Category Archives for "Accounting and Auditing"

Nov 29

Seven Excuses for Unnecessary Audit Work Papers

By Charles Hall | Auditing

Unnecessary audit work papers create clutter and potential legal problems.

I see two problems in most work paper files:

(1) Too much documentation, and
(2) Too little documentation

I have written an article titled: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I’ve already addressed the too little documentation issue, I’ll now speak to the other problem: too much documentation.

Unnecessary Audit Work Papers

Over the last thirty-five years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are seven answers I’ve received.

1. It was there last year.

But is it relevant this year? Resist the temptation to mindlessly bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

Inexperienced auditors tend to put everything given to them in the file. Some auditors believe “if the client gave it to me, it must be important.” But this is not necessarily true. Every work paper needs a purpose.

3. I may need it next year.

Then save it for next year—somewhere other than in the current file. If the information does not provide current year engagement evidence, then it does not belong in the file.

Consider creating a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: Next year’s work papers. Then move this section to next year’s file as you close the engagement.

4. I might need it this year.

Before going paperless (back in the prehistoric days when we moved work papers with hand trucks), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled Recycle Bin that sits at the bottom of my file. If I receive information that is not relevant to the current year (but there is a chance I will need it), I move it to the recycle bin, and when I am wrapping up the engagement, I dispose of the folder.

5. It’s an earlier version of a work paper.

Move earlier versions of work papers to your recycle bin—or delete them.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attest work – e.g., deferred taxes).

7. We always do this.

But why is it being done this year? Maybe a fraud was missed ten years ago and the partner said, from now on we will…

Are these procedures still relevant?

The test of details, substantive analytics, and test of controls should be in response to the current year audit risk assessment and planning.

Reducing Legal Exposure

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide ammunition to an opposing attorney: “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

What are your thoughts about removing unnecessary audit work papers?

Nov 11

Management Override of Internal Controls

By Charles Hall | Auditing, Fraud, Risk Assessment

Management can override internal controls, resulting in fraudulent financial reporting. Below I provide examples of management override of internal controls and how you can audit for these potential threats. 

Controls can be overridden, even when properly designed and operating. Accounting personnel usually comply with the wishes of management either out of loyalty or fear. So if a trusted C.E.O. asks the accounting staff to perform questionable actions, they will sometimes comply because they trust the leader. Alternatively, management can threaten accounting personnel with the loss of their jobs if they don’t comply. Either way, management gets what it wants by overriding internal controls. 

Examples of Management Override of Internal Controls

Here are examples of management override of internal controls:

  1. Booking journal entries to inflate profits or cover up theft
  2. Using significant transactions outside the normal course of business to dress up the financial statements
  3. Manipulating estimates 
  4. Transferring company cash to their personal accounts 

Auditors consider management override in all audits (or at least, they should). Why? Because it’s always possible. That's why audit standards require that we respond to the risk of management override in all audits. 

First, let’s consider how management overrides controls with journal entries.

1. Journal Entry Fraud

Think about the WorldCom fraud. Expenses were capitalized to inflate profits. Income statement amounts were moved to the balance sheet with questionable entries. Once the fraud was discovered, the internal auditors were told the billion-dollar entries were based on what management wanted. The entries were not in accordance with generally accepted accounting principles. And why was this done? To increase stock prices. Management owned shares of WorldCom, so they profited from the climbing stock values. The fraud led to prison sentences and the demise of the company, all because of management override. 

Journal entries are an easy way to override controls. Consider this scenario: Management meets at year-end, and they have not met their goals; so they manipulate earnings by recording nonexistent receivables and revenues, or they record revenues before they are earned. For example, management accrues $10 million in fake revenue, or they book January revenues in December. 

Journal Entry Testing

Auditors should test journal entries for potential fraud, but how? First, understand the normal process for making journal entries: who makes them, when they are made, and how. Also, inquire about journal entry controls and consider any fraud incentives, such as bonuses related to profits. Then think about where fraudulent entries might be made and test those areas. Fraudulent journal entries are often made at year-end, so make sure you test those. Here are some additional journal entry test ideas:

  • Examine entries made to seldom-used accounts
  • Review consolidating entries (also known as top-side entries)
  • Test entries made at unusual hours (e.g., during the night) 
  • Vet entries made by persons that don’t normally make journal entries
  • Look at suspense account entries
  • Review round-dollar entries (e.g., $100,000)
  • Test entries made to unusual accounts

You don’t need to perform all of the above tests, just the ones that are higher risk in light of journal entry controls and fraud incentives. Data mining software can be helpful in vetting journal entries. For example, you can search for journal entries made by unauthorized persons. Just extract all journal entries from the general ledger and group them by persons making the entries; thereafter, scan the list for unauthorized persons. 
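The journal entry tests listed above can be run together over a general-ledger extract. The following is an added example, not part of the original article: the journal entries, the authorized-preparer list, the business-hours and year-end windows, and the thresholds are all constructed assumptions that an auditor would replace with values from the engagement.

```python
from collections import Counter, defaultdict
from datetime import date, datetime
from decimal import Decimal

# Constructed sample extract (not real data).
# Fields: entry id, posted timestamp, preparer, account, amount, source
JOURNAL = [
    ("JE-001", "2023-03-14 10:12", "akim", "4000 Revenue", "18250.37", "manual"),
    ("JE-002", "2023-06-02 14:40", "akim", "4000 Revenue", "22117.90", "manual"),
    ("JE-003", "2023-09-19 09:05", "bdiaz", "1200 Receivables", "9431.15", "manual"),
    ("JE-004", "2023-11-07 15:30", "bdiaz", "1200 Receivables", "12780.64", "manual"),
    ("JE-005", "2023-12-30 23:47", "ceo", "4000 Revenue", "10000000.00", "manual"),
    ("JE-006", "2023-12-31 16:20", "akim", "1990 Suspense", "48312.08", "manual"),
    ("JE-007", "2023-12-29 11:00", "bdiaz", "1850 Capitalized Costs", "100000.00", "topside"),
    ("JE-008", "2023-08-21 13:15", "akim", "4000 Revenue", "15002.50", "manual"),
    ("JE-009", "2023-10-03 10:45", "bdiaz", "1200 Receivables", "7340.22", "manual"),
]

# Assumptions for this example; set them from your understanding of the
# client's journal entry process and controls.
AUTHORIZED_PREPARERS = {"akim", "bdiaz"}
BUSINESS_HOURS = range(7, 19)          # 07:00 through 18:59
FISCAL_YEAR_END = date(2023, 12, 31)
YEAR_END_WINDOW_DAYS = 5               # last five days of the fiscal year
ROUND_MINIMUM = Decimal("10000")       # ignore small round amounts
ROUND_MULTIPLE = Decimal("1000")
SELDOM_USED_MAX = 1                    # accounts hit this many times or fewer


def parse(row):
    """Turn one raw extract row into typed fields."""
    entry_id, posted, preparer, account, amount, source = row
    return {
        "id": entry_id,
        "posted": datetime.strptime(posted, "%Y-%m-%d %H:%M"),
        "preparer": preparer,
        "account": account,
        "amount": Decimal(amount),
        "source": source,
    }


def entries_by_preparer(journal):
    """Group entry ids by the person who made them, for scanning."""
    groups = defaultdict(list)
    for row in journal:
        entry = parse(row)
        groups[entry["preparer"]].append(entry["id"])
    return dict(groups)


def flag_entries(journal):
    """Return {entry id: [test names]} for entries that trip any test."""
    entries = [parse(row) for row in journal]
    usage = Counter(e["account"] for e in entries)
    flagged = {}
    for e in entries:
        flags = []
        if e["preparer"] not in AUTHORIZED_PREPARERS:
            flags.append("unauthorized_preparer")
        if e["posted"].hour not in BUSINESS_HOURS:
            flags.append("unusual_hours")
        days_before_close = (FISCAL_YEAR_END - e["posted"].date()).days
        if 0 <= days_before_close < YEAR_END_WINDOW_DAYS:
            flags.append("year_end")
        if e["amount"] >= ROUND_MINIMUM and e["amount"] % ROUND_MULTIPLE == 0:
            flags.append("round_dollar")
        if "suspense" in e["account"].lower():
            flags.append("suspense_account")
        if e["source"] == "topside":
            flags.append("topside")
        if usage[e["account"]] <= SELDOM_USED_MAX:
            flags.append("seldom_used_account")
        if flags:
            flagged[e["id"]] = flags
    return flagged


def rank_for_testing(flagged):
    """Order flagged entries so those tripping the most tests come first."""
    return sorted(flagged, key=lambda entry_id: (-len(flagged[entry_id]), entry_id))


if __name__ == "__main__":
    results = flag_entries(JOURNAL)
    for entry_id in rank_for_testing(results):
        print(entry_id, ", ".join(results[entry_id]))
    print(entries_by_preparer(JOURNAL))
```

A flag is a reason to pull support for the entry, not a finding; entries that trip several tests at once are the natural place to start.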

Fraudulent journal entries are not the only way to override controls. The books can be cooked with related party transactions. 

2. Funny Business

Sometimes, as an auditor, you’ll see funny transactions. No, I don’t mean they are amusing. I mean they are unusual. Management can alter profits with transactions outside the normal course of business, and these are often related party transactions. 

For example, Burning Fire, an audit client, is owned by Don Jackson. Mr. Jackson also owns another business, Placid Lake. As you are auditing Burning Fire, you see it received a check for $10 million from Placid Lake. So you ask for transaction support, but there is little. The CFO says the payment was made for “prior services rendered,” but it doesn’t ring true. This could be fraud and is an example of a transaction outside the normal course of business. Why would a company record such an entry? Possibly to bolster Burning Fire’s financial statements. When you see such a transaction, consider whether a fraud incentive is present. For example, do loan covenants require certain financial ratios and does this transaction bring them into compliance?

Next, we look at how management can juice up profits by manipulating estimates. 

3. Manipulating Estimates

Auditing standards require a retrospective review of estimates as a risk assessment procedure. Why? Because management can manipulate estimates to inflate earnings and assets. Auditing standards call such tendencies bias, a sign that fraudulent financial reporting might exist. That’s why auditors review prior estimates and related results. 

For instance, suppose a company has a policy of reserving 90% of receivables that are ninety days or older. If at year-end the greater-than-ninety-days bucket contains $1,000,000, management can increase earnings $400,000 by lowering the reserve to 50%. What an easy way to increase net income! 

Retrospective Review of Estimates

So, how does an auditor perform a retrospective review of an allowance for uncollectible accounts? Compare the year-end reserve with that of the last two or three years. If the reserve decreases, ask why. There might be legitimate reasons for the decline. But if there is no reasonable basis for the smaller allowance, bias could be present. Note such changes in your risk assessment summary. For example, in the accounts receivable section, you might say: The allowance for uncollectible accounts appears to have decreased without a reasonable basis. Why? Because you’ve identified a fraud risk that deserves attention. 

Complex estimates are easier to manipulate without detection than simple ones. Why? Because intricate estimates are harder to understand, and complexity creates a smokescreen, making bias more difficult to spot. As an example, consider pension plan assumptions and estimates. Very complex. And changes in the assumptions can dramatically affect the balance sheet and net income. 

Now, let's look at how to document your retrospective review. 

Documenting Your Retrospective Review

Document your retrospective review. How? List the current and prior year estimates and explain the basis for each. Also, examine the results of the prior year estimates. For example, compare the current year bad debts with the prior year uncollectible allowance. Additionally, consider including incentives for manipulating profits such as bonuses. 

Label the workpaper Retrospective Review of Estimates to communicate its purpose. Also, consider adding purpose and conclusion statements such as:

  • Purpose of workpaper: To perform a retrospective review of estimates to see if bias is present.
  • Conclusion: While the allowance estimate is higher in the current year, the judgments and assumptions are the same. It does not appear that bias is present. All other prior year estimates appear reasonable. 

Other conclusion examples follow:

  • Conclusion: The rate of return used in computing the pension liability increased by 1%. The increase does not appear to be warranted given the mix of investments and past history. Bias appears to be present and is noted in the risk assessment summary form (in the payroll and benefits section).
  • Conclusion: Based on our review of the economic lives of assets in the prior year depreciation schedule, no bias is noted.
  • Conclusion: We reviewed bad debt write-offs in the current year and compared them to the uncollectible allowance in the prior year. No management bias is noted.

Is there another way that management might override controls? Yes, sometimes management requires accounting personnel to transfer company cash to personal bank accounts. 

4. Transferring Company Cash to Personal Accounts

Years ago I audited a hospital in Alabama. The C.E.O. would sometimes go to Panama City Beach, and while there, direct his accounting staff to wire funds to his personal account—and they did. Why? The threat of losing their jobs. Some management personnel, especially those with muscle, can intimidate the accounting employees into doing the unbelievable. I’ve seen this happen and once the C.E.O. is called out, he pretends to know nothing about the prior conversations with accounting.  

Management Override of Internal Controls

In your future audits, consider that management override of internal controls is always a possibility.

So don't allow yourself to believe that management is too honest to commit fraud. (A personal friend of mine just went to jail for stealing $3.5 million; he was part of the company's management team. I've known him for twenty years, so I was stunned to hear this.) Conduct your audits to detect material misstatements, including fraud--even if you've known the management team for many years. 

Sep 21

Entity-Level Controls: Why They Matter

By Charles Hall | Accounting and Auditing

In this article, I explain why entity-level controls are important and how to audit them.

Activity-level controls, those such as segregation of duties, get all the love. But what about entity-level controls? It seems to me they don’t receive the attention they deserve. 

Entity-Level Controls

Internal Controls

The fountainhead of internal controls is the Committee of Sponsoring Organizations (COSO). Auditors recognize the COSO control components when they see:

  1. Control environment
  2. Risk assessment
  3. Monitoring 
  4. Information and communication
  5. Control activities

Controls that address financial-statement-level risks are known as entity-level controls. For example, a poor control environment can pervasively affect financial statements. And controls that address risks at the assertion level–such as control activities–are known as activity-level controls. 

Auditing standards require consideration of these five components in all audits. While auditors are more familiar with the fifth element, control activities, the others are important as well. Auditors review the design and implementation of controls of each component, not just control activities. In other words, auditors consider entity-level and activity-level controls. Or at least, they should. 

The five components, when designed and working correctly, result in materially correct financial statements. In large businesses, the five components are often more clearly defined. Smaller entities, however, tend to blend the five, and they are less distinct. Regardless, the entity-level and activity-level controls are important in all companies, nonprofits, and governments.

1. Control Environment

The first element is control environment, what many refer to as the tone at the top. In examining this component, you learn about those charged with governance and management. Are they committed to financial statements without material misstatements? Do these leaders receive internal control reports? If the entity has internal auditors, how often do they meet with the board? If there are no internal auditors, how receptive is the board to annual audit communications regarding internal controls?

The control environment component is more subjective than the other four. Therefore, testing for appropriate design and implementation is more challenging. So, what should you look for? What documents should you review?

Code of Conduct

Some companies have a code of conduct. If they do, review it, and see if company personnel are familiar with it. Is the code a part of the company’s DNA or just a document for the filing cabinet?

Active Governance

In all entities, see if the board members and management actively govern. Read the minutes to understand the board’s participation level. Review the reports provided to them. See how often they receive these and whether they understand them.  

Segregation of duties, an activity-level control, may be lacking, especially in smaller organizations. A compensating control is the board or owner’s review of financial statements. Additionally, in entities with budgets, the board might receive budget-to-actual reports. Moreover, the board might review a list of disbursements. 

How often does the board or the owners meet? If monthly, great. If once a year, not so good.

Conflict of Interest Statement

Is there a conflict-of-interest statement and does the company abide by it? Do board members and management disclose their potential conflicts annually?

Whistle-Blower Policy

Does the entity have a whistle-blower policy? Can employees anonymously report suspicious activity? Who receives the whistle-blower reports? Who follows up on them and how often? How does the company respond to theft?

Internal Auditors

If the company has internal auditors, do they report directly to the board or to management? Internal auditors should have a direct line to those charged with governance. Additionally, internal auditors should be hired and fired by the board, not management. Internal auditors monitor the actions of management. That’s why they should report directly to the board.

Information Technology

Are appropriate resources given to the information technology (IT) personnel? Does IT provide periodic operating reports to the board and management? Do they have sufficient education and knowledge? What is IT doing to protect the information system? Is IT accountable to leadership? Are they transparent about their activities?

Accountability

And what about management personnel? Are they accountable to the board? In some organizations, the chief executive officer (CEO) runs the company with little accountability. Not desirable in larger entities, but quite common and maybe necessary in smaller ones. The CEO and an owner might be one and the same in a smaller business.

Integrity

After reviewing factors such as those mentioned above, consider that honesty is the key to control environment. And honesty is not what the leadership says, but what they do. So ask yourself, “Do they walk the talk?”

Document Controls

Even though the control environment is more subjective than the other four components, you still need to review the design and implementation of controls. You can only do so with controls, not personal characteristics. You can’t review the CEO’s ethics, for example, but you can read the code of conduct. You can’t review the CFO’s transparency, but you can examine a whistle-blower program. You can’t review the board chair’s intelligence, but you can inspect monthly financial statements, as provided to the board. Look for controls, not just subjective characteristics. Asking, “Are your board members ethical?” is not enough.

But what if there are no control environment documents such as a code of conduct? In smaller entities, this is possible, but most organizations do provide financial reports to those in charge. If there are no controls, consider the impact on the risk of material misstatement. Also, consider whether compensating controls exist in the other four components of the internal control system.

Now, let’s look at the risk assessment. 

2. Risk Assessment

Here again, examine the design and implementation of the risk assessment component. Smaller companies might present a challenge in doing so: No formal risk assessment process. An informal process, however, does not mean that controls are lacking.

Small Company Risk Assessment

A small business owner’s risk assessment process might include financial statements reviews. Why? Her knowledge of the business enables her to detect—at least some—misstatements. Moreover, the owner considers the competency of her accountants. She knows that smart accountants lead to good numbers. Additionally, she hires outside IT professionals to maintain the information system, or she uses cloud-based software such as QuickBooks. Why? Because IT is part of a healthy accounting system. As you can see, small business risk assessment can be informal, but still effective.

Large Company Risk Assessment

In larger companies, risk assessment is more robust. The board and management periodically meet to focus on risk assessment. And internal auditors test the accounting system and provide reports to leadership. It’s easier to review risk assessment design and implementation in such an environment.   

Financial Statement Risk Assessment

Regardless of the entity size, companies normally use disclosure checklists to prepare their financial statements. Such checklists lower the risk of incomplete or omitted disclosures. 

Does the company present consolidated financial statements? Then consolidating controls, such as a second-person review, are necessary. Improper consolidating procedures can easily result in material misstatements. Therefore, risk assessment should encompass the consolidation process. 

Most importantly, company personnel should think about how the financial statements might contain material misstatements in light of the existing controls, accounting personnel, and business dynamics. So, has anyone considered how errors or fraud might occur? And is the risk assessment process documented? If yes, then the auditor should review it. If no, then the auditor should consider the company’s informal processes and whether they decrease the risk of material misstatements. 

The risk assessment works best when monitoring reports are also used. 

3. Monitoring

Monitoring provides feedback on the effectiveness of the financial reporting process. Error and fraud can occur even when a company has a great internal control structure. Not only should monitoring information be provided to the leadership of the organization, but companies should generate monitoring reports at lower levels. After all, you want to detect problems as soon as possible. 

As we said in the risk assessment section above, larger companies often have internal auditors. And those auditors provide reports to the board and management about financial reporting, whether it is occurring properly or not. Such reporting during the year lessens the probability that the external auditors will detect material misstatements after year-end. 

But even if an organization has no internal auditors, monitoring can still occur. The CFO can review monthly accounting reports. The payroll supervisor can compare the current compensation reports with earlier ones. The board can review budget-to-actual reports. The owner can compare production statistics with monthly financial statements. 

Vetting the design and implementation of monitoring is usually much easier than reviewing the control environment or risk assessment. Why? Well, either accounting reports are generated and reviewed by company personnel or they are not. 

If the monitoring reports enable the organization to detect and correct material misstatements, then this component is properly designed. And companies that generate and review monitoring reports have implemented the control. 

Creating monitoring reports is a part of another entity-level control: information and communication. 

4. Information and Communication

How does the entity communicate its internal controls? How does a company inform its employees about its financial reporting process? Do training manuals exist? Are the internal controls mapped in a flowchart? What reports are provided to the board and management, or to an owner of the company? Are dashboards used? 

Most smaller entities communicate the internal control structure verbally. A new person is hired and the supervisor explains what is to be done. And oftentimes the supervisor knows what to do because the same was done for him on the day he was hired. Similar to control environment and risk assessment, the information and communication component is not always clearly defined in a smaller organization.

Larger entities often have formal internal control or accounting manuals; the policies are in black and white. But written internal control communications don’t always mean material misstatements are less likely. Personnel may still not understand their internal control responsibilities. The bottom line is whether the control structure is properly communicated. That can be done verbally or in writing.

Verbal and Written Communications

When internal controls are communicated verbally, the auditor needs to inquire of employees to see how they learned about the accounting system and related internal controls. Then observe the daily operations to see if the controls are performed properly. 

When the internal controls are communicated in writing, the auditor should review the guidance. And, again, observe the organization’s personnel to see if they understand the accounting system and controls.

Monthly financial statements and reporting statistics are vital to managing an organization and to ensuring the appropriateness of the information. Additionally, many entities use dashboards to see key information. Why? Well, you can’t steer a ship without knowing where it is. 

Regarding information and communication, you want to know if the accounting handbooks, internal control reports, and financial reports lessen the probability of material misstatement. Does everyone know their internal control responsibilities? Are reports provided in a timely manner? If there is a breakdown in the controls, is that information communicated to those that can mend the weakness? 

When you think of information and communication, think of Captain Kirk at the helm of his spaceship. The screen before him and the people around him kept him informed. Because he knew what was going on at all times, he was able to protect his friends and his ship. The same is true in a business, a nonprofit, or a government. Clear communications keep the financial statements in good order.   

Entity-Level Controls

My purpose in writing this post is to remind you of the importance of entity-level controls. Give them a little love and respect. Pay attention to them. In some ways, they are more important than activity-level controls. After all, if the board and management aren’t honest, what good are activity-level controls? And even if the leaders are honest, risk assessment is necessary to detect breakdowns in the control structure. Monitoring, as a sister to risk assessment, will help the company see control weaknesses. And finally, information and communication makes everyone aware of their responsibilities and internal control weaknesses.

In a perfectly designed internal control system, each component complements and supports the other, making the risk of material misstatement less likely. Lower risk means less substantive work for the auditor, and higher risk means more. 

Auditor’s Risk Assessment Summary

If you detect control weaknesses while examining the entity-level controls, consider how they affect your risk assessment. Bring those weaknesses into your risk assessment summary along with any others you detect in your other risk assessment work (e.g., walkthroughs, planning analytics). 

Once all risks are brought together, you can develop your responses. Make sure you link your risks to the planned procedures. Otherwise, your peer reviewer may throw a red flag. 

Here’s an article regarding responses titled Tests of Details: Substantive Procedures.

Aug 16

Audit Materiality: How to Understand

By Charles Hall | Auditing

Want to perform your audits correctly but with less time? Then understand audit materiality, performance materiality, and trivial misstatements. Below you’ll see how to use audit materiality in the planning, conduct, and conclusion of your engagements. You’ll also see how to use performance materiality and trivial misstatements.

Audit Materiality

Materiality is to reasonable assurance what white stripes are to a basketball court. And understanding materiality is a key to making sure no one blows the whistle on you. Moreover, understanding trivial misstatements can reduce your audit time.

So what is materiality in auditing?

Financial statements are seldom perfect. Some misstatements are present, and that’s okay as long as they aren’t too large. But how big can they be without affecting financial statement users’ decisions? Audit materiality provides the answer. It is a boundary, like white stripes on a basketball court.

That boundary, however, is not precise. The white stripes are different for each audit. Why? Because materiality is judgmental. The boundary is based on what is important to financial statement users. And different users focus on different information.

In one audit, the benchmark is total revenues. In another, it’s total assets. And what is a benchmark? It’s what’s most important to the financial statement users. Once the benchmark is chosen, auditors apply a percent to it to compute materiality. For example, one percent of total assets.

Additionally, qualitative factors, such as risks of the client, play into materiality, but auditors need a clearly defined boundary. That’s why materiality is a number, not a feeling. Auditors use materiality in planning their audits; they assess the risk of material misstatement at the assertion level. It’s also used in the conduct and evaluation of evidential matter at the conclusion of the engagement, particularly in reviewing passed audit journal entries. Passed journal entries should not exceed materiality.

Once SSARS 25 is effective, CPAs should document materiality in review engagements.

So how is materiality defined?

What is Materiality in Auditing?

The Financial Accounting Standards Board provides the materiality definition as follows:

The omission or misstatement of an item in a financial report is material if, in light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item.

Interesting. This definition is not a formula such as one percent of total assets. Even so, we need clearly laid stripes, do we not? We need a number. So here we have a planning materiality definition, as well as a materiality definition for the conduct and completion of the engagement. 

So, consider that material misstatements include:

  • the omission of a significant disclosure
  • an incomplete disclosure
  • a known financial statement line misstatement
  • an unknown financial statement line misstatement
  • an unreasonable estimate

Also keep in mind that financial statement readers—management, owners, lenders, vendors—make decisions. The FASB lumps these together as a reasonable person whose judgment…would have changed if the misstatement were not present. So, what does this reasonable person look for? What omission or misstatement affects her judgment? And what magnitude of misstatement alters her decisions? The answers tell us what materiality is.

Additionally, an entity’s risks are important. One business might have a high level of debt, for example. The lender is concerned about debt covenant compliance. Another business has an inventory obsolescence issue. The owners might focus here. Risk impacts materiality for each user.

In light of a myriad of factors, the auditor’s job is to provide reasonable assurance that the financial statements are materially correct. So how do we do this? We begin by computing materiality.

Computing Audit Materiality

In order to compute audit materiality, we must first decide which benchmark is best. Examples include total revenues, total assets, and net income. We select a benchmark that is relevant to financial statement users and stable over time. Often total assets or total revenues are good choices. So what’s a poor example? Net income. Why? Because some businesses “salary out” their profits. Zero net income gives you little to work with. (Net income can, however, be appropriate for some entities.)

Once the benchmark is selected, we need to apply a percent to compute materiality. The percent is not defined in professional standards, so again, it’s judgmental. Most CPAs use percentages in materiality forms provided by third-party publishers; others create their own. Either way, auditors must provide reasonable assurance that the financial statements are fairly stated. So, materiality and the related percentages need to be sufficiently low. There are no magical percentages, but an excessively high materiality can lead to an improper audit opinion.

Moreover, materiality is proportional. For instance, a $100,000 error in a billion dollar company may not affect users’ decisions. But a $100,000 error in a million dollar company might.

Uncorrected and Undetected Misstatements

Even with a good materiality number, uncorrected and undetected misstatements can create problems.

The total of undetected errors may exceed materiality. What if, for example, materiality is $100,000, there are no uncorrected audit adjustments, but undetected misstatements of $80,000, $20,000, and $25,000 exist in receivables, inventory, and investments, respectively?  Well, an aggregate material misstatement is present.

Similarly, what if materiality is $100,000, the client refuses to post an $80,000 audit adjustment, and there are $45,000 in undetected misstatements? In such a situation, the auditor might think the financial statements are fairly stated, but they are not.

Because uncorrected and undetected errors are sometimes material, we need a cushion, a number less than materiality. Something to protect us. And what is that cushion? Performance materiality.

Audit Performance Materiality

Performance materiality is another key to ensuring your audits don’t result in improper audit opinions. This number is usually less than overall audit materiality and applies to transaction classes, account balances, and disclosures. 

AU-C 320.A14 describes performance materiality in the following manner:

Performance materiality is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in the financial statements exceeds materiality for the financial statements as a whole. Similarly, performance materiality relating to a materiality level determined for a particular class of transactions, account balance, or disclosure is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in that particular class of transactions, account balance, or disclosure exceeds the materiality level for that particular class of transactions, account balance, or disclosure.

As you can see, performance materiality calls for materiality thresholds at the transaction class, account balance, and disclosure level. Usually performance materiality is calculated at 50% to 75% of materiality. Why the range? Different risk levels for different clients. If you believe the risk of undetected misstatements is high, then use a lower percent (e.g., 55% of materiality). Likewise, if your client is not inclined to record detected errors, lower the percent. Remember your goal: the combined undetected error and uncorrected misstatements must be less than materiality—both for the statements as a whole and for classes of transactions, account balances, and disclosures. We don’t want misstatements, in whatever form, to wrongly influence the decisions of financial statement users.

As we perform an audit, we need to summarize uncorrected misstatements.

Uncorrected Misstatements

AU-C 450.11 says the following about uncorrected misstatements:

The auditor should determine whether uncorrected misstatements are material, individually or in the aggregate. In making this determination, the auditor should consider:

    • the size and nature of the misstatements, both in relation to particular classes of transactions, account balances, or disclosures and the financial statements as a whole, and the particular circumstances of their occurrence and

    • the effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances, or disclosures and the financial statements as a whole.

We need to accumulate uncorrected misstatements in a manner that allows us to judge them at these levels: classes of transactions, account balances, or disclosures and the financial statements as a whole. And this is more than just computing performance materiality and comparing it to passed adjustments. We should always ask, “Will these uncorrected misstatements adversely affect a user’s judgment?” Misstatements caused by fraud, for example, are more significant than those caused by error.

So what are the documentation requirements for uncorrected misstatements?

AU-C 450.12 requires the auditor to document:

  • The amount designated by the auditor below which misstatements need not be accumulated (clearly trivial)
  • All misstatements accumulated and whether they have been corrected
  • A conclusion as to whether uncorrected misstatements, individually or in the aggregate, cause the financial statements to be materially misstated, and the basis for the conclusion

Some identified misstatements are so small that they will not be accumulated. We call these trivial misstatements.

Audit Trivial Misstatements

AU-C 420.A2 says the following about trivial misstatements:

The auditor may designate an amount below which misstatements would be clearly trivial and would not need to be accumulated because the auditor expects that the accumulation of such amounts clearly would not have a material effect on the financial statements.

Why create a trivial misstatement amount? Efficiency. All misstatements below the trivial threshold (e.g., $5,000) are not accumulated. The auditor simply notes the trivial difference on the work paper, and she is done. No journal entry is proposed, and no other documentation is necessary. If you expect dozens of passed adjustments, then the trivial threshold should be smaller. You don’t want the cumulative trivial misstatements to become material.

Audit Materiality Summary

Now you know about materiality in auditing.

Want to become a better auditor? Then use materiality, performance materiality, and trivial misstatements in the right manner. And you’ll be well on your way.

Jul 26

Wrapping Up Audits: The Why and How

By Charles Hall | Auditing

Wrapping up audits is a chore. But today's post will help you do just that.

Do you ever have the almost-done illusion? You think you’re almost done, but you’re not—and you’re not even close. Frustrating!

What? I’m Not Done?

I remember my boss asking me, “What’s the status of the audit?” I answered, “Oh, I’m about 90% done.” But actually I was—at best—75% through. Why the miscalculation? I mistakenly thought that if the planning and transaction areas (e.g., cash) were complete, I was nearly finished. I was wrong. Wrapping up audits takes (or at least can take) a significant amount of time.

Wrapping Up Audits — An Overview

In the final stages of an audit, we are (among other things):

  • Updating subsequent events
  • Considering going concern
  • Creating final analytics
  • Providing audit entries to the client
  • Summarizing passed journal entries
  • Reviewing the file
  • Creating financial statements
  • Completing the disclosure checklist
  • Reviewing financial statements
  • Obtaining a management representation letter
  • Creating your audit opinion
  • Creating a management letter
  • Communicating control deficiencies

There is no required order for these steps. The sequence provided below is simply my normal method.

Let’s start with subsequent events.

Updating Subsequent Events

The financial statements should disclose material subsequent events such as legal settlements, the issuance of debt, the adoption of a benefit plan, or the sale of stock. And while disclosure is important, subsequent events—such as legal settlements—can affect the year-end balance sheet. Some subsequent events trigger the accrual of liabilities.

Here are common subsequent event procedures:

  • Inquire of management and company attorneys about subsequent events
  • Review subsequent receipts and payments
  • Read the minutes created after period-end
  • Review subsequent interim financial statements
  • Review the subsequent year’s budget
  • Obtain an understanding of management’s methods for accumulating subsequent event information

In performing these procedures, obtain subsequent event information through the audit report date. 

If you’ve sent attorneys’ letters asking about potential litigation, you may need to get an update to coincide with the audit report date. You want the attorney’s written response to be as close to the audit report date as possible. How close? Usually within two weeks. If there are significant issues, you may want to bring the written response through the audit report date.

Another critical issue in wrapping up audits is going concern.

Considering Going Concern

Even in the planning stage, auditors should consider going concern, especially if the entity is struggling financially. But as you approach the end of the audit, going concern should crystallize. Now you have your audit evidence, and it’s time to determine if a going concern opinion is necessary. Also, consider whether going concern disclosures are sufficient. If substantial doubt is present, then the entity should include going concern disclosures (even if substantial doubt is alleviated by management’s plans).

And what is substantial doubt? The Financial Accounting Standards Board defines it this way:

Substantial doubt about the entity’s ability to continue as a going concern is considered to exist when aggregate conditions and events indicate that it is probable that the entity will be unable to meet obligations when due within one year of the date that the financial statements are issued or are available to be issued.

So, for nongovernmental entities, ask “Is it probable that the company will meet its obligations for one year from the opinion date?” If it is probable that the entity will meet its obligations, then substantial doubt does not exist. If it is not probable that the entity will meet its obligations, then substantial doubt exists.

And what is the period of time to be considered when assessing going concern? One year from the audit report date—unless the entity is a government. If the entity is a government, then the evaluation period is one year from the financial statement date (though this period can lengthen in certain circumstances).

The going concern evaluation is one that management makes as it considers whether disclosures are necessary. 

Then the auditor considers going concern from an audit perspective. If substantial doubt is present, the auditor issues a going concern opinion. Also, if going concern disclosures are incorrect or inadequate, the auditor may need to modify the opinion.

Wrapping up audits also includes the creation and review of final analytics.

Creating Final Analytics

Auditors create planning analytics—the comparison of key numbers—early in the audit. Why? To look for the risk of material misstatement. Unexpected changes in numbers are indicators of potential error or fraud. They create questions. When unexpected variations exist, auditors plan procedures to test why. 

So, what is the purpose of final analytics? To determine whether unanswered questions still exist. Auditors want to know, given the audit evidence in hand, that the numbers are fairly stated.

What analytics should you use? Audit standards don’t specify particular analytics. Some auditors read the financial statements (when comparative periods are presented). Others review key ratios. And some compare current year trial balance numbers with the prior year. 

My final analytics are often the same as those in the beginning. For example, if my planning analytics include a comparison of trial balance numbers, so will my final analytics. Why do I use the same analytics? I want to know that the questions raised in the beginning are now answered. 

In wrapping up your audits, consider the numbers important to your clients. Many auditors—in an exit conference—provide key analytics to management and board members, such as performance indicators or liquidity ratios. Consider whether these numbers should be a part of your final (and planning) analytics. 

Now, you are ready to provide your proposed audit entries.

Providing Audit Entries to the Client

Give your audit entries to your client. Hopefully, you discussed these adjustments with your client when you discovered them. If you did, this part is easy. You’re just giving your client the entries. If not, review the proposed adjustments with the client and see if they agree.

Your client may desire to pass on (not post) some immaterial entries. 

Summarizing Passed Journal Entries

Prior to creating the representation letter, the auditor needs to summarize passed journal entries. Why? Audit standards require management to provide a written assertion regarding whether the uncorrected misstatements are material. The summary assists in that determination. 

Once you summarize the uncorrected misstatements, you should consider whether they are material. Review your audit materiality and consider whether the passed adjustments are acceptable. If material uncorrected misstatements exist, consider the effect on your opinion.

In addition to all of the above, you need to review the audit file to make sure everything is in order. 

Reviewing the File

Perform your final review of the work papers and sign off as the reviewer. All preparer and reviewer dates must precede or coincide with the representation letter date (which is the opinion date). Why? Reviews are a part of your evidential matter. Documentation—including reviews—must exist no later than the opinion date. 

See my article titled Seven Excuses for Unnecessary Audit Work Papers.

Once the audit file is ready, it’s time to create the financial statements (if you’ve been engaged to do so).

Creating Financial Statements

Larger entities usually create their own financial statements, but smaller organizations sometimes outsource this work to their auditors. 

If the auditor creates the financial statements, the following needs to occur:

  • The audit firm creates the financial statements.
  • The audit firm reviews the financial statements.
  • The client reviews the financial statements.

If you (the auditor) are engaged to create the financial statements, complete them on time. Why? Management must read and take responsibility for the financial statements prior to signing the representation letter. 

Also, the auditor’s review of the financial statements needs to be completed prior to the date of management’s representation letter. Why? All evidential matter, including the audit firm’s review of the financial statements, must be complete before the opinion is issued.

So, management and the auditor must review the financial statements before the opinion is issued. We’ll discuss the financial statement review process for auditors in a moment, but before we do, let’s take a look at completing the disclosure checklist.

Completing the Disclosure Checklist

Whether you or your client creates the financial statements, a disclosure checklist helps ensure the completeness and propriety of the notes. Remember your audit opinion covers the financial statements and the disclosures. 

Since new accounting standards are issued throughout the year, make sure you use a current checklist. Otherwise, you may not be aware of new or amended disclosure requirements.

Now it’s time to review the financial statements.

Reviewing Financial Statements

If your audit firm creates the financial statements, at least two people should be involved—one creating and one reviewing. Why? Two reasons: (1) the self-review threat (an independence issue) and (2) blind spots.

So, what is a self-review threat? It’s the idea that the person creating something (e.g., the financial statements) will not be independent in reviewing the same. Why is this a problem? Well, we are issuing an independent auditor’s opinion. That’s why we need a second-person review of the financial statements—to mitigate the self-review threat.

Additionally, a second-person review is useful in overcoming blind spots. If I create financial statements with errors, I may not see my own mistakes. I have blind spots. Such errors are often readily apparent to a second person.

See my post about reviewing financial statements on a computer screen.

Once the financial statements have been prepared and reviewed by your audit firm and your client, it’s time to obtain the management representation letter, another step in wrapping up audits.

Obtaining a Management Representation Letter

The management representation letter is usually prepared by the audit firm and is provided to the client for signing. In the letter, the client is making certain assertions regarding issues such as the following:

  • Management’s responsibility for the financial statements
  • Management’s responsibility for internal controls
  • Assurances that all transactions have been recorded
  • Whether known fraud has occurred
  • Whether known non-compliance with laws or regulations occurred
  • The effects of uncorrected misstatements
  • Litigation
  • The assumptions used in computing estimates
  • Related party transactions
  • Subsequent events
  • Supplementary information
  • Responsibility for nonattest services

The representation letter should cover all financial statements and periods referred to in the auditor’s report. If management refuses to provide the representation letter, then consider the effect upon the auditor’s report. Such a refusal constitutes a scope limitation and will usually preclude the issuance of an unmodified opinion.

Another part of wrapping up audits is creating your audit opinion.

Creating Your Audit Opinion

You’ve planned and performed your audit. 

Now you need to consider the type of opinion you’ll issue. If an unmodified opinion is merited, no problem. Use the standard opinion. But if you are going to qualify the opinion, or issue a disclaimer or adverse opinion, there’s more work to be done. Additionally, sometimes you need to add an emphasis-of-matter paragraph or an other-matter paragraph to your opinion.

Determine which opinion is appropriate. Most CPAs use sample reports from national publishing companies. Others use sample reports directly from the auditing standards. Regardless, place a copy of the sample report in your audit file. Why? Your peer reviewer—or someone else—might question your report language. Responding to such questions is much easier with the sample report in hand.

Create your opinion and have a second person review the report, comparing the opinion to the sample report. Check and recheck your wording.

Another consideration in wrap-up is whether you’ll issue a management letter. 

Creating a Management Letter

While not required, you can provide a written management letter to your audit client. Why would you do so? To add value to the audit. 

What is a management letter? Suggestions for improving the business. 

What should you include in the letter? It’s up to you (and dependent upon your observations during the audit), but here are a few examples:

  • Suggested monthly reports for the owners or management
  • Warnings regarding cyber attacks and prevention techniques
  • A suggestion that excess cash be used to pay off high interest rate debt
  • Procurement and bidding recommendations
  • A suggestion that security cameras be installed
  • Software recommendations 
  • A recommendation that all equipment be physically inspected and reconciled to the property ledger 
  • A suggestion that the company review its property insurance coverage
  • Best practices for the implementation of new accounting standards

If you provide a management letter, give the client a draft prior to issuance. Why? To avoid the embarrassment of making inappropriate suggestions—maybe they’ve already done what you are suggesting, for example. 

In addition to the management letter, you may also need to communicate significant deficiencies and material weaknesses.

Communicating Control Deficiencies

Audit standards define significant deficiencies and material weaknesses as follows:

  1. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  2. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Auditing standards require a written communication of significant deficiencies and material weaknesses.

Control deficiencies are often noted during the risk assessment process, particularly as you perform walkthroughs. 

You may also note control weaknesses as you prepare audit journal entries, especially if the adjustments are material. Errors are usually the result of weak internal controls.

Regardless of how you become aware of the control weaknesses, capture them immediately. Otherwise, you may forget them later on. Also, if control weaknesses are material, you may need to communicate them to management when they are discovered (and again at the completion of the audit).

As you are wrapping up audits, create your internal control letter based on the weaknesses noted.

Consider providing a draft of the internal control letter to management prior to final issuance. Why? To avoid potential misunderstandings. If there’s a disagreement between the client and the auditor, it’s best to clear the issue prior to final issuance of the internal control letter.

One other suggestion: if there are sensitive issues, the senior audit team member (usually the engagement partner) should make this communication. It’s a time to speak the truth with tactfulness—and experience helps.

I started this chapter by saying that wrap-up can take a significant amount of time. As we have seen, there is much to be done in this closing stage of the engagement. 

Wrap Up Procedures in Auditing - A Simple Summary

Here’s a summary of wrap up procedures in auditing:

  • Perform subsequent event procedures to ensure that all relevant information is included in the financial statements 
  • Consider whether going concern disclosures are necessary and, if required, complete; also consider the need for a going concern opinion
  • Create final analytics and determine if all significant variations in the numbers have been addressed
  • Provide proposed audit entries to the client 
  • Summarize and review all passed journal entries to ensure that material misstatements are not present
  • Review the work paper file 
  • Create the financial statements (if you have been engaged to do so)
  • Complete a current disclosure checklist
  • Review the financial statements 
  • Obtain a signed management representation letter 
  • Create your audit opinion 
  • Create a management letter 
  • Communicate significant deficiencies and material weaknesses 

There you have it: the wrap-up process. Now, when your boss asks, “what’s the status of the audit?” you can say, “I’m at 90 percent”—and be sure of it.

This post is a part of a series of articles titled The Why and How of Auditing. Check it out. The series is also available as a book on Amazon. Be one of the thousands who have purchased this resource. You'll find it useful as a partner or a staff member.
