Accounting and Auditing Archives

Oct 31

AICPA Consulting Standards – The Swiss Army Knife

By Charles Hall | Accounting and Auditing

In this post, I tell you how to use the AICPA Consulting Standards (Statement on Standards for Consulting Services). I will also compare AUP engagements with consulting engagement options.

Are you ever asked to perform unusual engagements? Such as a report of a city’s water loss. Or a review of billing and receipts internal controls. Or maybe a test count of widgets in the Macon, Georgia warehouse.

When such requests are made, you might wonder “what professional standards should I follow?” Often the answer is the AICPA Consulting Standards.

AUP or a Consulting Engagement?

Regarding new and unusual engagements, I am sometimes asked, “Should this be an agreed-upon-procedures (AUP) engagement or a consulting engagement?”

My answer: It depends.

Allow me a moment to compare AUPs with Consulting engagements, and then I’ll explain what the decision hinges upon.

Agreed Upon Procedures Engagement

First, consider the AUP option.

AUPs are mainly composed of the following:

Procedures
Findings

You perform the procedures in relation to assertions made by a responsible party.

An example of a procedure and finding follows:

Procedure – Agreed all January 2020 disbursements greater than $20,000 to checks that cleared the bank statement; compared the payee on each check to the payee per the check register.

Finding – All check payees agreed with the exception of check 2394 for $45,000. The payee for this check was I. Cheatum, and the check register reflected a payment to King’s Supply Company.

Additionally, independence is required.

CPA Consulting Engagement

Second, we’ll consider the consulting engagement option.

A consulting engagement is less precise than an AUP and does not necessarily follow the procedures/findings format. There are no specific reporting standards for a consulting engagement, so a CPA can more easily design the engagement to meet various needs. The consulting standards are more flexible than the attestation standards. And this flexibility enables you to be more creative in designing the engagement.

Assertions by a responsible party are not required under the consulting standards.

Moreover, independence is not required.

A consulting report might address the following:

Reading of minutes
Interviews of individual employees
Flowcharting of internal controls
Summary of production statistics
Narrative of business goals and enterprise risks

As you can tell, there are no procedures and findings (though you are not prohibited from doing so). Most CPAs usually perform AUPs when there are specific procedures.

The Best Option

So which is better? An AUP or a consulting engagement?

I’ll say it again: It depends. On what? Third party reliance.

Consider the following:

Will there be external parties (e.g. creditors) placing reliance on the report?
Is the purpose of the report to add credibility to the information (by having the CPA attest to procedures and findings)?

If the answer to either of these questions is yes, then consider the AUP option. Why? The Attestation Standards–the guidance for AUPs–are more defined and rigorous. And AUP procedures tend to be more specific than those in a consulting engagement.

If no third party reliance, then a consulting engagement may be the better option. Always ask, “Who will receive the report?” You need to know who will read and potentially place reliance upon the report. Then design the work product accordingly.

Litigation Exposure

Are consulting engagements riskier than AUPs? Generally, yes. At least, in my opinion.

The safer option is to perform an AUP. In such engagements, you are asked by the client to perform particular procedures. This specificity lowers the risk of potential litigation as it relates to your work product. The flexibility of a consulting engagement, while helpful in designing creative deliverables, can be riskier because of the lack of specific client requirements.

Now, let me provide you with an overview of the Consulting Standards. As you read this primer, consider how flexible the guidance is.

AICPA Consulting Standards Primer

You might call the AICPA Consulting Standards the CPA’s Swiss army knife. Why? Because of the diversity of services you can perform.

What services fall under these standards?

The consulting standards specifically address six areas:

Consultations – e.g., reviewing a business plan
Advisory services – e.g., assistance with strategic planning
Implementation services – e.g., assistance with a merger
Transaction services – e.g., litigation services
Staff and other support services – e.g., controllership services
Product services – e.g., providing packaged training services

CPAs often provide consulting services such as the following:

Consultations with regard to complex transactions
Fraud investigation services
Internal control services
Bankruptcy services
Divorce settlement services
Controllership services
Business plan preparation
Cash management
Software selection
Business disposition planning

Now, let’s review the characteristics of consulting engagements.

Characteristics of a Consulting Engagement

The characteristics of a consulting engagement include the following:

Generally nonrecurring
Requires a CPA with specialized knowledge and skills
More interaction with client
Generally performed for the client (usually, no third party sees the information)

But, what are the workpaper requirements for a consulting engagement?

Consulting Workpaper Requirements

Consulting workpaper requirements are minimal. Nevertheless, documentation is always wise.

The understanding with the client can be oral or in writing (I recommend the latter).

The consulting standards do not require the CPA to prepare workpapers, but you should do so anyway. The workpapers are the link between your work and your report. Also, the general standards of the profession, contained in the AICPA Code of Professional Conduct, apply to all services performed by members. The general standards state:

Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.

By now, you’re probably thinking the Consulting Standards sound easy, I’ll bet the reporting requirements are challenging. Not so, my friend.

Consulting Reports

A report is not required, but if one is provided, the client and CPA determine the content and format. How’s that for flexibility?

No Opinion or Accountant’s Report

For consulting engagements, the CPA does not issue an opinion or any other attestation report.

Subject to Peer Review?

Are deliverables created under the Consulting Standards subject to peer review? No.

Where Can I Find the AICPA Consulting Standards?

Here are the AICPA Consulting Standards. They are only a few pages long.

AICPA Consulting Standards Summary

The Consulting Standards provide us with a breath of options, enabling you and I to craft services and reports in the manner desired by our clients. This is one Swiss army knife that I will continue to use.

Oct 25

Audit Walkthroughs: The Why and How

By Charles Hall | Accounting and Auditing , Risk Assessment

What is the purpose of audit walkthroughs? How do you document walkthroughs? Is it better to use checklists, flowcharts or summarize narratively? How often should walkthroughs be performed? Are they required? Will a walkthrough allow me to assess control risk at less than high?

In this post, I answer these questions about one of the most important risk assessment procedures: walkthroughs. I share techniques I’ve used for over five years. They work for me, and they will work for you.

Let’s dive right in.

What are Audit Walkthroughs?

Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of how a transaction makes its way through the accounting system and about related internal controls.

As we perform a walkthrough, we:

Make inquiries
Inspect documents
Make observations

By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors or fraud to occur. Audit standards do not permit the use of inquiries alone. Observations and inspections must also occur.

Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. In other words, the auditor can’t default to high. Risk assessment procedures are required.

What is not an Audit Walkthrough?

Following a transaction through the accounting system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they have been implemented and to see if they are properly designed.

Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While manuals tell you what the client intends to do, they don’t tell you what is occurring. In other words, they don’t answer the implementation question.

Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire.

Internal Controls Documented in Prior Audits

In some situations, AU-C section 315 allows the auditor to rely on audit evidence obtained in prior periods. In those situations, the auditor is required to perform audit procedures to establish the continued relevance of the audit evidence obtained in prior periods (for example, by performing a walkthrough).

Here’s what AU-C 315.A20 says about prior year audit information used in the current year:

Paragraph .10 requires the auditor to determine whether information obtained in prior periods remains relevant if the auditor intends to use that information for the purposes of the current audit. For example, changes in the control environment may affect the relevance of information obtained in the prior year. To determine whether changes have occurred that may affect the relevance of such information, the auditor may make inquiries and perform other appropriate audit procedures, such as walk-throughs of relevant systems.

Why Audit Walkthroughs?

Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk. It’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated–and too important. So there’s no getting around it. The walkthrough—or something like it—must be done. Why? We’re gaining an understanding of risks and responding to them. We’re developing our audit plan. Screw up the plan, and we screw up the audit.

What is the purpose of the walkthrough? Identification of risk—specifically, the risk of material misstatement. Once we know the risks, we know where to audit.

Walkthroughs and Lower Control Risk Assessment

Usually, audit walkthroughs are not sufficient to support lower control risk assessments (those less than high). If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t prove operating effectiveness.

Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control. Why? Computer controls are usually consistent.

An auditor can determine whether a control has been implemented with a test of one transaction. Effectiveness, on the other hand, normally requires a test of transactions. For example, a test of 40 transactions for appropriate purchase orders.

Audit Walkthrough Documentation

While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my favorite is a narrative mixed with screenshots.

So how do I do this?

I interview personnel. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes may require several interviews.

Early on, I may not know how each person’s work fits into the whole. It’s like gathering puzzle pieces. The interviews and information may feel random, even confusing. But, later, when you put the parts together, the picture speaks more clearly. Then, you’ll understand the accounting system and control environment.

My Audit Walkthrough Tools

I document the conversations using:

A Livescribe pen
My iPhone camera

Taking Notes

Using a Livescribe pen, I write notes and record the conversations.

I begin the interview by saying, “Tell me what you do and how you do it. Treat me as if I know nothing. I want to hear all the details.” (For sample transaction-level walkthrough questions, see my audit series titled The Why and How of Auditing.)

As I listen, I write notes. At the same time, my Livescribe pen records the audio. Later the conversation can be played from the pen. (For more information about Livescribe, see my article: Livescribe, Note Taking Magic (for CPAs). )

Click the pen below to see Livescribe on Amazon.

I find that most interviewees talk too fast—at least faster than I can write. As I’m writing about the last thing they’ve said, they are moving to the next, and I fall behind. So I write simple phrases in my Livescribe notebook such as:

Add vendor
Charlie opens mail
P.O. issued by Purchasing
Checks signed by the computer

Later, as I’m typing the walkthrough narrative, I touch the letter “A” in “Add vendor” with the tip of my pen (I’m doing so in my Livescribe notes). This action causes the pen to play the audio for that part of the conversation. Likewise, touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play that part of the discussion. Since the audio syncs with my notes, I can hear any part of the discussion by touching a letter with my pen.

Taking Pictures

In addition to writing notes in my Livescribe notebook, I take pictures with my iPhone. Of what? Here are examples (from a payables interview):

Invoice with approver’s initials
Screenshot of an invoice entry
If several people are processing invoices, I take a group picture of them at their desks
A signed check
The bank reconciliation

So my inputs into the walkthrough document are as follows:

Livescribe notes and audio
Photos of documents and persons

Audit Walkthrough Summary

I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:

Narrative
Pictures
Control identification
Control weakness identification

Why identify control deficiencies in the walkthrough? So I can link them to my risk assessment summary. The system’s weaknesses tell me where risks exist.

Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So, at the top of the transaction cycle description, I name the persons I interviewed and the date of the conversation. For example:

Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2019.

Look Beyond the Normal Client Procedures

It’s easy for clients to tell you about normal procedures, but they may not think about unusual situations such as the absence of an employee or how errors are corrected.

Always ask who performs control procedures when a key person is out. Why? If someone can—even though they don’t normally—perform key controls, you need to know. Why? Such a situation can lead to fraud. For example, if a person does not normally issue checks but can, and that person also reconciles the bank statement, he might issue fraudulent checks. He knows the theft will not be detected through normal controls–in this case, the bank reconciliation.

Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John is on vacation?”

Additionally, ask how errors are corrected. When things go wrong (and they sometimes do), you want to know how they are made right.

Identification of Controls and Control Weaknesses

As you write your narrative of the accounting system and controls, highlight both controls and control weaknesses.

I note appropriate controls as follows:

Control: Additions of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.

I note control weaknesses as follows:

Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account.

Response to Risk of Material Misstatement

The control weakness created by Johnny Mann’s duties increases the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:

Review one month’s cleared checks for appropriate payees.

How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate.

Communication of Internal Control Weaknesses

Though this article focuses on planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.

The words Control Weakness (as shown above) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies so I can track the disposition of each one. Each weakness is a:

Material weakness
Significant deficiency, or
Other weakness

I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers).

See my article about classifying control weaknesses.

Audit Walkthrough Frequency

How often are walkthroughs required?

Answer: Once per year, if this is how you corroborate your understanding of the cycle. While walkthroughs are not specifically required in the audit standards, you do need to verify your understanding of the accounting system and related controls. And I know of no better way.

AICPA Guidance on Walkthrough Frequency

TIS Section 8200.12, as issued by the AICPA, states the following:

Inquiry—AU section 314 (now AU-C 315) requires the auditor to obtain an understanding of internal control. An auditor might perform walkthroughs to confirm his or her understanding of internal control. If the auditor decides to use walkthroughs to confirm his or her understanding of internal control, how often do walkthroughs need to occur?

Reply—In accordance with AU Section 314 (now AU-C 315), the auditor is required to obtain an understanding of internal control to evaluate the design of controls and to determine whether they have been implemented. To do that, performing a walkthrough would be a good practice. Accordingly, auditors might perform a walkthrough of significant accounting cycles every year [emphasis added].

If we’ve documented walkthroughs in prior years, then we need to do so again in the current year to prove the continuing relevance of the audit documentation.

The Value of Walkthroughs

Walkthroughs tell us where risks are so we can plan our engagements to detect material misstatements.

Additionally, they allow us to add value to our audits. Clients want more than just an opinion. They desire to keep assets safe and to maintain accurate records. Well written management letters that highlight control weaknesses allow you to do just that. Time to start walking.

For additional information about risk assessment, see my article Audit Risk Assessment: The Why and How.

Also, see my new book: Audit Risk Assessment Made Easy. Click the book below to see it on Amazon:

Oct 04

Correction of an Error in Financial Statements

By Charles Hall | Accounting and Auditing

A correction of an error--also referred to as a prior period adjustment--is sometimes necessary. But when should such a correction be made? And are there situations where a prior period adjustment is improper?

Below I explain what a correction of an error is, when it's appropriate, disclosure requirements, and implications for auditors.

Correction of an Error

In comparative statements (when two or more years are presented), the correction of a prior period error affects the prior period financial statements and opening balances in the current year. In single-year statements, the correction affects opening balances. Here's an example.

If Mountain Bikes, Inc. failed to accrue it's last two weeks’ payables in the prior year, a correction might be needed. Why do I say might? Well, if the amount is not material, then the correction of the error may not be required. If the amount is material, then a correction is necessary.

Suppose you are auditing the financial statements of Mountain Bikes, Inc. for the year ended December 31, 2019, and you discover an error made in the December 31, 2018 financial statements. December 31, 2018 payables of $1 million were not accrued (and the amount is material). In this example, the invoices supporting the $1 million error existed and were on hand during last year’s audit, but, for whatever reason, the amount was not accrued. And the misstatement was not detected by the audit. Now, it's necessary to make a prior period adjustment.

If Mountain Bikes, Inc. provides comparative financial statements, the restated 2018 numbers must reflect the additional $1 million in payables and expenses. This adjustment will of course decrease net income for 2018 and retained earnings. So opening retained earnings (January 1, 2019) will decrease $1 million. The adjustment should not affect net income in 2019.

Before suggesting any corrections, discuss them with your audit client.

Discuss the Error with Management

It’s time to discuss the error with management or the owners. Why? You want to make sure the error is real. If management disagrees, they will tell you, and they will provide an explanation. But if management agrees, it’s time to propose a prior period adjustment (technically referred to as a restatement in the FASB Codification).

Correction of Error Defined

FASB defines a correction of an error as follows:

An error in recognition, measurement, presentation, or disclosure in financial statements resulting from:

mathematical mistakes,
mistakes in the application of generally accepted accounting principles (GAAP), or
oversight or misuse of facts that existed at the time the financial statements were prepared.

Correction of an Error Disclosures

If Mountain Bikes, Inc. presents single year financial statements, the prior period adjustment affects just the opening balance of retained earnings (January 1, 2019, in this example). The company should still provide a disclosure explaining the prior period adjustment.

What should be in the note?

Provide a description of the nature of the error. For example, "The Company failed to record $1 million in payables as of December 31, 2018."

When comparative statements are provided, disclose the prior year numbers compared to the corrected numbers for each affected financial statement line items. (Consider displaying three columns: the uncorrected numbers as stated previously, the corrected numbers, and the difference.) FASB specifically requires disclosure of changes to retained earnings or other equity accounts for each prior period presented.

If a single period financial statement is issued, disclose the effects of the restatement on beginning retained earnings and net income from the preceding period.

Correction of Errors and Auditing

If you are the auditor, consider whether the error was intentional (fraudulent). What if, for example, the recording of the 2018 payables would have adversely affected the company's compliance with debt covenants? Then the understatement of payables may have been intentional.

Regardless, now that the misstatement is known, a prior period adjustment is necessary. Either management makes (accepts) the adjustment or you will need to qualify your opinion. Or, depending on the facts, withdrawal might be necessary. If the prior period adjustment is not made, you may need to contact your attorney and insurance company.

Additionally, if fraud is suspected in the prior period (2018, for example), it will have a bearing on the current year planning and risk assessment. You may be thinking, “But what if I discovered the error while performing the 2019 audit?” In other words, this potential fraud was not known during your 2019 audit planning. What then? Return to your audit plan and adjust accordingly. The audit plan is not static. It is living. The plan should reflect the facts, regardless of when they are discovered—in the early stage of the engagement or later.

If you believe the prior year misstatement was intentional (fraudulent), then incorporate this element in your current year audit planning and responses.

When a Prior Period Adjustment is not Merited

Sometimes an error in a prior period does not merit a prior period adjustment. For example, suppose the allowance for uncollectibles as of December 31, 2018 was adequate based on the facts that existed when the financial statements were created. However, in August 2019 (after the issuance of the 2018 statements) the company realizes it will not collect a material 2018 receivable, one that was previously believed to be collectible. Now what? Well, the allowance for uncollectibles should be adjusted in August 2019. A prior period adjustment should not be made. Changes in estimates are prospective.

Sometimes a company might desire a prior period adjustment though one is not merited. Why? It’s a way to sweep problems under the rug. Consider the example in the prior paragraph. If the company incorrectly records the bad debt as a restatement of the January 1, 2019 retained earnings, the expense does not appear in the 2019 income statement. Now, if a single-year presentation is provided, the bad debt expense does not appear in the 2018 or 2019 income statements. Consider that bonuses may be based on net income. If so, this slight of hand could result in extra (fraudulent) compensation.

A prior period adjustment might be desired for other reasons as well. Maybe the owners are sensitive to net income or management doesn’t want the embarrassment of declining net income.

Whatever the reason, a correction of error should be made only when required by generally accepted accounting principles.

Sep 26

Internal Controls: How to Understand and Develop

By Charles Hall | Accounting and Auditing , Risk Assessment

Many CPAs don't understand internal controls. Sure, we know that segregation of duties is a positive, but we are sometimes unaware of internal control weaknesses though they lie right before us. Why is this? Well, there are about a million ways that an accounting system can be designed, and no two businesses are the same. So seeing control weaknesses can be challenging.

If you work for a business, you need to understand controls so you can build a safer accounting system.

If you are an auditor, you need to understand controls so you can appropriately design your audit.

Today, I show you how to design an accounting system with sound internal controls. And if you are an auditor, you'll better understand how to see control weaknesses. We'll start with the COSO framework and later we'll examine the importance of separation of duties.

The focus of this article is building an internal control structure that ensures financial statement accuracy and prevents fraud.

COSO Internal Control Framework

COSO provides a framework for developing internal controls. Think of this framework as your ecosystem to ensure a healthy internal control system. The five elements of the framework are:

Control environment
Risk assessment
Control activities
Monitoring
Communication and information

Though accountants and auditors tend to focus on the third element, control activities, all five are important in the development of a sound internal control system.

1. Control Environment

Control environment is often referred to as tone at the top. It's the leadership part of the organization, and it's here that internal controls live or die.

If you are a board member, demand internal control reports from management. Those reports should explain the organization's processes and controls as well as monitoring activities. In other words, management should demonstrate not only that controls exist, but that they are working.

My experience with boards is they often don't think about internal controls until it's too late. When fraud happens, then the board wants to know how it happened and why. Boards need to know what is happening and why, before theft occurs. Then they can devote enough resources---hire the right people with the right experience--to ensure system development and monitoring.

Developing a strong internal control system is an ongoing process. Companies need to constantly evaluate their accounting system and its operation. How? First, by performing risk assessments.

2. Risk Assessment

An organization should determine if its accounting system allows misstatements. How? By examining the various transaction cycles such as billing and receipting; payables and disbursements; and payroll. As you examine each transaction cycle, ask what can go wrong? Then create controls to address accounting system weaknesses.

Are daily receipts being reconciled to the general ledger? If not, then develop a control requiring that this be done. Are new vendors vetted for appropriateness? If not, require procedures to ensure the propriety of new vendors. (My book, The Why and How of Auditing, provides lists of questions to ask by transaction cycle. You'll find it on Amazon.)

The risk assessment process naturally leads to the develop of appropriate controls. Once you know what can go wrong, you fix it by developing a control. This is the third element of COSO: control activities.

3. Control Activities

Control activities is the core component of internal controls. This is where the action is, where you develop your controls. The other four components of COSO (control environment, risk assessment, monitoring, and communication) support this central core. Examples of control activities include:

Bank reconciliations
Purchase orders
Signatures on checks by authorized personnel
Review of cash receipting activity by the receipts supervisor (after cash drawers are balanced at the end of a shift)
Periodic physical inventories of plant, property, and equipment
Reconciliation of debt in the general ledger to amortization schedules

In risk assessment, we determine what could go wrong? Now we create a control to lessen the risk that the event could occur. For instance, with regard to cash, we might think, "cash balances could be incorrectly stated." Therefore, we implement a control--bank reconciliations--to ensure correctness.

Separation of accounting duties is important in regard to control development. We'll discuss that area in more detail below.

4. Monitoring

Once controls are in place, you want to monitor them to ensure their use. What good is a control if it is not performed? An example of monitoring is having a supervisor inspect bank reconciliations to ensure that they were created (and that they are correct).

So, the idea here is you develop internal controls and then monitor them. Why? To ensure the control is in use and that it is performed correctly.

Next, document the accounting system and controls to make them understandable.

5. Communication and Information

In the fifth COSO element, we are documenting the internal control system. You can document the controls in several different ways including:

Memos
Flowcharts
Formal manuals
In Excel workbooks
Mindmaps

Which is best? That depends on the complexity of your system. Small organizations can use simple memos. Large entities should create formal manuals.

What is the goal? To make sure everyone understands how controls work and the reason for their existence.

In many organizations (especially smaller ones), controls are never written down. They are passed down. What do I mean? When a new accountant is hired, he or she is told what to do. Often there is no manual explaining procedures and controls. These oral instructions may not explain why internal controls are performed or how they interact with other parts of the accounting system. Consequently, new employees blindly follow oral instructions without understanding their importance. Worse yet, some don't perform the controls at all.

An added benefit of documenting controls is it makes system weaknessses more transparent. For instance, if you are documenting your accounts payable system, you might realize that an inappropriate person can add vendors. Or you might see that the payables process lacks segregation of duties.

Now let's take a look at a key feature of developing an internal control system: separation of accounting duties.

Separation of Accounting Duties

In the third COSO element above (control activities), we mentioned separation of accounting duties (also known as segregation of duties). What is this? It's dividing accounting responsibilities among multiple people in order to enhance safety. More eyes equals greater safety. Why? Well, if a mistake or theft occurs, it is more likely to be seen.

There are four actions that are performed in most accounting transaction cycles. They are:

Authorization
Bookkeeping
Custody
Reconciliation

A potential fraud danger exists when one person performs two or more of the above. For example, if Mark enters payments in the accounting system (bookkeeping) and signs checks (authorization), there is a threat that Mark will write checks to myself--especially if he knows that no one compares cleared checks to the general ledger.

The determination of whether danger exists is dependent on the full picture. If Mark knows that Joan--the person reconciling the bank statement--compares cleared checks to the general ledger and that she reviews the payee's on each check, then the danger of theft goes down. If Joan just compares the amount on the bank statement to the general ledger (and does not review the payee on the cleared check), the danger increases.

If all four of the above actions are performed by one person, then a significant control weakness exists. Auditors call this a material weakness. In such situations, it's advisable to include additional personnel in the accounting system. Why? So duties can be separated among various people.

Some companies are unable create separation of duties. Why? There may not be enough people to do so (it's hard to segregate duties with only one person in accounting) and it costs money to hire additional personnel. Without a sufficient number of people, it is difficult to design a safe environment. Even so, there are still ways to make your accounting system safer.

Financial Statement Misstatements

There are two ways that financial statements can be misstated: one is by mistake, and the second is intentionally. The first is just part of being human, the second is fraud. We need a system that reduces both threats.

Misstatements Due to Mistakes

We all make mistakes. Entries are coded to the wrong chart of accounts line. We forget to enter an invoice in payables. We fail to reconcile our bank accounts. We use inappropropriate revenue recognition methods.

How do we become aware of our mistakes? By review. These reviews are performed by the person that does the initial accounting work and by others--a supervisor, for example. The supervisor's review is an internal control.

Some accounting systems point out our errors in real time. For example, if I try to enter the same invoice twice, the system will tell me. The accounting system notice is an internal control.

So, internal controls can involve both humans (the review) and computers (input notices). The purpose of each is to ensure the correction of errors.

Misstatements that are Intentional

Sometimes companies intentionally misstate their numbers. Why? Usually to make themselves look better than they are. If profits are declining, the CEO or CFO might pressure the staff to create fictitious entries. Consider that an organization can make one journal entry on the last day of a year to inflate it's profits such as:

Dr. Cr.

Receivables 10,000,000

Revenue 10,000,000

This is an example of financial statement fraud. Know that there are hundreds of ways that financial statement fraud can occur. Also understand that when assets are stolen from a business, fraudsters often hide theft with false accounting entries.

In developing internal controls, you want to create a system that prevents these types of intentional misstatements. Even when a good accounting system exists, management override is always a concern. Consider the WorldCom fraud. What is management override? It's when management forces staff members to ignore internal controls and perform inappropriate procedures.

Closing Comments

Now you have a better understanding of internal controls.

If you work for a business, nonprofit, or government, make your system better by applying these ideas.

If you're auditor, use the above to assist you in your risk assessments and walkthroughs. (See my article about documenting your walkthroughs.)

Aug 05

Independence in Attest Engagements

By Charles Hall | Auditing , Preparation, Compilation & Review

Independence in attest engagements in critical.

Peer reviewers continue to focus on independence documentation. Today I’ll provide you with examples of what peer reviewers are looking for and guidance to keep you out of hot water.

Documentation of Nonattest Services

Peer reviews focus upon nonattest services provided to attest clients. How do we know? Well, see the peer review checklist question below (for an attest engagement).

The big “no-no” is to assume management responsibilities and then perform an attest service. Why? Performing management responsibilities impairs your independence.

Preparing Financial Statements

Below is another question from the peer review checklists. Notice the first item below: Accepting responsibility for the preparation and fair presentation of the client’s financial statements. The client (not the auditor) must assume responsibility for the financial statements.

If the client can’t–or is unwilling to–assume responsibility for the financial statements, then we are not independent, and we cannot perform an audit or a review. This assumption of responsibility does not mean the client has the ability to create financial statements, but it does mean that:

that the client will oversee the nonattest service,
the client will evaluate the adequacy and results of the nonattest service, and
the client will accept responsibility for the nonattest service

If we prepare financial statements and perform an audit, review, or compilation, we have performed a nonattest service and an attest service. Why is this important? Because if we perform a nonattest service and an attest service for the same client, we must assess our independence. And if we are not independent, then we can’t perform an audit or review engagement. (It is permissible to perform the compilation engagement when independence is impaired, but the accountant must say–in the compilation report–that he is not independent.)

Separate Form to Document Independence

So do we need a separate form in our file to document independence?

It certainly would not hurt, and I suggest that you do. PPC and CCH offer such forms (and I am sure other work paper providers do the same). These forms provide a place to document all nonattest services and to assess and document our client’s ability to assume responsibility for the nonattest services.

The PPC and CCH forms also address the cumulative effect of performing multiple nonattest services. The AICPA has stated that the performance of multiple nonattest services can impair independence. So you should document your consideration of whether the cumulative nonattest services create a problem. Peer review checklists ask if we documented this consideration.

Additionally, if significant threats are present, the accountant should document the safeguard(s) used to mitigate the risk. This documentation is particularly crucial in Yellow Book engagements. The PPC and CCH independence forms will assist you with this documentation. Below are peer review checklist questions:

Alignment in Independence Documentation

We should–in the engagement letter–specify the nonattest services and the responsibilities of management. If you are performing an audit or a review engagement, add additional language to the representation letter regarding the nonattest services performed and the client’s responsibility for those services.

So I am suggesting you document the nonattest services in three places:

Engagement letter,
Independence form, and
Representation letter (when relevant)

And when you do, please make sure the nonattest services listed in each document are the same.

Nonattest Services and Independence

Here’s a video that explains nonattest services and how to document your independence in regard to them.

« Previous 1 … 17 18 19 20 21 … 27 Next »

Category Archives for "Accounting and Auditing"