Category Archives for "Auditing"

Aug 14

Audit Risk Assessment: The Why and the How

By Charles Hall | Auditing

Today we look at one of the most misunderstood parts of auditing: audit risk assessment.

Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation. Below you’ll see how to use risk assessment procedures to identify risks of material misstatement. You’ll also learn about the risk of material misstatement formula and how you can use it to plan your engagements. 


Audit Risk Assessment as a Friend

Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?

This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.

So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:

  1. We don’t understand it
  2. We're creatures of habit

Too often auditors continue doing the same as last year (commonly referred to as SALY)--no matter what. It’s more comfortable than using risk assessment.

But what if SALY is faulty or inefficient?  

Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).

Are We Working Backwards?

The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:

  1. Determine the risks of material misstatements (plan our work)
  2. Develop a plan to address those risks (plan our work)
  3. Perform substantive procedures (work our plan) and test controls for effectiveness (if planned)
  4. Issue an opinion (the result of planning and working)

Auditors sometimes go directly to step 3 and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1 is created “because we have to.”

In other words, we work backwards.

So, is there a better way?

A Better Way to Audit

During the initial planning phase of an audit, an auditor should do the following:

  1. Understand the entity and its environment
  2. Understand entity-level controls
  3. Understand the transaction level controls
  4. Use preliminary analytical procedures to identify risk
  5. Perform fraud risk analysis
  6. Assess risk

While we may not complete these steps in this order, we do need to perform our risk assessment procedures first (steps 1 through 4) and then assess risk.

Okay, so what procedures should we use?

Audit Risk Assessment Procedures

AU-C 315.06 states:

The risk assessment procedures should include the following:

  • Inquiries of management, appropriate individuals within the internal audit function (if such function exists), and others within the entity who, in the auditor's professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
  • Analytical procedures
  • Observation and inspection

I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.


Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.

First, we need to understand the entity and its environment.

Understand the Entity and Its Environment

The audit standards require that we understand the entity and its environment.

I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"

The answer tells me a great deal about the entity's risk.

I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.

Think of risks as threats to objectives. Your client's fears tell you what the objectives are--and the threats. 

To understand the entity and its related threats, ask questions such as:

  • How is the industry faring?
  • Are there any new competitive pressures or opportunities?
  • Have key vendor relationships changed?
  • Can the company obtain necessary knowledge or products?
  • Are there pricing pressures?
  • How strong is the company’s cash flow?
  • Has the company met its debt obligations?
  • Is the company increasing in market share?
  • Who are your key personnel and why are they important?
  • What is the company’s strategy?
  • Does the company have any related party transactions?

As with all risks, we respond based on severity. The higher the risk, the greater the response.

Audit standards require that we respond to risks at these levels:

  • Financial statement level
  • Transaction level

Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.

Responses to risk at the transaction level are more specific, such as a search for unrecorded liabilities.

But before we determine responses, we must first understand the entity's controls.

Understand Transaction Level Controls

We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?). 

So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.

AU-C 315.14 requires that auditors evaluate the design of their client's controls and determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as for any other requirement of AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.

Some auditors excuse themselves from this audit requirement, saying, "the entity has no controls."

All entities have some level of controls. For example, signatures on checks are restricted to certain persons. Additionally, someone usually reviews the financial statements. And we could go on.

The AICPA has developed a practice aid that you'll find handy in identifying internal controls in small entities.

The use of walkthroughs is probably the best way to understand internal controls.

Sample Walkthrough Questions 

As you perform your walkthroughs, ask questions such as:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports and who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.

So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.

This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.

In an AICPA study regarding risk assessment deficiencies, 40% of the identified violations related to a failure to gain an understanding of internal controls.


Another significant risk identification tool is the use of planning analytics.

Preliminary Analytical Procedures

Use planning analytics to shine the light on risks. How? I like to use:

  • Multiple-year comparisons of key numbers (at least three years, if possible)
  • Key ratios

In creating preliminary analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)

You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information, see my preliminary analytics post.)
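As an added example (not code from the article or its author), the following Python performs the planning analytics described above on constructed three-year figures: year-over-year comparisons of the key numbers management reviews, the gross profit margin against an assumed industry benchmark, and days sales outstanding as one further key ratio. Every balance, the 10% variance threshold, and the 30% benchmark are constructed assumptions.

```python
"""Preliminary (planning) analytics on constructed three-year figures.

Added example, not the article's own code. All account balances, the
industry benchmark, and the variance threshold are constructed
assumptions used only for illustration.
"""

# Constructed sample: three years of the key numbers management reviews.
# Values are in thousands of dollars and are illustrative only.
FIGURES = {
    "revenue":             {2021: 4200, 2022: 4400, 2023: 4650},
    "cost_of_sales":       {2021: 2940, 2022: 3080, 2023: 3720},
    "accounts_receivable": {2021:  520, 2022:  540, 2023:  910},
    "accounts_payable":    {2021:  310, 2022:  330, 2023:  345},
}

# Assumed industry gross margin benchmark (constructed).
INDUSTRY_GROSS_MARGIN = 0.30
# Assumed threshold above which a year-over-year change counts as unexpected.
VARIANCE_THRESHOLD = 0.10


def gross_profit_margin(figures, year):
    """(Revenue - cost of sales) / revenue for one year."""
    rev = figures["revenue"][year]
    return (rev - figures["cost_of_sales"][year]) / rev


def year_over_year(figures, account):
    """Return {year: fractional change from the prior year} for an account."""
    series = figures[account]
    years = sorted(series)
    return {y: (series[y] - series[p]) / series[p]
            for p, y in zip(years, years[1:])}


def flag_variances(figures, threshold=VARIANCE_THRESHOLD):
    """Accounts whose latest-year change exceeds the threshold, with that change."""
    flags = {}
    for account in figures:
        changes = year_over_year(figures, account)
        latest = max(changes)
        if abs(changes[latest]) > threshold:
            flags[account] = round(changes[latest], 3)
    return flags


def days_sales_outstanding(figures, year):
    """Receivables / revenue * 365: how long, on average, sales sit uncollected."""
    return figures["accounts_receivable"][year] / figures["revenue"][year] * 365


def planning_analytics(figures):
    """Assemble the comparisons and ratios an auditor would review at planning."""
    years = sorted(figures["revenue"])
    latest = years[-1]
    margins = {y: round(gross_profit_margin(figures, y), 3) for y in years}
    return {
        "flagged_accounts": flag_variances(figures),
        "gross_margin_by_year": margins,
        "gross_margin_vs_industry": round(margins[latest] - INDUSTRY_GROSS_MARGIN, 3),
        "dso_by_year": {y: round(days_sales_outstanding(figures, y), 1) for y in years},
    }


if __name__ == "__main__":
    for key, value in planning_analytics(FIGURES).items():
        print(f"{key}: {value}")
```

In the constructed data the latest-year jumps in cost of sales and receivables, the margin falling below the benchmark, and the lengthening collection period are all flagged; those are the items to carry forward into the risk picture and, where no explanation is found, to treat as the unexplained variations discussed next.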

Sometimes, unexplained variations in the numbers are fraud signals.

Identify Fraud Risks

In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?

Also, we should plan procedures related to:

  • Management override of controls, and
  • The intentional overstatement of revenues

My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.

Same Old Errors

Have you ever noticed that some clients make the same mistakes—every year? (Johnny--the controller--has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).

One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.

Now it’s time to pull the above together.

Creating the Risk Picture

Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image.


What are we bringing together? Here are examples:

  • Control weaknesses
  • Unexpected variances in significant numbers
  • Entity risk characteristics (e.g., level of competition)
  • Large related-party transactions
  • Occurrences of theft

Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.

How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.

Assess the Risk of Material Misstatement

Understanding the risk of material misstatement formula is key to identifying high-risk areas.

What is the risk of material misstatement formula?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk × Control Risk

Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.

Once you have completed the risk assessment process, control risk can be assessed at high, simply as an efficiency decision. See my article Assessing Audit Control Risk at High and Saving Time.
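Pulling together three passages above (the summary of larger audit entries kept over the last three years, the synthesis of the risk picture, and the RMM formula applied at the assertion level, including the option of assessing control risk at high as an efficiency decision), here is an added Python example; it is not the article's or the author's code. It assumes an ordinal scale (Low = 1, Moderate = 2, High = 3) and a bucketing of the product that the standards do not prescribe, and every account, assertion, adjusting entry and control weakness in it is constructed.

```python
"""Assembling the risk picture and applying RMM = Inherent Risk x Control Risk.

Added example, not the article's own code. The numeric scale, the bucketing
of the product, and all accounts, assertions and adjustments are constructed
assumptions for illustration.
"""
from collections import defaultdict

# Assumed ordinal scale for the qualitative levels (constructed).
LEVEL = {"Low": 1, "Moderate": 2, "High": 3}

# Constructed three-year summary of the larger audit entries, year -> [(account, amount)].
ADJUSTMENTS = {
    2021: [("accounts payable", 48000)],
    2022: [("accounts payable", 52000), ("inventory", 15000)],
    2023: [("accounts payable", 61000)],
}
# Constructed findings from walkthroughs and planning analytics.
WEAKNESSES = {"accounts payable"}        # e.g. one clerk can add vendors and print checks
VARIANCES = {"accounts receivable"}      # unexpected variance flagged at planning
# (account, assertion, inherent risk, control risk if controls were tested and effective)
ASSERTIONS = [
    ("cash", "existence", "Low", "Low"),
    ("accounts receivable", "existence", "Moderate", "Low"),
    ("accounts payable", "completeness", "Moderate", "Moderate"),
    ("fixed assets", "valuation", "Low", "Low"),
]


def recurring_adjustments(entries, years_required=2):
    """Accounts with a larger audit entry in at least `years_required` of the years given."""
    years_by_account = defaultdict(set)
    for year, posted in entries.items():
        for account, _amount in posted:
            years_by_account[account].add(year)
    return sorted(a for a, ys in years_by_account.items() if len(ys) >= years_required)


def rmm_level(inherent, control):
    """Combine the two qualitative levels with the formula on the assumed scale."""
    product = LEVEL[inherent] * LEVEL[control]
    if product >= 6:
        return "High"
    if product >= 3:
        return "Moderate"
    return "Low"


def build_risk_picture(assertions, weaknesses, variances, recurring, test_controls=False):
    """Assess RMM per assertion and rank the highest risks first.

    Assumed rules: inherent risk is raised to High when planning analytics
    flagged the account or the account carries recurring audit entries;
    control risk is High when a weakness was noted, or whenever the auditor
    elects not to test controls (the efficiency decision in the article).
    """
    picture = []
    for account, assertion, inherent, designed_cr in assertions:
        basis = []
        if account in variances:
            basis.append("unexpected variance")
            inherent = "High"
        if account in recurring:
            basis.append("recurring audit entries")
            inherent = "High"
        if account in weaknesses:
            basis.append("control weakness")
            control = "High"
        elif not test_controls:
            basis.append("controls not tested")
            control = "High"
        else:
            control = designed_cr
        picture.append({"account": account, "assertion": assertion,
                        "inherent_risk": inherent, "control_risk": control,
                        "rmm": rmm_level(inherent, control), "basis": basis})
    return sorted(picture, key=lambda r: -LEVEL[r["rmm"]])


def rmm_by_account(picture):
    """Flatten the ranked picture to {account: RMM level} for quick review."""
    return {row["account"]: row["rmm"] for row in picture}


if __name__ == "__main__":
    recurring = recurring_adjustments(ADJUSTMENTS)
    for mode in (False, True):
        print("testing controls" if mode else "control risk at high")
        for row in build_risk_picture(ASSERTIONS, WEAKNESSES, VARIANCES, recurring, mode):
            print(f"  {row['account']} / {row['assertion']}: {row['rmm']} ({', '.join(row['basis'])})")
```

Running it both ways shows the efficiency decision in the formula: with control risk assessed at high, RMM is driven by inherent risk alone, so the areas with recurring entries, flagged variances or a noted weakness rank at the top; electing to test controls lowers RMM only where controls are designed well, and changes nothing for the account with the weakness.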

The Input and Output

The inputs in audit planning include all of the above audit risk assessment procedures.

The outputs (sometimes called linkage) of the audit risk assessment process are shown below:

[Figure: Linking risk assessment to audit planning]

We tailor the strategy and plan based on the risks.

In a nutshell, we identify risks and respond to them.

Next in the Audit Series

In my next post, we’ll take a look at Auditing for Fraud: The Why and How.

Audit Risk Assessment Made Easy - My New Book

My new book titled Audit Risk Assessment Made Easy is now available on Amazon. I’ve been working on this for over a year and a half. I think you’ll find it to be a valuable resource in understanding, documenting, planning, and performing risk assessment procedures. 



Aug 08

Auditing for Fraud: The Why and How

By Charles Hall | Auditing , Fraud

Auditing for fraud is important, but some auditors ignore this duty. Even so, fraud risk is often present. 

So what is an auditor’s responsibility for detecting fraud? Today, I answer that question in light of generally accepted auditing standards in the United States. We’ll look specifically at AU-C 240, Consideration of Fraud in a Financial Statement Audit.

Here’s an overview of this article:

  • Auditor’s responsibility for detecting fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 

Auditor’s Responsibility for Detecting Fraud – AU-C 240

I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements, whether caused by error or fraud, is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.

Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems make it extremely difficult to discover fraud. Third, the number of potential fraud schemes (there are thousands) makes it challenging to consider all possibilities. And, finally, some frauds are so well hidden that auditors won’t detect them.

Even so, auditors should not turn a blind eye to fraud.

Turning a Blind Eye to Fraud

Why do auditors not detect fraud?

Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (after known theft occurs)
  • Not performing walkthroughs
  • Not conducting brainstorming sessions, and window-dressing the related documentation
  • Files that reflect no responses to brainstorming and risk assessment procedures
  • Files that contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • Audit programs that don’t change even though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft


Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers?” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements are a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves” and “get in the trenches.”

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weaknesses allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just break it down and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observation of controls, inspection of documents, and inquiry. Of the three, the most commonly used is inquiry.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior

AU-C 240 also states that the auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity. For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures.

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and outside auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we put together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we describe the accounting system in our work papers, we may find missing pieces. Controls may be inadequate. When they are, we ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”


The threats in our childhood stories were easy to recognize. The wolves were hard to miss. Not so in walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize.

So, how long should the story be? That depends on the size of the organization. Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid distracting details.

But what if control weaknesses are noted?

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures provide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? Think like a thief. By thinking like a fraudster, we unearth theft schemes. Why? So we can audit those possibilities. This is the reason for risk assessment procedures in the first place.


What we discover in risk assessment informs the audit plan. Now we are ready to perform our fraud risk assessment. With the information gained from the risk assessment procedures, we know where the risks are. If, for example, there is a risk that fictitious vendors are present, we might assess the risk of material misstatement at high for the expense occurrence assertion. (Our risks of material misstatement should be assessed at the assertion level.) Then we plan our response, which might be testing new vendors added to determine if they are legitimate. So the fraud risk assessment occurs after we perform our risk assessment procedures. This tells us where the risks of material misstatement are.

The Auditor’s Responsibility for Detecting Fraud – AU-C 240

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”

Hopefully, you now better understand fraud procedures. But to understand the purpose of them, look at a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:

Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds will be missed, even when we perform the audit correctly.

The Why and How of Auditing: A Blog Series About Audit Basics

Check out my series of posts: The Why and How of Auditing.

You’ll see how to audit cash, receivables/revenues, payables/expenses, investments, and other transaction cycles. You’ll also see how to perform risk assessment procedures before you plan your further audit procedures. 

Also, see my book The Why and How of Auditing on Amazon.

May 29

Test of Controls: When to Perform and How

By Charles Hall | Auditing

Most auditors don’t perform a test of controls. But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required.


Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:

  1. Test of details 
  2. Substantive analytics
  3. Test of controls

This article focuses on the third option.

Below you will see:

  • The Right Response
  • Not Testing Controls (including video about the same)
  • The Decision Regarding Testing 
  • How to Test Controls
  • Required Tests
  • Which Controls to Test
  • Three-year Rotation of Testing
  • Interim or Period-End Testing

The Right Response 

Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.

If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).

By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)

Not Testing Controls

Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high. 

Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time. 

The Decision Regarding Testing 

But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.

Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures take less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.

How to Test Controls 

Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.


Risk Assessment

Your approach to testing controls depends on risk. 

For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use. 

Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.

Test Supports Effectiveness

Now it’s time to test for effectiveness. 

Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)

The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty. 

The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed. 

The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person who reconciled the bank statement was not involved in cash collections.

Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment. 

And what about substantive tests?

You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.

Test Doesn’t Support Effectiveness

If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance. 

So, when should you test controls? First let’s look at required tests and then optional ones. 

Required Audit Tests of Controls

Here are two situations where you must test controls:

  • When there is a significant risk and you are placing reliance on controls related to that risk
  • When substantive procedures don’t properly address a risk of material misstatement

Let me explain.

Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually. 

Also a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor, and you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement, so this requirement is usually not triggered. 

Optional Audit Test of Controls

We just covered the two situations when testing is required. All other control testing is optional.


Prior to making the decision about testing, consider the following:

  • Do you anticipate effectiveness? There’s no need to test an ineffective control. 
  • Does the control relate to an assertion for which you desire a lower control risk? 
  • Will it take less time to test the control than to perform a substantive procedure? Sometimes you may not know the answer to this question until you perform the test of controls. If the initial test does not prove effectiveness, then you have to expand your sample or just punt—in other words, use a fully substantive approach. 
  • Will you use the control testing in conjunction with a test of details or substantive analytics? How would effective controls reduce these substantive tests? In other words, how much substantive testing time would you save if the control is effective?
  • Is the control evidence physical or electronic? For example, are the entity’s receipts in a physical receipt book or in a computer? It’s usually easier to test electronic evidence.
  • How large will your sample size be? Some controls occur once a month. Others, thousands of times in the period. The larger the population, the larger the sample. And, of course, the larger the sample size, the more time it will take to perform the test. 
  • Can you test the population as a whole without sampling? Data analytics software—in some instances—can be used to test the entire population. For example, if a purchase order is required for all payments above $5,000, it might be easy to compare all payments above the threshold to purchase orders, assuming the purchase orders are electronic. 
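The last bullet above, testing the whole population rather than a sample, is shown below as an added Python example written for this page (not code from the article or from any analytics product). The payment and purchase order populations are constructed, the $5,000 threshold is the one in the text, and the extra checks (a referenced purchase order that does not exist, one issued to a different vendor, one for less than the payment) are assumptions about what a practitioner would want the full-population test to catch.

```python
from decimal import Decimal

# Payments strictly above this amount must be supported by a purchase order.
PO_THRESHOLD = Decimal("5000.00")

# Constructed cash disbursements population (not client data).
PAYMENTS = [
    # (check number, vendor, amount, purchase order reference or None)
    ("10441", "Acme Supply", Decimal("7250.00"), "PO-2031"),
    ("10442", "Acme Supply", Decimal("4999.99"), None),          # below threshold
    ("10443", "Delta Services", Decimal("12000.00"), None),      # no PO at all
    ("10444", "Delta Services", Decimal("5000.00"), "PO-2040"),  # at, not above, threshold
    ("10445", "Omega Inc", Decimal("6100.00"), "PO-9999"),       # PO number does not exist
    ("10446", "Omega Inc", Decimal("8000.00"), "PO-2044"),       # payment exceeds PO amount
]

# Constructed electronic purchase order file: PO number -> (vendor, approved amount).
PURCHASE_ORDERS = {
    "PO-2031": ("Acme Supply", Decimal("7250.00")),
    "PO-2040": ("Delta Services", Decimal("5000.00")),
    "PO-2044": ("Omega Inc", Decimal("7500.00")),
}


def examine_po_control(payments, purchase_orders, threshold=PO_THRESHOLD):
    """Test every in-scope payment (no sampling).

    Returns (population_size, exceptions) where exceptions is a list of
    (check number, reason). population_size is the count of payments above
    the threshold, which is what would otherwise be the sampling population.
    """
    in_scope = [p for p in payments if p[2] > threshold]
    exceptions = []
    for check_no, vendor, amount, po_ref in in_scope:
        if po_ref is None:
            exceptions.append((check_no, "no purchase order referenced"))
            continue
        po = purchase_orders.get(po_ref)
        if po is None:
            exceptions.append((check_no, f"purchase order {po_ref} not found"))
        elif po[0] != vendor:
            exceptions.append((check_no, f"purchase order {po_ref} is for a different vendor"))
        elif amount > po[1]:
            exceptions.append((check_no, f"payment exceeds purchase order {po_ref} amount"))
    return len(in_scope), exceptions


def deviation_rate(population_size, exceptions):
    """Deviations as a fraction of the population actually examined."""
    if population_size == 0:
        return Decimal("0")
    return Decimal(len(exceptions)) / Decimal(population_size)


if __name__ == "__main__":
    size, found = examine_po_control(PAYMENTS, PURCHASE_ORDERS)
    print(f"{size} payments above {PO_THRESHOLD}; {len(found)} exceptions")
    for check_no, reason in found:
        print(f"  check {check_no}: {reason}")
```

Because every payment above the threshold is examined, there is no sampling risk to evaluate; the exception list itself is the result, and each exception is something to take back to the client before concluding on the control.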

Three-Year Rotation of Testing

As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.

In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review the purchase order process each year in your annual walkthroughs. 

So should you test controls at interim or after year-end?

Interim or Period-End Testing

Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?

It depends.


Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective. 

Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.

If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.

So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).

Conclusion

As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.

Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytical Procedures: Power Up.

Substantive Analytical Procedures
May 06

Substantive Analytical Procedures: Power Up

By Charles Hall | Auditing

Are you using substantive analytical procedures in your audits? Many auditors rely solely on tests of details when a better option is available. Substantive analytics, in some cases, provide better evidential matter. And they are often more efficient than tests of details.

In this article, I provide:

  • Substantive Analytics – A Video Overview
  • Analytics in Three Stages
  • Substantive Analytics
  • Responses to Risk of Material Misstatement
  • Substantive Analytical Assurance Level
  • Examples of Substantive Analytics
  • Documenting Substantive Analytical Procedures
  • Other Substantive Analytical Considerations

Professional standards define analytical procedures as evaluations of financial and non-financial data with plausible relationships. An example of such a relationship is that salaries may be expected to be a certain percent of total expenses. In other words, numbers behave in particular ways. Because they do, we can use these relationships as evidential matter for our audit opinions.

Substantive Analytics – A Video Overview

The video below provides an overview of substantive analytical procedures. It comes from my YouTube playlist Audit Risk Assessment Made Easy.

Before we look at what substantive analytics are and how we use them, let’s see how analytical procedures are used in audits.

Analytics in Three Stages

Auditors use analytics in three stages:

  1. Preliminary (risk assessment)
  2. Final (wrap up)
  3. Substantive (response to risk of misstatement)

Preliminary analytics are performed as a risk assessment procedure. We use them to locate potential material misstatements. And if we identify unexpected activity, we plan a response. For example, if we expect payroll to go up 5% but it goes down 8%, then we plan further audit procedures to see why: these can include tests of details, substantive analytics, and tests of controls. 

At the completion of the audit, we use final analytics to determine if we have addressed all risks of material misstatement. Here we compare our numbers and ask, “Have we dealt with all risks of material misstatement?” If yes, fine. If not, then we may need to perform additional further audit procedures. 

Less precision is necessary for preliminary and final analytics as compared to substantive analytics. Preliminary analytics locate misstatements and final analytics confirm the results of the audit. But substantive analytics are used to prove material misstatements are not present. 

Substantive Analytics

Substantive analytical procedures can, in certain cases, be more effective and efficient than a test of details. 

For example, if the ratio of salaries to total expenses has been in the 46% to 48% range for the last few years, then you can use this ratio as a substantive analytic to prove the payroll occurrence assertion. If your expectation is that payroll would be in this range and your computation yields 48%, then your substantive analytic provides evidence that salaries occurred. And this is much easier than a test of details such as a test of forty payroll transactions (where you might agree hours paid to time records and payroll rates to authorized amounts). 

Disaggregation of Data

For a small entity with six employees, one payroll substantive analytic might be sufficient, but you may need to disaggregate the payroll information for a larger company with six hundred people. For instance, you might divide departmental salaries by total salaries and compare those ratios to the prior year. Disaggregation adds more precision to the analytic, resulting in better evidential matter. 

Another example of disaggregation is in relation to revenues. If the company has four major sources of revenue, disaggregate the substantive analytical revenue sources. You might use a trend analysis by revenue source for the last three years. Or you might recompute an estimate of one or more revenue sources based on units sold or property rented. 

The type of substantive analytic is dependent on the nature of the transaction or account balance. If a company rents fifty apartments at the same monthly rate, computing an estimate of revenue is easy. But if a company sells fifty different products at different prices, you may need to disaggregate the substantive analytical data. 

Additionally, consider disaggregating substantive analytics by region if the company has different geographic locations. 

Not for Significant Risk Areas (at least not alone)

Are there audit areas where substantive analytical procedures should not be used alone? Yes. When responding to a significant risk. A test of details must be used when a significant risk is present. For example, a bank’s allowance for loan losses. This allowance is a highly complex estimate; therefore, a test of details is required. You could not solely compare the allowance to prior years, for example, though such a comparison could complement a test of details. In other words, you could perform a test of details and use a substantive analytic. But a substantive analytic alone would not do. 

Now let’s consider how auditors use substantive analytics to respond to the risk of material misstatement.

Responses to Risks of Material Misstatement

Once you identify a risk of material misstatement, you plan further audit procedures including (1) test of details, (2) substantive analytical procedures, and (3) test of controls. Many auditors use a test of details without performing substantive analytics. Why? For many, it’s habit. We’ve always tested bank reconciliations, for example, so we continue to do so. But maybe we’ve never used substantive analytics to prove revenues or expenses. 

A test of details is often used in relation to balance sheet accounts such as cash, receivables, and debt. 

Substantive Analytical Procedures as a Response

Substantive analytics, on the other hand, are sometimes more fitting for income statement accounts such as revenue or expenses. Why? Because income statement accounts tend to be more consistent from year to year. Here are some examples:

  • Depreciation expense
  • Payroll expense
  • Lease revenue
  • Property tax revenue (in a government)

So consider using substantive analytics when the volume of transactions is high and the account balance is predictable over time. Additionally, use substantive analytics in lower risk areas, including some balance sheet accounts such as: 

  • Plant, property, and equipment (if no significant additions or retirements)
  • Debt (if no new debt or early payoffs)
  • Prepaid assets (e.g., prepaid insurance)

Audit standards tell us that substantive analytics are more appropriate when the risk of misstatement is lower. The higher the risk of misstatement, the more you should use a test of details. For instance, it’s better to use tests of details for significant receivable accounts. But substantive analytics may work well for prepaid insurance. 

Additionally, substantive analytics can be combined with a test of details or a test of controls. If, for example, you’re planning a risk response for accounts payable and expenses, you might use a combined approach: a test of details for accounts payable (e.g., search for unrecorded liabilities) and substantive analytics for expense (e.g., departmental expenses divided by total expenses compared to the prior year).

Another common combined approach is a test of details sample along with substantive analytics. If the substantive analytics are effective, you can reduce the sample size, making the overall approach more efficient. 

Substantive Analytical Assurance Level

Certain substantive analytics provide higher levels of assurance. For example, computing expected rental income provides high assurance. If your client rents fifty identical apartments at $2,000 a month, the computation is easy and the assurance is high. 

How to Increase Assurance When Using Substantive Analytics

Other types of analytics provide lower assurance: topside ratios or period-to-period comparisons at the financial statement level, as examples. You can, however, increase the substantive analytical assurance level by taking actions such as:

  • Using more comparative periods (e.g., years or months)
  • Comparing ratios to independently published industry statistics 
  • Disaggregating the data (e.g., revenues by product line and units sold)
  • Documenting expectations prior to creating the analytics (to remove bias)
  • Documenting client responses regarding differences along with the follow up procedures and results

Comparing balances with a prior period and providing no explanations is not sufficient as a substantive analytic. Also, if the activity is unexpected, solely documenting client responses to questions is not sufficient. For example, these client answers will not do:

  • Client expected revenues to go up
  • Numbers declined because sales activity went down
  • Client said it’s reasonable

Vague responses are not evidential matter and can result in audit failure, or—worse yet—litigation against your firm. 

Substantive analytics can be used in a wide variety of ways. 


Examples of Substantive Analytics

Here are examples of substantive analytics:

  • Comparison of monthly sales for the current year with that of the preceding year (to test occurrence)
  • Comparison of profit margins for the last few months of the audit period with those subsequent to period-end (to test cutoff)
  • Percent of expenses to sales compared with the prior year (to test occurrence)
  • Current ratio compared to prior year (to test for solvency and going concern)
  • Comparing current year profit margins with prior periods (to test accuracy and occurrence)
  • For pension or postemployment benefit plans: actuarial value of plan assets divided by actuarial accrued liability compared to prior year (to test completeness and accuracy)
  • For debt: total debt divided by total assets compared to prior year (to test the financial strength of the entity and going concern)
  • For inventory: cost of goods sold divided by average inventory compared to prior year (to test existence and occurrence)

Now let’s see how to document your substantive analytics.

Documenting Substantive Analytical Procedures

In performing substantive analytical procedures, document the following:

1. The reliability of the data 

Document why you believe the data is trustworthy. Reasons could include your prior experience with the client’s accounting system and internal controls related to the information you are using. Though a walkthrough sheds light on those controls, a test of controls for effectiveness provides even greater support for the reliability of the data. Testing controls is optional, however. 

2. Assessed risk of material misstatement by assertion 

Document the assertions being addressed and the related risks of material misstatement. 

3. Expectation 

Document a sufficiently precise expected result of the computation or comparison. You can use a range. Document the expectation prior to examining the recorded numbers. Why? To reduce bias. If the current year expectation is different from the prior year, explain why. For example, if payroll has been stable over the last three years but is expected to increase eight percent in the current year, document why. A less precise expectation may be acceptable if a test of details is performed along with the substantive analytic. 

4. Approach 

Document if the substantive analytic is to be used alone or in conjunction with a test of details. 

5. Acceptable difference 

The acceptable difference is the amount that requires no further investigation. So, for example, if the analytic is $30,000 different from the recorded amount and the acceptable difference is $50,000, you are done. No additional work is necessary. Unacceptable differences require further investigation such as inquiries of management and other audit procedures. Consider the performance materiality for the transaction or account balance as you develop the acceptable difference amount. Also, consider the assessed risk of material misstatement. Higher risk requires a lower acceptable difference. 

6. Conclusion 

Document whether the computation or comparison falls within your expectation. Perform and document other procedures performed if the result is not within your acceptable difference. Your conclusion should include a statement regarding whether you believe the account or transaction balance is materially correct. After all, that’s the purpose of the substantive analytic. 
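The six documentation steps above, the fifty-apartment rental expectation from earlier in the article and the departmental payroll disaggregation can be carried through in a few lines. The Python below is an added example written for this page, not code from the article or from any audit software. The unit count and monthly rent are the article’s; the vacancy rate, performance materiality, recorded revenue, departmental payroll figures and the proportions used to turn performance materiality into an acceptable difference are all assumptions made for the example.

```python
from decimal import Decimal

# --- Constructed inputs (not client data) ---------------------------------
UNITS = 50                                  # identical apartments (from the article)
MONTHLY_RENT = Decimal("2000")              # per unit per month (from the article)
AVERAGE_VACANCY_RATE = Decimal("0.04")      # assumed, from the prior-year rent roll
PERFORMANCE_MATERIALITY = Decimal("60000")  # assumed for the revenue balance
RECORDED_RENTAL_REVENUE = Decimal("1168500")  # assumed recorded amount

# Assumed departmental payroll for a larger entity, prior and current year.
PRIOR_YEAR_DEPT_PAYROLL = {"ops": Decimal("3100000"), "sales": Decimal("1900000"),
                           "admin": Decimal("900000")}
CURRENT_YEAR_DEPT_PAYROLL = {"ops": Decimal("3300000"), "sales": Decimal("2000000"),
                             "admin": Decimal("1300000")}


def expected_rental_revenue(units, monthly_rent, vacancy_rate):
    """Step 3: build the expectation from independent inputs, before looking at the books."""
    return units * monthly_rent * 12 * (1 - vacancy_rate)


def acceptable_difference(performance_materiality, assessed_risk):
    """Step 5: a higher assessed risk of misstatement means a smaller acceptable difference.

    The proportions are an assumption for this example, not a standard's table.
    """
    factors = {"low": Decimal("0.75"), "moderate": Decimal("0.50"), "high": Decimal("0.25")}
    return performance_materiality * factors[assessed_risk]


def evaluate_analytic(expected, recorded, tolerable):
    """Step 6: compare recorded to expected; flag anything outside the acceptable difference."""
    difference = recorded - expected
    return {
        "expected": expected,
        "recorded": recorded,
        "difference": difference,
        "investigate": abs(difference) > tolerable,
    }


def department_ratios(dept_totals):
    """Disaggregation: each department's share of total payroll."""
    total = sum(dept_totals.values())
    return {dept: amount / total for dept, amount in dept_totals.items()}


def ratio_shifts(prior, current, tolerance=Decimal("0.03")):
    """Departments whose share of payroll moved by more than `tolerance` (assumed) year over year."""
    prior_ratios, current_ratios = department_ratios(prior), department_ratios(current)
    return {dept: (prior_ratios[dept], current_ratios[dept])
            for dept in current_ratios
            if abs(current_ratios[dept] - prior_ratios[dept]) > tolerance}


if __name__ == "__main__":
    expected = expected_rental_revenue(UNITS, MONTHLY_RENT, AVERAGE_VACANCY_RATE)
    for risk in ("moderate", "high"):
        result = evaluate_analytic(expected, RECORDED_RENTAL_REVENUE,
                                   acceptable_difference(PERFORMANCE_MATERIALITY, risk))
        print(f"risk={risk}: difference {result['difference']}, investigate={result['investigate']}")
    for dept, (p, c) in ratio_shifts(PRIOR_YEAR_DEPT_PAYROLL, CURRENT_YEAR_DEPT_PAYROLL).items():
        print(f"{dept}: share moved from {p:.3f} to {c:.3f}")
```

The same $16,500 difference is acceptable at a moderate assessed risk and has to be investigated at a high one, which is the point of tying the acceptable difference to the risk assessment rather than picking a round number; the order of the functions mirrors the documentation steps so that the expectation exists in the workpaper before the recorded amount is examined.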

Here are some concluding thoughts about substantive analytics. 

Other Substantive Analytical Considerations

Substantive analytics are not required. So, think of them as an efficient alternative to test of details.

If the company has weak internal controls or a history of significant misstatements, rely more on tests of details. Substantive analytics work better in stable environments. Additionally, if you, as the auditor, expect to make several material audit adjustments, record those prior to creating substantive analytics. This will help reduce the distortion from those misstatements. 

Testing of controls for effectiveness lends strength to substantive analytics. If the controls are effective, you’ll have more confidence in the substantive analytics. For example, if you test the disbursement approval controls and find them to be effective, the expense analytics will be more trustworthy. If you are testing controls for effectiveness, you may want to do so before creating any related substantive analytics. 

You may also want to see AU-C 520, Analytical Procedures in the audit standards. 

Check out my new book: Audit Risk Assessment Made Easy, available on Amazon. I provide a free YouTube video series that goes along with the book. 

SOC Report
Apr 24

When are SOC Reports Needed by an External Auditor?

By Charles Hall | Auditing

Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, what are SOC reports and when are they needed?


What are SOC Reports?

When an entity provides services to other entities (e.g., ADP payroll services), the service organization desires to provide comfort to their clients. Why? Well the service organization wants to provide assurance regarding the safety and effectiveness of its services. Trust is foundational to the business relationship. Therefore, the service organization provides comfort to clients by hiring an outside independent auditor to review its accounting system. The result of that review is a service organization control report. 

So if ADP desires to give comfort to its clients regarding the design and operation of its accounting system, it will hire an outside audit firm to review and render an opinion on its internal controls. While SOC reports provide comfort to the service organization’s clients, they are also used in another manner. 

Suppose ADP provides payroll services to Jet Sports, Inc. The auditors of Jet Sports will review ADP’s SOC report to see if their accounting system is appropriately designed and operating. After all, ADP, in this example, is an extension of Jet Sports, Inc.’s accounting system. Jet’s auditors view ADP’s services as a part of Jet’s accounting system: Jet has simply outsourced their payroll services to ADP. That’s why ADP’s SOC report is relevant to Jet Sports, Inc.’s audit. 

When are SOC Reports Needed?

SOC reports are needed when:

  • The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
  • The SOC report provides information concerning a significant transactions cycle

Many organizations outsource portions of their accounting to service organizations, such as ADP’s payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.

All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.

A financial statement auditor is concerned with material misstatements, regardless of how or where they occur, and regardless of who allows the misstatement. Therefore, auditors look for internal controls weaknesses in both the entity being audited and service organizations.

As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.

Definitions Related to Service Organizations

Before delving into the details of service organization controls, let’s define a few key words.

Complementary user entity controls. These are the controls performed by users of a service organization’s services. These entity controls complement the service organization’s controls: both are necessary to ensure the process is safe and effective. For example, your client might perform the complementary control of reviewing payroll hours reported before providing those to an outside payroll service organization. 

Service auditor. The auditor that reports on controls at a service organization.

Service organization. An organization that provides services to user entities that impact the user entity’s financial reporting.

User auditor. The auditor that audits the financial statements of a user entity.

User entity. An entity that uses a service organization and its related SOC report. 

Audit Standard for Service Organizations

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting.

So if a service organization’s activities affect an entity’s information system, business processes, or financial reporting, then that activity is relevant. 

When is a SOC report not needed?

When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:
 
This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).
 
Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.

Complementary User Entity Controls

The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as complementary user entity controls. If the complementary controls operate effectively, the user auditor–the auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.

Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions and the complementary controls would not detect material misstatements, then the user auditor may need SOC reports or other service organization information.

When complementary controls are present, they should be reviewed in the walkthrough of controls by the user auditor. For example, if your client reviews payroll time recorded prior to submission to an outside payroll service provider, then determine if this control is designed appropriately and implemented (as you do for all key controls). SOC reports usually provide a list of complementary controls, so look there for potential client controls. Then see if they are in use. 

Is the Placement of a SOC Report in the Audit File Sufficient?

Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.

A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.

Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.

If controls weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).

Type 1 or Type 2 SOC Reports?

Service organization auditors can issue type 1 or type 2 reports.

A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.

A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

The type 1 report provides information about the service organization’s system and the design of its controls as of a point in time. The type 2 report provides an opinion on the system description and on the design and operating effectiveness of the controls over a period. Either report can be used to gain an understanding of the controls, but only a type 2 report provides evidence that the controls operated effectively; a type 1 report does not support a reduced control risk assessment.

You may see, in some of these SOC reports, carve-outs. 

Carve-Outs

Many SOC reports carve out services that are provided to the service organization by another service provider (a service provider to a service provider, if you will). In such a situation, consider whether you need to review the sub-service provider’s SOC report. (Sub-service providers are named in the SOC report along with what they do.)

So, should you (the user auditor) ever visit a service organization’s office?

Should the Auditor Visit the Service Organization?

Usually, the user auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.

SOC Reports Summary

In summary, if you audit an entity that uses a service organization, consider whether you need a SOC report. If the service organization provides services that impact a significant transaction cycle or account balance, then you probably need to review the related SOC report. Why? To see if there are any service organization internal control weaknesses that impact your client’s audit. 
