Category Archives for "Accounting and Auditing"

auditing cash
Mar 11

Auditing Cash: The Why and How Guide

By Charles Hall | Auditing

Auditing cash tends to be straightforward. We usually just obtain the bank reconciliations and test them. We send confirmations and vouch the outstanding reconciling items to the subsequent month’s bank statement. But are such procedures always adequate? Hardly. 

Recall the Parmalat and ZZZZ Best Carpet Cleaning frauds. In those businesses, the theft of cash was covered up with fake bank statements and fake confirmation responses. Millions were lost and reputations were sullied.


How to Audit Cash

In this post, we will take a look at auditing cash, including:

  • Primary cash assertions
  • Cash walkthrough
  • Directional risk for cash
  • Primary risks for cash
  • Common cash control deficiencies
  • Risk of material misstatement for cash
  • Substantive procedures for cash
  • Common cash work papers

Primary Cash Assertions

The primary relevant cash assertions are:

  • Existence
  • Completeness
  • Rights
  • Accuracy
  • Cutoff

Of these assertions, I believe existence, accuracy, and cutoff are most important. The audit client is asserting that the cash balance exists, that it’s accurate, and that only transactions within the period are included.

Classification is normally not a relevant assertion. Cash is almost always a current asset. But when bank overdrafts occur, classification can be in play. The negative cash balance can be presented as cash or as a payable depending on the circumstances.

Cash Walkthrough

As we perform walkthroughs of cash, we normally look for ways that cash might be overstated (though it can also be understated). We are asking, “What can go wrong?” whether intentionally or by mistake.

In performing cash walkthroughs, ask questions such as:

  • Are timely bank reconciliations performed by competent personnel?
  • Are all bank accounts reconciled?
  • Are the bank reconciliations reviewed by a second person?
  • Are all bank accounts on the general ledger?
  • Are transactions appropriately cut off at period-end (with no subsequent period transactions appearing in the current year)?
  • Is there appropriate segregation between persons handling cash, recording cash, making payments, and reconciling the bank statements?
  • What bank accounts were opened in the period?
  • What bank accounts were closed in the period?
  • Are there any restrictions on the bank accounts?
  • What persons are on the bank signature cards?
  • Who has the authority to open and/or close bank accounts?
  • What is the nature of each bank account (e.g., payroll bank account)?
  • Are there any cash equivalents (e.g., investments of less than three months)?
  • Were there any held checks (checks written but unreleased) at period-end?

As we ask questions, we also inspect documents (e.g., bank reconciliations) and make observations (who is doing what?).

If control weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we review three monthly bank reconciliations and they all have obvious errors, we will perform more substantive work to prove the year-end bank reconciliation. For example, we might vouch every outstanding deposit and disbursement.

Directional Risk for Cash

What is directional risk in auditing cash? It’s the potential bias that a client has regarding an account balance. A client might desire an overstatement of assets and an understatement of liabilities since each makes the balance sheet appear healthier.

The directional risk for cash is overstatement. So, in performing your audit procedures, perform procedures such as testing the bank reconciliation to ensure that cash is not overstated.

Primary Risks for Cash

The primary risks are:

  1. Cash is stolen
  2. Cash is intentionally overstated to cover up theft
  3. Not all cash accounts are on the general ledger
  4. Cash is misstated due to errors in the bank reconciliation
  5. Cash is misstated due to improper cutoff

Common Cash Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person receipts and/or disburses monies, records those transactions in the general ledger, and reconciles the related bank accounts
  • The person performing the bank reconciliation does not possess the skill to perform the duty
  • Bank reconciliations are not timely performed

Risk of Material Misstatement for Cash

In my smaller audit engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate.

The assertions that concern me the most are existence, accuracy, and cutoff. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, bank confirmations and testing of the bank reconciliations. As RMM increases I examine more of the period-end bank reconciliations and more of the outstanding reconciling items. Also, I am more inclined to confirm the balances.

Substantive Procedures for Cash

My customary audit tests are as follows:

  1. Confirm cash balances
  2. Vouch reconciling items to the subsequent month’s bank statement
  3. Ask if all bank accounts are included on the general ledger
  4. Inspect final deposits and disbursements for proper cutoff

The auditor should send confirmations directly to the bank. Some individuals create false bank statements to cover up theft. Those same persons provide false confirmation addresses. Then the confirmation is sent to an individual (the fraudster) rather than a bank. Once received, the fraudster replies to the confirmation as though the bank is doing so. You can lessen the chance of fraudulent confirmations by using Confirmation.com, a company that specializes in bank confirmations. Alternatively, you might Google the confirmation address to verify its existence.

Agree the confirmed bank balance to the period-end bank reconciliation (e.g., December 31, 20X7). Then, agree the reconciling items on the bank reconciliation to the bank statement subsequent to the period-end. For example, examine the January 20X8 bank statement activity when clearing the December 20X7 reconciling items. Finally, agree the reconciled balance to the general ledger cash balance for the period-end (e.g., December 31, 20X7).

Cut-off bank statements (e.g., January 20, 20X8 bank statement) may be used to test the outstanding items. Such statements, similar to bank confirmations, are mailed directly to the auditor. Alternatively, the auditor might examine the reconciling items by viewing online bank statements. (Read-only rights can be given to the auditor.)
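The three agreement steps described above (confirmation to reconciliation, reconciling items to the subsequent statement, reconciled balance to the general ledger), sketched as an added example that is not part of the original article. All balances, references, field names and the function name are constructed for illustration.

```python
# Added example: every balance, reference and field name here is constructed.
from decimal import Decimal as D


def check_reconciliation(confirmed_balance, recon, subsequent_lines, gl_balance):
    """Return a list of (step, detail) exceptions; an empty list means every step agreed."""
    exceptions = []

    # Step 1: the balance the bank confirmed directly to the auditor must agree
    # to the "balance per bank" shown on the period-end reconciliation.
    if recon["balance_per_bank"] != confirmed_balance:
        exceptions.append((
            "confirmation",
            f"recon shows {recon['balance_per_bank']}, bank confirmed {confirmed_balance}",
        ))

    # Step 2: each reconciling item should clear on the subsequent month's
    # statement. A statement line is consumed once matched so that one
    # clearing cannot support two reconciling items.
    unmatched = list(subsequent_lines)
    for item in recon["items"]:
        hit = next(
            (line for line in unmatched
             if line["ref"] == item["ref"] and line["amount"] == item["amount"]),
            None,
        )
        if hit is None:
            # An uncleared item is a follow-up point, not automatically an error.
            exceptions.append((
                "subsequent clearing",
                f"{item['ref']} {item['amount']} did not clear",
            ))
        else:
            unmatched.remove(hit)

    # Step 3: bank balance plus signed reconciling items must agree to the
    # general ledger cash balance at period-end.
    reconciled = recon["balance_per_bank"] + sum(
        (item["amount"] for item in recon["items"]), D("0")
    )
    if reconciled != gl_balance:
        exceptions.append(("general ledger", f"reconciled {reconciled}, GL {gl_balance}"))

    return exceptions


# Constructed December 31 reconciliation. Deposits in transit are positive,
# outstanding checks negative.
RECON = {
    "balance_per_bank": D("250000.00"),
    "items": [
        {"ref": "DEP-1231", "amount": D("15000.00")},
        {"ref": "DEP-1230", "amount": D("30000.00")},
        {"ref": "CHK-1041", "amount": D("-4200.00")},
        {"ref": "CHK-1042", "amount": D("-1300.00")},
    ],
}

# Constructed January statement activity (cut-off statement or online view).
JANUARY_LINES = [
    {"ref": "DEP-1231", "amount": D("15000.00")},
    {"ref": "CHK-1041", "amount": D("-4200.00")},
    {"ref": "CHK-1042", "amount": D("-1300.00")},
    {"ref": "CHK-1050", "amount": D("-800.00")},  # January check, not a December item
]

CONFIRMED = D("250000.00")
GL_CASH = D("289500.00")

if __name__ == "__main__":
    for step, detail in check_reconciliation(CONFIRMED, RECON, JANUARY_LINES, GL_CASH):
        print(f"{step}: {detail}")
```

In this constructed data the arithmetic ties to the general ledger and the confirmation agrees, yet a $30,000 deposit in transit never reaches the bank in January, which is the overstatement direction the article says to test for.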

Common Cash Work Papers

My cash work papers normally include the following:

  • An understanding of cash-related internal controls
  • Risk assessment of cash assertions at the assertion level
  • Documentation of any control deficiencies
  • Cash audit program
  • Bank reconciliations for each significant account
  • Bank confirmations

Auditing Cash 

We’ve discussed how to perform cash risk assessment procedures, the relevant cash assertions, the cash risk assessments, and substantive cash procedures.

Next we’ll examine how to audit receivables and revenues.


Preliminary analytical procedures
Mar 11

Preliminary Analytical Procedures

By Charles Hall | Auditing

Preliminary analytical procedures are used to identify material misstatements in financial statements. In this article, I explain how to create planning analytics and how to use them to identify potential misstatements. I also provide documentation tips. 


Preliminary Analytical Procedures

The auditing standards provide four risk assessment procedures: 

  1. Inquiry
  2. Observation
  3. Inspection
  4. Analytical procedures

I previously provided you with information about the first three risk assessment procedures. Today, I provide you with the fourth, analytical procedures.

While analytical procedures should occur at the beginning and the end of an audit, this post focuses on preliminary analytical procedures (sometimes called a preliminary analytical review).

Below I provide the quickest and best way to develop audit planning analytics.

What are Analytics?

If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the use of numbers to determine reasonableness. For example, if a company's cash balance at December 31, 2020, was $100 million, is it reasonable for the account to be $5 million at December 31, 2021? Comparisons such as this one assist auditors in their search for errors and fraud.

Preliminary Analytical Procedures Overview

We'll cover the following:

  • The purpose of preliminary analytical procedures 
  • When to create planning analytics (at what stage of the audit)
  • Developing expectations 
  • The best types of planning analytics
  • How to document preliminary analytical procedures
  • Developing conclusions 
  • Linkage to the audit plan


Purpose of Preliminary Analytical Procedures

Analytical procedures used in planning an audit should focus on identifying risks of material misstatement. Your goal as an auditor is to render an opinion regarding the fairness of the financial statements. So, like a good sleuth, you are surveying the accounting landscape to see if material misstatements exist.

A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews, timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures. Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for material misstatements. 

The detective and the auditor are both looking for the same thing: evidence. And the deft use of tools can lead to success. A key instrument (procedure) available to auditors is preliminary analytical procedures.

When to Create Planning Analytics

Create your preliminary analytics after gaining an understanding of the entity. Why? Context determines reasonableness of numbers. And without context (your understanding of the entity), changes in numbers from one year to the next may not look like a red flag--though maybe they should.

Therefore, learn about the entity first. Are there competitive pressures?  What are the company's objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the organization have debt? Context creates meaning.

Additionally, create your comparisons of numbers prior to creating your risk assessments. After all, the purpose of the analytical comparisons is to identify risk.

But before creating your planning analytics, you first need to know what to expect.

Developing Expectations 

Knowing what to expect provides a basis for understanding the changes in numbers from year to year. 

Expectations can include:

  • Increases in numbers
  • Decreases in numbers
  • Stable numbers (no significant change)

In other words, you can have reasons to believe payroll (for example) will increase or decrease. Or you might anticipate that salaries will remain similar to last year.

Examples of Expectations Not Met

Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an increase of 15% is a flashing light.

Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be an indication of financial statement fraud.

But where does an auditor obtain expectations?

Sources of Expectations

Expectations of changes can come from (for example):

  • Past changes in numbers 
  • Discussions with management about current year operations
  • Reading the company minutes
  • Staffing reductions
  • Non-financial statistics (e.g., a decrease in the number of widgets sold)
  • A major construction project

While you'll seldom know about all potential changes (and that's not the goal), information--such as that above--will help you intuit whether change (or a lack of change) in an account balance is a risk indicator.

Now, let's discuss the best types of planning analytics. 

The Best Types of Planning Analytics

Auditing standards don't specify what types of planning analytics to use. But some, in my opinion, are better than others. Here's my suggested approach (for most engagements). 

Audit Planning Analytics

Comparative Numbers

First, create your planning analytics at the financial statement reporting level. Why? Well, that's what the financial statement reader sees. So, why not use this level (if you can)? (There is one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)

The purpose of planning analytics is to ferret out unexpected change. Using more granular information (e.g., trial balance) muddies the water. Why? There's too much information. You might have three hundred accounts in the trial balance and only fifty at the financial statement level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I look at it.

Comparative Ratios

Second, add any key industry ratios tracked by management and those charged with governance. Often, you include these numbers in your exit conference with the board (maybe in a slide presentation). If those ratios are important at the end of an audit, then they're probably important in the beginning.

Examples of key industry ratios include:

  • Inventory turnover
  • Return on equity
  • Days cash on hand
  • Gross profit 
  • Debt/Equity 

Other Metrics

Other metrics such as earnings before interest, taxes, depreciation, and amortization (EBITDA) are consequential for some companies. If relevant, include those.

Hence, create planning analytics that align with the company’s focal points. And how do you know what those are? Read the company’s minutes before you create your preliminary analytics. Most of the time you’ll see the tracked numbers there. 

One last thought about analytical types. When relevant, use nonfinancial information, such as the number of products sold. If a company sells just three or four products and you have the sales statistics, why not compute the estimated revenue and compare it to the recorded revenue? It makes sense to do so. After all, the auditing standards say that preliminary analytics may include both financial and nonfinancial information. 

Okay, so we know what analytics to create, but how should we document them?

Analytics for Fraudulent Revenue Recognition

AU-C 240 says the auditor should include preliminary analytics relating to revenue accounts.

AU-C 240 suggests a more detailed form of analytics for revenues such as:

  • a comparison of sales volume with production capacity
  • a trend analysis of revenues by month and sales returns by month 
  • a trend analysis of sales by month compared with units shipped to customers

In light of these suggested procedures, it may be prudent to create revenue analytics at a more granular level than that shown in the financial statements.

How to Document Preliminary Planning Analytics

Here are my suggestions for documenting preliminary planning analytics.

  1. Document overall expectations.
  2. Include comparisons of prior-year/current-year numbers at the financial statement level. (You might also include multiple prior year comparisons if you have that information.)
  3. Document key industry ratio comparisons.
  4. Summarize your conclusions. Are there indicators of increased risks of material misstatement? If yes, say so. If no, say so.

Once you create your conclusions, place any identified risks on your summary risk assessment work paper (where you assess risk at the transaction level--e.g., inventory).

Use Filtered Analytical Reports with Caution (if at all)

Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with changes of greater than $30,000. There is a danger in using such thresholds. 

What if you expect a change in sales of 20% (approximately $200,000) but your filters include:

  • all accounts with changes greater than $50,000, and
  • all accounts with changes of more than 15%

If sales remain constant, then this risk of material misstatement (you expected change of 20%, but it did not happen) fails to appear in the filtered report. The filters remove the sales account because the change was minimal. Now, the risk may go undetected.
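The blind spot described above, worked through as an added example (not from the original article): a threshold filter and an expectation-based comparison run over the same constructed balances. The account figures, the 5-point tolerance and the function names are assumptions for illustration only; the article treats the comparison as a judgment, not a formula.

```python
# Added example: account names, balances and the tolerance are constructed.
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    prior: float         # prior-year balance
    current: float       # current-year balance
    expected_pct: float  # auditor's expected change, e.g. 0.20 for +20%

    @property
    def change(self) -> float:
        return self.current - self.prior

    @property
    def pct_change(self) -> float:
        return self.change / self.prior if self.prior else float("inf")


def threshold_filter(accounts, min_amount=50_000, min_pct=0.15):
    """Filtered report: list accounts whose change exceeds either threshold."""
    return [
        a.name for a in accounts
        if abs(a.change) > min_amount or abs(a.pct_change) > min_pct
    ]


def expectation_gaps(accounts, tolerance_pct=0.05):
    """List accounts whose actual change differs from the expected change.

    Returns (name, expected %, actual %) for each account where the gap
    exceeds the tolerance. The tolerance is a hypothetical screening aid.
    """
    flagged = []
    for a in accounts:
        if abs(a.pct_change - a.expected_pct) > tolerance_pct:
            flagged.append(
                (a.name, round(a.expected_pct * 100, 1), round(a.pct_change * 100, 1))
            )
    return flagged


# Constructed balances. Sales was expected to rise 20% (about $200,000)
# but stayed nearly flat, which is the case the article warns about.
ACCOUNTS = [
    Account("Sales",    1_000_000, 1_010_000, 0.20),
    Account("Payroll",    400_000,   460_000, 0.00),
    Account("Rent",       120_000,   121_000, 0.00),
    Account("Supplies",    10_000,    13_000, 0.30),
]

if __name__ == "__main__":
    print("Filtered report:", threshold_filter(ACCOUNTS))
    for name, expected, actual in expectation_gaps(ACCOUNTS):
        print(f"{name}: expected {expected:+}%, actual {actual:+}%")
```

On this data the filtered report lists Payroll and Supplies and omits Sales, while the expectation comparison lists Sales and Payroll and drops Supplies, whose 30% change was anticipated.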

Developing Conclusions

I am a believer in documenting conclusions on key work papers. So, how do I develop those conclusions? And what does a conclusion look like on a planning analytics work paper?

First, develop your conclusions. How? Scan the comparisons of prior year/current year numbers and ratios. We use our expectations to make judgments concerning the appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so, there's no formula for this.

No Risk Identified

Now, you'll document your conclusions. But what if there are no unexpected changes? You expected the numbers to move in the manner they did. Then no identified risk is present. Your conclusion will read, (for example):

Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on the planning analytics, no risks of material misstatement were noted.

Risk Identified

Alternatively, you might see unexpected changes. You thought certain numbers would remain constant, but they moved significantly. Or you expected material changes to occur, but they did not. Again, document your conclusion. For example:

Conclusion: I expected payroll to remain constant since the company's workforce stayed at approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I am placing this risk of material misstatement on the summary risk assessment work paper at 0360 and will create audit steps to address the risk.

Now, it's time to place the identified risks (if there are any) on your summary risk assessment form.

Linkage to the Audit Plan

I summarize all risks of material misstatements on my summary risk assessment form. These risks might come from walkthroughs, planning analytics or other risk assessment procedures. Regardless, I want all of the identified risks--those discovered in the risk assessment process--in one place.

The final step in the audit risk assessment process is to link your identified risks to your audit program.

Overview of Risk Assessment and Linkage

Now, I tailor my audit program to address the risks. Tailoring the audit program to respond to identified risks is known as linkage.

Audit standards call for the following risk assessment process:

  • Risk assessment procedures (e.g., planning analytics)
  • Identification of the risks of material misstatement
  • Creation of audit steps to respond to the identified risks (linkage)

Summary of Preliminary Analytical Procedure Considerations

So, now you know how to use planning analytics to search for risks of material misstatement--and how this powerful tool impacts your audit plan.

Let's summarize what we've covered:

  1. Planning analytics are created for the purpose of identifying risks of material misstatement
  2. Develop your expectations before creating your planning analytics (learn about the entity's operations and objectives; review past changes in numbers for context--assuming you've performed the audit in prior years)
  3. Create analytics at the financial statement level, if possible
  4. Use key industry ratios 
  5. Conclude about whether risks of material misstatement are present
  6. Link your identified risks of material misstatement to your audit program

So there you are. I hope you've found this article useful. For more information about risk assessment, check out my book Audit Risk Assessment Made Easy, available on Amazon. 

First-Year Businesses and Planning Analytics

You may be wondering, "but what if my client is new?" New entities don't have prior numbers. So, how can you create planning analytics?

First Option

One option is to compute expected numbers using non-financial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.

Second Option

A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks.

While industry analytics can be computed, I’m not sure how useful they are for a new company. An infant company often does not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver--just in case.

Third Option

A more useful option is the third: comparing intraperiod numbers. 

Discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?

Fourth Option

The last option we’ve listed is a review of the budgetary comparisons. Some entities, such as governments, lend themselves to this alternative. Others, not so–those that don’t adopt budgets.

Summary

So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.

SSAE 19
Feb 26

SSAE 19: Agreed-Upon Procedures Engagements

By Charles Hall | Auditing

On December 19, 2019, the AICPA released SSAE 19, Agreed-Upon Procedures Engagements. AUPs provide you with the ability to provide assurance in a targeted manner (e.g.,  just for inventory). Though you’ve been able to perform AUPs for many years, the new guidance in SSAE 19 provides you with greater flexibility. See how below. 

Greater AUP Flexibility

CPAs will find the new agreed-upon procedures (AUP) standard (SSAE 19) more flexible than the preceding guidance (SSAE 18 AT-C section 215).

How is it more flexible?

  • You no longer request an assertion from the responsible party
  • You can issue general-use reports 
  • Intended users are not required to take responsibility for the sufficiency of the procedures
  • You can develop or assist in developing the procedures over the course of the engagement

And which of these do I like the best? No requirement for assertions.

Additionally, I like the option to develop AUP procedures as the engagement progresses. In the past, the client might review the draft AUP report (at the end of the engagement) and realize it doesn't meet their needs. Sometimes it's better for practitioners to develop procedures as they perform the AUP. SSAE 19 allows you to do just that.

So, if you develop new procedures, what must you do? Prior to issuance of the AUP report, obtain the engaging party's agreement regarding the procedures. Moreover, obtain their acknowledgement that the procedures are appropriate and that they satisfy the intended purpose of the engagement. In effect, the client reviews the procedures, agrees with them, and expresses satisfaction.

Definition of an Agreed-Upon Procedures Engagement

SSAE 19 defines an agreed-upon procedures engagement as "an attestation engagement in which a practitioner performs specific procedures on subject matter and reports the findings without providing an opinion or conclusion. The subject matter may be financial or nonfinancial information." The standard goes on to say "Because the needs of engaging party may vary widely, the nature, timing, and extent of the procedures may vary, as well."


Now, let's see what the AUP objectives are.

SSAE 19 Objectives

The objectives of an SSAE 19 engagement include:

  • Applying specific procedures to subject matter
  • Issuing a written practitioner's report that describes the procedures applied and the findings

Next, let's look at the structure of an AUP report.

AUP Report Structure

The structure of the AUP report should be as follows:

  • Procedures
  • Findings

So, the CPA should state what was done and then provide the findings (results). The procedures and findings are placed in the body of the AUP report. 

The description of the procedures should be simple and clear.

Good AUP Procedure and Finding

Here's an example of a good AUP procedure and finding:

Procedure - We obtained the January 2022 check register and the January operating bank account statement. We compared check numbers 2850, 2892, 2933, 2935, 2972 to cleared checks agreeing the payee and the amount. 

Findings - No exceptions were noted.

Now, let's look at a poor example:

Poor AUP Procedure and Finding

Procedure - We scanned the company's 2022 bank statements and talked with the CFO. The books seemed to be in order with the exception of July errors.

Finding - Overall, the check disbursements appear to be okay after our general review.

In this poor example, we see general words or statements. What does the word "scanned" mean? How about "seemed to be in order"? Additionally, the finding is vague: "okay after our general review."

SSAE 19 provides examples of acceptable and unacceptable wording.

Acceptable and Unacceptable AUP Wording

SSAE 19 calls on the practitioner to clearly define procedures. Moreover, the standard states that practitioners should not perform procedures that are open to varying interpretations or that are vague.

Unacceptable Terms

.A27 of the standard even provides examples of unacceptable AUP terms such as:

  • General review
  • Evaluate
  • Examine

Acceptable Terms

.A27 also provides examples of acceptable AUP terms such as:

  • Inspect
  • Compare
  • Agree
  • Recalculate

In addition to proper wording, document your engagement in accordance with SSAE 19.

AUP Documentation

SSAE 19 calls for the following documentation:

  • Written agreement with the engaging party regarding the appropriateness of the procedures performed for the intended purpose of the engagement
  • The nature, timing, and extent of procedures performed
  • The results of the procedures

You'll also need a written engagement letter (see paragraph .15 of SSAE 19 for an example) and a representation letter (see paragraph .27 of SSAE 19 for an example).

So what about dating the representation letter? The representation letter date should be the date of the AUP report. Additionally, the representation letter should address the subject matter and periods covered by the practitioner's findings.

By now you may be thinking, "Where can I find AUP report examples?"

SSAE 19 Illustrative AUP Report

SSAE 19 provides four illustrative AUP reports in its exhibit (see .A78). 

The four example AUP reports relate to:

  1. Statement of investment performance statistics
  2. Cash and accounts receivable
  3. Claims of creditors
  4. Procedures specified in regulation

If you're looking for a template to follow, see example 2. Why? The cash and accounts receivable procedures and findings are excellent. Build procedures and findings like these and you'll be in good shape.

I suggest you download SSAE 19 and keep these reports handy.

So, what about independence? Is that required?

Attestation Independence

The practitioner has to be independent in order to perform an AUP.  

One exception exists when the practitioner "is required by law or regulation to accept an agreed-upon procedures engagement and report on the procedures performed and findings obtained."

SSAE 19 Effective Date

The effective date of SSAE 19 is for AUP reports dated on or after July 15, 2021.

Early implementation is permitted.

If third party assurance is not needed, consider issuing a consulting report in lieu of an AUP report. See my article: AICPA Consulting Standards - The Swiss Army Knife.

Risk assessment mistakes
Feb 11

15 Risk Assessment Mistakes CPAs Make

By Charles Hall | Accounting and Auditing

Here are 15 risk assessment mistakes. Have you seen these?


  1. Assessing control risk at high with no understanding of internal controls and no walkthroughs (in other words, defaulting to high control risk)
  2. Seeing significant internal control problems, assessing control risk at high, then performing routine audit procedures (and no extended procedures)
  3. Assessing inherent risk too high (resulting in unnecessary responses–audit procedures)
  4. Assessing inherent risk too low (resulting in inadequate responses–audit procedures)
  5. Not documenting why inherent risks are assessed as they are
  6. Seeing risks of material misstatement in the performance of risk assessment procedures (e.g., preliminary analytics), but not documenting those on the summary risk assessment form
  7. Adding audit procedures for assertions that are not relevant (wasted hours of work)
  8. Not documenting linkage between the risks of material misstatement by assertion to the planned audit procedures
  9. Failing to document an understanding of the entity and its industry
  10. Assessing control risk below high without the support of a test of controls
  11. Defaulting to a test of details rather than performing a test of controls for effectiveness when the test of details takes more time than the test of controls (not necessarily wrong, just takes more time)
  12. Not identifying significant risks (and not performing needed extended procedures)
  13. Not understanding how weak internal controls affect the risk of material misstatement
  14. Not giving sufficient attention to internal controls because “my controls risk will be assessed at high anyway”
  15. Doing the same-as-last-year without determining if last year’s approach was correct and without determining if new risks of material misstatement are present

Review one of your audit files and see if any of these risk assessment mistakes are present.

Want to understand risk assessment? Check out my risk assessment book on Amazon.

significant risk
Feb 08

Significant Risks in Audits of Financial Statements

By Charles Hall | Auditing

Peer reviews find that many CPA firms don't identify significant risks in audits, and that's a problem. Why? Because they are the seedbed of many material misstatements. And when material misstatements are not identified, audit failure often occurs.

Below, I will tell you how to identify, assess, and respond to significant risks.

I also explain the new requirement to communicate significant risks to those charged with governance.  


Defining Significant Risk

The Auditing Standards Board previously defined significant risks as those deserving special audit consideration. They've amended this definition in SAS 145 to focus on the inherent risk characteristics rather than the response.

For example, a highly complex receivable allowance is inherently risky because it's subjective and complicated. Yes, we will give it special audit consideration. But it's a significant risk because of its nature (subjective and complex), not because of our response (re-computing the estimate and comparing it with prior periods, for example). 

How Many Significant Risks?

At least one significant risk exists in most audits, and frequently there are more. The number depends on the entity, its environment, the types of services it provides or goods it sells, the complexity of its accounts, the subjectivity of determining balances, the susceptibility of accounts to bias or fraud, and the level of change.

Defined in SAS 145

SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement, defines significant risk in terms of likelihood and magnitude. The threat must be likely, and the result must be material. (See my SAS 145 article.)

The audit standard defines the risk as one close to the upper end of the spectrum of inherent risk without regard for controls. In other words, we consider the inherent risk factors, and we disregard internal controls as we identify these risks.

Align Inherent Risk with Significant Risk

Notice that significant risks are based solely upon inherent risk. So don’t make the mistake of identifying such a risk and then assessing inherent risk below high. After all, the definition says close to the upper end of the spectrum of inherent risk.

Suppose, for example, you identify a significant risk for the allowance for uncollectible receivables, an estimate, due to concerns about the valuation assertion (because it's complex and subjective; see inherent risk factors below). Then the inherent risk for the valuation assertion must be high (or max).

It's useful to think of inherent risk on a scale of 1 to 10, with 10 being high risk. If you believe the inherent risk is a 9 or a 10 (close to the upper end of the spectrum of inherent risk), then a significant risk is present. Though auditors commonly use low, moderate, high to measure inherent risk, the audit standards don't specify how this is to be done. I'm not saying don't use low, moderate, high, only that thinking of inherent risks on a scale of 1 to 10 helps me evaluate risk and determine whether a significant risk is present.

Inherent Risk Factors

And what are the inherent risk factors? 

  • Complexity
  • Subjectivity
  • Change
  • Uncertainty
  • Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)

Two Questions to Consider

So the auditor reviews an assertion and asks, "In light of these risk factors, what is the probability of misstatement without regard for controls?" The auditor also asks, "Would a material misstatement occur?" So we consider two things:

  • Is it highly likely that a misstatement will occur for the assertion (without regard for controls)?
  • Will the misstatement be material?

If both answers are yes, it's a significant risk.

Responses to Significant Risks

Peer reviews find that auditors sometimes identify these risks but plan inadequate responses. If the risk is significant, then a strong response is necessary. 

For example, if inventory obsolescence is an issue, the auditor should plan procedures to identify the impaired items and test for appropriate valuation. You may need a specialist in such a situation. So, what would be an inadequate response?  Performing basic inventory procedures. Additional procedures, sometimes referred to as extended steps, are necessary to address the inventory valuation assertion.

As you plan the additional audit procedures, link them from the identified risk (usually on your summary risk assessment form) to your responses (usually on your audit program). In the inventory example, you would link the risk for the valuation assertion to the inventory audit steps (the extended steps to identify and value the impaired items).


You must also communicate these risks to those charged with governance. 

Communicating Significant Risks

Communicate the significant risks to those charged with governance as you implement SAS 134, Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements (required for December 31, 2021 year-end engagements and after).

(See my SAS 134 article to understand the types of audit opinions.)  

Present guidance states that significant risks are those that deserve special audit consideration, so you'll use that definition until SAS 145 is implemented. (Even so, SAS 145 will help you understand these risks now.)


How to Communicate 

You can communicate significant risks in one of three ways:

  1. Engagement letter
  2. Planning letter to those charged with governance
  3. Verbally to the board with documentation of that communication in the audit file--this could be a separate Word document that says who you talked with, when, and the significant risk areas communicated. 

The Communication Change

SAS 134 amended AU-C 260.11 (AU-C 260 The Auditor's Communication with Those Charged with Governance) as follows (amended language is underlined):

The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor.

Sample Significant Risk Language 

Here's an example of the language to be used in any of the three options above:

The anticipated significant risk areas in the audit are:

  1. receivables/revenues,
  2. the allowance for uncollectibles, and
  3. the pension liability and disclosure.

Aligning the Communication with Workpapers

The significant risk areas communicated to the board during planning should align with those identified in your workpapers. You could, however, not know all of the risk areas when you create your initial communication. It's even possible you might not identify these risks until you are well into the engagement. So the initial significant risk communication and the identified risks in the audit file could be different. You can communicate any additional risks in your final communication to those charged with governance.

Why are we making this communication to the board? Well, the board governs the entity, so they need to be aware of areas with a higher risk of potential misstatements.

Optional Communication 

The explanatory information that accompanies AU-C 260 (specifically .A21) states you may include in the governance communication how you (as the auditor) are going to address the significant risks, but this is optional.  

Audit Risk Assessment Book on Amazon

See my book on Amazon: Audit Risk Assessment Made Easy, Seeing What Others Miss.

 
