Category Archives for "Auditing"

Substantive Analytical Procedures
May 06

Substantive Analytical Procedures: Power Up

By Charles Hall | Auditing

Are you using substantive analytical procedures in your audits? Many auditors rely solely on a test of detail when a better option is available. Substantive analytics, in some cases, provide better evidential matter. And they are often more efficient than a test of detail.

This article focuses on substantive analytics. But before we look at what substantive analytics are and how we can use them, let's see how analytics in general are used in an audit.

Analytics in Three Stages

Auditors use analytics in three stages of the audit:

  1. Planning
  2. Final
  3. Substantive

Preliminary analytics are performed as a risk assessment procedure. We use them to locate potential misstatements. If we identify unexpected changes, we plan a response for that difference. For example, if we expect cost of goods sold to go down 5% but our planning analytics reveal an 8% increase, then we plan a response to determine why the change moved in an unexpected manner.

At the completion of the audit, we use final analytics to determine if we have addressed all risks of material misstatement. Here we put our numbers side-by-side and ask, "Have I dealt with all risks of material misstatement?" If yes, fine. If not, then we may need to perform additional substantive procedures. 

So, how do we use substantive analytics? As a substantive procedure.

Substantive Analytical Procedures

AU-C 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, defines two substantive procedures:

Substantive analytical procedures can, in certain cases, be more effective and efficient than a test of details.

For example, if the profit margin has been in the range of 46% to 49% for the last five years, then you might decide to use that substantive analytic to prove accuracy and occurrence (assertions) of the cost of goods sold in the current year. (This will probably be more effective than vouching 50 invoices, a test of details, and will certainly take less time.) If you compute the ratio for the current year and it’s 47%, then you have sound evidence that cost of goods sold is accurate and that the transactions occurred.

Are there audit areas where substantive analytics should not be used alone? Yes. When the area is a significant risk. A test of details must be performed in relation to significant risks. A significant risk example is the allowance for loan losses in a bank. It is a highly complex estimate. Therefore, a test of details is required. The auditor could not, for example, just compare the allowance percent to prior years, though such a comparison could be added to the tests of details. 

Now let's consider how auditors use tests of details and substantive analytics to respond to risk.

Responses to Risks of Material Misstatement

Many auditors use a test of details without performing substantive analytics. Why? For many, it's simply habit. We've always tested bank reconciliations, for example. But maybe we've never used analytics to prove revenues or expenses. I think this is the result of the old-school balance sheet audit approach.

Tests of details examples include:

  • Testing a bank reconciliation
  • A search for unrecorded liabilities in payables
  • Confirming cash or debt or investments
  • Vouching additions to plant, property and equipment

Tests of details are usually used in relation to balance sheet accounts such as cash or accounts payable.

Substantive analytical procedures, on the other hand, are usually more fitting for income statement accounts such as revenue or expenses. 

So, if you’re planning a response for accounts payable (a balance sheet account) and expenses (an income statement account), you might use a combined approach. A test of details for accounts payable (e.g., search for unrecorded liabilities) and substantive analytics for expense (e.g., departmental expenses divided by total expenses compared to the prior year).

One overarching principle to consider in your use of substantive analytics: use them in lower risk areas. AU-C 330 tells us that substantive analytics alone are more appropriate when assessed risk is lower. The higher your risk assessment, the more you should use tests of details.

Examples of Substantive Analytical Procedures

Here are examples of substantive analytics:

  • Comparison of monthly sales for the current year with that of the preceding year (to test occurrence)
  • Comparison of profit margins for the last few months with those subsequent to year-end (to test cutoff)
  • Percent of expenses to sales compared with the prior year (to test occurrence)
  • A comparison of balance sheet accounts with total assets compared to prior year (to test existence for assets and completeness for liabilities)
  • Current ratio compared to prior year (to test for solvency and going concern)
  • Comparing current year profit margins with prior periods (to test accuracy and occurrence)
  • For pension or postemployment benefit plans: actuarial value of plan assets divided by actuarial accrued liability compared to prior year (to test completeness and accuracy)
  • For debt: total debt divided by total assets compared to prior year (to test the financial strength of the entity and going concern)
  • For inventory: cost of goods sold divided by average inventory compared to prior year (to test existence and occurrence)

Now let's see how to document your substantive analytics.

Documentation of Substantive Analytical Procedures

In performing substantive analytics, make sure you document your expectations and conclusions:

Expectation – Document what you expect the result of the computation or comparison to be (you can use a range).

A common peer review finding is the lack of a documented expectation. Prior to computing a ratio or comparing numbers to prior periods, document your expectation.

Conclusion – Document whether the computation or comparison falls within your expectation. If it does not, inquire of the client. You may need to perform a test of details if the substantive analytic result is not within an acceptable range. Regardless, make sure you respond to unexplained results (i.e., those that fall outside an acceptable range) and that you document your response.

Overall Substantive Analytical Procedure Considerations

Substantive analytics are not required. So, think of them as an efficient alternative to tests of details.

But are there audits where substantive analytics don't work as well? Yes. If the company has weak internal controls or a history of significant errors, you may want to rely more on tests of details. Substantive analytical procedures work better in stable environments.

SOC Report
Apr 24

When are SOC Reports Needed by an External Auditor?

By Charles Hall | Auditing

Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, what are SOC reports and when are they needed?

What are SOC Reports?

When an entity provides services to other entities (e.g., ADP payroll services), the service organization desires to provide comfort to its clients. Why? Well, the service organization wants to provide assurance regarding the safety and effectiveness of its services. Trust is foundational to the business relationship. Therefore, the service organization provides comfort to clients by hiring an outside independent auditor to review its accounting system. The result of that review is a service organization control report.

So if ADP desires to give comfort to its clients regarding the design and operation of its accounting system, it will hire an outside audit firm to review and render an opinion on its internal controls. While SOC reports provide comfort to the service organization’s clients, they are also used in another manner.

Suppose ADP provides payroll services to Jet Sports, Inc. The auditors of Jet Sports will review ADP’s SOC report to see if their accounting system is appropriately designed and operating. After all, ADP, in this example, is an extension of Jet Sports, Inc.’s accounting system. Jet’s auditors view ADP’s services as a part of Jet’s accounting system: Jet has simply outsourced their payroll services to ADP. That’s why ADP’s SOC report is relevant to Jet Sports, Inc.’s audit. 

When are SOC Reports Needed?

SOC reports are needed when:

  • The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
  • The SOC report provides information concerning a significant transactions cycle

Many organizations outsource portions of their accounting to service organizations, such as ADP’s payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.

All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.

A financial statement auditor is concerned with material misstatements, regardless of how or where they occur, and regardless of who allows the misstatement. Therefore, auditors look for internal control weaknesses in both the entity being audited and service organizations.

As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.

Definitions Related to Service Organizations

Before delving into the details of service organization controls, let’s define a few key words:

Complementary user entity controls. These are the controls performed by users of a service organization’s services. These entity controls complement the service organization’s controls: both are necessary to ensure the process is safe and effective. For example, your client might perform the complementary control of reviewing payroll hours reported before providing those to an outside payroll service organization. 

Service auditor. The auditor that reports on controls at a service organization.

Service organization. An organization that provides services to user entities that impact the user entity’s financial reporting.

User auditor. The auditor that audits the financial statements of a user entity.

User entity. An entity that uses a service organization and its related SOC report. 

Audit Standard for Service Organizations

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting.

So if a service organization’s activities affect an entity’s information system, business processes, or financial reporting, then that activity is relevant. 

When is a SOC report not needed?

When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:
 
This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).
 
Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.

Complementary User Entity Controls

The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as complementary user entity controls. If the complementary controls operate effectively, the user auditor–the auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.

Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions and the complementary controls would not detect material misstatements, then the user auditor may need SOC reports or other service organization information.

When complementary controls are present, they should be reviewed in the walkthrough of controls by the user auditor. For example, if your client reviews payroll time recorded prior to submission to an outside payroll service provider, then determine if this control is designed appropriately and implemented (as you do for all key controls). SOC reports usually provide a list of complementary controls, so look there for potential client controls. Then see if they are in use. 

Is the Placement of a SOC Report in the Audit File Sufficient?

Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.

A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.

Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.

If control weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).

Type 1 or Type 2 SOC Reports?

Service organization auditors can issue type 1 or type 2 reports.

A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.

A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

The type 1 report provides information about the service organization’s system and related controls. The type 2 report provides an opinion on the system description and the design and effectiveness of the controls. A type 1 or a type 2 report can be used to gain an understanding of the controls.

You may see, in some of these SOC reports, carve-outs. 

Carve-Outs

Many SOC reports carve out services that are provided to the service organization by another service provider (a service provider to a service provider, if you will). In such a situation, consider whether you need to review the sub-service provider’s SOC report. (Sub-service providers are named in the SOC report along with what they do.)

So, should you (the user auditor) ever visit a service organization’s office?

Should the Auditor Visit the Service Organization?

Usually, the user auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.

SOC Reports Summary

In summary, if you audit an entity that uses a service organization, consider whether you need a SOC report. If the service organization provides services that impact a significant transaction cycle or account balance, then you probably need to review the related SOC report. Why? To see if there are any service organization internal control weaknesses that impact your client’s audit. 

audit planning
Apr 04

Audit Planning: Develop Your Audit Plan and Strategy

By Charles Hall | Auditing

This article teaches you how to develop your audit plan and strategy. Once you complete your risk assessment, it’s time to build these critical pieces of your audit engagement. 

Effectiveness and efficiency are both possible with a good audit plan. Below I explain how to do this. We’ll also take a look at three common mistakes made in planning. See if you make any of these.

To be in compliance with audit standards, we need to develop:

  • Our audit strategy
  • Our audit plan

Developing Your Audit Strategy

What’s in the audit strategy? AU-C 300, Planning an Audit, states that the audit strategy should include the following:

  • The characteristics of the engagement (these define its scope)
  • The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
  • The significant factors (these determine what the audit team will do)
  • The results of preliminary engagement activities (these inform the auditor’s actions)
  • Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)

Think of the audit strategy as the big picture.

We are documenting:

  • The scope (the boundaries of the work)
  • The objectives (what the deliverables are) 
  • The significant factors (e.g., is this a new or complex entity?)
  • The risk assessment (what are the risk areas?)
  • The planned resources (e.g., the engagement team) 

Much can be achieved with the right strategy—even walking on the moon.

Strategy for Walking on the Moon

When NASA planned to put a man on the moon, a strategy was created. It could have read as follows:

We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas. 

A sound strategy led to Neil Armstrong’s historic walk on July 20, 1969.

Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).

What’s in an Audit Strategy?

The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.

My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.

Here are the main areas we cover:

  • Deliverables and deadlines
  • A time budget
  • The audit team
  • Key client contacts
  • New accounting standards affecting the audit
  • Problems encountered in the prior year 
  • Anticipated challenges in the current year 
  • Partner directions regarding key risk areas
  • References to work papers addressing risk

Who Creates the Audit Strategy?

Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so. 

Audit Strategy as the Central Document

If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project. 

Audit Plan (or Audit Program)

Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit? 

  1. Performed risk assessment procedures
  2. Developed our audit strategy

Now it’s time to create the audit plan.

The audit plan is the linkage between planning and further audit procedures.

What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls. Substantive procedures include tests of details and substantive analytical procedures.

Creating the Audit Program

How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.

Sufficient Audit Steps

How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). An auditor assesses the risk of material misstatement because it informs the audit plan—or the steps to be performed. Audit steps should address all high and moderate RMMs. 

Integrating Risk Assessment with the Audit Program

How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.

AU-C 330 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.

Creating Efficiency in the Audit Plan

Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures?” Then go with your instincts.

Generally, I assess control risk at high. While we can’t default to high control risk, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures.

For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.

There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. 

I find that auditors usually understand the above, but still make one of the following three audit planning mistakes. 

Three Mistakes in Audit Planning

Auditors make three common planning mistakes: (1) not tailoring audit programs, (2) allowing prior year work papers to drive the audit process, and (3) using a balance sheet audit approach. Let’s see how these happen.

1. Not Tailoring Audit Programs

Where do most audit programs come from? They are purchased from forms providers, usually international publishing companies. These purchased programs are useful, but they can become a crutch, leading to canned audit approaches that are not responsive to risks. 

If we use unrevised audit programs and if our audit approach is always the same, what good is risk assessment? Another way to say this is, If audit programs never change, why perform walkthroughs, preliminary analytics, and other risk assessment procedures? 

Canned audit programs are one reason auditors give lip-service to risk assessment. In the auditor’s mind, he may be thinking, I already know what I’m going to do, so why waste time with risk assessment? This cookie-cutter approach is dangerous, but quite common. And why is it dangerous? Because it can lead to an intentional blindness toward internal controls and significant risks. And deficiencies in risk assessment lead to deficiencies in audit procedures. The result: material misstatements are not identified and an unmodified audit opinion is rendered. In other words, audit failure occurs.

Audit programs can be tailored: steps can be added, changed, or deleted. These steps can be amended based on the risk of material misstatement. But some auditors don’t change their audit plan. 

And not tailoring audit programs can lead to several problems such as:

  • Audit team members signing off on steps not performed 
  • Team members typing Not Applicable (N/A) next to several audit steps 
  • Auditors performing unnecessary procedures 
  • Auditors not performing necessary procedures 

In addition to not tailoring audit programs, some auditors hit autopilot and use their prior year work papers as their current year plan. 

2. Prior Year Work Papers as the Audit Plan

Audit documentation should develop sequentially:

  1. Risk assessment
  2. Audit programs
  3. Audit work papers 

But poor auditors tend to follow the prior year work papers and complete the audit program as an afterthought. Worse yet, the risk assessment work is completed at the end of the engagement, if at all. The tail wags the dog. This same-as-last-year approach leads to incongruities in risks of material misstatement and the procedures performed. In effect, the prior year work papers become the current year audit program. 

Another common audit planning mistake is the use of a balance sheet audit approach. 

3. Balance Sheet Audit Approach

Many auditors use a fully substantive approach, meaning they don’t test controls for effectiveness. Moreover, some auditors test balance sheet accounts and little else. But this approach can lead to problems.

I have heard auditors say: If I audit all of the balance sheet accounts, then the only thing that can be wrong is the composition of revenues and expenses. But is this true?

The accounting equation says:

Total assets = Total liabilities plus Total equity

Another way to say this is:

Total equity = Total assets minus Total liabilities

If we disregard stock purchases and sales, equity is usually the accumulation of retained earnings. And retained earnings comes from the earnings or losses on the income statement. In other words, retained earnings comes from revenues and expenses. So the net income or loss (revenues minus expenses) has to fit into the accounting equation (equity equals assets minus liabilities).

Therefore, if we audit all assets and liability accounts, doesn’t it make sense that the only thing that can be wrong is the composition of revenues and expenses? Mathematically I see why someone might say this, but a flaw lurks in the construct. 

Audit Failure Example

I once saw an audit firm sued for several million dollars. The CPAs audited the company for several years, issuing an unqualified opinion each year, but a theft was occurring all along.

So what were the audit firm’s mistakes? They relied too heavily upon a balance sheet audit approach, and they did not gain an understanding of the company’s key internal controls. 

The auditors used substantive procedures such as:

  • Testing bank reconciliations
  • Sending receivable confirmations and vouching subsequent collections
  • Computing annual depreciation and agreeing it to the general ledger
  • Vouching additions to plant, property, and equipment
  • Performing a search for unrecorded liabilities in payables
  • Confirming debt

The balance sheet accounts reconciled to the general ledger, and no problems were noted in the audit of the balance sheet accounts. But millions were missing. 

So what flaw lies in a balance sheet audit approach? Millions can go missing while the balance sheet accounts reconcile to the general ledger. Consequently, auditing the balance sheet accounts alone may not detect theft. Therefore, gaining an understanding of the internal controls and developing appropriate responses is critical to identifying material misstatements, especially when fraud is possible. 

So as we plan our substantive procedures, we need to avoid the flawed balance sheet approach. Yes, substantive procedures for the balance sheet accounts are important, but fraud detection procedures are necessary when control weaknesses are present. A test of details is necessary when a significant risk (such as a fraud risk) is present. 

In Summary

Develop an audit strategy and plan once you complete your risk assessment procedures. Then link the risks of material misstatement to your further audit procedures. Doing so will help ensure that your audit is successful. In other words, that no material misstatements are present when you issue an unmodified opinion.

Moreover, don’t make these three audit planning mistakes: (1) not tailoring audit programs, (2) allowing prior year work papers to drive the audit process, and (3) using a balance sheet audit approach.

See my audit series The Why and How of Auditing to learn even more about the full audit process, including how to audit transaction cycles such as cash, receivables, payables, and debt. 

audit assertions
Mar 07

Relevant Assertions in Financial Statement Audits

By Charles Hall | Auditing

In this article, I address audit assertions and why they are critical to the audit process. We'll look at assertion examples and how you can leverage these in your audit plan. Do you desire to stop over-auditing? Then read on.

All businesses make assertions in their financial statements. For example, when a financial statement has a cash balance of $605,432, the business asserts that the cash exists. When the allowance for uncollectibles is $234,100, the entity asserts that the amount is properly valued. And when payables are shown at $58,980, the company asserts that the liability is complete.

Reporting Frameworks

Of course, assertions derive their meaning from the reporting framework. So before you consider assertions, make sure you know what the reporting framework is and the requirements therein. For example, the occurrence of $4 million in revenue means one thing under GAAP and quite another under the cash basis of accounting.

What is a Relevant Assertion?

For an auditor, relevant assertions are those where a risk of material misstatement is reasonably possible. So, magnitude (is the risk related to a material amount?) and likelihood (is it reasonably possible?) are both considered. 

For cash, maybe you believe it could be stolen, so you are concerned about existence. Is the cash really there? Or with payables, you know the client has historically not recorded all invoices, so the recorded amount might not be complete. And the pension disclosure is possibly so complicated that you believe it may not be accurate. If you believe the risk of material misstatement is reasonably possible for these areas, then the assertions are relevant. 

Some auditors refer to auditing by assertions as an assertions audit. Regardless of the name, we need to know what the typical assertions are. 

Audit Assertions

Assertions include:

  • Existence or occurrence (E/O)
  • Completeness (C)
  • Accuracy, valuation, or allocation (A/V)
  • Rights and obligations (R/O)
  • Presentation, disclosure, and understandability (P/D)
  • Cutoff (CU)

Not all auditors use the same assertions. In other words, they might use assertions different from those listed above, or the auditor could list each assertion separately. Regardless, auditors need to make sure they address all possible areas of misstatement. 

Assertions as Scoping Tool

Think of assertions as a scoping tool that allows you to focus on what is important. Not all assertions are relevant to all account balances or to all disclosures. Usually, one or more assertions are relevant to an account balance, but not all. For example, existence, rights, and cutoff might be relevant to cash, but not valuation (provided there is no foreign currency) or understandability. For the latter two, a reasonable possibility of material misstatement is not present.

As you consider the significant account balances, transaction areas, and disclosures, specify the relevant assertions. Why? So you can determine the risk of material misstatement for each and create responses. Here’s an example for accounts payable and expenses. 

| Assertion | Inherent Risk | Control Risk | Risk of Material Misstatement | Response |
|---|---|---|---|---|
| E/O | Moderate | High | Moderate | Perform substantive analytics comparing expenses to budget and prior year |
| C | High | High | High | Perform search for unrecorded liabilities |
| CU | Moderate | High | Moderate | Substantive analytical comparison of the payable balance |

Inherent Risk Support

Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for completeness (client has not fully recorded payables in prior years). Occurrence and cutoff have not been problem areas in past years.

Inherent Risk as the Driver

Risk of material misstatement is the result of inherent risk and control risk. Auditors often assess control risk at high because they don’t plan to test for control effectiveness. If control risk is assessed at high, then inherent risk becomes the driver of the risk of material misstatement. In the table above, the auditor believes there is a reasonable possibility that a material misstatement might occur for occurrence, completeness, and cutoff. So responses are planned for each. 

Fraud risks and subjective estimates can be (and usually are) assessed at the upper end of the spectrum of inherent risk. They are, therefore, significant risks. When a significant risk is present, the auditor should perform procedures beyond his or her normal approach. As we previously said, when the client’s risk increases, the level of testing increases. 

Significant Risk 

The payables/expenses assessment below incorporates an additional response due to a significant risk, the risk that fictitious vendors might exist.

| Assertion | Inherent Risk | Control Risk | Risk of Material Misstatement | Response |
|---|---|---|---|---|
| E/O | High | High | High | Perform substantive analytics comparing expenses to budget and prior year; Perform fictitious vendor test |
| C | High | High | High | Perform search for unrecorded liabilities |
| CU | Moderate | High | Moderate | Substantive analytical comparison of the payable balance |

Inherent Risk Support

Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. The company suffered a fictitious vendor fraud during the year, so the occurrence assertion has uncertainty. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for occurrence (significant risk) and completeness. Cutoff has not been a problem in past years. 

Significant Risk Example

In auditing expenses, the auditor knows that a risk of fictitious vendors exists. In this scheme the payables clerk adds and makes payments to a nonexistent vendor. Additionally, the payments are usually supported with fake invoices. What is the result? Yes, additional expenses. Those fraudulent payments appear as expenses in the income statement. So the occurrence assertion is suspect. 

If the auditor believes the risk of fictitious vendors is at the upper end of the inherent risk spectrum, then a significant risk is present in relation to the occurrence assertion. And such a risk deserves a fraud detection procedure. In this example, the auditor responds by adding a substantive test for detection of fictitious vendors. More risk, more work.  

Additionally, notice the inherent risk for occurrence is assessed at high. Why? Because it’s at the upper end of the inherent risk spectrum. A significant risk is, by definition, a high inherent risk, never low or moderate.

As you can tell, I am suggesting that risk be assessed at the assertion level. But is it ever acceptable to assess risk at the transaction level?

Assessing Risk at the Transaction Level

Is it okay to assess audit risk in the following manner?

| Assertion | Inherent Risk | Control Risk | Risk of Material Misstatement |
|---|---|---|---|
| E/O; CU; R/O; A/V; P/D | High | High | High |

Yes, but if all assertions are assessed at high, then a response is necessary for each. 

Those who assess risk at the transaction level think they are saving time. But is this a more efficient approach? Or might it be more economical to do so at the assertion level?

Assess the Risk of Material Misstatement at the Assertion Level

If the goal of assessing risk is to quickly complete a risk assessment document (and nothing else), then assessing risk at the transaction level makes sense. But the purpose of risk assessment is to provide planning direction. Therefore, we need to know the risk of material misstatement at the assertion level. 

Why? Let’s answer that question with an accounts payable example. 

Accounts Payable Risk Assessment Example

Suppose the auditor assesses risk at the transaction level, assessing all accounts payable assertions at high. What does this mean? It means the auditor should perform substantive procedures to respond to the high-risk assessments for each assertion. Why? The risk assessments for valuation, existence, rights and obligations, completeness, and all other assertions are high. Logically, the substantive procedures must now address all of these (high) risks.

Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor plans and performs a search for unrecorded liabilities. Additionally, he may not, for example, perform existence-related procedures such as sending vendor confirmations. The lower risk assertions require less work. So knowing the risk of material misstatement at the assertion level is critical. 

Do you see the advantage? Rather than using an inefficient approach—let’s audit everything—the auditor pinpoints audit procedures. 

Once assertions are assessed, it’s time to link them to further audit procedures.

Linkage with Further Audit Procedures

As a peer reviewer, I hear firms say, “I know I over-audit, but I don’t know how to lessen my work.” And then they say, “How can I reduce my time without reducing quality?”

Here’s my answer: Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailor—yes, change the audit program—to address the risks. Perform substantive procedures or a test of controls for effectiveness related to the identified risk areas—and slap yourself every time you even think about same as last year. (Your substantive procedures can be a test of details or substantive analytics.)

And what are the benefits of assessing risk at the assertion level?

  • Efficient work
  • Higher profits 
  • Conformity with standards

You may be wondering if financial statement level risk can affect assertion level assessments. Let's see. 

Risks at the Financial Statement Level

Financial statements have financial statement level risks such as management override or the intentional overstatement of revenues. These sometimes affect assertion level risk. For example, the intentional overstatement of revenues has a direct effect upon the existence assertion for receivables and the occurrence assertion for revenues. Therefore, even when you identify financial statement level risks, consider whether they might affect assertion level risks as well. 

Now let's talk about homework based on this article. Let's make this useful. 

Your Audit Assertion Documentation

Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting your risks at the assertion level—and possibly less time performing further audit procedures.

Use of a specialist
Jan 23

Use of a Specialist: How to Document

By Charles Hall | Auditing

As an auditor, you often use the work of specialists such as actuaries, appraisers, and engineers. Such work can seem mystical, like something conjured up from a mathematical soup. And since we don’t always understand their incantations, we wonder, “Can we rely on the information?” and “How do I document my use of an expert?” Thankfully, the audit standards provide guidance in AU-C 500 (management’s specialist) and AU-C 620 (auditor’s specialist). Below I unpack these requirements. 

Who Hires the Specialist?

A specialist can be hired by your audit firm or by management. If you audit banks, you might hire an appraiser to assist with loan collateral reviews–an example of an auditor’s specialist. If your client uses an actuary, then you will obtain audit evidence from a specialist hired by management.

As we begin our look into the use of experts, here are two definitions to help differentiate the types.

Specialist Definitions

AU-C 620 defines an auditor’s specialist and management’s specialist. Both definitions include “expertise in a field other than accounting and auditing.” 

An auditor’s specialist can include an internal person such as a partner or staff member or an external contract person. This person works for the audit firm. 

Information from a management specialist is used by the entity in the preparation of their financial statements. This person works for the audit client. 

Now, let’s take a look at each.

1. Auditor’s Specialist

AU-C Section 620–Using the Work of an Auditor’s Specialist provides guidance.

Is the Specialist Needed?

AU-C 620 states that auditors should consider the use of a specialist when expertise in a field other than accounting or auditing is needed. Before using the services of a specialist, consider the significance of the information for which you might need such a person. If the information has little impact on the financial statements, then usage of their reports or skills is of less importance.

AU-C 620 Considerations

AU-C 620 also says the auditor should evaluate the competence, capability, and objectivity of the specialist. So if you hire an investment pricing expert, you want to know if she is reputable, what her experience is, whether she can perform the work appropriately, and whether she is objective.

According to AU-C 620, information regarding the competence, capabilities, and objectivity may come from sources such as the following:

  • Personal experience with previous work of the expert
  • Discussions with the specialist
  • Discussions with other auditors or others who are familiar with their work
  • Knowledge of their qualifications, professional memberships, licenses to practice, or other forms of recognition (often available on their website)
  • Books or other publications of the expert

If you’ve previously worked with the aforementioned pricing expert, you have personal experience with her work. This helps. You might call her with regard to current year issues, and since you already know her, you probably know her qualifications.

Regarding objectivity, the auditor should inquire about any relationships that the specialist may have with the client. And if necessary, obtain a signed representation letter concerning their objectivity. Continuing with our pricing expert example, you want to ask her if she has any business relationships with the auditee. Are there any family relationships? Is there anything that might impair her objectivity?

Additionally, if the expert is hired by your firm, consider an engagement letter. 

Engagement Letter with Specialist

Though not required, the auditor can use a written engagement letter to define the work of the specialist. AU-C 620 provides suggestions for the engagement letter such as:

  • Nature, scope, and objectives of the assistance
  • The roles and responsibilities of the auditor and the specialist
  • How information will be communicated
  • The need for confidentiality

Document the specialist’s work in a memorandum if an engagement letter is not obtained.

Adequacy of Work

Auditors must evaluate the adequacy of the work.

AU-C 620 requires that you evaluate the adequacy of the work, including the reasonableness of the findings and conclusions, the reasonableness of assumptions and methods, and the relevance and accuracy of the information. 

Bottom line: Does the work of the expert provide sufficient and appropriate audit evidence with regard to the issue at hand (e.g., investment pricing)?

When should an auditor begin thinking about specialist usage? Before the engagement is accepted. Why? If we accept an audit without the necessary skill sets, we have a problem. As you consider the acceptance of an audit engagement, think about whether a specialist is needed, and whether such a person is available at a reasonable price.

Reference to a Specialist in an Auditor’s Opinion

AU-C 620 states that an auditor should not refer to the work of an auditor’s specialist in an unmodified audit opinion. The auditor can, however, make reference to a specialist when the opinion is modified (to explain the reason for the modification). But, if reference is made, the audit opinion should state the auditor’s responsibility is not lessened. 

What does this mean? Regardless of the situation, the opinion is the auditor’s (and not the specialist’s). We may use the expert’s work as audit evidence, but the audit opinion (and the corresponding responsibility) belongs to us.

Confidentiality Language in the Client Engagement Letter

When an auditor hires an external specialist, should the audit engagement letter change?

When an audit firm hires an external specialist, the firm should follow the Code of Conduct section ET 1.700.040, Disclosing Information to a Third-Party Service Provider. How can you comply with this ethical requirement? By including additional language in your engagement letter advising the client that you might provide confidential information to an outside party. In effect, you are gaining consent to share client information. If you are not using an outside person, but someone who works for your firm, then no such consent is necessary.

Now, let’s take a look at management’s specialist. 

2. Management’s Specialist

AU-C Section 500, Audit Evidence, provides guidance on the use of information from a management specialist.

Your audit client might use their own expert such as a pension plan actuary. To rely on the actuary, you need to know if she is competent and objective. You also need to understand–at least in a general sense–what the actuary does. You do not need to recompute the actuarial computations, for example. But a review of assumptions for reasonableness is appropriate.

AU-C 500 Considerations

AU-C 500 requires considerations similar to those of an auditor’s specialist. For instance, you need to evaluate the competence and objectivity of management’s expert. Obtain an understanding of their work, and evaluate it in light of relevant assertions. For example, is the pension disclosure, based on actuarial information, understandable and accurate?

As with an auditor’s specialist, the sources of information regarding a management specialist can come from prior experience with the person, discussions with the expert, and knowledge of their certifications and experience. 

Additionally, consider including relevant language in management’s representation letter.

Representation Letter

AU-C 580, Written Representations, provides the following example of language that an auditor might include in the representation letter:

We agree with the findings of specialists in evaluating the [describe assertion] and have adequately considered the qualifications of the specialists in determining the amounts and disclosures used in the financial statements and the underlying accounting records. We did not give or cause any instructions to be given to specialists with respect to the values or amounts derived in an attempt to bias their work, and we are not otherwise aware of any matters that have had an effect on the independence or objectivity of the specialists.

Conclusion

So how do you document your use of these experts? As you can tell, the audit standards provide a framework, and the documentation will vary depending on the type of specialist used and the importance of the information. At a minimum, consider documenting:

  1. Why you need the expert (or their work product)
  2. What they are doing
  3. Their abilities, reputation, and experience 
  4. Their objectivity 
  5. The adequacy of the work provided

Peer review checklists include questions regarding your documentation of such information. Therefore, you need to make sure you do so. 

At the end of the day, auditing is all about obtaining reasonable assurance by obtaining audit evidence. As you consider the use of these experts, ask yourself how their work impacts your risk assessment, your audit procedures, and finally your opinion.
