Category Archives for "Auditing"

Using Project Management in Audits
Nov 08

Project Management in Audits: Key to Profit

By Charles Hall | Auditing

On the first day of your audit, you’re confident you’ll deliver your report on time. You have visions of a happy client and happy firm partners. But, somewhere along the way, things break down. Your best auditor transfers to another job. You learn–as the audit progresses–that your junior staff member lacks sufficient training. Your client is not providing information as requested. And, additionally, your audit team has unearthed a fraud.

How can you lessen or respond to these problems? Project management. In this post, I’ll tell you what it is and how you can start using project management in audits, including software selection and practical implementation steps.

Project Management in Audits

Using Project Management in Audits

Auditors need to be effective (by complying with professional standards), but we also need to be efficient (if we want to make money). And project management creates efficiency.

Managing resources, identifying impediments to audit processes, responding to scope creep–these are just a few of the issues that we encounter. And these challenges can increase engagement time and decrease profits. Worse yet, that promise regarding timely completion can go unmet. 

Either we will manage our audits, or they will manage us. 

So, what are the keys to using project management in audits?

  • Audit team members
  • Project management software
  • Create a project management plan
  • Be aware
  • Be vigilant

Audit Team Members

The number one ingredient to a successful audit is your team members. Even more important is the person managing the engagement.

Have you noticed that some people–regardless of the obstacles–just get things done? If possible, get and keep people like this on your audit teams. You may be thinking–at this moment–“but our firm has a difficult time hiring and retaining great employees.” Then revisit your hiring and retention practices.

Having great team members is essential, but they need to work together. So, how do we get them to play their roles at the right time? A project management plan defined in project management software.

Project Management Software

There are plenty of useful project management software packages. They include:

Pricing varies. Some are free while others are expensive. So, you’ll need to do your research to determine which solution is best for you. Personally, I use Basecamp. If you want to start with a free application, try Trello or Asana. Another option is Smartsheet (an Excel-spreadsheet-based product). Larger firms may desire to take a look at XCMWorkflow.

I was recently exposed to SuraLink in an engagement where I assisted a city government with its preparation for an audit. The external auditors used SuraLink to request and receive information from the client. I was very impressed with this product. Though I have used Basecamp historically (as you’ll see in a moment), I plan to give SuraLink a hard look. Basecamp is wonderful in terms of use-of-use, but I’m not confident in the security. So I’ve used Basecamp in conjunction with other products such as ShareFile and Box. SuraLink appears to provide you with one product to manage and house documents. 

Regardless of the project management software you use, always think about security since you are uploading and downloading client files. 
Continue reading

fake bank confirmations
Oct 18

Fake Bank Confirmation Responses: $6 Million Theft

By Charles Hall | Auditing

The Western District of North Carolina U.S. Attorney’s Office issued a press release on June 17, 2013, detailing how James Shepherd, an investment company owner, defrauded over 100 investors of approximately $6 million. How? By misusing funds and tricking his company’s external auditors with fake bank confirmation responses.

fake bank confirmations

Hiding Theft with Fake Bank Confirmation Responses

The press release states, “Documents indicate that Shepherd built a $2 million residence in Vass, North Carolina, and used investor money to make mortgage payments on the residence.” The U.S. Attorney’s Office said, “For seven years Shepherd used his investment fund as his personal piggy bank and repeatedly lied to his investors who trusted him with their savings.” The release goes on to say the fraud was concealed as “Shepherd sent to investors certified financial statements…accompanied by an Independent Auditor’s Report.” The fraudulent December 31, 2012, financial statement reflected a $6,041,850 cash balance when in reality the fund had less than $100,000. So, how was Shepherd able to get an independent auditor’s report based on fraudulent numbers?

The auditor sent bank confirmations to a P.O. Box address provided by Shepherd. Additionally, the confirmations were sent to the attention of a “Charles Fisher,” a fictitious bank employee.

And who controlled the P.O. Box? Mr. Shepherd.

According to the U.S. Attorney’s Office, Shepherd would receive the bank confirmations, “forge the name Fisher on a fake bank letter” and “send forged bank statements with fake balances” to the auditor. The responses came in the form of both letters and faxes.

So, how were the forged bank statements created? The press release stated that “Shepherd generated the fraudulent bank statements using a version of Adobe Acrobat that enabled him to type false numbers over true bank statements.”

Given the false bank confirmations, how was Mr. Shepherd ever caught? In March 2013 the auditors “insisted on verifying the cash balance of funds’ bank account electronically through the audit confirmation website www.confirmation.com.” Shepherd then refused to give the accountant authority to utilize the site to verify the cash balance. After that, the auditor notified the National Futures Association that his audit opinion could no longer be relied upon.

Given this cautionary tale, how can auditors combat the threat of false bank contact information?

Designing Confirmations 

A while back, my friend James Ulvog brought to my attention the following clarified auditing section about confirmations.

AU-C Section 505.A7 states:

Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by e-mail, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management.

Auditors often confirm bank accounts using:

  1. Letters
  2. Emails

Regardless of how an account is confirmed, auditors need to verify the contact information provided by the auditee–at least for some of the confirmations.

Bottom line

Audit standards require that steps be taken to ensure that confirmations are sent to the appropriate persons.

Using Confirmation.com reduces risk related to faulty confirmations. If you don’t use Confirmation.com, then consider checking street addresses by Googling them, or you might call the confirming party–especially for high-risk accounts.

The procedures used to verify mailing addresses, fax numbers, and email addresses should be documented in the auditor’s work papers.

Postscript

On February 11, 2015, Mr. Shepherd was sentenced to 84 months in prison and three years of supervised release. Shepherd pleaded guilty to one count of securities fraud in June 2013.

inherent risk
Oct 04

Inherent Risk: How to Understand

By Charles Hall | Auditing , Risk Assessment

Do you know how to assess inherent risk? Knowing when this risk is low is a key to efficient audits. In this article, I tell you how to assess inherent risk--and how lower risk assessments (potentially) decrease the amount of work you perform. I also provide inherent risk examples, and I define inherent risk.  

inherent risk

While audit standards don't require a separate assessment on inherent risk (IR) and control risk (CR), it's wise to do so. Why? So you know what drives the risk of material misstatement (RMM). 

Many auditors assess control risk at high (after performing their risk assessment procedures). Why? So they don't have to test controls. 

If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk results in a moderate risk of material misstatement. Why is this important? Lower RMMs provide the basis for less substantive work.

The Audit Risk Model

Before we delve deeper into inherent risk assessment, let's do a quick review of the audit risk model. Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”

Audit risk is defined as follows:

Audit Risk = IR X CR X Detection Risk

Inherent risk and control risk live within the entity to be audited.

Detection risk lies with the auditor.

A material misstatement may develop within the company because the transaction is risky or complex. Then, controls may not be sufficient to detect and correct the misstatement. 

If the auditor fails to detect the material misstatement, audit failure occurs. The auditor issues an unmodified opinion when a material misstatement is present.

Risk of Material Misstatement

As we plan an audit, we assess the risk of material misstatement. It is defined as follows:

RMM = IR X CR

Auditors assess the risk of material misstatement at the assertion level so they can determine the level of substantive work. Substantive work is the response to risk.

If the RMM is high, more substantive work is needed. Why? To reduce detection risk. 

But if the RMM is low to moderate, less substantive work is needed. 

Inherent Risk Definition

Let’s define inherent risk. It is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

The following inherent risk video is from my YouTube playlist: Audit Risk Assessment Made Easy. (The videos correspond to each chapter in my risk assessment book by the same name, available on Amazon.)

Inherent Risk Examples

The risk for cash is greater than that of a building. Cash is easily stolen. Buildings are not.  

The risk of a hedge transaction is greater than that of a trade receivable. Hedges can be complicated to compute. Trade receivables are not. 

Post-retirement liabilities are inherently risky. Why? It's a complex accounting area. The numbers usually come from an actuary. There are estimates in the form of assumptions.

Inherent Risk Factors 

Consider factors such as the following in assessing risk:

  • Susceptibility to theft or fraudulent reporting
  • Complex accounting or calculations
  • Accounting personnel’s knowledge and experience
  • Need for judgment
  • Difficulty in creating disclosures
  • Size and volume of accounts balance or transactions
  • Susceptibility to obsolescence
  • Prior year period adjustments

Inherent risk is not an average of the above factors. Just one risk factor can make an account balance or transaction cycle or disclosure high risk.

Inherent Risk at Less Than High

When inherent risk is less than high, you can perform fewer or less rigorous substantive procedures.

An example of a low inherent risk is the existence assertion for payables. If experienced payables personnel accrue payables, then the existence assertion might be assessed at low. (The directional risk of payables is an understatement, not an overstatement.) The lower risk assessment for existence allows the auditor to perform little if any procedures in relation to this assertion. 

Conversely, the completeness assertion for accounts payable is commonly a high inherent risk. Businesses can inflate their profits by accruing fewer payables. Fraudulent reporting of period-end payables is possible. Therefore, the risk of completeness for payables is often high. That's why auditors perform a search for unrecorded liabilities.

Base your risk assessment on factors such as those listed above. If inherent risk is legitimately low, then great. You can perform less substantive work. But if the assertion is high risk, then it should be assessed accordingly--even if that means more work. (The AICPA has included questions in peer review checklists regarding the basis for lower risk assessments. Their concern (I think) is that auditors might manipulate this risk in order to perform less work. I've heard no one from the AICPA say this. But I can see how they might be concerned about this possibility.)

Control Risk

So, what is the relationship between inherent risk and control risk?

Companies develop internal controls to manage areas that are inherently risky.

A business might create internal controls to lessen the risk that payables are understated. Examples of such controls include:

  • The CFO reviews the payables detail at period-end, inquiring about the completeness of the list
  • A payables supervisor reviews all invoices entered into the payables system
  • The payables supervisor inquires of all payables clerks about any unprocessed invoices at period-end
  • A budget to actual report is provided to department heads for review

Inherent risk exists independent of internal controls.

Control risk exists when the design or operation of a control does not remove the risk of misstatement. 

Audit Risk Assessment Update - SAS 145

SAS 145 will be effective for years ending December 31, 2023. This standard provides new inherent risk guidance, particularly in regard to inherent risk factors. See my SAS 145 article for details. 

Audit Risk Assessment Book

My new book, Audit Risk Assessment Made Easy, is now available on Amazon. If you struggle with internal control walkthroughs, preliminary analytics, understanding the entity and its environment, risk assessment and linkage, then this book is for you. Click the book cover to see it now on Amazon. 

Audit risk assessment
SAS 134
Sep 08

SAS 134 Unmodified and Modified Audit Opinions

By Charles Hall | Auditing

In this post, you’ll gain an understanding of unmodified and modified audit opinions using the guidance from AU-C Section 700, Forming an Opinion and Reporting on Financial Statements and AU-C 705, Modifications to the Opinion in the Independent Auditor’s Report. SAS 134 (and other SASs) amended these sections resulting in new audit opinions for periods ending after December 15, 2021. 

There are four potential audit opinions:

  1. Unmodified
  2. Qualified
  3. Disclaimer
  4. Adverse

Video Overview of Audit Opinions

This video provides an overview of the four opinions:

Unmodified Opinion

If there are no material misstatements, then you will issue an unmodified opinion. The unmodified opinion says the financial statements are presented fairly. 

Example SAS 134 Unmodified Opinion

A sample unmodified audit opinion follows:

[Date]

INDEPENDENT AUDITOR’S REPORT

[Appropriate Addressee]

[Entity Name]

Opinion

We have audited the financial statements of [Entity Name], which comprise the balance sheets as of December 31, 2020 and 2019, and the related statements of income, changes in stockholders’ equity, and cash flows for the years then ended, and the related notes to the financial statements.

In our opinion, the accompanying financial statements present fairly, in all material respects, the financial position of [Entity Name] as of December 31, 2020 and 2019, and the results of its operations and its cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America.

Basis for Opinion

We conducted our audits in accordance with auditing standards generally accepted in the United States of America (GAAS). Our responsibilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the Financial Statements section of our report. We are required to be independent of [Entity Name] and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements relating to our audit. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion.

Responsibilities of Management for the Financial Statements

Management is responsible for the preparation and fair presentation of the financial statements in accordance with accounting principles generally accepted in the United States of America, and for the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

In preparing the financial statements, management is required to evaluate whether there are conditions or events, considered in the aggregate, that raise substantial doubt about [Entity Name]’s ability to continue as a going concern for one year after the date that the financial statements are available to be issued.

Auditor’s Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance but is not absolute assurance and therefore is not a guarantee that an audit conducted in accordance with GAAS will always detect a material misstatement when it exists. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control. Misstatements are considered material if there is a substantial likelihood that, individually or in the aggregate, they would influence the judgment made by a reasonable user based on the financial statements.

In performing an audit in accordance with GAAS, we:

    • Exercise professional judgment and maintain professional skepticism throughout the audit.
    • Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, and design and perform audit procedures responsive to those risks. Such procedures include examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements.
    • Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of [Entity Name]’s internal control. Accordingly, no such opinion is expressed.
    • Evaluate the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management, as well as evaluate the overall presentation of the financial statements.
    • Conclude whether, in our judgment, there are conditions or events, considered in the aggregate, that raise substantial doubt about [Entity Name]’s ability to continue as a going concern for a reasonable period of time.

We are required to communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit, significant audit findings, and certain internal control-related matters that we identified during the audit.

Firm Signature

Modified Opinions

If material misstatements are present, then a modified audit opinion is necessary. Modifications can also occur when you are unable to obtain sufficient appropriate audit evidence; for instance, when a scope limitation is present. 

Modified Opinion

Definitions

AU-C 705 defines a modified opinion as a (1) qualified opinion, (2) an adverse opinion, or (3) a disclaimer of opinion. 

Another key definition in AU-C 705 is that of pervasiveness. This term is used in the context of misstatements; so if a material misstatements are present, you’ll want to know if they are pervasive. Two factors–material misstatements and pervasiveness–affect the type of opinion to be issued. Additionally, the ability or inability to obtain sufficient appropriate audit evidence affects the type of opinion to be issued. A misstatement (or possible misstatement) is pervasive if:

  • It’s not confined to specific accounts or items of the financial statement, or
  • If confined, the amount represents a substantial portion of the financial statements, or
  • If in relation to disclosures, the information is fundamental to the users’ understanding of the financial statements

For example, if material misstatements are present for inventory, receivables, and debt, they are pervasive. Or if, in another example, inventory makes up 60% of total assets and a material misstatement is present in that area, then it’s pervasive. Lastly, if key disclosures are not appropriately communicated or if they are omitted, then that is pervasive. 

Now, let’s look at the three modified opinions. 

1. Qualified Opinion

Suppose your audit reveals inventories are materially misstated, the client does not record your proposed audit adjustment, and there are no other material misstatements. If this is your situation (a material misstatement exists that is not pervasive), then audit standards allow for the issuance of a qualified opinion.

modified opinion

Here is sample qualified opinion language (this is not the full opinion):

Qualified Opinion

We have audited the financial statements of ABC Company, which comprise the balance sheets as of December 31, 20X1 and 20X0, and the related statements of income, changes in stockholders’ equity, and cash flows for the years then ended, and the related notes to the financial statements.

In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion section of our report, the accompanying financial statements present fairly, in all material respects, the financial position of ABC Company as of December 31, 20X1 and 20X0, and the results of its operations and its cash flows for the years then ended in accordance with accounting principles generally accepted in the United States of America.

Basis for Qualified Opinion

The Company has property with impaired value. The impairment occurred in 20X9. Accounting principles generally accepted in the United States of America require that impaired assets be written down to their fair market value. The Company continues to reflect the property at cost. If the property was stated at fair value upon impairment, total assets and stockholder’s equity would have been reduced by $X,XXX,XXX as of December 31, 20X1 and 20X0, respectively. 

2. Adverse Opinion

Now let’s suppose that you are auditing a consolidated entity, and your client is not willing to include a material subsidiary and which, if included, would have a pervasive impact on the statements.

Adverse opinion

Here is sample adverse opinion language (this is not the full opinion):

Adverse Opinion

We have audited the consolidated financial statements of ABC Company and its subsidiaries, which comprise the consolidated balance sheet as of December 31, 20X1, and the related consolidated statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements.

In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion section of our report, the accompanying consolidated financial statements do not present fairly the financial position of ABC Company and its subsidiaries as of December 31, 20X1, or the results of their operations or their cash flows for the year then ended in accordance with accounting principles generally accepted in the United States of America.

Basis for Adverse Opinion

As described in Note X, The Golfing Company has not consolidated the financial statements of its subsidiary Easy-Go Company that it acquired during 20X1. This investment is accounted for on a cost basis by The Golfing Company. Under accounting principles generally accepted in the United States of America, the subsidiary should have been consolidated. Had Easy-Go Company been consolidated, many elements in the accompanying consolidated financial statements would have been materially affected. The effects on the consolidated financial statements of the failure to consolidate have not been determined.

3. Disclaimer of Opinion

Finally, let’s suppose you are performing an audit in which insufficient audit information is provided with regard to receivables and inventories (both of which are material) and that the misstatements have a pervasive impact on the financial statements as a whole.

disclaimer of opinion

Here is sample disclaimer of opinion language (this is not the full opinion):

Disclaimer of Opinion

We were engaged to audit the financial statements of ABC Company, which comprise the balance sheet as of December 31, 20X1, and the related statements of income, changes in stockholders’ equity, and cash flows for the year then ended, and the related notes to the financial statements.

We do not express an opinion on the accompanying financial statements of ABC Company. Because of the significance of the matters described in the Basis for Disclaimer of Opinion section of our report, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion on these financial statements.

Basis for Disclaimer of Opinion

The Company’s accounting system was hacked during the year by an unknown party, resulting in a series of changes in accounting entries. Additionally, the Company was unable to restore the accounting system. As a result of these matters, we were unable to determine the adjustments that were necessary to correct the balance sheet, statement of income, changes in stockholder’s equity, and cash flow statement as of and for the year ended December 31, 20X1.

Effective Date of SAS 134

The new SAS 134 opinions are required for periods ending on or after December 15, 2021. 

Resolving Conflict with Clients

If, as described above, you have a client that is unwilling to post a material audit adjustment, consider creating a draft of the opinion and providing it to them. This is not a threat, just a way to clearly communicate the effect of not posting the adjustment. 

Before doing anything, allow the client to fully explain their position. A modified opinion may not be necessary once you understand the facts. But if after the discussion, the you are still convinced there is a material misstatement, a modified opinion may be necessary.

In some cases, you may want to consider withdrawing from the engagement. Consult with your legal counsel before doing so.

Audit Opinion Research

Deciding on the opinion is often the most important decision you will make in an audit. So, do your research, and, if needed, consult with others to gain assurance about your decisions. AU-C 705: Modifications to the Opinion in the Independent Auditor’s Report provides several sample opinions; so refer to those as you create any modified opinions including qualified, adverse, or disclaimer. See AU-C 700: Forming an Opinion and Reporting on Financial Statements for information about unmodified opinions. 

If you need to add an emphasis of matter or other matter paragraph for issues such as a lack of consistency, see my article.  

audit documentation
Aug 15

Audit Documentation: Peer Review Finding

By Charles Hall | Auditing

Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation in AU-C 230. And if it’s not documented, the peer reviewer can’t give credit. Work papers are your vehicle of communication. 

But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.

audit documentation

Insufficient Audit Documentation

Insufficient audit documentation has been and continues to be a hot-button peer review issue. And it’s not going away. 

But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that is fuzzy. Too often audit files are poor-to-midland. But why? 

First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.

Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (make more money), it’s a lack of understanding.

Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Confirmations, walkthroughs, fraud inquiries are omitted. And yes, it’s easier–at least in the short run.

But we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on a website and everyone could see it, would you be proud? Or does it need improvement?

Sufficient Audit Documentation According to AU-C 230

Let’s see what constitutes sufficient documentation.

AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:

  • Nature, timing, and extent of procedures performed
  • Results and evidence obtained
  • Significant findings, issues, and professional judgments

While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like? Here are some pointers for complying with AU-C 230. 

Experienced Auditor’s Understanding

Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?

Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).  

A Fog in the Work Papers

So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will see our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.

Just because I know why I am doing something does not mean that someone else will. So how can we create clarity?

Creating Clarity

Work papers should include the following:

  • A purpose statement (what is the reason for the work paper?)
  • The source of the information (who provided it? where did they obtain it and how?)
  • An identification of who prepared and reviewed the work paper
  • The audit evidence (what was done)
  • A conclusion (does the audit evidence support the purpose of the work paper?)

When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.

Remember, the work paper preparer is responsible for clear communication. 

And here’s another thing to consider: You (the work paper preparer) might spend six hours on one document, so you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand your work.

Help Your Reviewers

To help your reviewers:

  1. Tell them what you are doing (purpose statement)
  2. Do it (document the test work)
  3. Then, tell them how it went (the conclusion)

Now let’s move from proper to improper documentation.

Examples of Poor Work Paper Documentation

So, what does insufficient audit documentation look like? In other words, what are some of the signs that we are not complying with AU-C 230?

Here are examples of poor audit work paper documentation:

  • Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
  • Placing a document in a file without explaining why (what is its purpose?)
  • Not signing off on audit steps
  • Failing to reference audit steps to supporting work papers
  • Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
  • Not signing off on work papers as a preparer
  • Not signing off on work papers as the reviewer
  • Failing to place excerpts of key documents in the file (e.g., debt agreement)
  • Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
  • Not documenting the selection of a sample (why and how and the sample size)
  • Failing to explain the basis for low inherent risk assessments
  • Key bank accounts and debt are not confirmed
  • Not documenting the reason for not sending receivable confirmations
  • A lack of retrospective reviews
  • A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
  • Not documenting entity-level controls (e.g., tone at the top, management’s risk assessment procedures)
  • A failure to document risk assessments
  • Low control risk assessments without a test of controls
  • A lack of linkage from the risk assessment to the audit plan
  • No independence documentation though nonattest services are provided

This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.

Strangely, however, poor work papers are not the result of insufficient documentation, but too much documentation. 

Too Much Audit Documentation

Many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”

In looking at audit files, I see:

  • The clutter of unnecessary work papers
  • Files received from clients that don’t support the audit opinion
  • Unnecessary work performed on extraneous documents

For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.

If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we might realize it has none. Which is nice–now, we can eliminate it.

One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting. 

The key to eliminating unnecessary work lies in performing the following steps (in the order presented):

  1. Perform risk assessment
  2. Plan your audit based on the identified risks
  3. Perform the audit procedures

Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, we repeat them. This creates waste year after year after year.

Before I close this article, here is one good work paper suggestion from my friend Jim Bennett of Bennett & Associates: transaction area maps. 

Transaction Area Maps

Include transaction area maps in your file. A summary creates organization and makes it easier to find your work papers. It also provides a birds-eye view of what you have done. Here’s an example:

ACCOUNTS RECEIVABLE WORKPAPER MAP

4-02 Audit Program

4-10 Risk Assessment Analyticals

ACCOUNTS RECEIVABLE AGING

4-20 Customer aging report

4-21 AR break-out of intercompany balances

4-23 AR aging tie in to TB

4-24 Review of AR aging

ACCOUNTS RECEIVABLE CONFIRMATIONS

4-50 Planning worksheet – substantive procedures

4-51 AR confirmation reconciliation

4-52 AR confirmation replies

4-60 Allowance for doubtful accounts

4-70 Intercompany balances and sales to significant customers

4-80 Sales analytics

4-90 Sales cut-off testing

4-95 Revenue recognition 606 support and disclosures

Summary

In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message. We need to do so to comply with AU-C 230, Audit Documentation

Additional Guidance

The AICPA also provides some excellent guidance regarding work paper documentation. Download their work paper template; it’s very helpful. 

Also, see my article titled 10 Steps to Better Audit Workpapers.

>