Category Archives for "Auditing"

quality management
Oct 13

AICPA Quality Management: Why You Need to Start Now

By Charles Hall | Auditing

All firms performing any engagement in an accounting and auditing practice must comply with the new Quality Management (QM) standards, including SQMS No. 1 and SQMS No. 2.

Your quality management system must be designed and implemented by December 15, 2025.

Then, after your new QM process is in place for one year, your managing partner (or other persons with ultimate QM system responsibility) will conclude whether the QM system provides reasonable assurance that objectives are being achieved.

Start your work on this implementation as soon as you can, especially if you perform more complex engagements such as audits and attestations. 

In this article, I explain why quality management is essential, and then I summarize SQMS No. 1 (the firm’s system of QM) and SQMS No. 2 (engagement quality reviews).

I also provide this video (an interview with Jennifer O’Neal) that provides an overview of the QM standards and information about how to get started. 

YouTube player

Why Quality Management?

The purpose of the QM Standards, issued by the American Institute of Certified Public Accountants (AICPA), is to assist accountants with compliance (with professional standards). The QM standards assist with the following:

  1. Compliance with professional standards and
  2. Issuance of appropriate engagement reports

And when firms comply with professional standards and issue correct reports, their peer review results should be good. 

An unstated benefit of the QM standards is risk management (avoiding loss through legal suits). These standards (when used appropriately) lessen the probability that a firm will be sued for deficient work. How? By helping firms identify QM system and engagement deficiencies. Thereafter, firms can create responses to improve their work.

My main point here is the QM standards help protect your accounting firm, lessening the potential for future harm (whether from peer review failures or legal loss).

QM Standards

The QM standards are made up of the following:

Standard Abbreviation Title
Statement of Quality Management Standards No. 1 SQMS No. 1 The Firm’s System of Quality Management
Statement of Quality Management Standards No. 2 SQMS No. 2 Engagement Quality Reviews
Statement of Quality Management Standards No. 3 SQMS No. 3 Amendments to QM Sections 10, A Firm’s System of Quality Management, and 20, Engagement Quality Reviews
Statement on Auditing Standards No. 146 SAS 146 Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards
Statement on Standards for Accounting and Review Services 26 SSARS 26 Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services

This article addresses SQMS No. 1 and SQMS No. 2.

SQMS No. 1 – The Firm’s System of QM

SQMS No. 1 addresses how a firm’s system of quality management operates and specifies eight components:

  1. Risk assessment process
  2. Governance and leadership
  3. Relevant ethical requirements
  4. Acceptance and continuance
  5. Engagement performance
  6. Resources
  7. Information and communication
  8. Monitoring and remediation process

(1) Risk assessment and (2) information and communication are new components; they were not included in the prior quality control standards. 

Risk assessment, as well as monitoring and remediation, are processes. So, you will not establish quality objectives, quality risks, and responses for these. 

Risk Assessment: Most Significant Change

The risk assessment component is the most significant change. Firms are required to do the following for the six components listed below:

  1. Establish quality objectives
  2. Identify and assess risks to achieving the quality objectives and
  3. Design and implement responses to address the quality risks

Here’s an example:

  1. A quality objective might be that consultation occurs when there are complex or contentious matters.
  2. The risk could be that firm personnel do not consult with persons in or outside the firm regarding complex or contentious issues.
  3. The risk response could be, for example, that the engagement partner is responsible for consultations and documentation.

SQMS No. 1 requires that firms establish quality objectives, quality risks, and responses (the risk assessment process) for the following components:

  1. Governance and leadership
  2. Relevant ethical requirements
  3. Acceptance and continuance
  4. Engagement performance
  5. Resources
  6. Information and communication

Monitoring and Remediation

After establishing objectives, risks, and responses for these six components, the firm will create a monitoring and remediation process. In doing so, firms will consider the reasons for quality risk assessments, the designed responses, changes in the QM system, the results of previous monitoring, and other relevant information such as peer review information.

Holistic QM System

The QM standards are a holistic approach to ensure (1) that firms comply with professional standards and (2) issue appropriate reports. Develop your objectives, risks, and responses in light of these objectives. The eight components should dovetail. In other words, they should work together.

Additionally, the QM system is organic (or at least, it should be). As changes occur in your firm’s accounting and auditing engagements or how it operates, you will reassess your overall system to see if it needs changing.

No longer will we create static quality control documents that sit on the shelf. Real-time changes make sense: your responses (actions to lessen risk) should change as your risks change.

Scalable QM System

The QM system is also scalable. For smaller firms with fewer risks, the QM documentation will be less than that of more complex CPA firms.

Think of a firm that does compilation engagements and nothing else; this firm’s chance of noncompliance with professional standards and issuing incorrect reports is generally less than that of a firm performing audits or attestation services. So, the smaller firm’s QM system will be simpler.

The QM system is like an accordion, expanding for more risk and compressing for less risk.

So, who is responsible for the QM system?

Persons Responsible for QM System

SQMS No. 1 states that your firm will assign ultimate responsibility and accountability to your managing partner, CEO, or managing board. This person or board will evaluate the QM system at a point in time (at least annually) and conclude whether the QM system provides reasonable assurance that objectives are being met.

The conclusion will include one of the following:

  1. The QM system provides reasonable assurance that the system’s objectives are being achieved.
  2. Except for matters related to identified deficiencies, the QM system provides reasonable assurance that the system’s objectives are being achieved.
  3. The QM system does not provide reasonable assurance that the objectives of the QM system are being achieved.

If 2. or 3. is in play, the firm should take prompt and appropriate action and communicate to engagement teams and QM personnel as needed.

SQMS No. 1 also says that firms will assign operational responsibility for the QM system to someone such as a QM partner or director. The person with operational responsibility oversees:

  • Compliance with independence standards
  • Monitoring and remediation process

So, does this person have to perform all QM duties? No, the person with operational responsibility can delegate specific responsibilities to other firm members, such as independence monitoring. Even so, the person with operational responsibility is still responsible for the QM system operations (in this example, independence monitoring).

The standard creates accountability by defining who is responsible for what. In most firms, the managing partner has ultimate responsibility, and the quality control partner/director has operational responsibility. Also, SQMS No. 1 states that the firm should perform periodic performance evaluations of these persons.

QM System Documentation

The firm should document its QM system, including:

  • Person(s) with ultimate responsibility
  • Person(s) with operational responsibility
  • Quality objectives
  • Quality risks
  • Responses
  • How quality risks are addressed
  • Monitoring activities
  • Evaluation of findings
  • Evaluation of identified deficiencies (and their root causes)
  • Remedial actions
  • Communications about monitoring and remediation
  • Conclusions reached
  • Basis for conclusion

This documentation should be retained long enough for the firm and its peer reviewer to monitor the QM system (and to meet any legal and regulatory requirements).

For higher-risk engagements, firms may need an engagement quality review.

Engagements Subject to Engagement Quality Reviews

SQMS No. 1 requires that firms establish policies and procedures that address engagement quality reviews in accordance with SQMS No. 2. Engagement quality reviews are required for the following:

  • Audits or other engagements requiring an engagement quality review due to laws or regulations
  • Audits or other engagements as a response to quality risks as defined by the firm

Not all engagements are subject to an engagement quality review. Riskier engagements (as defined by the firm; see SQMS No. 1 criteria) are more likely to be subject to an engagement quality review.

Next, we look at SQMS No. 2, Engagement Quality Reviews.

SQMS No. 2 – Engagement Quality Reviews

An engagement quality review (EQR) is an objective evaluation of the engagement team’s significant judgments and conclusions. It is not an evaluation of the entire engagement. The review is done at the engagement level, and an engagement quality reviewer performs the EQR before the engagement report is released.

So, who can be an engagement quality reviewer (EQ reviewer)? An engagement quality reviewer can be a:

  • Partner
  • Another individual in the firm, or
  • Someone external to the firm

EQ Reviewer Requirements

The EQ reviewer should understand SQMS No. 2 and apply the requirements. The firm will also define the EQ reviewer qualifications in its policies and procedures, namely that this person must have the competence, capability, and time to perform the review and that the person will be objective.

EQR Policies and Procedures

EQR policies and procedures should address the following:

  • Require the EQ reviewer to take overall responsibility for the EQR
  • Require the EQ reviewer to take overall responsibility for the supervision of persons assisting with the EQR
  • The EQ reviewer (and anyone assisting this person) can’t be a member of the audit team
  • The EQ reviewer (and anyone assisting this person) must have sufficient competence, capabilities, and time to perform their duties
  • The EQ reviewer (and anyone assisting this person) must comply with relevant ethical requirements and laws and regulations
  • Circumstances in which the EQ reviewer’s discussion with the engagement team gives rise to an objectivity threat and actions to take when this happens
  • Circumstances in which the EQ reviewer’s eligibility is impaired, including how a replacement reviewer will be chosen
  • Performance of EQRs during the engagement
  • A prohibition from releasing an engagement report until the EQ reviewer notifies the engagement partner that the EQR is complete

SQMS No. 2 also provides EQR performance requirements.

EQR Performance

The EQR performance should include the following:

  • EQ reviewer talks with the engagement partner (and team, if needed) about significant matters and significant judgments
  • EQ reviewer reviews communications regarding the nature and circumstances of the engagement and the entity
  • EQ reviewer considers the firm’s monitoring and remediation process, including deficiencies relating to significant judgment areas
  • EQ reviewer reviews significant judgment documentation, including the basis for the judgment, and determines:
  • Whether the documents support the conclusion
  • Whether the conclusions are appropriate
  • EQ reviewer evaluates the basis for the engagement partner’s independence determination when applicable
  • EQ reviewer should evaluate whether an appropriate consultation took place for difficult or contentious matters
  • EQ reviewer should determine whether the engagement partner was sufficiently involved when the engagement is subject to generally accepted auditing standards (if not, the engagement partner may not have a sufficient basis for determining that significant judgments and conclusions are appropriate)
  • EQ reviewer should review the financial statements and reports for audits and review engagements
  • EQ reviewer should review the engagement report and the subject matter information (when applicable) for engagements other than audits and review engagements
  • EQ reviewers should notify the engagement partner when they have concerns about significant judgments and conclusions
  • EQ reviewer should notify the engagement partner when the engagement review is complete

SQMS No. 2 includes documentation requirements. Let’s see what those are.

EQR Documentation

The EQR documentation should include:

  • Policies and procedures requiring the EQ reviewer to take responsibility
  • Evidence of the EQ review in the engagement file
  • Names of the EQ reviewers
  • Identification of the engagement reviewed
  • Whether the EQR complies with SQMS No. 2
  • Evidence that the engagement is complete
  • Notification that the reviewer has concerns about judgments and conclusions, if applicable
  • Notification from the EQ reviewer to the engagement partner that the review is complete

EQR Findings

It’s a good idea—though not required by standards—to capture EQR findings in a summary document (e.g., Excel or a database). Then, the firm can use this information in planning and performing its monitoring duties. 

EQR is Scalable

The EQR is scalable depending on the engagement, entity’s nature, and circumstances. Again, less risk will result in less work and documentation than riskier engagements. Fewer significant judgments will likely mean fewer EQR procedures.

Given the EQ reviewer’s involvement, can the engagement partner’s work be reduced? The short answer is no. 

EQR’s Effect on Engagement Partner Responsibilities

The EQR does not change the engagement partner’s responsibilities. For example, an engagement partner should review judgment areas such as complex estimates even though the EQ reviewer does the same.

How EQRs Relate to Monitoring and Remediation

You may be wondering how EQRs relate to monitoring and remediation. For instance, can the person performing an EQR also perform the monitoring on the same engagement? Find in this related article

Conclusion

In conclusion, the QM standards are no small change. As you can see from the above, you have a great deal of work before you. This is especially true if you perform riskier audits and attestation engagements. So, start working on this transition as soon as possible. That way, you’ll have everything in place by December 15, 2025.

The most challenging part of this change is the risk assessment process. You need to document your quality objectives, quality risks, and responses for the six components (those that are not processes, i.e., risk assessment and monitoring) listed above.

Finally, consider whom you will assign the QM system operational responsibility. This person must have the competence, capability, and time to comply with the standards. You may need to hire someone to fill this role or contract with someone outside your firm.

audit or tax
Aug 04

Audit or Tax, Which is the Better Job?

By Charles Hall | Accounting and Auditing , Auditing

Should you work in tax or audit?

If you're near graduation, you may wonder, "Which is best for me? Tax or audit?”

In this article, I provide questions and facts for you to consider as you decide. This decision is one of the most important ones you'll make in your career. 

Audit or tax decision

Tax and Audit Career Decision


Here are some thoughts about that decision:

1. Do you like subjectivity or objectivity? Audits tend to have more subjective elements like risk assessment. Tax, on the other hand, tends to be more objective (it's compliance-oriented).

2. Are you willing to work long hours for four months each year? Tax season is an annual marathon. Auditing also has busy seasons, depending on the industries your firm services, but you can more easily distribute your workload in audits.

3. Do you like to travel? Audits usually involve some travel. Tax CPAs spend most of their time in the office, though not all.

4. Do you like accounting? If you work in public accounting, you must understand accounting well to do audits (and other A&A work). You also need to understand accounting for tax purposes, but tax work is more compliance-oriented.

5. Do you like saving individuals and companies money? Tax allows you to have a direct impact on taxes paid (and your clients will love you if you can save them money).

6. Do you like short-term or long-term projects? Tax work tends to be short-term, and audit work tends to be long-term. For instance, you might complete a tax return in four or five hours (sometimes less). Audits can take several hundred hours.

7. Do you like technology? Audits can involve technology more than tax work, though this is a generalization. With audits, you might, for example, use data mining software or Excel for advanced purposes.

Tax and Audit Compensation


You may be wondering which field offers the more significant compensation opportunities. I've seen auditors and tax folks make plenty of money through the years. So, you can do well with either. But being in the field best suited to you will enhance your ability to generate income. Why? Because happy people are more productive and effective. That's one reason choosing the right field--tax or audit--is critical.

Tax and Audit Work Hours


If you've worked in public accounting, you've seen tax people working late into the evenings and on weekends throughout tax season. The tax deadlines lead to compressed work schedules, especially in the early part of the calendar year. But tax people usually get relief in the summer or late in the year.

Audit personnel tend to have steadier workloads, though their work can also be seasonal. For instance, if you work with a firm that does governmental audits, there may be a substantial number of engagements with June 30 and September 30 year-ends, leading to increased workloads later in the calendar year. So check with the firms you interview with to see how the audit workloads vary.

Talk to Auditors and Tax Persons

Talking to auditors and tax people with real-world experience will give you more insight than almost anything you can do. Make a list of questions and ask them as you interview prospective CPA firms.

Learn About Auditing

If you want to learn about auditing quickly, check out my book The Why and How of Auditing on Amazon. 

Journal Entry Testing
Apr 17

Get a Grip on Journal Entry Testing: AU-C 240

By Charles Hall | Accounting and Auditing , Auditing

Journal entry testing is required in all audits. Why? The use of journal entries to manipulate financial statements is always present–even in accounting systems with good internal controls. Thus the journal entry test requirement in AU-C 240, Consideration of Fraud in a Financial Statement Audit.

In this article, I explain how auditors can understand and test journal entries to ensure management is not cooking the books.  

Testing journal entries

Understand the Journal Entry Process

First, auditors should gain an understanding of the journal entry process. Ask questions such as:

  • Who can post journal entries (see logical access assignments in the software)?
  • How are journal entries posted?
  • Who approves journal entries?
  • Can one person post a journal entry without a second-person approval? If yes, who?
  • How often are journal entries posted, and for what purpose?
  • Have there been any unusual journal entries during the year? 
  • Are estimates adjusted or recorded with journal entries? If yes, who makes those entries, and how often?
  • Does the company have a separate journal entry software package (such as Blackline) that interfaces with the general ledger?
  • What journal entries are made in creating the financial statements, including those after the trial balance is taken from the accounting package (for example, the company downloads the trial balance to Excel)?
  • Are all journal entries in the financial statement creation phase reviewed and approved by a second person? If yes, by whom?  
  • Has management asked anyone to override journal entry controls or protocols?

Inspect sample documents and journal entries. Also, observe who is doing what. Then document your inquiries, the records inspected, and your observations as a part of your walkthrough process. Also, document who you talked with and on what date. 

Scan a Month’s Journal Entries

Consider downloading all journal entries for a particular month and scanning those. Doing so will enable you to see the typical entries made. Most accounting systems differentiate journal entries from other transactions, so it’s usually easy to segregate all journal entries for review.

Scanning a month’s journal entries is not a required procedure, but one that I suggest. 

So, as you scan the journal entries, what are you looking for? What types of entries might imply that fraud is present?

Indicators of Fraud Risk

The following are potential indicators of fraud risk:

  • Nonstandard journal entries made at year-end, especially those for round numbers
  • Entries made to seldom-used accounts
  • Post-closing entries with no explanation
  • Entries made by persons that seldom do so
  • Entries made to force accounts to balance without performing proper reconciling procedures
YouTube player

Plan Your Journal Entry Responses

Plan to test journal entries based on your risk assessment procedures. If you notice particular risks, then audit those areas. 

Here are examples of risks and responses:

  1. Test more entries if one person records journal entries without a second-person approval. Why? There’s more risk.
  2. If you note unusual logical access rights, consider downloading all journal entries and sorting them by persons to see if there are any unusual journal entries.
  3. If significant revenue entries are made in the last month, test those.    
  4. If one person consolidates the financial statements in Excel, making adjustments without a second-person review, test that process. 

Journal entries may be appropriate throughout the year because they are subject to good controls. Even so, someone might inflate the numbers in the financial statement creation process (after exporting the original numbers to a spreadsheet, for example).

Test Journal Entries in Every Audit

AU-C 240, Consideration of Fraud in a Financial Statement Audit, requires auditors to test journal entries in every audit. Why? There is always a possibility that management might override controls, and journal entries are an easy way to make the company look better than it is. Think about it: one journal entry in the last month of the year can increase revenues and receivables by millions. 

Test Entries Late in the Year

It is wise to test journal entries made late in the year. As management approaches year-end, they might realize the company needs to meet specific targets (e.g., a certain level of net income) for them to earn bonuses. If true, management has a potential motivation to manipulate the numbers, especially at year-end. 

See my article about management override of controls for more information about manipulation of financial statements and potential theft. 

SAS 143
Feb 18

SAS 143, Auditing Accounting Estimates

By Charles Hall | Auditing

In this article, I explain SAS 143, Auditing Accounting Estimates and Related Disclosuresa new audit standard applicable for periods ending on or after December 15, 2023.   

We'll look at the objectives of SAS 143, auditor responsibilities (including risk assessment and responses), the nature of estimates, documentation requirements, and overall evaluation of your work to ensure appropriateness and completeness. 

Auditing estimates

Estimate Examples

To get us started, here are a few examples of estimates:

So, what is an accounting estimate? It's a monetary amount for which the measurement is subject to estimation uncertainty. Of course, you need to consider the financial reporting framework as you think about the estimate. For example, an estimate might be significantly different when using GAAP versus a regulatory basis. 

But what is estimation uncertainty? It's the susceptibility of an estimate to an inherent lack of precision in measurement. In layperson's terms, it's an estimate that is hard to pin down.

SAS 143 Objectives

The objective of SAS 143 is to see if the accounting estimate and related disclosures are reasonable by obtaining sufficient appropriate audit evidence. 

Nature of Estimates

Some estimates are simple, while others are difficult. For example, estimating the economic life of a vehicle is straightforward, but computing an allowance for uncollectible receivables might be complex.

But even one type of estimate, such as an allowance for uncollectible, can vary in complexity. For example, the allowance computation for uncollectible receivables is usually more complex for a healthcare entity (e.g., more payor types) than for a small business. Why? Because it is more complex and more challenging to determine. Therefore, the estimation uncertainty for a healthcare entity (with many payor types) is higher than that of a small business with one type of customer. Additionally, the volume of transactions could be higher for a healthcare entity versus a small business. 

Estimation Uncertainty

So, the inherent subjectivity of an estimate creates estimation uncertainty. 

Consider estimation uncertainty in this manner: ask twenty people to compute the allowance for a hospital and then ask them to do the same for the small business's uncollectible estimate. How much variation would you expect? Yes, much more for the hospital because the inherent risk is higher. 

SAS 143 tells us to increase our risk assessment procedures and further audit procedures as the estimation uncertainty increases. We perform more risk assessment work concerning the hospital's allowance than that of the small business. Moreover, we complete more extensive further audit procedures for the hospital's allowance than for the small business's estimate. 

More risk, more work. 

To understand SAS 143, we need to know the underlying concepts.

SAS 143 Concepts

SAS 143

Relevant Assertions

You need to assess the risk of material misstatement at the relevant assertion level. Further, you are required to assess inherent risk and control risk separately. And as you assess inherent risk, you might encounter significant risks. 

The Spectrum of Inherent Risk

Usually, a hospital's valuation assertion related to receivables is relevant, and the inherent risk is often high due to its subjectivity, complexity, and volume of transactions (i.e., inherent risk factors). Therefore, the valuation assertion's risk might fall toward the end of the spectrum of inherent risk. On a ten-point scale, we might assess the inherent risk as a nine or a ten. And if we do, it is a significant risk, affecting our professional skepticism.

Professional Skepticism and Estimates

Our professional skepticism increases as the estimation uncertainty rises (or at least, it should). Why? The potential for management bias may be present since it's easier to manipulate complex estimates. And complexity can be a smokescreen to hide bias, increasing the need for internal controls.

Estimate Controls

As estimates become more complex, entities increase internal controls (or at least, they should). And consequently, auditors need to evaluate the design and implementation of those controls. Additionally, auditors must determine whether they will test the controls for effectiveness. 

Another SAS 143 concept is the reasonableness of the estimate.

Reasonableness of Estimates

For an estimate to be reasonable, the applicable financial reporting framework must be its basis. Additionally, management should consider the facts and circumstances of the entity and the related transactions. In creating a reasonable estimate, management will often use the following:

  • A method
  • Certain assumptions
  • Data

Let's consider these elements using the allowance for uncollectible receivables. 

First, management considers the financial reporting framework. If the entity uses GAAP, it makes sense to create the estimate. No allowance is necessary if the cash basis of accounting is in use. In this example, we'll assume the company is using GAAP.

Estimate Method

In computing an allowance for uncollectible, an entity might calculate the estimate as a total of the following:

  • 20% of receivables outstanding for more than 60 days
  • 60% of receivables outstanding for more than 90 days
  • 90% of receivables outstanding for more than 120 days

Estimate Assumptions

And what assumptions might management consider? Bad debt percentages have stayed the same over time. The company needs to increase the percentages if collectible amounts erode. 

Estimate Data

Finally, consider the allowance data. In this example, it would typically be an aged receivable listing. Such a listing breaks receivables into aging categories (e.g., 0 to 30 days; 31 to 60 days; etc.). Such data should be consistent. Suppose the company purchases new software that computes the aged amounts differently using different data than previously. If this occurs, management and the auditors need to consider the reasonableness of the new data. 

Is the Estimate Reasonable?

Most importantly, estimates need to make sense (to be reasonable) in light of the circumstances. While consistent methods, assumptions, and data are desirable, change, such as a slowdown in the economy, can require new ways of computing estimates.

One more concept is that of management's point estimate and disclosure.

Management's Point Estimate and Disclosure

The auditor will examine management's point estimate and the related disclosures to see if they are reasonable. How? Review the estimate's development (how was it computed?) and the nature, extent, and sources of estimation uncertainty. 

If circumstances are similar to the prior year, then the estimate's method, assumptions, and data will typically be similar. Likewise, the disclosure will be much like the preceding period. 

But if, for example, the economy slows significantly, the percentages applied to the aged receivable categories (see above) may need to increase so that the allowance for uncollectible is higher. The auditor might question the estimate if management did not raise these percentages. 

The company should disclose how the estimate is created and the nature, extent, and sources of estimation uncertainty. 

Now, let's see what the SAS 143 requirements are.

SAS 143 Requirements

SAS 143

The requirements for estimates are conceptually the same as in any area. The auditor does the following:

  • Perform risk assessment procedures
  • Identify and assess the risk of material misstatement
  • Develop responses to the identified risks and carry those out

1. Perform Risk Assessment Procedures for Estimates

As you consider the entity and its environment, consider the following:

  • Transactions and other events that give rise to the need for estimates and changes in estimates
  • The applicable financial reporting framework as it relates to estimates
  • Regulatory factors affecting estimates, if any
  • The nature of estimates and related disclosures

Next, as you consider internal control, ask about the following:

  • Nature and extent of estimate oversight (who oversees the estimate? how often is the estimate being reviewed?)
  • How does management identify the need for specialized skills or knowledge concerning the estimate?
  • How do the entity's risk assessment protocols identify and address risks related to estimates?
  • What are the classes of transactions, events, and conditions giving rise to estimates and related disclosures?
  • How does management identify the estimate's methods, assumptions, and data sources?
  • Regarding the degree of estimation uncertainty, how does management determine the range of potential measurement outcomes?
  • How does management address the estimation uncertainty, including a point estimate and related disclosures?
  • What are the control activities relevant to the estimate? (e.g., second-person review of the computation)
  • Does management review prior estimates and the outcome of those estimates? How does management respond to that review?

Additionally, the auditor reviews the outcome of prior estimates for potential management bias

If there are any significant risks (inherent risk falling toward the end of the spectrum of risk), the auditor should understand the related controls and, after that, see if they are designed appropriately and implemented. 

And finally, the auditor considers if specialized skills or knowledge are needed to perform risk assessment procedures related to estimates. 

Of course, after you do your risk assessment work, it's time to assess the risk.

2. Identify and Assess the Risk of Material Misstatement

SAS 143, as we have already seen, requires a separate assessment of inherent risk and control risk for each relevant assertion.

In assessing inherent risk, the auditor will consider risk factors such as complexity, subjectivity, and change. It's also important to consider the estimate method and the data used in computing management's point estimate. 

Some estimates represent significant risks. So, for example, if the computation of warranty liability is complex or has a high degree of estimation uncertainty, then identify the liability as a significant risk since the valuation assertion is high risk (toward the upper end of the spectrum of inherent risk).

Auditing estimates

3. Responses to Assessed Risk of Material Misstatement

Once the assessment of risk is complete, you are in a position to create responses. As usual, document linkage from the risk level to the planned procedures. Higher risk calls for more extensive actions. 

If, for example, the auditor identifies an estimate as a significant risk, go beyond basic techniques (i.e., more than a basic audit program). 

Additionally, base those responses on the reasons for the assessments. In other words, create audit procedures based on the nature of the risk. Performing more procedures unrelated to the identified risk is of no help. 

Three Responses to Risks Related to Estimates

The audit procedures need to include one or more of the following three steps:

  1. Obtain audit evidence from events occurring up to the date of the auditor's report
  2. Test how management made the accounting estimate by reviewing the following: 
    • Methods in light of: 
      • Reporting framework
      • Potential management bias
      • The estimation computation (is it mathematically correct?)
      • Use of complex modeling, if applicable
      • Maintenance of the assumptions and data integrity (does this information have integrity?)
    • Assumptions; address the following: 
      • Whether the assumptions are appropriate
      • Whether the judgments made in selecting the assumptions give rise to potential bias
      • Whether assumptions are consistent with each other
      • When applicable, whether management has the intent and ability to carry out specific courses of action
    • Data; address the following: 
      • Whether the data is appropriate
      • Whether judgments made in selecting the data give rise to management bias
      • Whether the data is relevant and reliable
      • Whether management appropriately understands and interprets the data
    • Management's point estimate and related disclosure; address the following: 
      • How management understands estimation uncertainty
      • See if management took appropriate steps in developing the point estimate and related disclosure
      • If the auditor believes management has not sufficiently addressed estimation uncertainty, the following should occur: 
        • Request management perform additional procedures to understand the estimation uncertainty; consider disclosing more information about the estimation uncertainty
        • Develop an auditor's point estimate or range if management's response to the auditor's request in the prior step is not sufficient
        • Evaluate whether an internal control deficiency exists
  3. Develop an auditor's point estimate or range; do the following: 
    • Include procedures to evaluate whether methods, assumptions, or data are appropriate
    • When the auditor develops a range,  
      • Determine whether the range includes only amounts supported by sufficient audit evidence and are reasonable in the context of the reporting framework
      • Review disclosures related to estimation uncertainty, design and perform procedures regarding the risk of material misstatement (i.e., determine if the disclosure provides sufficient information regarding estimation uncertainty)

Once you complete your audit work related to estimates, evaluate what you've done. 

Overall Evaluation of Estimate Work

SAS 143

Evaluate the sufficiency of your estimate work by considering the following:

  • Are the risk assessments at the relevant assertion level still appropriate?
  • Do management's decisions regarding recognition, measurement, presentation, and disclosure of the estimates agree with the financial reporting framework? 
  • Has sufficient appropriate evidential matter been obtained?
  • If evidence is lacking, consider the impact on the audit opinion
  • Has management included disclosures beyond those required by the financial reporting framework when needed for fair presentation?

Here are some additional considerations in determining if your work is complete.

Documentation of Estimate Work

SAS 143 says that the auditor's documentation should include the following:

  • The auditor's understanding of the entity and its environment, including internal controls related to estimates
  • Linkage of further audit procedures with the risks of material misstatement at the assertion level
  • Auditor's responses when management has not taken appropriate steps to understand and address estimation uncertainty
  • Indicators of possible management bias related to estimates
  • Significant judgments related to estimates and related disclosures in light of the reporting framework

Governance Communication Regarding Estimates

Finally, consider whether you should communicate estimate matters to those charged with governance, especially if a high estimation uncertainty is present. 

SAS 143 Summary

While SAS 143 requires that auditors understand the estimation process and then perform procedures to ensure the reasonableness of the numbers and disclosures, there's nothing unusual about this. We gain an understanding of the estimates, assess the risk, and create responses. 

Many estimates, such as plant, property, and equipment depreciation, are simple. In those areas, there's little to do. But as always, our risk assessment and responses will increase as complexity and uncertainty increase. 

You may also be interested in my article titled SAS 145: New Risk Assessment Standard.

Over Auditing
Jan 28

Are You Over Auditing and Wasting Time?

By Charles Hall | Auditing

Are you over auditing?

In this article, I explain how you can stop over auditing and wasting precious time. You’ll soon know why to leave in and what to leave out.

Over auditing

Are You Over Auditing?

Ten audit engagements.

Each audit file with a different risk profile.

Each with a different audit plan.

Each file begging for attention in certain areas.

This afternoon I met with two CPAs to discuss ten audits they perform. Specifically we were looking to see what needed to be done, and maybe more importantly, what was not needed.

The concern was “over auditing.”

For as long as I can remember, CPAs have asked, “what am I doing that is not necessary?”

My answer is always the same: audit areas that have a risk of material misstatement. Drop everything else.

Removing Unnecessary Audit Steps

Well, how do you know if an audit procedure is not needed?

Look at the prior year workpaper and ask, “what relevant assertion and in what transaction cycle does this procedure address?” If you can’t connect the workpaper to a risk, then it’s probably not needed.

You can “reverse engineer” an audit by looking at the prior year workpapers and asking this same question over and over again: “what risk of material misstatement does this workpaper address?”

Adding Necessary Audit Steps

Then—and more importantly—“forward engineer” the audit plan by assessing your risk for each relevant assertion and planning (and linking) a procedure to satisfy (lower) the risk of material misstatement.

YouTube player

Brevity of Audit File

An audit file needs to be tight, without waste.

Moreover, let it speak of the important—and nothing else. An audit file is somewhat like a good speech: There are no wasted words.

So, can excessive work papers create problems?

Excessive Work Papers Create (at least) Two Problems

Excessive (or unneeded) work papers can create problems, including:

1. Clutter (which degrades the message)

2. Legal exposure

Why do I say legal exposure? If your work papers are subpoenaed and there are unnecessary work papers, the opposing party may find contradictory information that works against you.

Then you know what would come next: the opposing attorney holding up a damning document as she asks, “did this work paper come from YOUR audit file?”

Keep things lean.

Right Audit Steps

In summary, say what needs to be said, and nothing more.

In other words, follow these steps:

1. First, assess risk.

2. Next, plan responses to those risks.

3. Then, perform those procedures.

4. And finally, don’t do anything else. 

With these steps, your audit file will say what it needs to say—and nothing else. And you will not be over auditing.

See my related article titled Seven Excuses for Unnecessary Audit Work Papers

Check out my book on Amazon: The Why and How of Auditing

1 2 3 4 5 15
>