Category Archives for "Accounting and Auditing"

Feb 03

Tips for Communicating with a Predecessor Auditor

By Charles Hall | Auditing

Communicating with a predecessor auditor can be trying. Even so, audit standards require that you (at least try to) contact them. 

After not sufficiently vetting a potential new client and paying the price for it, I can tell you, “This part of client acceptance is crucial.” You can avoid many headaches. 

In this article, I tell you when to make contact, what inquiries to make, what responses you might receive, how to document the conversations, and how reviewing predecessor work papers will help you audit opening balances. 

Let’s start with an example conversation between the prospective and predecessor auditors.

Example Conversation with Predecessor Auditor

“Hi Bill, I am Charles Hall of Johnson & Hitchcock CPAs. I am calling about the 2024 audit of Bird Lighting. They said they would contact you and authorize this conversation. Have they done that?”

“Yes, we heard from them last week. I can respond to your questions.”

So, I ask, “Have there been any illegalities or noncompliance issues you’ve encountered previously?” His response is a hesitant no. I sense Bill is not happy to talk with me (which I understand–we’ve been cross-town competitors for over a decade). He’s responding but is not volunteering any additional information. Probing further, I question the company’s financial condition. Bill admits to cash flow troubles, causing difficulties in compensating accounting staff. 

Now, I’m wondering if they have competent accountants. 

I ask, “How many journal entries did you propose last year, and were there any disagreements about those?” And he responds, “about 35.” He hesitates before disclosing that a heated debate preceded the posting of two material entries.

We discuss other matters before arranging a meeting to examine their work papers. Bill says, “We’ll make the prior year’s work papers available for viewing in our office on May 4 at 10:00 a.m. You can request copies of work papers, but we reserve the right to refuse. For example, we don’t give copies of our walkthroughs or risk assessments. We’ll also ask that you sign a letter stating that you will not use this information in any way that might harm our firm.”

Now that we’ve visited a typical predecessor auditor conversation, let’s see what the audit standards say about this.

When to Initiate the Conversation

The auditor should initiate this communication before being engaged to perform the engagement.

Why? Because you want to be aware of any potential problem areas before you accept the engagement. For instance, if management is unethical, you want to know that. If management has used fraudulent accounting, being aware of such practices is to your advantage. Consequently, audit standards necessitate communication before the auditor is engaged.

Contacting the Predecessor Auditor

You should initiate communication with the predecessor auditor and make inquiries according to AU-C 210, Terms of Engagement. Such inquiries should include potential fraudulent activities involving management or employees and noncompliance or suspected noncompliance with applicable laws and regulations. Those inquiries might also include asking if the predecessor knows why the auditee is making the change in auditors. 

Additional potential problem areas include:

–leadership integrity issues

–combative attitudes

–financial problems

–lack of client responsiveness to requests for information

–excessive number of audit adjustments

–client expectations that you do additional work without compensation

–management override of controls

–disagreements over audit fees

Before establishing contact, the company’s management must authorize the predecessor auditor to respond to the successor auditor’s inquiries. If the potential client does not permit this communication, think twice about doing this audit. 

A prospective auditor can make a proposal to do the audit before contacting the predecessor auditor, but can’t accept the engagement (it’s not final) until they have communicated with the predecessor auditor. 

Not communicating with the predecessor auditor can be equivalent to walking into a minefield when anticipating a leisurely hike. The more you know as you accept a new client, the better. 

The Predecessor Auditor’s Response

Sometimes, the predecessor will not respond, as though you don’t exist. (Makes me think, “E.T., phone home.”) Why? They are probably unhappy that you’ve just taken a client from them. That’s understandable. It may not be professional, but again, it’s understandable. (This is what makes these conversations so difficult.)

The predecessor auditor is to be timely in their responses. 

Limited Responses

Other times, the predecessor might give you a limited response. You might think this when there are conversational pauses or stammerings. Such hesitations might indicate that you need to tread carefully and consider whether you should accept the client. For example, is the predecessor privy to information that would be useful to you but potentially damaging to them (i.e., the company sues them for slander)? Sometimes, you don’t know. 

Additionally, the predecessor auditor sometimes provides a limited response due to extenuating circumstances, such as pending litigation. In that case, they should say their response is limited per AU-C 210, Terms of Engagement.

Now, let’s think about evaluating the responses. 

Evaluate the Responses

The successor auditor should evaluate the implications of the responses received (or not received) and document that information in the audit file. Why? One reason is peer reviewers look for predecessor auditor communication in an initial audit file. You need to prove you at least tried to initiate a conversation.

There’s little you can do when a predecessor auditor is nonresponsive. Even so, document your attempts to communicate. For example, include copies of letters and emails in your audit file. 

If the predecessor does respond, consider asking to see their prior year’s audit work papers. 

Reviewing Predecessor Audit Work Papers

A customary request by a potential successor auditor pertains to accessing predecessor auditor work papers. Viewing those work papers facilitates verification of opening balances for your new audit if you accept the engagement.

By the way, it is usual for the predecessor to ask you to sign a letter saying that you’ll not use the prior year’s work papers in any manner that might harm them, which is a reasonable request. 

The predecessor decides whether you can see any work papers and what they will allow you to review. They might not provide, for example, their walkthroughs. Why? Because it takes a great deal of time to create these, and they may not want to give their competitor free work.  

Summary

Not only do professional standards require you to contact the predecessor auditor, but it’s the better part of wisdom for you to do so. No, it’s not a fun process, but you’ll be glad you did. Your peer reviewer will also be happy you followed the audit standards. 

In June 2022, the AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 147, Inquiries of the Predecessor Auditor Regarding Fraud and Noncompliance With Laws and Regulations. It is effective for periods beginning on or after June 30, 2023.

Client Acceptance and Continuance
Feb 01

Client Acceptance: How to Do It Right

By Charles Hall | Auditing

Client acceptance and continuance may be the most critical step in an audit, but it’s one that gets little attention. A prospective client calls saying, “Can you audit my company?” and we respond, “sure.” While new business can be a good thing, relationships need appropriate vetting. Not doing so can lead to significant (and sometimes disastrous) consequences.

New Relationships

My daughter recently met a young man on Instagram. Not unusual these days. But now the relationship is entering into its third month. They talk every day for two or three hours. So far, they have not been in the same room—and not even in the same city. Skype, yes. Physical presence, no. That’s happening at the end of this month. (He lives eight hours away.)

So what do Mom and Dad think about all of this? Well, it’s fine. My wife checked him out on Facebook (I know you’ve never done this). And my daughter has told us all about the “fella” and his family. We like what we’re hearing. He has similar beliefs. He has a job (Yay!), and he has graduated from college. His family background is like ours.

Why do we want to know all the details about the young man? Because relationships impact people—my daughter, the young man, his family members, and yes, my wife and I. We want everyone to be happy.

Client Acceptance 

And that’s what good relationships create. Happiness. The same is true with clients. As Stephen Covey said, “think win, win.” When the customer wins, and your CPA firm wins, everyone is happy. Mutual needs are met.

Careless CPAs accept business with only one consideration: Can I get paid? 

While getting paid is important, other factors are also critical.

Before accepting an audit engagement consider:

  1. Are they ethical?
  2. Are you independent?
  3. Do you have the technical ability to serve them?
  4. Do you have the capacity to serve them?

Are They Ethical?

I want my daughter to marry a guy with beliefs that correspond with who she is. Is he honest? Would he steal? Is he transparent? Who are his associates? What do others think of him? 

We ask similar questions about accepting a new client. Audit standards require us to consider whether the prospective client has integrity. If the company is not morally straight, then there’s no need to move forward. Ethics is a key to client acceptance.

(The predecessor auditor can provide information about their interactions with the company. Audit standards require contact with the predecessor auditor prior to acceptance. This is an initial year consideration.)

Are You Independent?

Independence is another key to client acceptance. And the time to determine your firm’s independence is the beginning—not at the conclusion of the audit.

Consider what happens—during a peer review—when a firm is not independent, and it has issued an audit opinion. The original audit report will be recalled, and I’ll bet the company asks for and receives a full refund of your audit fee. Now, the company needs to be re-audited.  (Oh, and there’s that impact on the peer review report.)

Pay attention to requested nonattest services—such as preparation of financial statements. If the client has no one with sufficient skill, knowledge, and experience to accept responsibility for such services, you may not be independent. See the AICPA’s Plain English Guide to Independence for more information. (You can see additional help-aids in my list of online resources for CPAs.)

Do You Have the Technical Ability to Serve Them?

If you can pick up a client in an industry in which you have no experience, should you? Possibly, but it depends on whether you can appropriately understand the client and their industry before you conduct the engagement. Some new customers may not be complicated. In those cases, CPE may get you into position to provide the audit. 

But what if the potential engagement involves a highly sophisticated industry and related accounting standards for which you are ill-equipped? It may be better to let the engagement go and refer it to an audit firm that has the requisite knowledge. Or maybe you can partner with the other firm. 

Do You Have the Capacity to Serve Them?

A prospective client calls saying, “Can you audit my company? We have a December 31 year-end, and we need the audit report by March 31.” After some discussion, I think the fee will be around $75,000. But my staff is already working sixty hours a week during this time of the year. Should I take the engagement? 

My answer would be no unless I can create the capacity. How? I can hire additional personnel or maybe I can contract with another firm to assist. If I can’t build additional capacity, then I may let the opportunity pass. 

Far too many firms accept work without sufficient capacity. When this happens, corners are cut, and staff members and partners suffer. Stuffing even more work into a stressful time of the year is not (always) a wise thing. We lose staff. And if the engagement is deficient, peer review results may take a hit.

When you don’t have the capacity to accept new good clients, consider whether you should discontinue service to existing bad customers.

The Continuance Decision

Quality control standards call for CPAs not only to develop acceptance procedures but also to create continuance protocols.

I previously said CPAs often don’t give proper attention to acceptance procedures. So, how about continuance decisions? Even worse. 

Each year, we should ask, “If this was a new client opportunity, would I accept them?” If the answer is no, then why do we continue serving them? 

Here are a few questions to ponder:

  • Has the client paid their prior year fees? 
  • Am I still independent (consider the new Hosting Services interpretation)?
  • Does the client demand more from me than the fee merits?
  • Do I enjoy working with this client?
  • Is the client’s financial condition creating additional risks for my firm?
  • Is the client acting ethically?

Each year, well before the audit starts, ask these questions.

And then consider, is the bottom 10% of my book of business keeping me from accepting better clients? My experience has been that when I have the capacity, new business appears. When capacity is lacking, it doesn’t. The decision to hold on to bad clients is a decision to close the door to better clients. Don’t be afraid to let go.

Risk Assessment Starts Now

When should we start thinking about risk assessment? Now.

Whether you are going through the initial acceptance procedures or you are making your continuance decision, start thinking about risk assessment now. Assuming you accept the client, you’ll be a step ahead as you begin to develop your audit plan. Ask questions such as:

  • How is your cash flow?
  • Do you have any debt with covenants?
  • Who receives the financial statements?
  • Has the company experienced any fraud losses?
  • How experienced is management?
  • Why are you changing auditors?

Keep these notes for future reference and audit planning. 

The Strangest Audit Ever

As I close this post, I thought I’d share an old war story. One where I did not perform client acceptance correctly. You’ll find this story hard to believe. But it’s true.

Single Audit overview
Dec 24

Single Audit Overview: In Five Minutes

By Charles Hall | Accounting and Auditing , Single Audit

Here’s a Single Audit overview in five minutes. This video provides an overview of what a Single Audit is and what an auditor does in performing such an engagement.

Single Audit Overview

First, understand that some entities receive multiple federal grants. Rather than requiring an audit of each individual grant, the Uniform Guidance allows one audit (a Single Audit) based on risk. So, if a city receives seven federal grants in one year, an auditor can perform a single audit that addresses the riskier programs. The video explains how the auditor determines major programs, the riskier grants of the seven received. Those are the ones that will be audited.

The applicability of the Single Audit to a grantee is based on the entity’s federal expenditures. Audit the entity using the Uniform Guidance when more than $750,000 in federal funds are expended. 

Compliance Supplement

In the video, I also explain how auditors use the Compliance Supplement to audit federal programs. The Compliance Supplement provides a summary of the applicable compliance provisions for federal grants. You can locate a particular grant by searching the Compliance Supplement by its federal assistance listing number. For example, 14.321 is HUD’s Emergency Systems Grant Program.

Single Audit Compliance Areas

Potential compliance areas for federal programs include:

  • Allowability
  • Eligibility
  • Procurement
  • Special Reporting
  • Sub-recipient monitoring
  • And more

Auditors choose the compliance areas that are direct and material, those that are most important. These areas are audited for each major program.

Single Audit Reports

Additionally, Single Audit reports are created by the auditor to communicate the results of the audit. That way, financial statement readers can see if the grantee (e.g., city) used the grant funds appropriately and whether the entity had proper internal controls. The auditor opines upon the major program grant compliance. If noncompliance is present or if related internal controls were not in use, the auditor reports the noncompliance or deficiencies in the Single Audit report. 

Moreover, Single Audit reports include a schedule of expenditures of federal awards (SEFA). The SEFA includes a listing of expended federal awards. 

Federal Audit Clearinghouse

Finally, the Single Audit report is filed with the federal audit clearinghouse once completed. The report is publicly available, so anyone can see the results of the audit. 

Watch the video for the Single Audit overview in five minutes. 

Dec 18

Test of Controls: When is It Required?

By Charles Hall | Auditing

Most auditors don’t perform a test of controls. But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required.

Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:

  1. Test of details 
  2. Substantive analytics
  3. Test of controls

This article focuses on the third option.

Below you will see:

  • The Right Response
  • Not Testing Controls (including video about the same)
  • The Decision Regarding Testing 
  • How to Test Controls
  • Required Tests
  • Which Controls to Test
  • Three-year Rotation of Testing
  • Interim or Period-End Testing

The Right Response 

Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.

If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).

By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)

Not Testing Controls

Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high. 

Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time. 

The Decision Regarding Testing 

But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.

Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures take less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.

How to Test Controls 

Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.

Risk Assessment

Your approach to testing controls depends on risk. 

For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use. 

Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.

Test Supports Effectiveness

Now it’s time to test for effectiveness. 

Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)

The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty. 

The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed. 

The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person that reconciled the bank statement was not involved in cash collections. 

Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment. 

And what about substantive tests?

You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.

Test Doesn’t Support Effectiveness

If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance. 

So, when should you test controls? First, let’s look at required tests and then optional ones.

Required Audit Tests of Controls

Here are two situations where you must test controls:

  • When there is a significant risk and you are placing reliance on controls related to that risk
  • When substantive procedures don’t properly address a risk of material misstatement

Let me explain.

Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually. 

Also, a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement. So this test requirement is usually not relevant.

Optional Audit Test of Controls

We just covered the two situations when testing is required. All other control testing is optional.

Prior to making the decision about testing, consider the following:

  • Do you anticipate effectiveness? There’s no need to test an ineffective control. 
  • Does the control relate to an assertion for which you desire a lower control risk? 
  • Will it take less time to test the control than to perform a substantive procedure? Sometimes you may not know the answer to this question until you perform the test of controls. If the initial test does not prove effectiveness, then you have to expand your sample or just punt—in other words, use a fully substantive approach. 
  • Will you use the control testing in conjunction with a test of details or substantive analytics? How would effective controls reduce these substantive tests? In other words, how much substantive testing time would you save if the control is effective?
  • Is the control evidence physical or electronic? For example, are the entity’s receipts in a physical receipt book or in a computer? It’s usually easier to test electronic evidence.
  • How large will your sample size be? Some controls occur once a month. Others, thousands of times in the period. The larger the population, the larger the sample. And, of course, the larger the sample size, the more time it will take to perform the test. 
  • Can you test the population as a whole without sampling? Data analytics software—in some instances—can be used to test the entire population. For example, if a purchase order is required for all payments above $5,000, it might be easy to compare all payments above the threshold to purchase orders, assuming the purchase orders are electronic. 

Three-Year Rotation of Testing

As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.

In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review the purchase order process each year in your annual walkthroughs.

So should you test controls at interim or after year-end?

Interim or Period-End Testing

Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?

It depends.

Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective. 

Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.

If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.

So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well, those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).

Conclusion

As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.

Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytical Procedures: Power Up.

Auditing Payroll
Dec 13

Auditing Payroll: A Step by Step Guide

By Charles Hall | Auditing

Auditing payroll is a critical skill. Today I explain how.

While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.

Auditing Payroll – An Overview

Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.

To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.

First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.

Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).

Third, human resources assists the new-hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance.

Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used).

Fifth, employees clock in and out so that time can be recorded.

Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time.

Seventh, a second person (e.g., payroll supervisor) approves the overall payroll.

Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy).

In this article, we will cover the following:

  • Primary payroll assertions
  • Payroll walkthroughs
  • Payroll fraud
  • Payroll mistakes
  • Directional risk for payroll
  • Primary risks for payroll
  • Common payroll control deficiencies
  • Risk of material misstatement for payroll
  • Substantive procedures for payroll
  • Common payroll work papers

Primary Payroll Assertions

The primary relevant payroll assertions are:

  • Completeness
  • Cutoff
  • Occurrence

I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.

Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.

Payroll Walkthroughs

Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:

  • Does the company have a separate payroll bank account?
  • How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
  • Who has the authority to hire and fire employees?
  • What paperwork is required for a new employee? For a terminated employee?
  • Is payroll budgeted?
  • Who monitors the budget to actual reports? How often?
  • Who controls payroll check stock? Where is it stored? Is it secure?
  • If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
  • Do larger salary payments require multiple approvals?
  • Who approves overtime payments?
  • Who monitors compliance with payroll laws and regulations?
  • Who processes payroll and how?
  • Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
  • How are payroll tax payments made? How often? Who makes them?
  • Who creates the year-end payroll tax documents (e.g., W-2s) and how?
  • What controls ensure the recording of payroll in the appropriate period?
  • Are the following duties assigned to different persons:
    • Approval of each payroll
    • Processing and recording payroll
    • The reconciliation of related bank statements
    • Possession of processed payroll checks
    • Ability to enter or change employee bank account numbers
    • Ability to add employees to the payroll system or to remove them
  • Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
  • Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
  • Who approves salary rates and how?
  • Who reconciles the payroll bank statements and how often?
  • Who approves bonuses?
  • What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
  • Who reconciles the payroll withholding accounts and how often?
  • Are any salaries capitalized rather than expensed? If yes, how and why?
  • Are surprise payroll audits performed? If yes, by whom?
  • Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?

Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).

If control weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.

As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”

Payroll Fraud

When payroll fraud occurs, understatements or overstatements of payroll expense may exist.

If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.

On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.

Payroll Mistakes

Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements.

Directional Risk for Payroll

The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur.

Primary Risks for Payroll

The primary payroll risks include:

  1. Payroll is intentionally understated
  2. Inappropriate parties receive payments
  3. Employees receive duplicate payments

As you think about these risks, consider the control deficiencies that allow payroll misstatements.

Common Payroll Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following:
    • Approves payroll payments to employees
    • Enters time or salary rates in the payroll system
    • Issues payroll checks or makes direct deposit payments
    • Adds or removes employees from the payroll system
    • Reconciles the payroll bank account
  • No one reviews and approves recorded time
  • No one reviews and approves payroll before processing
  • No one performs surprise audits of payroll
  • Appropriate procedures for adding and removing employees are not present
  • No one reviews the removal of terminated employees from payroll
  • No one compares payroll expenses to a budget

(Here are suggestions to make your payroll controls stronger.)

Another key to auditing payroll is understanding the risks of material misstatement.

Risk of Material Misstatement for Payroll

In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.

Additionally, consider theft, which can occur in numerous ways, such as duplicate payments or ghost employees.

In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice.

Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee).
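The duplicate-payment and ghost-employee schemes described above leave patterns in payroll data that can be tested for across the whole payment register. The following is an added example, not part of the original article; the record layout, field names, and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (assumed layout): employee master file and payments.
EMPLOYEES = {
    "E01": {"name": "A. Payroll Clerk", "terminated": None},
    "E02": {"name": "B. Welder", "terminated": date(2024, 3, 15)},
    "E03": {"name": "C. Driver", "terminated": None},
}
PAYMENTS = [  # (payment id, employee id, pay period end, bank account, amount)
    ("P1", "E01", date(2024, 3, 29), "ACCT-111", 2100.00),
    ("P2", "E02", date(2024, 3, 15), "ACCT-222", 1800.00),
    ("P3", "E02", date(2024, 3, 29), "ACCT-111", 1800.00),  # ghost employee
    ("P4", "E03", date(2024, 3, 29), "ACCT-333", 1950.00),
    ("P5", "E03", date(2024, 3, 29), "ACCT-333", 1950.00),  # duplicate
]

def payroll_exceptions(employees, payments):
    """Return {test name: sorted payment ids} for auditor follow-up."""
    found = defaultdict(set)
    by_emp_period = defaultdict(list)
    owners_by_account = defaultdict(set)
    for pid, emp, period_end, account, _amount in payments:
        by_emp_period[(emp, period_end)].append(pid)
        owners_by_account[account].add(emp)
        rec = employees.get(emp)
        if rec is None:
            # Payee has no master-file record at all.
            found["not_in_master_file"].add(pid)
        elif rec["terminated"] and period_end > rec["terminated"]:
            # Pay period ends after the recorded termination date.
            found["paid_after_termination"].add(pid)
    # Same employee paid more than once for the same pay period.
    for pids in by_emp_period.values():
        if len(pids) > 1:
            found["duplicate_payment"].update(pids)
    # One bank account receiving pay for more than one employee.
    for pid, _emp, _period_end, account, _amount in payments:
        if len(owners_by_account[account]) > 1:
            found["shared_bank_account"].add(pid)
    return {test: sorted(pids) for test, pids in found.items()}

if __name__ == "__main__":
    for test, pids in payroll_exceptions(EMPLOYEES, PAYMENTS).items():
        print(f"{test}: {', '.join(pids)}")
```

Each hit is an exception to investigate, not proof of theft: a final paycheck or a shared household account can trigger the same tests.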

Once your payroll risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Auditing Payroll

My customary tests for auditing payroll are as follows:

  1. Reconcile 941s to payroll
  2. Recompute accrued payroll liability (amount recorded at period-end)
  3. Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
  4. Compare payroll expenses (including benefits) to budget and examine any unexplained variances
  5. When control weaknesses are present, design and perform procedures to address the related risks
  6. Compare accrued vacation to prior periods and current payroll activity

In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?

Common Payroll Work Papers

My payroll work papers normally include the following:

  • An understanding of payroll-related internal controls
  • Risk assessment of payroll at the assertion level
  • Documentation of any payroll control deficiencies
  • Payroll audit program
  • Accrued salaries detail at period-end
  • A summary of any significant payroll withholding accounts with supporting information
  • A detail of vacation payable (if material) with comparisons to prior periods
  • Budget to actual payroll reports
  • A reconciliation of payroll in the general ledger to quarterly 941s
  • Fraud-related payroll work papers (when needed)

In Summary

In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.

See my book on Amazon: The Why and How of Auditing.
