounts payable

An example of a fraud-related test is one for duplicate payments. How?

  • Obtain a check register in Excel
  • Sort by the vendor
  • Scan the check register for payments made to the same vendor for the same amount
  • Inquire about payments made to the same vendor for the same amount

In a duplicate payment fraud, the thief intentionally pays an invoice twice. He steals the second check and converts it to cash.

This is just one example of expense fraud. There are dozens of such schemes. 

(See White Collar Crime is Knocking at Your Door: Are You Prepared?)

Substantive Procedures for Accounts Payable and Expenses

My customary audit tests are as follows:

  1. Vouch subsequent payments to invoices using the steps listed above (in Search for Unrecorded Liabilities)
  2. Compare expenses to budget and examine any unexplained variances
  3. When control weaknesses are present, design and perform fraud detection procedures

If there are going concern issues, you may need to examine the aged payables listing. Why? Management can fraudulently shorten invoice due dates. Doing so makes the company appear more current. For example, suppose the business has three unpaid invoices totaling $1.3 million that were due over ninety days ago. The company changes the due dates in the accounts payable system, causing the invoices to appear as though they were due just thirty days ago. Now the aged payables listing looks better than it would have. 

Typical Payable and Expense Work Papers

My accounts payable and expense work papers usually include the following:

  • An understanding of internal controls as they relate to accounts payable and expenses
  • Risk assessment of accounts payable and expenses at the assertion level
  • Documentation of any accounts payable and expense control deficiencies
  • Accounts payable and expense audit program
  • An aged accounts payable detail at period-end
  • A search for unrecorded liabilities work paper
  • Budget to actual expense reports and, if unexpected variances are noted, a detailed analysis of those accounts 
  • Fraud-related expense work papers (if significant control weaknesses are present)

So, now you learned about auditing accounts payable. My next post addresses auditing payroll.

In some entities such as governments, payroll makes up over 50% of total expenses. Consequently, knowing how to audit payroll expenses is of great importance. My next post is titled The Why and How of Auditing Payroll. So, stay tuned.

See my prior posts in The Why and How of Auditing.

Get Your Copy of the Why and How of Auditing

Click the book cover below to go to Amazon.

Get your copy of the Why and How of Auditing.

test of controls
Apr 27

Test of Controls: The Why, How, and When

By Charles Hall | Auditing

A test of controls is a response to the risk a material misstatement. Today, I tell you when to use this response and how. 

test of controls

Three Responses to the Risk of Material Misstatement

The audit standards provide three potential responses to the risk of material misstatement:

  1. Test of details
  2. Substantive analytical procedures
  3. Test of controls

Today we look at the third option.

Why Test Controls?

Which response to a risk of material misstatement (RMM) is best? That depends on what you discover in risk assessment.

If, for example, your client consistently fails to record payables, then assess the completeness assertion for control risk at high. Your response? Perform a search for unrecorded liabilities, a test of details.

By contrast, if controls for receivables are strong, then assess the existence assertion for control risk at less than high. And test controls. 

Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. And you may not be able to assess control risk at less than high. (Nevertheless, most entities do have some controls that are effective.)

Control risk assessments of less than high must be supported with a test of controls. Why? To prove effectiveness. But if controls are not effective, you must assess control risk at high. This is why you might bypass control testing. You know, either from prior experience or from current-year walkthroughs, that controls are not effective. And if you test controls and find they are ineffective, you are back to square one: a control risk assessment of high.  And now you must respond with either a test of details or substantive analytics, or a combination of the two. Testing ineffective controls is a waste of time. 

Nevertheless, if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures (test of details or substantive analytics).

Once risk assessment is complete, the decision regarding responses is largely based on efficiency. If control testing takes less time, then test controls. If substantive procedures takes less time, then perform a test of details or use a substantive analytical approach. But, regardless of efficiency considerations, address all risks with appropriate responses.

Next, we'll assume that controls are anticipated to be effective. And we'll look at how to test controls.

How to Test Controls 

So you've decided to test controls for effectiveness. But how? Let's look at an example starting with risk assessment.

Risk Assessment

Your approach to testing controls depends on risk identified during risk assessment. For example, your walkthrough reveals appropriate segregation of duties. And you also see that the client issues receipts for each payment. Additionally, total daily cash inflows are reconciled to the bank statement. In other words, controls are designed properly and they have been implemented. Also, as an example, you've determined completeness is a relevant assertion. Why? Theft is a concern. 

Control Test Supports Effectiveness

Now, it's time to test for effectiveness. You've already determined segregation of duties is present. If necessary, make additional observations regarding who is doing what. And document those observations. If the client has an accounting handbook, see if there were any amendments to the control system during the period being audited. Why? You want to know if the segregation of duties was present throughout the year. Make additional inquires, if needed.

Additionally, re-perform the receipt controls on a sample basis. But before doing so, determine the controls you are testing and the sample size. For example, your sample size might be 60 receipts and the control being tested is the issuance of a receipt by an authorized person. Additionally, you might sample 25 daily reconciliations to the bank statement. Document this information including how you determined your sample sizes. Now perform your tests and document whether the controls are effective. If yes, leave your control risk at less than high. You have support for that lower risk assessment. Additionally, you can now perform fewer substantive tests. 

Test Doesn't Support Effectiveness

If your test does not support effectiveness, expand your sample size and test additional receipts. Or you can punt on the testing controls and move to a substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency

So, when should you test controls?

When to Test Controls

Here are two situations where you are required to test controls:

  • When there is a significant risk and you are placing reliance on controls related to that risk
  • When substantive procedures don't properly address a risk of material misstatement

Allow me to explain.

Required Test of Controls

Auditing standards allow a three-year rotation for testing controls, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested in the current period. Additionally, the auditor should perform substantive procedures responsive to the significant risk. And those substantive procedures must include a test of details.

Also a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. There are no humans involved in the process, other than the participant. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test of controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization's auditor. And you can leverage (place reliance upon) those tests.

Three Year Rotation

As I said earlier, audit standards allow a three-year rotation for testing effectiveness. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as before. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.

In short, testing for effectiveness can occur every three years, in most cases. But risk assessment procedures (e.g., walkthroughs) must be performed annually.

So should tests occur at interim or after year-end?

Interim or Year-End Tests

Some auditors test after the period has ended. Others at interim. Which should you choose?

It depends.

If it fits better into your work schedule, perform interim test of controls. Here's an example: You perform an interim test of controls on November 1, 2019. Later, say in February 2020, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing an additional tests of controls for the November 1 to December 31 period. Once done, determine if the controls are effective. 

But testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate. 

If you choose to test after year-end, then you'll examine controls for the full period being audited. Your sample should be representative of that timeframe.

So should you ever test at a point in time and not over a period of time? Yes, sometimes. For example, you might test inventory count controls at year-end.

Conclusion

Well, can you see why testing controls is confusing? There's a lot to think about. 

As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.

Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytics: Smart Audit Procedures.

Identifying audit stakeholders
Apr 04

How to Identify and Manage Audit Stakeholders

By Harry Hall | Auditing

This is a guest post by Harry Hall. He is a Project Management Professional (PMP) and a Risk Management Professional (PMI-RMP). He blogs at ProjectRiskCoach. You can also follow Harry on Twitter.

Some auditors perform the same procedures year after year. These individuals know the drill. Their thought is: been there; done that.

Imagine a partner or an in-charge (i.e., project manager) with this attitude. He does little analysis and makes some costly stakeholder mistakes. As the audit team starts the audit, they encounter surprises:

  • Changes in the client stakeholders – accounting personnel and management
  • Changes in accounting systems and reporting
  • Changes in business processes
  • Changes in third-party vendors
  • Changes in the client’s external stakeholders
Identifying audit stakeholders

Picture from AdobeStock.com

Furthermore, imagine the team returning to your office after the initial work is done. The team has every intention of continuing the audit; however, some members are being pulled for urgent work on a different audit.

These changes create audit risks–both the risk that the team will issue an unmodified opinion when it’s not merited and the risk that engagement profit will diminish. Given these unanticipated factors, the audit will likely take longer and cost more than planned. And here’s another potential wrinkle: Powerful, influential stakeholders may insist on new deliverables late in the project.

So how can you mitigate these risks early in your audit?

Perform a stakeholder analysis.

“Prior Proper Planning Prevents Poor Performance.” – Brian Tracy

Continue reading

auditing investments
Apr 04

Auditing Investments: The Why and How Guide

By Charles Hall | Auditing

Want to know how to audit investments? You're in the right place. 

Below I provide a comprehensive look at how you can audit investments effectively and efficiently.

The complexity of auditing investments varies. For entities with simple investment instruments, auditing is easy. Your main audit procedure might be to confirm balances. Complex investments, however, require additional work such as auditing values. As investment complexity increases, so will your need for stronger audit team members (those that understand unusual investments). Regardless, you need an audit methodology.

So, here we go.

auditing investments

How to Audit Investments

In this post, we will take a look at:

  • Primary investment assertions
  • Investment walkthroughs
  • Directional risk for investments
  • Primary risks for investments
  • Common investment control deficiencies
  • Risk of material misstatement for investments
  • Substantive procedures for investments
  • Common investment work papers

Primary Investments Assertions

First, let’s look at assertions.

Primary relevant investment assertions include:

  • Existence
  • Accuracy
  • Valuation
  • Cutoff

The audit client is asserting that the investment balances exist, that they are accurate and properly valued, and that only investment activity within the period is recorded

While investment balances in the financial statements are important, disclosures are also vital, especially when the entity owns complex instruments

Investment Walkthroughs

Second, perform your risk assessment work in light of the relevant assertions.

As you perform walkthroughs of investments, you normally look for ways that investments might be overstated (though investments can be understated as well). You are asking, “What can go wrong?” whether intentionally or by mistake. You want to know if:

  • The controls were appropriately designed, and 
  • The controls were implemented (in use)

Walkthrough Questions

In performing investment walkthroughs, ask questions such as:

  • What types of investments are owned?
  • Are there any unusual investments? If yes, how are they valued?
  • Is a specialist used to determine investment values?
  • Who determines the classification of investments (e.g., trading, available for sale, held to maturity) and how
  • Do the persons accounting for investment activity have sufficient knowledge to do so?
  • Are timely investment reconciliations performed by competent personnel?
  • Are all investment accounts reconciled (from the investment statements to the general ledger)?
  • Who reconciles the investment accounts and when?
  • Are the reconciliations reviewed by a second person?
  • Are all investment accounts on the general ledger?
  • How does the entity ensure that all investment activity is included in the general ledger (appropriate cutoff)?
  • Who has the ability to transfer investment funds and what are the related controls?
  • Is there appropriate segregation of duties for:
    • Persons that record investments, 
    • Persons that buy and sell investments, and
    • Persons that reconcile the investment statements
  • What investment accounts were opened in the period?
  • What investment accounts were closed in the period? 
  • Who has the authority to open or close investment accounts?
  • Are there any investment restrictions (externally or internally)?
  • What persons are authorized to buy and sell investments?
  • Does the entity have a written investment policy? 
  • Does the company use an investment advisor? If yes, how often does management interact with the advisor? How are investment fees determined?
  • Are there any investment impairments?
  • Who is responsible for investment disclosures and do they have sufficient knowledge to carry out this duty?
  • Are there any cost or equity-method investments?

As we ask questions, we also inspect documents (e.g., investment statements) and make observations (e.g., who reconciles the investment statements to the general ledger?).

If control weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we note that there are improperly classified investments, then will plan audit procedures to address that risk.

Directional Risk for Investments

Third, consider the directional risk of investments.

The directional risk for investments is that they are overstated. So, in performing your audit procedures, perform procedures to ensure that balances are properly stated.

Primary Risks for Investments

Fourth, think about the risks related to investments.

auditing investments

Primary risks include:

  1. Investments are stolen
  2. Investments are intentionally overstated to cover up theft
  3. Investments accounts are intentionally omitted from the general ledger
  4. Investments are misstated due to errors in the investment reconciliations 
  5. Investments are improperly valued due to their complexity and management’s lack of accounting knowledge
  6. Investments are misstated due to improper cutoff
  7. Investment disclosures are not accurate or complete

Common Investment Control Deficiencies

Fifth, think about control deficiencies noted during your walkthroughs and other risk assessment work.

It is common to have the following investment control deficiencies:

  • One person buys and sells investments, records those transactions, and reconciles the investment activity
  • The person overseeing investment accounting does not possess sufficient knowledge or skill to properly perform the duty
  • Investment reconciliations are not performed timely or improperly
  • The company does not employ sufficient assistance in valuing complex assets such as hedges or alternative investments

Risk of Material Misstatement for Investments

Sixth, now its time to assess your risks.

In my smaller audit engagements, I usually assess control risk at high for each assertion. (You may, however, assess control risk at less than high, provided your walkthrough reveals that controls are appropriately designed and that they were implemented. If control risk is assessed at below high, you must test controls for effectiveness to support the lower risk assessment.)

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate. 

Important Assertions

The assertions that concern me the most are existence, accuracy, valuation, and cutoff.

The assertions that concern me the most are existence, accuracy, valuation, and cutoff. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, confirming investments, testing investment reconciliations, testing values, and vetting investment disclosures.

Substantive Procedures for Investments

And finally, it’s time to determine your substantive procedures in light of your identified risks.

My customary audit tests include:

  1. Confirming investment balances agreeing them to the general ledger
  2. Inspecting period-end activity for proper cutoff
  3. Using an investment specialist to value complex instruments (if any)
  4. Vetting investment disclosures with a current disclosure checklist

I don’t normally test controls related to investments. If controls are tested and you determine they are effective, then some of the substantive procedures may not be necessary. 

Common Investment Work Papers

My investments work papers normally include the following:

  • An understanding of investment-related internal controls 
  • Risk assessment of investments at the assertion level
  • Documentation of any control deficiencies
  • Investment audit program
  • Investment reconciliations 
  • Investment confirmations
  • Valuations performed by specialists
  • Documentation of the specialist’s experience, competence, and objectivity
  • Disclosure checklist

Auditing Investments - A Simple Summary

  • The primary relevant investment assertions include existence, accuracy, valuation, and cutoff
  • Perform a walkthrough of investments by making inquiries, inspecting documents, and making observations
  • The directional risk for investments is an overstatement
  • Primary risks for investments include:
    • Investments are stolen
    • Investments are intentionally overstated to cover up theft
    • Investments accounts are intentionally omitted from the general ledger
    • Investments are misstated due to errors in the investment reconciliations
    • Investments are improperly valued due to their complexity and management’s lack of accounting knowledge
    • Investments are misstated due to improper cutoff
    • Investments disclosures are not accurate or complete
  • The substantive procedures for investments should be responsive to the identified risks; common procedures include:
    • Confirming investments 
    • Inspecting period-end activity for proper cutoff
    • Using an investment specialist to value complex instruments 
    • Vetting investment disclosures with a current disclosure checklist

Now you know how to audit investments. 

Next, we’ll see how to audit payables and expenses.

This post is a part of my series The Why and How of Auditing. Check my other posts.

>