Category Archives for "Auditing"

control risk
Jan 14

Control Risk: Financial Statement Audits

By Charles Hall | Auditing , Risk Assessment

Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn't. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time. 

control risk

Control Risk Defined

What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner. 

Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.

Audit Risk Model

As we begin this article, think about control risk in the context of the audit risk model:

Audit risk = Inherent risk X Control risk X Detection risk

Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.

Further Audit Procedures

And how does the auditor reduce detection risk? With further audit procedures. Those include test of controls and substantive procedures (test of details or substantive analytics). 

After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.

 

Assessing Control Risk at High

Consider the first reason for high control risk assessments: efficiency

Control risk can be assessed at high, even if—during your walkthroughs— you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay? 

Let me answer that question with a billing and collection example. 

Risk At High: Efficiency Decision

You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach. And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions. 

At this point, you may still be thinking, But, Charles, if controls are appropriately designed and implemented, why is control risk high? Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That’s why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.

In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions. 

Risk at High: Weak Controls

Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example. 

If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)

If, on the other hand, controls are appropriate, then you might test them (though you are not required to). 

Assessing Control Risk at Less than High

What if, based on your walkthrough, controls are okay. And you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment. 

But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice. 

Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time. 

Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?

Fully Substantive Audit Approach

Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach

Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.

Billing and Collection Cycle - Weak Controls

Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:

  • Two employees receipt cash  
  • They both work from one cash drawer 
  • The two employees provide receipts to customers, but only if requested
  • They apply the payments to the customer’s accounts, but they also have the ability to adjust (reduce or write off) customer balances 
  • At the end of the day, one of the two employees creates a deposit slip and deposits the money at a local bank (though this is not always done in a timely manner)
  • These same employees also create and send bills to customers 
  • Additionally, they reconcile the related bank account 

Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play. 

Billing and Collection Cycle - Strong Controls

But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:

  • A separate cash drawer is assigned to each clerk
  • The controller is required to review customer account adjustments on a daily basis (the controller can’t adjust receivable accounts)
  • The cash receipt clerks reconcile their daily activity to a customer receipts report, and the money along with the report is provided to the controller 
  • The controller counts the daily funds received and reconciles the money to the cash receipts report
  • Then the controller creates a deposit slip and provides the funds and deposit slip to a courier
  • Once the deposit is made, the courier gives the bank deposit receipt to the controller
  • A fourth person (that does not handle cash) reconciles the bank statement in a timely manner
  • The monthly customer bills are created and mailed by someone not involved in the receipting process
  • Moreover, the owner reviews a monthly cash receipts report 

Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash. 

Audit Procedures: Basic and Extended

Basic audit procedures for the billing and collection cycle might include:

  • Test the period-end bank reconciliation
  • Create substantive analytics for receivable balances and revenues
  • Confirm receivable accounts and examine subsequent receipts

We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments. 

Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures. 

In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work. 

A Simple Summary

  • Control risk is the probability that an entity’s internal controls will not prevent or detect material misstatements in a timely manner
  • Internal control weaknesses may require a control risk assessment of high
  • Control risk can only be assessed below high when a test of control proves the control to be effective (the test of control provides the basis for the lower risk assessment)
  • If walkthroughs show controls to be appropriately designed and implemented, the auditor can (1) assess control risk at high and use a fully substantive approach, or (2) assess control risk below high and test controls for effectiveness, whichever is most efficient
  • Even if an auditor intends to use a fully substantive approach, walkthroughs are necessary to determine if additional substantive tests are needed; additional substantive procedures may be necessary when material fraud is possible due to internal control weaknesses

See my inherent risk article here

For additional information about risk assessment, see the AICPA's SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement The guidance was issued in October 2021. 

SAS 145
Jan 10

SAS 145: New Risk Assessment Standard

By Charles Hall | Auditing

Statement on Auditing Standards No. 145 (SAS 145), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, updates the risk assessment standards. Auditors need to be aware of these upcoming changes. 

Conceptually, risk assessment remains the same, but some particulars are different and significantly affect how you audit. SAS 145 is voluminous, but below I summarize the salient points to make it easy for you to digest--or, at least, as easy as I could. 

SAS 145

SAS 143, Auditing Accounting Estimates and Related Disclosures, introduced some concepts used in SAS 145. Those concepts include:

  • Inherent risk factors
  • Spectrum of inherent risk
  • Separate assessments of inherent risk and control risk

You’ll see several new definitions below. Understanding those is critical to understanding SAS 145. 

SAS 145 Topics

This article addresses the following SAS 145 topics:

  • Separate inherent and control risk assessments
  • Assessing control risk at the maximum level
  • Significant risks
  • Inherent risk factors and spectrum of risk
  • Relevant assertions
  • Significant classes of transactions, account accounts, and disclosures
  • Stand-back requirement
  • Scalability
  • Professional skepticism
  • Information technology (IT) controls
  • System of internal control
  • Increasing complexity of entities and auditing
  • Documentation requirements
  • Effective date of SAS 145

Separate Inherent and Control Risk Assessments

Most auditors have assessed inherent and control risk separately for some time, but those separate assessments were previously not required. SAS 145, however, requires that auditors individually assess these two risks at the assertion level. Interestingly, documenting a combined inherent and control risk assessment is not required. 

You can assess inherent risk and control risk in various ways; the standard does not specify a particular means of doing so. For instance, you might use high, moderate, or low; or use a scale of one to ten (more about this in a moment). 

Assessing Control Risk at the Maximum Level

Many auditors assess control risk at high or maximum, regardless of the internal control structure--whether the controls are designed appropriately and implemented or not. You might plan to use a fully substantive approach; for example, when substantive procedures take less time than testing controls for effectiveness.

If you decide not to test controls for effectiveness, SAS 145 requires that you assess control risk at the maximum (or high) so that the risk of material misstatement is the same as the inherent risk assessment.

So, if control risk is assessed at maximum, can the evaluation of the design and implementation of controls (i.e., walkthroughs) still impact the planned audit procedures? Yes. Increased risk leads to a change in nature, timing, and extent of planned audit procedures. For example, if your walkthrough reveals a lack of segregation of duties, you may need to add more substantive procedures to address fraud risk.   

On the other hand, if a test of controls for effectiveness supports a lower control risk, you can bring the assessment below maximum. But you cannot lower control risk without the support of a test of controls for effectiveness. 

Your inherent risk assessment is crucial if you use a fully substantive approach. Why? Because SAS 145 requires that inherent risk be the same as the risk of material misstatement. If your inherent risk is assessed higher than it should be, you’ll perform unnecessary work to address the risk and waste time. 

Significant Risks

The Auditing Standards Board provides a new definition for significant risks. The first part of the definition (see paragraph 12 of SAS 145 for the full definition) is as follows:

A significant risk is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur. 

(Note - the blog author bolded some words in the definition above for emphasis.)

significant risks

The prior significant risk definition focused on the response to the risk, not the risk itself. That guidance said it was a risk that needed special audit consideration

The new definition focuses on the risk itself. To be clear, the risk of material misstatement. Notice the new definition requires consideration of likelihood and magnitude. In other words, probability and dollar impact. Also, notice the description is based solely on inherent risk, with no consideration of control risk. (See my article about significant risks.)

Inherent Risk Factors and Spectrum of Risk

SAS 145 defines inherent risk factors as:

Characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls. Such factors may be qualitative or quantitative and include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk. 

Depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk.

(Note - the blog author bolded some words in the definition above for emphasis.)

Inherent Risk Factors

Consider the likelihood of misstatement in light of the inherent risk factors, including:

  • Complexity
  • Subjectivity
  • Change
  • Uncertainty
  • Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)

So as you consider the inherent risk of an assertion, use these factors to determine the likelihood of misstatement. Then consider the magnitude of the potential misstatement. If the risk is close to the upper end of the spectrum of risk (for inherent risk) and the potential misstatement is material, then the entity has a significant risk. 

Ten-Point Scale, An Example

I like to evaluate significant risks on a ten-point scale, with ten being the highest risk. While SAS 145 does not use such an illustration, a nine or a ten is a significant risk, provided it can lead to a material misstatement. For example, a bank’s allowance for loan losses is usually a significant risk because it is a complex estimate in a material account balance. In making this assessment, we disregard internal controls. 

One additional change is SAS 145 removes the requirement to determine whether there are significant risks at the financial statement level. 

The term relevant assertion has also changed. 

Relevant Assertions

Using SAS 145, relevant assertions are based on classes of transactions, account balances, and disclosures with an identified risk of material misstatement.

Before SAS 145, we looked at relevant assertions as they related to material classes of transactions, account balances, and disclosures. And relevant assertions were those that had a meaningful bearing on whether an account was fairly stated. (I never knew what meaningful bearing meant.)

The new relevant assertion definition is clearer. Assertions are considered in light of:

  • Likelihood of misstatement
  • Magnitude of misstatement

Relevant Assertion Definition

In SAS 145, a relevant assertion is defined as:

An assertion about a class of transactions, account balance, or disclosure is relevant when it has an identified risk of material misstatement. A risk of material misstatement exists when (a) there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and (b) if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude). The determination of whether an assertion is a relevant assertion is made before consideration of any related controls (that is, the determination is based on inherent risk).

(Note - the blog author bolded some words in the definition above for emphasis.)

Probability and Dollar Impact

A relevant assertion is an identified risk of material misstatement when a reasonable possibility of its occurrence is present. Reasonable possibility means a more than a remote chance of happening. And if it happens, a material misstatement must be possible. Again we see an emphasis upon probability and dollar impact. And again, internal controls are ignored in making this determination. That is, inherent risk is the basis for determining which assertions are relevant.

Inventory Example

As an example, suppose high-technology components comprise inventory that becomes obsolete quickly. Your valuation assertion is inherently risky, and if inventory is a significant account balance, then valuation is a relevant assertion. Notice we made this determination without regard for the related controls. Moreover, we believe there is a reasonable possibility of obsolescence. 

Once again, we see that inherent risk is vital in SAS 145.

We said that relevant assertions relate to significant classes of transactions, account balances, and disclosures. But what are significant classes?

Significant Classes of Transactions, Account Balances, and Disclosures

In SAS 145, significant classes of transactions, account balances, or disclosures are defined in the following manner:

Significant class of transactions, account balance, or disclosure. A class of transactions, account balance, or disclosure for which there is one or more relevant assertions.

So a significant class is one with a relevant assertion--one where the likelihood of material misstatement is more than remote. 

So, if an account balance like receivables, for example, has a relevant assertion, it’s a significant class.

Purpose of the Definition

The purpose of this definition is to provide clarification concerning the scope of the auditor’s work. In other words, this definition tells us where to focus. We’ll perform risk assessment procedures and assess risk in the significant classes of transactions, account balances, and disclosures. It is in these areas where we will plan responses to the identified risks therein. SAS 145 requires substantive procedures for each significant class of transactions, account balances, and disclosures with relevant assertions. 

Consider this: if plant, property, and equipment (PP&E) is material, but there is no relevant assertion for the account balance, it is not a significant area. Suppose a company has $10 million in PP&E (a material balance) and it purchases no new capital assets during the year. There is only one PP&E asset, a building, which has appreciated. Is there a relevant assertion? Probably not. Why? There is little likelihood of material misstatement. 

Now change the scenario and suppose the building suffers an earthquake. Is PP&E a significant class? Yes, if substantial damage occurred. Why? Because you now have a relevant assertion: valuation.  

Stand-Back Requirement

Once you have designated all significant classes of transactions, account balances, and disclosures, evaluate all remaining material areas to see if the initial scope determination is appropriate. Is there a remaining account balance, transaction class, or disclosure that needs our attention, even though it did not qualify as a significant area? If yes, then plan audit procedures accordingly. 

SAS 145

The main point here is that the auditor focuses upon significant classes of transactions, account balances, and disclosures first (those with relevant assertions) and then remaining material amounts (which don’t have relevant assertions). For instance, say you choose cash, receivables/revenues, payables/expenses, and payroll as your significant areas, but not plant, property, and equipment (PP&E) because it has no relevant assertion. In the stand-back phase, ask yourself if PP&E deserves audit scrutiny. If it does, plan PP&E audit procedures. 

A company might have disclosures that are not significant (e.g., executive compensation), but you decide to audit it anyway. Why? You believe the scope of your planned audit is incomplete without it. 

The purpose of the stand-back provision is to ensure completeness of the auditor’s identification of transactions, account balances, and disclosures--the areas the auditor plans to audit. 

Scalability

The complexity of an entity’s activities and environment drive the scalability of applying SAS 145. 

Size and complexity do not necessarily correlate. Smaller entities tend to be less complex, but some are not--they are complex. Larger entities tend to be more complicated, but some are not. So consider the accounting system, the industry, the internal controls including information technology, and other factors in applying SAS 145. Complexity, not the entity’s size, determines how you use this standard. 

Some entities may lack formal internal control policies. Even so, such a system of internal controls can still be functional. Therefore, auditors can vet these informal controls with inquiries, observations, and inspection of documents. In other words, risk assessment works even in small entities with informal controls

The nature and extent of risk assessment procedures will vary depending upon the nature and circumstances of the entity. Therefore, auditors should exercise judgment in determining the nature and extent of risk assessment procedures. For example, risk assessment procedures can be less for a non-complex business with simple processes. In such a company, the auditor might have fewer inquiries to understand the business and fewer preliminary analytics. 

Audit procedures in an initial audit may be more extensive. After the initial audit period, the auditor can focus on changes since then. (Even so, auditors still need to annually review the design and implementation of key controls related to significant transaction classes, account balances, disclosures.)

Professional Skepticism

Understanding the entity and its environment, including its reporting framework, is a foundation for professional skepticism. Auditors determine the evidence needed for risk assessment in light of the entity’s nature and accounting system.

SAS 145 highlights the need for auditors to maintain professional skepticism during the engagement team discussion.

Professional skepticism allows the auditor to:

  • Appropriately deal with contradictory information
  • Evaluate the responses received from management and those charged with governance
  • Be alert to potential misstatement due to fraud or error
  • Consider audit evidence in light of the entity’s nature and circumstances

Professional skepticism is necessary for evaluating audit information in an unbiased manner, leading to better identification and assessment of risks of material misstatement.

Information Technology (IT) Controls

SAS 145 emphasizes IT controls as they affect the risk of material misstatement. The standard introduces a new term: risk arising from the use of IT. And it defines general IT controls

IT risks

So what IT controls are you to consider? Those that affect the risk of material misstatement at the assertion level. 

Here’s how I think about this: 

  1. Start with the risk of material misstatement at the assertion level
  2. Determine the IT applications that affect the assertion
  3. Review the general IT controls that affect the IT applications

IT Relevant Assertion Example

For example, say occurrence is a relevant assertion for expenses. Then you might consider an IT control that requires a three-way match for invoice processing; the software will not allow a disbursement without matching the invoice amount, the purchase order amount, and the quantity in the receiving document. In such a system, the IT application is the payables module in the software.

An example of a general control (see definition below) for this application is the password for access to the payables module.

Why is the general IT control (the password) important? If a password was not necessary, then anyone could process payments. And this affects the occurrence assertion.  

As the auditor performs a walkthrough for payables, she will (for example):

  1. Inspect the three-way match documents.
  2. Observe the payables module in use.
  3. Inspect the logical access records from IT, showing who has access to the payables module.
  4. Observe the entry of a password by a payables clerk. 

You don’t need to review all general controls, only those related to risks arising from the use of IT

Risk Arising from the Use of IT 

SAS 145 defines risk arising from the use of IT as:

Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.

Lower IT Risk

Entities are less likely to be subject to risks arising from the use of IT when they:

  • Use stand-alone applications
  • Have low volumes of transactions
  • Have transactions supported by hard-copy documents

Higher IT Risks

Entities are more likely to be subject to risks arising from the use of IT when they:

  • Have interfaced applications
  • Have high volumes of transactions
  • Have applications that automatically initiate transactions

General IT Controls 

SAS 145 defines general IT controls as: 

Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Examples of general IT controls include firewalls, backup and restoration, intrusion detection, passwords, physical security, and antivirus protection. 

Increasing Complexity of Entities and Auditing

SAS 145 recognizes the increasing complexity of entities and auditing. It does so by highlighting audit methods and tools such as:

  • Remote observation of assets using drones or video cameras
  • Use of data analytics software and visualization techniques to identify risks of material misstatement
  • Performing risk assessment on large volumes of data, including analysis, recalculations, reperformance, and reconciliations

System of Internal Control

SAS 145 replaces the term internal control with system of internal control. It defines system of control as:

The system designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. For purposes of GAAS, the system of internal control consists of five interrelated components: 

i. Control environment 

ii. The entity’s risk assessment process 

iii. The entity’s process to monitor the system of internal control 

iv. The information system and communication 

v. Control activities

It appears the Auditing Standards Board is highlighting the holistic nature of internal controls by including all five of the COSO control elements

SAS 145 Documentation Requirements 

Auditors must document their evaluation of the design of identified controls and their determination of whether such controls were implemented

Additionally, auditors must document their rationale for significant judgments regarding identified and assessed risks of material misstatement. In other words, how did you identify a risk of material misstatement, and why did you assess it as you did?

What is the criterion for determining whether the risk assessment documentation is appropriate? As in the past, it’s whether an experienced auditor having no previous experience with the audit understands the nature, timing, and extent of the risk assessment procedures. So, document the rationale for your risk assessment work and your conclusions

Effective Date of SAS 145

SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023.

Related party transaction
Dec 22

Related Party Transactions: Fraud

By Charles Hall | Auditing , Financial Statement Fraud , Fraud

Related party transactions can be a means to fraudulent financial reporting. Yet, auditors often don't detect the financial statement manipulation, leading to audit failure. This article explains how to understand and find fraudulent related party transactions. 

Related party transaction

Related Party Transaction

What is a related-party transaction?

It’s a transaction between two parties that have a close association. For example, two commonly owned businesses sell services or goods to one another. In another example, a business buys property from a board member or from the owner. 

Normal Related Party Transactions

Related party transactions are typical and often expected. For example, a business might rent real estate from a commonly owned entity. In such an arrangement, the rental rate can be at fair value. So if a company pays for twelve months' rent at a standard rate, everything is fine. No manipulation is occurring. 

Reason for Related Party Fraud

But in some cases, companies use related party transactions to deceive financial statement readers. Why? Because the business is not performing as well as desired, or maybe the company is not in compliance with debt covenants. (Noncompliance can trigger a call for repayment, or the loan can become a current liability based on accounting standards.) 

Fraudulent Increase in Net Income

Imagine this scene. It's December 15th, and management is reviewing its annual financial results. The CEO and CFO receive substantial bonuses if the company's net profit is over $10 million. At present, it looks as if the business is just short, with an expected net income of $9.7 million. They need another $300,000. 

So they develop a related party transaction whereby a commonly owned company pays their business $350,000 for bogus reasons--what auditors call a transaction outside the normal course of business. Since the CEO and CFO also manage the related entity, they control the accounting for both entities.  

Management performs the trick on December 27th, and soon they are toasting drinks in the back room. The bonus enables the CEO to buy his wife a new Tesla and the CFO to take a one-month trip to Europe. And it was so easy. 

In considering related party transactions, know that they are more likely with smaller entities, especially when one person owns several entities. So you'll want to know if associated businesses are making payments or loans to commonly owned companies.

Related Party Audit Procedures

As you begin your audit, request a list of all related-party transactions. Also, pay attention to such activity in the company's minutes. Additionally, electronically search company receipts, payments, and journal entry descriptions using the related party names. Then investigate any abnormal transactions outside the normal course of business, especially if they involve round-dollar amounts (e.g., $350,000). 

In performing your fraud inquires, ask about related party transactions and if any unusual transactions occurred during the year (or after the year-end). And make sure you interview persons responsible for initiating, approving, or recording transactions. In other words, inquire of the CEO and CFO, but also ask questions of others such as the cash receipts or the accounts payable supervisor. The CEO and CFO might hide the bogus transaction, but, hopefully, the cash receipts supervisor will not. 

As you can tell in the above example, you want to be aware of incentives for fraud, such as bonuses or the need to comply with debt covenants. 

Does It Make Sense?

If you see an unusual transaction, request supporting information to determine its legitimacy. I once saw a $5 million transaction at year-end, and when I asked for support, the journal entry said, "for prior services provided." You might receive some mumbo jumbo explanation for such a payment. But know this: vague reasons usually imply fraudulent activity. 

So, see if the economics make sense. Would a company pay that much for the services or products received? If not, you may need to propose an audit entry to correct the misstatement. 

Representation Letter

And, by the way, having the client sign a management representation letter saying the transaction is legitimate does not absolve the auditor. Either the payment is economically supportable, or it is not. 

Fraudulent Decrease in Net Income

Strangely, some companies desire to deflate their earnings. For example, maybe the company has had an unusually good year and wants to defer some net income for the future. So it is possible that related party payments are made to decrease earnings, and then the company might receive the same amount in the future from the related entity.  The result: expenses in the current year and revenue in the subsequent year. Again, we as auditors need to understand the goals and incentives of the company to understand how and why fraud might occur. 

Related Party Disclosures

Even if related party transactions are legitimate, businesses are required to disclose them. The related party disclosure should include the reason the other entity is a related party and the amount of the transactions. 

Financial Statement Fraud

The easiest way to fraudulently report financial activity--at least in my opinion--is to post deceptive journal entries. Those can be created without the use of related parties. For example, an entity might fraudulently debit receivables and credit revenue for $350,000. No revenue is earned but the entry is made anyway. 

The second easiest way—explained in this article—is fraudulent related party transactions. 

Either method can magically create millions in fraudulent revenue. So be on guard as you consider the possibility of transactions outside the normal course of business. 

Make sure you:

  1. Obtain a list of related parties
  2. Review minutes for related party activity
  3. Search records electronically for related party names
  4. Inquire of management and others about related party activity

See AU-C 550 Related Parties for AICPA guidance. 

internal control weaknesses
Dec 12

Internal Control Weakness Reporting

By Charles Hall | Auditing

Auditors often fail to capture and communicate internal control weaknesses, but doing so is sometimes required by audit standards. Additionally, your client’s awareness of control weaknesses allows them to improve their accounting system. The result: prevention of future fraud and errors. In this article, I’ll show you how to capture and communicate internal control deficiencies. By doing so, you’ll add value to your audit services and you’ll help your client protect their business. 

internal control weaknesses

A Common End-of-Audit Problem

You are concluding another audit, and it’s time to consider whether you will issue a letter communicating internal control deficiencies. A month ago you noticed some control issues in accounts payable, but presently you’re not sure how to describe them. You hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks you’re done. But you know that boiler-plate language will not clearly communicate the weakness nor tell the client how to fix the problem. Now you’re kicking yourself for not taking more time to document the control weakness (back when you did the initial walkthrough).

Here’s a post to help you capture and document internal control issues as you audit.

Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

  1. How to discover them
  2. How to capture them
  3. How to communicate them

As we begin, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Now let’s take a look at discovering, capturing, and communicating control weaknesses. 

1. Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

  1. Planning – Risk assessment and walkthroughs
  2. Fieldwork – Transaction-level work
  3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

  • Do the monthly financial statements ever contain errors?
  • Are invoices mistakenly omitted from the payable system?
  • Do employees forget to obtain purchase order numbers prior to buying goods?
  • Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

2. Capture Internal Control Weaknesses

So, how do you capture the control deficiencies?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

  1. You may not be on the engagement when it concludes (because you are working elsewhere) or
  2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Internal Control Capture Form

What should be in the internal control form? At a minimum include the following:

  1.  Check-mark boxes for:
    • Significant deficiency
    • Material weakness
    • Other control deficiency
    • Other issues (e.g., violations of laws or regulations) 
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
  3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person identifying the issue and the date of discovery
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

After capturing the weaknesses, it’s time to communicate them. 

3. Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

Provide a draft of any written communications to management before issuing your final letter. That way if something is incorrect you can make it right (before it’s too late). And you’ll want to have verbal communications earlier (e.g., when you discover the control weakness); you don’t want the client to see a deficiency for the first time in the internal control letter. 

Summary

The main points in capturing and communicating internal control deficiencies are:

  1. Capture control weaknesses as soon as you see them
  2. Develop a form to document the control weaknesses

These communications can be somewhat challenging since you’re telling management they need to make improvements. So make sure all information is correct and let your senior personnel do the communicating.

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

audit and work paper mistakes
Dec 08

Work Paper Mistakes: A List of 40 Common Errors

By Charles Hall | Auditing

Today, I offer you a list of forty work paper mistakes. If you’re an auditor or you perform review engagements or compilations, you’ve seen these–or if you’re like me, you’ve make some of these errors. 

audit and work paper mistakes

The list is based on work paper reviews I’ve done over the last thirty-seven years (and not on any type of formal study).

You will, I think, shake your head in agreement as you read them. Why? Because you’ve seen these too. 

Forty Work Paper Mistakes

Here’s the list of forty work paper mistakes:

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing unnecessary documents in the file (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linkage)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers

35. Tickmarks are not defined (at all)

36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done

37. No group audit documentation though a subsidiary is included in the consolidated financial statements

38. No elements of unpredictability were performed

39. Not inquiring of those charged with governance about fraud

40. Not locking the file down within 60 days 

That’s my list of workpaper mistakes. What would you add?

Even if you do all of these, have you documented them properly? See my article If It’s Not Documented, It’s Not Done.

>