Category Archives for "Auditing"

Feb 26

SSAE 19: Agreed-Upon Procedures Engagements

By Charles Hall | Auditing

On December 19, 2019, the AICPA released SSAE 19, Agreed-Upon Procedures Engagements. AUPs give you the ability to provide assurance in a targeted manner (e.g., just for inventory). Though you've been able to perform AUPs for many years, the new guidance in SSAE 19 provides greater flexibility. See how below.

Greater AUP Flexibility

CPAs will find the new agreed-upon procedures (AUP) standard (SSAE 19) more flexible than the preceding guidance (SSAE 18, AT-C section 215).

How is it more flexible?

  • You no longer request an assertion from the responsible party
  • You can issue general-use reports 
  • Intended users are not required to take responsibility for the sufficiency of the procedures
  • You can develop or assist in developing the procedures over the course of the engagement

And which of these do I like the best? No requirement for assertions.

Additionally, I like the option to develop AUP procedures as the engagement progresses. In the past, the client might review the draft AUP report (at the end of the engagement) and realize it doesn't meet their needs. Sometimes it's better for practitioners to develop procedures as they perform the AUP. SSAE 19 allows you to do just that.

So, if you develop new procedures, what must you do? Prior to issuance of the AUP report, obtain the engaging party's agreement regarding the procedures. Moreover, obtain their acknowledgement that the procedures are appropriate and that they satisfy the intended purpose of the engagement. In effect, the client reviews the procedures, agrees with them, and expresses satisfaction.

Definition of an Agreed-Upon Procedures Engagement

SSAE 19 defines an agreed-upon procedures engagement as "an attestation engagement in which a practitioner performs specific procedures on subject matter and reports the findings without providing an opinion or conclusion. The subject matter may be financial or nonfinancial information." The standard goes on to say, "Because the needs of the engaging party may vary widely, the nature, timing, and extent of the procedures may vary, as well."


Now, let's see what the AUP objectives are.

SSAE 19 Objectives

The objectives of an SSAE 19 engagement include:

  • Applying specific procedures to subject matter
  • Issuing a written practitioner's report that describes the procedures applied and the findings

Next, let's look at the structure of an AUP report.

AUP Report Structure

The structure of the AUP report should be as follows:

  • Procedures
  • Findings

So, the CPA should state what was done and then provide the findings (results). The procedures and findings are placed in the body of the AUP report. 

The description of the procedures should be simple and clear.

Good AUP Procedure and Finding

Here's an example of a good AUP procedure and finding:

Procedure - We obtained the January 2022 check register and the January operating bank account statement. We compared check numbers 2850, 2892, 2933, 2935, 2972 to cleared checks agreeing the payee and the amount. 

Findings - No exceptions were noted.
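The procedure above is mechanical enough to script. The following is an added example, not code from the original post or from SSAE 19: it agrees the five selected check numbers from a check register to the cleared checks on a bank statement (payee and amount) and renders the finding in the plain form the standard favours. The register and statement are constructed sample data.

```python
"""Agreed-upon procedure: agree selected checks to cleared checks (added example)."""
from decimal import Decimal

# Constructed January check register: check number -> (payee, amount)
CHECK_REGISTER = {
    2850: ("Acme Office Supply", Decimal("1250.00")),
    2892: ("Northside Electric", Decimal("4310.55")),
    2933: ("Jones Legal Services", Decimal("2000.00")),
    2935: ("Ridge Landscaping", Decimal("875.00")),
    2972: ("Metro Insurance Group", Decimal("6420.00")),
}

# Constructed January bank statement: cleared checks as (number, payee, amount)
BANK_STATEMENT = [
    (2850, "Acme Office Supply", Decimal("1250.00")),
    (2892, "Northside Electric", Decimal("4310.55")),
    (2933, "Jones Legal Services", Decimal("2000.00")),
    (2935, "Ridge Landscaping", Decimal("875.00")),
    (2972, "Metro Insurance Group", Decimal("6420.00")),
]

# The check numbers named in the procedure
SELECTED_CHECKS = [2850, 2892, 2933, 2935, 2972]


def agree_checks(selected, register, statement):
    """Compare each selected check to its cleared image, agreeing payee and amount.

    Returns a list of exception strings; an empty list means no exceptions.
    Each exception names the check number and the attribute that did not agree,
    so the finding can be reported specifically rather than as "seemed okay".
    """
    cleared = {num: (payee, amt) for num, payee, amt in statement}
    exceptions = []
    for num in selected:
        if num not in register:
            exceptions.append(f"Check {num}: not found in check register")
            continue
        if num not in cleared:
            exceptions.append(f"Check {num}: did not clear the bank in the period")
            continue
        reg_payee, reg_amt = register[num]
        bank_payee, bank_amt = cleared[num]
        # Normalize case and spacing so trivial differences are not exceptions
        if reg_payee.strip().casefold() != bank_payee.strip().casefold():
            exceptions.append(
                f"Check {num}: payee per register '{reg_payee}' vs bank '{bank_payee}'")
        if reg_amt != bank_amt:
            exceptions.append(
                f"Check {num}: amount per register {reg_amt} vs bank {bank_amt}")
    return exceptions


def finding_text(exceptions):
    """Render the finding in the plain wording SSAE 19 favours."""
    if not exceptions:
        return "No exceptions were noted."
    return "Exceptions noted:\n" + "\n".join(f"  - {e}" for e in exceptions)


if __name__ == "__main__":
    print(finding_text(agree_checks(SELECTED_CHECKS, CHECK_REGISTER, BANK_STATEMENT)))
```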

Now, let's look at a poor example:

Poor AUP Procedure and Finding

Procedure - We scanned the company's 2022 bank statements and talked with the CFO. The books seemed to be in order with the exception of July errors.

Finding - Overall, the check disbursements appear to be okay after our general review.

In this poor example, we see general words and statements. What does the word "scanned" mean? How about "seemed to be in order"? Additionally, the finding is vague: "okay after our general review."

SSAE 19 provides examples of acceptable and unacceptable wording.

Acceptable and Unacceptable AUP Wording

SSAE 19 calls on the practitioner to define procedures clearly. Moreover, the standard states that practitioners should not perform procedures that are vague or open to varying interpretations.

Unacceptable Terms

.A27 of the standard even provides examples of unacceptable AUP terms such as:

  • General review
  • Evaluate
  • Examine

Acceptable Terms

.A27 also provides examples of acceptable AUP terms such as:

  • Inspect
  • Compare
  • Agree
  • Recalculate

In addition to proper wording, document your engagement in accordance with SSAE 19.

AUP Documentation

SSAE 19 calls for the following documentation:

  • Written agreement with the engaging party regarding the appropriateness of the procedures performed for the intended purpose of the engagement
  • The nature, timing, and extent of procedures performed
  • The results of the procedures

You'll also need a written engagement letter (see paragraph .15 of SSAE 19 for an example) and a representation letter (see paragraph .27 of SSAE 19 for an example).

So what about dating the representation letter? The representation letter date should be the date of the AUP report. Additionally, the representation letter should address the subject matter and periods covered by the practitioner's findings.

By now you may be thinking, "Where can I find AUP report examples?"

SSAE 19 Illustrative AUP Report

SSAE 19 provides four illustrative AUP reports in its exhibit (see .A78). 

The four example AUP reports relate to:

  1. Statement of investment performance statistics
  2. Cash and accounts receivable
  3. Claims of creditors
  4. Procedures specified in regulation

If you're looking for a template to follow, see example 2. Why? The cash and accounts receivable procedures and findings are excellent. Build procedures and findings like these and you'll be in good shape.

I suggest you download SSAE 19 and keep these reports handy.

So, what about independence? Is that required?

Attestation Independence

The practitioner has to be independent in order to perform an AUP.  

One exception exists when the practitioner "is required by law or regulation to accept an agreed-upon procedures engagement and report on the procedures performed and findings obtained."

SSAE 19 Effective Date

The effective date of SSAE 19 is for AUP reports dated on or after July 15, 2021.

Early implementation is permitted.

If third party assurance is not needed, consider issuing a consulting report in lieu of an AUP report. See my article: AICPA Consulting Standards - The Swiss Army Knife.

Feb 08

Significant Risks in Audits of Financial Statements

By Charles Hall | Auditing

Peer reviews find that many CPA firms don't identify significant risks in audits, and that's a problem. Why? Because they are the seedbed of many material misstatements. And when material misstatements are not identified, audit failure often occurs.

Below, I will tell you how to identify, assess, and respond to significant risks.

I also explain the new requirement to communicate significant risks to those charged with governance.  


Defining Significant Risk

The Auditing Standards Board previously defined significant risks as those deserving special audit consideration. They've amended this definition in SAS 145 to focus on the inherent risk characteristics rather than the response.

For example, a highly complex receivable allowance is inherently risky because it's subjective and complicated. Yes, we will give it special audit consideration. But it's a significant risk because of its nature (subjective and complex), not because of our response (re-computing the estimate and comparing it with prior periods, for example). 

How Many Significant Risks?

At least one significant risk exists in most audits, and frequently there are more. The number depends on the entity, its environment, the types of services it provides or goods it sells, the complexity of its accounts, the subjectivity of determining balances, the susceptibility of accounts to bias or fraud, and the level of change.

Defined in SAS 145

SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement, defines significant risk in terms of likelihood and magnitude. The threat must be likely, and the result must be material. (See my SAS 145 article.)

The audit standard defines the risk as one close to the upper end of the spectrum of inherent risk without regard for controls. In other words, we consider the inherent risk factors, and we disregard internal controls as we identify these risks.

Align Inherent Risk with Significant Risk

Notice that significant risks are based solely upon inherent risk. So don’t make the mistake of identifying such a risk and then assessing inherent risk below high. After all, the definition says close to the upper end of the spectrum of inherent risk.

Suppose, for example, you identify a significant risk for the allowance for uncollectible receivables, an estimate, due to concerns about the valuation assertion (because it's complex and subjective; see inherent risk factors below). Then the inherent risk for the valuation assertion must be high (or max).

It's useful to think of inherent risk on a scale of 1 to 10, with 10 being high risk. If you believe the inherent risk is a 9 or a 10 (close to the upper end of the spectrum of inherent risk), then a significant risk is present. Though auditors commonly use low, moderate, and high to measure inherent risk, the audit standards don't specify how this is to be done. I'm not saying don't use low, moderate, high, only that thinking of inherent risks on a scale of 1 to 10 helps me evaluate risk and determine whether a significant risk is present.

Inherent Risk Factors

And what are the inherent risk factors? 

  • Complexity
  • Subjectivity
  • Change
  • Uncertainty
  • Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)

Two Questions to Consider

So the auditor reviews an assertion and asks, "In light of these risk factors, what is the probability of misstatement without regard for controls?" The auditor also asks, "Would a material misstatement occur?" So we consider two things:

  • Is it highly likely that a misstatement will occur for the assertion (without regard for controls)?
  • Will the misstatement be material?

If both answers are yes, it's a significant risk.

Responses to Significant Risks

Peer reviews find that auditors sometimes identify these risks but plan inadequate responses. If the risk is significant, then a strong response is necessary. 

For example, if inventory obsolescence is an issue, the auditor should plan procedures to identify the impaired items and test for appropriate valuation. You may need a specialist in such a situation. So, what would be an inadequate response?  Performing basic inventory procedures. Additional procedures, sometimes referred to as extended steps, are necessary to address the inventory valuation assertion.

As you plan the additional audit procedures, link them from the identified risk (usually on your summary risk assessment form) to your responses (usually on your audit program). In the inventory example, you would link the risk for the valuation assertion to the inventory audit steps (the extended steps to identify and value the impaired items).


You must also communicate these risks to those charged with governance. 

Communicating Significant Risks

Communicate the significant risks to those charged with governance as you implement SAS 134, Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements (required for December 31, 2021 year-end engagements and after).

(See my SAS 134 article to understand the types of audit opinions.)  

Present guidance states that significant risks are those that deserve special audit consideration, so you'll use that definition until SAS 145 is implemented. (Even so, SAS 145 will help you understand these risks now.)


How to Communicate 

You can communicate significant risks in one of three ways:

  1. Engagement letter
  2. Planning letter to those charged with governance
  3. Verbally to the board, with documentation of that communication in the audit file: this could be a separate Word document that says who you talked with, when, and the significant risk areas communicated.

The Communication Change

SAS 134 amended AU-C 260.11 (AU-C 260 The Auditor's Communication with Those Charged with Governance) as follows (amended language is underlined):

The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor.

Sample Significant Risk Language 

Here's an example of the language to be used in any of the three options above:

The anticipated significant risk areas in the audit are:

  1. receivables/revenues,
  2. the allowance for uncollectibles, and
  3. the pension liability and disclosure.

Aligning the Communication with Workpapers

The significant risk areas communicated to the board during planning should align with those identified in your workpapers. You might not, however, know all of the risk areas when you create your initial communication. It's even possible you won't identify these risks until you are well into the engagement. So the initial significant risk communication and the identified risks in the audit file could be different. You can communicate any additional risks in your final communication to those charged with governance.

Why are we making this communication to the board? Well, the board governs the entity, so they need to be aware of areas with a higher risk of potential misstatements.

Optional Communication 

The explanatory information that accompanies AU-C 260 (specifically .A21) states you may include in the governance communication how you (as the auditor) are going to address the significant risks, but this is optional.  

Audit Risk Assessment Book on Amazon

See my book on Amazon: Audit Risk Assessment Made Easy, Seeing What Others Miss.

 

Feb 02

Auditing Accounts Payable and Expenses

By Charles Hall | Auditing

Accounts payable is usually one of the more important audit areas. Why? Risk. First, it’s easy to increase net income by not recording period-end payables. Second, many forms of theft occur in the accounts payable area.


In this post, I’ll answer questions such as, “how should we test accounts payable?” And “should I perform fraud-related expense procedures?” We’ll also take a look at common payables-related risks and how to respond to them. In short, you will learn what you need to know about auditing accounts payable.

Auditing Accounts Payable and Expenses — An Overview

What is a payable? It’s the amount a company owes for services rendered or goods received. Suppose the company you are auditing receives $2,000 in legal services in the last week of December 2019, but the law firm sends the related invoice in January 2020. The company owes $2,000 as of December 31, 2019. The services were provided, but the payment was not made until after the year-end. Consequently, the company should accrue (record) the $2,000 as payable at year-end.

In determining whether payables exist, I like to ask, “if the company closed down at midnight on the last day of the year, would it have a legal obligation to pay for a service or good?” If the answer is yes, then record the payable even if the invoice is received after the year-end. Was a service provided or have goods been received by year-end? If yes (and the amount has not already been paid), accrue a payable.

In this post, we will cover the following things an accounts payable auditor needs to consider:

  • Primary accounts payable and expense assertions
  • Accounts payable and expense walkthroughs
  • Directional risk for accounts payable and expenses
  • Primary risks for accounts payable and expenses
  • Common accounts payable and expense control deficiencies
  • Risks of material misstatement for accounts payable and expenses
  • Search for unrecorded liabilities
  • Auditing for accounts payable and expense fraud
  • Substantive procedures for accounts payable and expenses
  • Typical accounts payable and expense work papers

So, let’s begin our journey of auditing accounts payable and expenses.

Primary Accounts Payable and Expense Assertions

The primary relevant accounts payable and expense assertions are:

  • Existence
  • Completeness
  • Cutoff
  • Occurrence

Of these assertions, I believe completeness and cutoff (for payables) and occurrence (for expenses) are usually most important. When a company records its payables and expenses by period-end, it is asserting that they are complete and that they are accounted for in the right period. Additionally, the company is implying that amounts paid are legitimate.

Accounts Payable and Expense Walkthroughs

As we perform walkthroughs of accounts payable and expenses, we are looking for understatements (though they can also be overstated). We are asking, "what can go wrong?" whether intentionally or by mistake.


In performing accounts payable and expense walkthroughs, ask questions such as:

  • Who reconciles the accounts payable summary to the general ledger?
  • Does the company use an annual expense budget?
  • Are budget/expense reports provided to management or others? Who receives these reports?
  • What controls ensure the recording of payables in the appropriate period?
  • Who authorizes purchase orders? Are any purchases authorized by means other than a purchase order? If yes, how?
  • Are purchase orders electronic or physical?
  • Are purchase orders numbered?
  • How does the company vet new vendors?
  • Who codes invoices (specifies the expense account) and how?
  • Are three-way matches performed (comparison of purchase order with the receiving document and the invoice)?
  • Are paid invoices marked “paid”?
  • Does the company have a purchasing policy?
  • Can credit cards be used to bypass standard purchasing procedures? Who has credit cards and what are the limits? Who reviews credit card activity?
  • Are bids required for certain types of purchases or dollar amounts? Who administers the bidding process and how?
  • Do larger payments require multiple approvals?
  • Which employees key invoices into the accounts payable module?
  • Who signs checks or makes electronic payments?
  • Who is on the bank signature card?
  • Are signature stamps used? If yes, who has control of the signature stamps and whose signature is affixed?
  • How are electronic payments made (e.g., ACH)?
  • Is there adequate segregation of duties for persons:
    • Approving purchases,
    • Paying payables,
    • Recording payables, and
    • Reconciling the related bank statements
  • Which persons have access to check stock and where is the check stock stored?
  • Who can add vendors to the payables system?
  • What are the entity’s procedures for payments of travel and entertainment expenses?
  • Who reconciles the bank statements and how often?

As we ask these questions, we inspect documents (e.g., payables ledger) and make observations (e.g., who signs checks or makes electronic payments?). So, we are inquiring, inspecting, and observing.

If control weaknesses exist, we create audit procedures to respond to them. For example, if, during the walkthrough, we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will perform fraud-related substantive procedures (more about this in a moment).

Here’s a short video about risk assessment for accounts payable auditors.

Directional Risk for Accounts Payable and Expenses

The directional risk for accounts payable and expenses is an understatement. So, perform procedures to ensure that invoices are properly included. For example, perform a search for unrecorded liabilities (see below).

Primary Risks for Accounts Payable and Expenses

The primary risks for accounts payable and expenses are:

  1. Accounts payable and expenses are intentionally understated
  2. Payments are made to inappropriate vendors
  3. Duplicate payments are made to vendors

Keep these in mind as you audit accounts payable.

Common Payable and Expense Control Deficiencies


In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following:
    • Approves purchases,
    • Enters invoices in the accounts payable system,
    • Issues checks or makes electronic payments,
    • Reconciles the accounts payable bank account,
    • Adds new vendors to the accounts payable system
  • A second person does not review payments before issuance
  • No one performs surprise audits of accounts payable and expenses
  • Bidding procedures are weak or absent
  • No one reconciles the accounts payable detail to the general ledger
  • New vendors are not vetted for appropriateness
  • The company does not create a budget
  • No one compares expenses to the budget
  • Electronic payments can be made by one person (with no second-person approval or involvement)
  • The bank account is not reconciled on a timely basis
  • When bank accounts are reconciled, no one examines the canceled checks for appropriate payees (the dollar amount on the bank statement is agreed to the general ledger but no one compares the payee name on the cleared check to the vendor name in the general ledger)

When segregation of duties is lacking, consider whether someone can use the expense cycle to steal funds. How? By making payments to fictitious vendors, for example. Or intentionally paying a vendor twice–and then stealing the second check. (See the section titled Auditing for Fraud below.)

Risks of Material Misstatement for Payables and Expenses

In smaller engagements, I usually assess control risk at high for each assertion. When I assess control risk at less than high, I have to test controls to support the lower risk assessment. Therefore, assessing risks at high is usually more efficient (than testing controls).

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). The assertions that concern me the most are completeness, occurrence, and cutoff. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a search for unrecorded liabilities and detailed expense analyses. The particular expense accounts that I examine are often the result of my preliminary planning analytics.

Search for Unrecorded Liabilities

How does one perform a search for unrecorded liabilities? Use these steps:

  1. Obtain a complete check register for the period subsequent to your audit period
  2. Pick a dollar threshold ($10,000) for the examination of subsequent payments
  3. Examine the subsequent payments (above the threshold) and related invoices to determine if the payables are suitably included or excluded from the period-end accounts payable detail
  4. Inquire about any unrecorded invoices

As the RMM for completeness increases, vouch payments at a lower dollar threshold.
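The four steps above, carried through as an added example (not code from the original post): subsequent payments at or above the threshold are sorted into those properly recorded in the year-end payables detail, those properly excluded because the obligation arose after year-end, and those unrecorded. The payments, invoices and AP detail are constructed sample data, and the example assumes each payment record carries the invoice's service date, since that date (not the invoice or check date) decides whether the liability existed at period-end. Lowering the threshold, as the sentence above suggests for a higher completeness RMM, pulls more payments into the test.

```python
"""Search for unrecorded liabilities over subsequent disbursements (added example)."""
from datetime import date
from decimal import Decimal

PERIOD_END = date(2019, 12, 31)
THRESHOLD = Decimal("10000")

# Constructed subsequent check register (January 2020) with related invoice detail:
# (check no., vendor, amount, invoice no., service date)
SUBSEQUENT_PAYMENTS = [
    (3001, "Jones Legal Services", Decimal("12000.00"), "JL-1189", date(2019, 12, 27)),
    (3002, "Northside Electric", Decimal("15400.00"), "NE-5520", date(2019, 12, 15)),
    (3003, "Acme Office Supply", Decimal("2300.00"), "AO-778", date(2019, 12, 30)),
    (3004, "Ridge Landscaping", Decimal("11000.00"), "RL-402", date(2020, 1, 6)),
    (3005, "Metro Insurance Group", Decimal("24000.00"), "MI-90", date(2019, 12, 20)),
]

# Constructed year-end accounts payable detail: invoice number -> amount recorded at 12/31
AP_DETAIL_AT_YEAR_END = {"NE-5520": Decimal("15400.00"), "MI-90": Decimal("24000.00")}


def search_unrecorded_liabilities(payments, ap_detail, period_end, threshold):
    """Classify each subsequent payment at or above the threshold.

    Returns (unrecorded, recorded, excluded) lists of payment tuples.
    A payment belongs in year-end payables when its service date is on or before
    period end; it is 'unrecorded' if its invoice is missing from the AP detail
    or is carried there at a different amount.
    """
    unrecorded, recorded, excluded = [], [], []
    for pmt in payments:
        _, _, amount, invoice_no, service_date = pmt
        if amount < threshold:
            continue  # below the dollar threshold chosen in step 2
        if service_date > period_end:
            excluded.append(pmt)  # obligation arose after year-end: not a payable
        elif ap_detail.get(invoice_no) == amount:
            recorded.append(pmt)  # properly included in the period-end detail
        else:
            unrecorded.append(pmt)  # candidate unrecorded liability: inquire (step 4)
    return unrecorded, recorded, excluded


def unrecorded_total(payments, ap_detail, period_end, threshold):
    """Sum of the omitted liabilities, for comparison to materiality."""
    unrecorded, _, _ = search_unrecorded_liabilities(payments, ap_detail, period_end, threshold)
    return sum((p[2] for p in unrecorded), Decimal("0"))


if __name__ == "__main__":
    found, _, _ = search_unrecorded_liabilities(
        SUBSEQUENT_PAYMENTS, AP_DETAIL_AT_YEAR_END, PERIOD_END, THRESHOLD)
    for chk, vendor, amt, inv, svc in found:
        print(f"Unrecorded: check {chk} to {vendor}, invoice {inv} (service {svc}), {amt}")
```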

How should you perform a detailed analysis of expense accounts? First, compare your expenses to budget—if the entity has one—or to prior year balances. If you note any significant variances (that can’t be explained), then obtain a detail of those particular expense accounts and investigate the cause.

Theft can occur in numerous ways—such as fictitious vendors or duplicate payments. If control weaknesses are present, consider performing fraud-related procedures. When fraud-related control weaknesses exist, assess the RMM for the occurrence assertion at high. Why? There is a risk that the expense (the occurrence) is fraudulent.

So, how should you respond to such risks?

Auditing for Fraud

An example of a fraud-related test is one for duplicate payments. How?

  • Obtain a check register in Excel
  • Sort by the vendor
  • Scan the check register for payments made to the same vendor for the same amount
  • Inquire about payments made to the same vendor for the same amount

In a duplicate payment fraud, the thief intentionally pays an invoice twice. He steals the second check and converts it to cash.

This is just one example of expense fraud. There are dozens of such schemes.
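The duplicate-payment test above, as an added example that is not code from the original post: it reads a check register exported from Excel as CSV, sorts by vendor, and returns every vendor-and-amount pair that appears on more than one check, the list you would then inquire about. The register is a constructed sample; vendor names are normalized so a trailing space or different capitalization does not hide a match.

```python
"""Duplicate-payment test over a check register (added example)."""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed CSV export of a check register (as it might come out of Excel)
CHECK_REGISTER_CSV = """check_no,date,vendor,invoice_no,amount
4101,2022-03-02,Acme Office Supply,AO-912,1250.00
4102,2022-03-04,Northside Electric,NE-6001,4310.55
4118,2022-03-18,Acme Office Supply,AO-912,1250.00
4120,2022-03-21,Jones Legal Services,JL-1302,2000.00
4133,2022-03-29,northside electric ,NE-6001,4310.55
4140,2022-04-01,Ridge Landscaping,RL-455,875.00
"""


def load_register(csv_text):
    """Parse the CSV export into a list of dicts, converting amounts to Decimal."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def normalize_vendor(name):
    """Collapse case and spacing so 'Acme ' and 'acme' sort and group together."""
    return " ".join(name.split()).casefold()


def find_duplicate_payments(rows):
    """Return {(vendor, amount): [check numbers]} for same-vendor, same-amount payments.

    Mirrors the manual test: sort by vendor, then scan for repeated amounts.
    Only groups with two or more checks are returned; check numbers keep
    register order so the first and second payment are easy to tell apart.
    """
    ordered = sorted(rows, key=lambda r: (normalize_vendor(r["vendor"]), r["amount"]))
    groups = defaultdict(list)
    for row in ordered:
        groups[(normalize_vendor(row["vendor"]), row["amount"])].append(row["check_no"])
    return {key: checks for key, checks in groups.items() if len(checks) > 1}


def duplicate_report(rows):
    """One line per suspect group, ready to paste into an inquiry list."""
    lines = []
    for (vendor, amount), checks in sorted(find_duplicate_payments(rows).items()):
        lines.append(f"{vendor}: {amount} paid {len(checks)} times, checks {', '.join(checks)}")
    return lines


if __name__ == "__main__":
    for line in duplicate_report(load_register(CHECK_REGISTER_CSV)):
        print(line)
```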

Substantive Procedures for Accounts Payable and Expenses

My customary audit tests are as follows:

  1. Vouch subsequent payments to invoices using the steps listed above (in Search for Unrecorded Liabilities)
  2. Compare expenses to budget and examine any unexplained variances
  3. When control weaknesses are present, design and perform fraud detection procedures

If there are going concern issues, you may need to examine the aged payables listing. Why? Management can fraudulently shorten invoice due dates. Doing so makes the company appear more current. For example, suppose the business has three unpaid invoices totaling $1.3 million that were due over ninety days ago. The company changes the due dates in the accounts payable system, causing the invoices to appear as though they were due just thirty days ago. Now the aged payables listing looks better than it would have.


Typical Payable and Expense Work Papers

My accounts payable and expense work papers usually include the following:

  • An understanding of internal controls as they relate to accounts payable and expenses
  • Risk assessment of accounts payable and expenses at the assertion level
  • Documentation of any accounts payable and expense control deficiencies
  • Accounts payable and expense audit program
  • An aged accounts payable detail at period-end
  • A search for unrecorded liabilities work paper
  • Budget to actual expense reports and, if unexpected variances are noted, a detailed analysis of those accounts
  • Fraud-related expense work papers (if significant control weaknesses are present)

So, now you've learned about auditing accounts payable. My next post addresses auditing payroll.

In some entities such as governments, payroll makes up over 50% of total expenses. Consequently, knowing how to audit payroll expenses is of great importance. My next post is titled The Why and How of Auditing Payroll. So, stay tuned.

See my prior posts in The Why and How of Auditing.

Get Your Copy of the Why and How of Auditing

Click the book cover below to go to Amazon.

Get your copy of the Why and How of Auditing.

Jan 14

Control Risk: Financial Statement Audits

By Charles Hall | Auditing , Risk Assessment

Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn’t. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time.


Control Risk Defined

What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner. 

Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.

Audit Risk Model

As we begin this article, think about control risk in the context of the audit risk model:

Audit risk = Inherent risk X Control risk X Detection risk

Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.

Further Audit Procedures

And how does the auditor reduce detection risk? With further audit procedures. Those include tests of controls and substantive procedures (tests of details or substantive analytics).

After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.


Assessing Control Risk at High

Consider the first reason for high control risk assessments: efficiency.

Control risk can be assessed at high, even if—during your walkthroughs—you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay?

Let me answer that question with a billing and collection example. 

Risk At High: Efficiency Decision

You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach. And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions. 

At this point, you may still be thinking, "But, Charles, if controls are appropriately designed and implemented, why is control risk high?" Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That's why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.

In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions. 

Risk at High: Weak Controls

Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example. 

If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)

If, on the other hand, controls are appropriate, then you might test them (though you are not required to). 

Assessing Control Risk at Less than High

What if, based on your walkthrough, controls are okay, and you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment.

But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice. 

Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time. 

Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?

Fully Substantive Audit Approach

Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach.

Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.

Billing and Collection Cycle – Weak Controls

Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:

  • Two employees receipt cash  
  • They both work from one cash drawer 
  • The two employees provide receipts to customers, but only if requested
  • They apply the payments to the customer’s accounts, but they also have the ability to adjust (reduce or write off) customer balances 
  • At the end of the day, one of the two employees creates a deposit slip and deposits the money at a local bank (though this is not always done in a timely manner)
  • These same employees also create and send bills to customers 
  • Additionally, they reconcile the related bank account 

Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play. 

Billing and Collection Cycle – Strong Controls

But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:

  • A separate cash drawer is assigned to each clerk
  • The controller is required to review customer account adjustments on a daily basis (the controller can’t adjust receivable accounts)
  • The cash receipt clerks reconcile their daily activity to a customer receipts report, and the money along with the report is provided to the controller 
  • The controller counts the daily funds received and reconciles the money to the cash receipts report
  • Then the controller creates a deposit slip and provides the funds and deposit slip to a courier
  • Once the deposit is made, the courier gives the bank deposit receipt to the controller
  • A fourth person (who does not handle cash) reconciles the bank statement in a timely manner
  • The monthly customer bills are created and mailed by someone not involved in the receipting process
  • Moreover, the owner reviews a monthly cash receipts report 

Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash. 

Audit Procedures: Basic and Extended

Basic audit procedures for the billing and collection cycle might include:

  • Test the period-end bank reconciliation
  • Create substantive analytics for receivable balances and revenues
  • Confirm receivable accounts and examine subsequent receipts

We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments. 
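To make the segregation-of-duties comparison and the extended procedure concrete, here is an added example (not code from the post). It holds a duty matrix for each of the two scenarios above, checks each person for incompatible duty pairs, and runs the extended substantive test the text describes: pull every receivable adjustment posted by someone who also receipts cash. The employee names, the adjustment entries, and the list of conflicting duty pairs are constructed assumptions, not data from the post.

```python
"""Segregation-of-duties check for a billing and collection cycle (added example).

Duty names follow the two scenarios in the post; employees, adjustment
entries, and the CONFLICTS table are constructed assumptions.
"""
from itertools import combinations

# Assumed incompatible duty pairs: one person holding both can take cash
# and conceal it (e.g. receipt cash, then write off the receivable).
CONFLICTS = {
    frozenset({"receipt_cash", "adjust_receivables"}),
    frozenset({"receipt_cash", "reconcile_bank"}),
    frozenset({"receipt_cash", "bill_customers"}),
    frozenset({"adjust_receivables", "reconcile_bank"}),
    frozenset({"make_deposit", "reconcile_bank"}),
}


def sod_conflicts(duties):
    """Return {employee: [(duty_a, duty_b), ...]} for every conflicting pair held."""
    found = {}
    for person, held in duties.items():
        pairs = [p for p in combinations(sorted(held), 2) if frozenset(p) in CONFLICTS]
        if pairs:
            found[person] = pairs
    return found


def flag_adjustments(adjustments, duties):
    """Extended substantive procedure: receivable adjustments posted by anyone
    who also receipts cash. These are the items to vouch to support."""
    cash_handlers = {p for p, held in duties.items() if "receipt_cash" in held}
    return [a for a in adjustments if a["posted_by"] in cash_handlers]


# Scenario 1, weak controls (constructed from the post's first bullet list)
WEAK = {
    "clerk_a": {"receipt_cash", "adjust_receivables", "make_deposit",
                "bill_customers", "reconcile_bank"},
    "clerk_b": {"receipt_cash", "adjust_receivables", "make_deposit",
                "bill_customers", "reconcile_bank"},
}

# Scenario 2, strong controls (constructed from the post's second bullet list)
STRONG = {
    "clerk_c": {"receipt_cash"},
    "clerk_d": {"receipt_cash"},
    "controller": {"review_adjustments", "count_cash", "make_deposit"},
    "courier": {"deliver_deposit"},
    "reconciler": {"reconcile_bank"},
    "billing_clerk": {"bill_customers"},
    "owner": {"review_receipts_report"},
}

# Constructed sample of receivable adjustments (not real ledger data)
ADJUSTMENTS = [
    {"customer": "C-1001", "amount": -250.00, "posted_by": "clerk_a"},
    {"customer": "C-1042", "amount": -1200.00, "posted_by": "controller"},
    {"customer": "C-1077", "amount": -75.00, "posted_by": "clerk_b"},
]

if __name__ == "__main__":
    print("weak-control conflicts:", sod_conflicts(WEAK))
    print("strong-control conflicts:", sod_conflicts(STRONG))
    print("adjustments to test:", flag_adjustments(ADJUSTMENTS, WEAK))
```

Under the weak scenario both clerks trip five conflicts each and two of the three adjustments land on the test list; under the strong scenario no one holds a conflicting pair and nothing is flagged. That difference is the planning impact the section describes: same basic procedures, but the weak-control client gets the extended adjustment test.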

Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures. 

In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work. 

A Simple Summary

  • Control risk is the probability that an entity’s internal controls will not prevent or detect material misstatements in a timely manner
  • Internal control weaknesses may require a control risk assessment of high
  • Control risk can only be assessed below high when a test of control proves the control to be effective (the test of control provides the basis for the lower risk assessment)
  • If walkthroughs show controls to be appropriately designed and implemented, the auditor can (1) assess control risk at high and use a fully substantive approach, or (2) test controls for effectiveness and, if they work, assess control risk below high, whichever is more efficient
  • Even if an auditor intends to use a fully substantive approach, walkthroughs are necessary to determine if additional substantive tests are needed; additional substantive procedures may be necessary when material fraud is possible due to internal control weaknesses

See my inherent risk article here.

For additional information about risk assessment, see the AICPA’s SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The guidance was issued in October 2021. 

SAS 145
Jan 10

SAS 145: New Risk Assessment Standard

By Charles Hall | Auditing

Statement on Auditing Standards No. 145 (SAS 145), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, updates the risk assessment standards. Auditors need to be aware of these upcoming changes. 

Conceptually, risk assessment remains the same, but some particulars are different and significantly affect how you audit. SAS 145 is voluminous, but below I summarize the salient points to make it easy for you to digest--or, at least, as easy as I could. 


SAS 143, Auditing Accounting Estimates and Related Disclosures, introduced some concepts used in SAS 145. Those concepts include:

  • Inherent risk factors
  • Spectrum of inherent risk
  • Separate assessments of inherent risk and control risk

You’ll see several new definitions below. Understanding those is critical to understanding SAS 145. 

SAS 145 Topics

This article addresses the following SAS 145 topics:

  • Separate inherent and control risk assessments
  • Assessing control risk at the maximum level
  • Significant risks
  • Inherent risk factors and spectrum of risk
  • Relevant assertions
  • Significant classes of transactions, account balances, and disclosures
  • Stand-back requirement
  • Scalability
  • Professional skepticism
  • Information technology (IT) controls
  • System of internal control
  • Increasing complexity of entities and auditing
  • Documentation requirements
  • Effective date of SAS 145

Separate Inherent and Control Risk Assessments

Most auditors have assessed inherent and control risk separately for some time, but those separate assessments were previously not required. SAS 145, however, requires that auditors individually assess these two risks at the assertion level. Interestingly, documenting a combined inherent and control risk assessment is not required. 

You can assess inherent risk and control risk in various ways; the standard does not specify a particular means of doing so. For instance, you might use high, moderate, or low; or use a scale of one to ten (more about this in a moment). 

Assessing Control Risk at the Maximum Level

Many auditors assess control risk at high or maximum, regardless of the internal control structure--whether the controls are designed appropriately and implemented or not. You might plan to use a fully substantive approach; for example, when substantive procedures take less time than testing controls for effectiveness.

If you decide not to test controls for effectiveness, SAS 145 requires that you assess control risk at the maximum (or high) so that the risk of material misstatement is the same as the inherent risk assessment.

So, if control risk is assessed at maximum, can the evaluation of the design and implementation of controls (i.e., walkthroughs) still impact the planned audit procedures? Yes. Increased risk leads to a change in nature, timing, and extent of planned audit procedures. For example, if your walkthrough reveals a lack of segregation of duties, you may need to add more substantive procedures to address fraud risk.   

On the other hand, if a test of controls for effectiveness supports a lower control risk, you can bring the assessment below maximum. But you cannot lower control risk without the support of a test of controls for effectiveness. 

Your inherent risk assessment is crucial if you use a fully substantive approach. Why? Because, with control risk at the maximum, SAS 145 treats the risk of material misstatement as equal to inherent risk. If your inherent risk is assessed higher than it should be, you’ll perform unnecessary work to address the risk and waste time. 

Significant Risks

The Auditing Standards Board provides a new definition for significant risks. The first part of the definition (see paragraph 12 of SAS 145 for the full definition) is as follows:

A significant risk is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur. 



The prior significant risk definition focused on the response to the risk, not the risk itself. That guidance said it was a risk that needed special audit consideration.

The new definition focuses on the risk itself. To be clear, the risk of material misstatement. Notice the new definition requires consideration of likelihood and magnitude. In other words, probability and dollar impact. Also, notice the description is based solely on inherent risk, with no consideration of control risk. (See my article about significant risks.)

Next, we take a look at inherent risk. 

Inherent Risk Factors and Spectrum of Risk

SAS 145 defines inherent risk factors as:

Characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls. Such factors may be qualitative or quantitative and include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk. 

Depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk.


Inherent Risk Factors

Consider the likelihood of misstatement in light of the inherent risk factors, including:

  • Complexity
  • Subjectivity
  • Change
  • Uncertainty
  • Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)

So as you consider the inherent risk of an assertion, use these factors to determine the likelihood of misstatement. Then consider the magnitude of the potential misstatement. If the risk is close to the upper end of the spectrum of risk (for inherent risk) and the potential misstatement is material, then the entity has a significant risk. 

Ten-Point Scale, An Example

I like to evaluate significant risks on a ten-point scale, with ten being the highest risk. SAS 145 does not use such an illustration, but on my scale a nine or a ten is a significant risk, provided it can lead to a material misstatement. For example, a bank’s allowance for loan losses is usually a significant risk because it is a complex estimate in a material account balance. In making this assessment, we disregard internal controls. 

One additional change is SAS 145 removes the requirement to determine whether financial statement level risks are significant risks. Financial statement risk can, however, affect your assessment of significant risks at the assertion level. For example, you might decide that management override creates a significant risk in relation to the occurrence assertion in revenues. 

The term relevant assertion has also changed. 


Relevant Assertions

Using SAS 145, relevant assertions are based on classes of transactions, account balances, and disclosures with an identified risk of material misstatement.

Before SAS 145, we looked at relevant assertions as they related to material classes of transactions, account balances, and disclosures. And relevant assertions were those that had a meaningful bearing on whether an account was fairly stated. (I never knew what meaningful bearing meant.)

The new relevant assertion definition is clearer. Assertions are considered in light of:

  • Likelihood of misstatement
  • Magnitude of misstatement

Relevant Assertion Definition

In SAS 145, a relevant assertion is defined as:

An assertion about a class of transactions, account balance, or disclosure is relevant when it has an identified risk of material misstatement. A risk of material misstatement exists when (a) there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and (b) if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude). The determination of whether an assertion is a relevant assertion is made before consideration of any related controls (that is, the determination is based on inherent risk).


Probability and Dollar Impact

A relevant assertion is one with an identified risk of material misstatement, which exists when there is a reasonable possibility of the misstatement occurring. Reasonable possibility means more than a remote chance of happening. And if it happens, a material misstatement must be possible. Again we see an emphasis upon probability and dollar impact. And again, internal controls are ignored in making this determination. That is, inherent risk is the basis for determining which assertions are relevant.

Inventory Example

As an example, suppose high-technology components comprise inventory that becomes obsolete quickly. Your valuation assertion is inherently risky, and if inventory is a significant account balance, then valuation is a relevant assertion. Notice we made this determination without regard for the related controls. Moreover, we believe there is a reasonable possibility of obsolescence. 

Once again, we see that inherent risk is vital in SAS 145.

We said that relevant assertions relate to significant classes of transactions, account balances, and disclosures. But what are significant classes?

Significant Classes of Transactions, Account Balances, and Disclosures

In SAS 145, significant classes of transactions, account balances, or disclosures are defined in the following manner:

Significant class of transactions, account balance, or disclosure. A class of transactions, account balance, or disclosure for which there is one or more relevant assertions.

So a significant class is one with a relevant assertion--one where the likelihood of material misstatement is more than remote. 

So, if an account balance like receivables, for example, has a relevant assertion, it’s a significant class.

Purpose of the Definition

The purpose of this definition is to clarify the scope of the auditor’s work. In other words, this definition tells us where to focus. We perform risk assessment procedures, assess risk, and plan responses to the identified risks in the significant classes of transactions, account balances, and disclosures. SAS 145 requires substantive procedures for each significant class of transactions, account balance, and disclosure with relevant assertions. 

Consider this: if plant, property, and equipment (PP&E) is material, but there is no relevant assertion for the account balance, it is not a significant area. Suppose a company has $10 million in PP&E (a material balance) and it purchases no new capital assets during the year. There is only one PP&E asset, a building, which has appreciated. Is there a relevant assertion? Probably not. Why? There is little likelihood of material misstatement. 

Now change the scenario and suppose the building suffers an earthquake. Is PP&E a significant class? Yes, if substantial damage occurred. Why? Because you now have a relevant assertion: valuation.  


Stand-Back Requirement

Once you have designated all significant classes of transactions, account balances, and disclosures, evaluate all remaining material areas to see if the initial scope determination is appropriate. Is there a remaining account balance, transaction class, or disclosure that needs our attention, even though it did not qualify as a significant area? If yes, then plan audit procedures accordingly. 


The main point here is that the auditor focuses upon significant classes of transactions, account balances, and disclosures first (those with relevant assertions) and then remaining material amounts (which don’t have relevant assertions). For instance, say you choose cash, receivables/revenues, payables/expenses, and payroll as your significant areas, but not plant, property, and equipment (PP&E) because it has no relevant assertion. In the stand-back phase, ask yourself if PP&E deserves audit scrutiny. If it does, plan PP&E audit procedures. 

A company might have disclosures that are not significant (e.g., executive compensation), but you decide to audit it anyway. Why? You believe the scope of your planned audit is incomplete without it. 

The purpose of the stand-back provision is to ensure completeness of the auditor’s identification of transactions, account balances, and disclosures--the areas the auditor plans to audit. 

Scalability

The complexity of an entity’s activities and environment drives how SAS 145 is scaled to the engagement. 

Size and complexity do not necessarily correlate. Smaller entities tend to be less complex, but some are not--they are complex. Larger entities tend to be more complicated, but some are not. So consider the accounting system, the industry, the internal controls including information technology, and other factors in applying SAS 145. Complexity, not the entity’s size, determines how you use this standard. 

Some entities may lack formal internal control policies. Even so, such a system of internal control can still be functional. Therefore, auditors can vet these informal controls with inquiries, observations, and inspection of documents. In other words, risk assessment works even in small entities with informal controls.

The nature and extent of risk assessment procedures will vary depending upon the nature and circumstances of the entity. Therefore, auditors should exercise judgment in determining the nature and extent of risk assessment procedures. For example, risk assessment procedures can be less for a non-complex business with simple processes. In such a company, the auditor might have fewer inquiries to understand the business and fewer preliminary analytics. 

Audit procedures in an initial audit may be more extensive. After the initial audit period, the auditor can focus on changes since then. (Even so, auditors still need to annually review the design and implementation of key controls related to significant transaction classes, account balances, and disclosures.)

Professional Skepticism

Understanding the entity and its environment, including its reporting framework, is a foundation for professional skepticism. Auditors determine the evidence needed for risk assessment in light of the entity’s nature and accounting system.

SAS 145 highlights the need for auditors to maintain professional skepticism during the engagement team discussion.

Professional skepticism allows the auditor to:

  • Appropriately deal with contradictory information
  • Evaluate the responses received from management and those charged with governance
  • Be alert to potential misstatement due to fraud or error
  • Consider audit evidence in light of the entity’s nature and circumstances

Professional skepticism is necessary for evaluating audit information in an unbiased manner, leading to better identification and assessment of risks of material misstatement.

Next, we look at the effects of information technology on your risk assessments.


Information Technology (IT) Controls

SAS 145 emphasizes IT controls as they affect the risk of material misstatement. The standard introduces a new term, risk arising from the use of IT, and it defines general IT controls.

So what IT controls are you to consider? Those that affect the risk of material misstatement at the assertion level. 

Here’s how I think about this: 

  1. Start with the risk of material misstatement at the assertion level
  2. Determine the IT applications that affect the assertion
  3. Review the general IT controls that affect the IT applications

IT Relevant Assertion Example

For example, say occurrence is a relevant assertion for expenses. Then you might consider an IT control that requires a three-way match for invoice processing; the software will not allow a disbursement without matching the invoice amount, the purchase order amount, and the quantity in the receiving document. In such a system, the IT application is the payables module in the software.

An example of a general control (see definition below) for this application is the password for access to the payables module.

Why is the general IT control (the password, and more broadly the restriction of logical access to the module) important? If access to the payables module were not restricted, anyone could process payments, including payments for goods never ordered or received. And this affects the occurrence assertion.  

As the auditor performs a walkthrough for payables, she will (for example):

  1. Inspect the three-way match documents.
  2. Observe the payables module in use.
  3. Inspect the logical access records from IT, showing who has access to the payables module.
  4. Observe the entry of a password by a payables clerk. 

You don’t need to review all general controls, only those related to risks arising from the use of IT.
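The payables example above can be mirrored in code to show how the two layers of control relate. The block below is an added example, not the post's code or any vendor's payables software: it models the three-way match as the information-processing control and role-based access to the module as the general IT control, and it runs the access check before the match so that an unauthorised user never reaches the payment step. The users, roles, documents, and amount tolerance are constructed assumptions; the password prompt itself is not modelled, only the authorisation decision behind it.

```python
"""Three-way match behind a logical access control for a payables module
(added example; users, roles, documents and tolerances are assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class Receipt:
    po_id: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    po_id: str
    quantity: int
    amount: float


# General IT control (assumed role table): only payables clerks may disburse.
# The controller reviews but does not pay, which keeps the duties separated.
ROLE_MEMBERS = {"payables_clerk": {"pat", "lee"}, "controller": {"dana"}}
DISBURSE_ROLES = {"payables_clerk"}


class AccessDenied(Exception):
    """Raised when a user outside the disbursing roles tries to pay."""


def can_disburse(user):
    """Logical access check: is the user a member of a role allowed to pay?"""
    return any(user in ROLE_MEMBERS.get(role, set()) for role in DISBURSE_ROLES)


def three_way_match(po, receipt, invoice, amount_tolerance=0.01):
    """Information-processing control. Returns a list of mismatch reasons;
    an empty list means the invoice, PO and receiving document agree."""
    reasons = []
    if not (po.po_id == receipt.po_id == invoice.po_id):
        reasons.append("documents reference different purchase orders")
        return reasons
    if invoice.quantity > receipt.quantity_received:
        reasons.append("invoiced quantity exceeds quantity received")
    if invoice.quantity > po.quantity:
        reasons.append("invoiced quantity exceeds quantity ordered")
    expected = round(invoice.quantity * po.unit_price, 2)
    if abs(invoice.amount - expected) > amount_tolerance:
        reasons.append(f"invoice amount {invoice.amount:.2f} differs from PO price x qty {expected:.2f}")
    return reasons


def process_disbursement(user, po, receipt, invoice):
    """Control sequence: authorise the user first, then match, then pay."""
    if not can_disburse(user):
        raise AccessDenied(f"{user} is not permitted to process payments")
    reasons = three_way_match(po, receipt, invoice)
    if reasons:
        return {"paid": False, "reasons": reasons}
    return {"paid": True, "po_id": po.po_id, "amount": invoice.amount}


# Constructed sample documents (not real data)
PO = PurchaseOrder("PO-7731", quantity=100, unit_price=12.50)
RECEIPT_FULL = Receipt("PO-7731", quantity_received=100)
RECEIPT_SHORT = Receipt("PO-7731", quantity_received=80)
INVOICE_OK = Invoice("PO-7731", quantity=100, amount=1250.00)
INVOICE_OVERBILLED = Invoice("PO-7731", quantity=100, amount=1400.00)

if __name__ == "__main__":
    print(process_disbursement("pat", PO, RECEIPT_FULL, INVOICE_OK))
    print(process_disbursement("pat", PO, RECEIPT_SHORT, INVOICE_OK))
    print(process_disbursement("lee", PO, RECEIPT_FULL, INVOICE_OVERBILLED))
    try:
        process_disbursement("dana", PO, RECEIPT_FULL, INVOICE_OK)
    except AccessDenied as exc:
        print("blocked:", exc)
```

When the auditor inspects the access list (step 3 of the walkthrough) she is checking the contents of ROLE_MEMBERS; when she inspects the three-way match documents (step 1) she is checking that `three_way_match` ran and passed. If the access list is wrong, the match logic can be perfect and the occurrence assertion is still at risk, which is why the general control is reviewed alongside the application control.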

Risk Arising from the Use of IT 

SAS 145 defines risk arising from the use of IT as:

Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.

Lower IT Risk

Entities are less likely to be subject to risks arising from the use of IT when they:

  • Use stand-alone applications
  • Have low volumes of transactions
  • Have transactions supported by hard-copy documents

Higher IT Risks

Entities are more likely to be subject to risks arising from the use of IT when they:

  • Have interfaced applications
  • Have high volumes of transactions
  • Have applications that automatically initiate transactions

General IT Controls 

SAS 145 defines general IT controls as: 

Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Examples of general IT controls include firewalls, backup and restoration, intrusion detection, passwords, physical security, and antivirus protection. 

Increasing Complexity of Entities and Auditing

SAS 145 recognizes the increasing complexity of entities and auditing. It does so by highlighting audit methods and tools such as:

  • Remote observation of assets using drones or video cameras
  • Use of data analytics software and visualization techniques to identify risks of material misstatement
  • Performing risk assessment on large volumes of data, including analysis, recalculations, reperformance, and reconciliations

System of Internal Control

SAS 145 replaces the term internal control with system of internal control. It defines system of internal control as:

The system designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. For purposes of GAAS, the system of internal control consists of five interrelated components: 

i. Control environment 

ii. The entity’s risk assessment process 

iii. The entity’s process to monitor the system of internal control 

iv. The information system and communication 

v. Control activities

It appears the Auditing Standards Board is highlighting the holistic nature of internal controls by including all five of the COSO control components.

SAS 145 Documentation Requirements 

Auditors must document their evaluation of the design of identified controls and their determination of whether such controls were implemented.

Additionally, auditors must document their rationale for significant judgments regarding identified and assessed risks of material misstatement. In other words, how did you identify a risk of material misstatement, and why did you assess it as you did?

What is the criterion for determining whether the risk assessment documentation is appropriate? As in the past, it’s whether an experienced auditor having no previous experience with the audit understands the nature, timing, and extent of the risk assessment procedures. So, document the rationale for your risk assessment work and your conclusions.

Effective Date of SAS 145

SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023.

