By Charles Hall | Accounting and Auditing
Most CPA firms lack uniformity of processes and software. Why? Because different partners want things done their way (not the firm way).
While this may make sense for the individual partner, it creates confusion and decreases profit for the firm as a whole.
But uniformity creates speed. And speed creates profit.
Listen now to hear why this is true in CPA firms.
By Charles Hall | Auditing
Today we take a look at auditing receivables and revenues.
Revenues are the lifeblood of any organization. Without cash inflows, the entity may cease to exist. So, it’s important that each business generate sales or some type of revenue. For you, the auditor, it’s important to verify the revenue.
Along with revenues, auditors need to prove receivables. Why? Some companies manipulate their earnings by inflating their period-end receivables. When trade receivables increase, revenues increase. So, a company can increase its net income by recording nonexistent receivables.
In this post, we’ll answer questions such as, “should I confirm receivables or examine subsequent receipts?” and “why should I assume that revenues are overstated?"
In this post, we will cover the following:
First, let’s look at assertions. The primary relevant accounts receivable and revenue assertions are:
Of these assertions, I believe—in general—existence (of receivables), occurrence (of revenues) and valuation (of receivables) are most important. So, clients assert that:
Accuracy comes into play if the customer has complex receivable transactions. Additionally, the cutoff assertion is often relevant, especially if the client has incentives to inflate the receivables balance (e.g., bonuses triggered at certain income levels).
Second, think about performing your risk assessment work in light of the relevant assertions.
As we perform walkthroughs of accounts receivable and revenue, we are looking for ways they are overstated (though they can also be understated as well). We are asking, “What can go wrong, whether intentionally or by mistake?”
In performing accounts receivable and revenue walkthroughs, ask questions such as:
As we ask questions, we also inspect documents (e.g., aged receivable reports) and make observations (e.g., who collects the payments?).
If controls weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see inconsistent allowance methods, we will perform more substantive work to prove the allowance balances.
Third, consider the directional risk of accounts receivable and revenues.
The directional risk for accounts receivable and revenue is an overstatement. So, in performing your audit procedures, perform procedures to ensure that accounts receivables and revenues are not overstated. For example, review the cutoff procedures at period-end. Be sure that no subsequent period revenues are recorded in the current fiscal year.
Audit standards require that auditors review estimates for management bias. So, consider the current year allowance and bad debt write-offs in light of the prior year allowance. This retrospective review allows the auditor to see if the current estimate is fair. The threat is that management might reduce allowances to inflate earnings.
Moreover, the audit standards state there is a presumption (unless rebutted) that revenues are overstated. Therefore, we are to assume revenues are overstated, unless we can explain why they are not.
Fourth, think about the risks related to receivables and revenues.
The main risks are:
Risks related to revenue also vary from company to company. For example, one telecommunications company might sell bundled services while another may not. Revenue recognition is more complex (risky) for the company selling bundled services.
Also, revenue risks vary from industry to industry. For example, the allowance for uncollectible is normally a high risk area for healthcare entities, but may not be so for other industries.
Fifth, think about the control deficiencies noted during your walkthroughs and other risk assessment work.
In smaller entities, the following control deficiencies are common:
Sixth, now it’s time to assess your risks.
In smaller engagements, I usually assess control risk at high for each assertion. Controls must be tested to support any lower control risk assessments. Assessing risks at high is often more efficient than testing controls.
When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (inherent risk X control risk = risk of material misstatement). The assertions that concern me the most (those with higher inherent risks) are existence, occurrence, and valuation. So my RMM for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, receivable confirmations and tests of subsequent collections. As RMM increases, I send more confirmations and examine more subsequent collections.
Additionally, I thoroughly test management’s allowance computation. I pay particular attention to uncollected amounts beyond 90 days. Uncollected amounts beyond 90 days should usually be heavily reserved. And amounts beyond 120 days should—generally—be fully reserved.
And finally, it’s time to determine your substantive procedures in light of your identified risks.
My customary audit procedures are as follows:
My accounts receivable and revenue work papers frequently include the following:
In this chapter, we’ve looked at the following for receivables and revenues:
Next, we’ll see how to audit plant, property, and equipment.
By Charles Hall | Auditing
Auditing cash tends to be straightforward. We usually just obtain the bank reconciliations and test them. We send confirmations and vouch the outstanding reconciling items to the subsequent month’s bank statement. But are such procedures always adequate? Hardly.
Recall the Parmalat and ZZZZ Best Carpet Cleaning frauds. In those businesses, the theft of cash was covered up with fake bank statements and fake confirmation responses. Millions were lost and reputations of those audit firms were tarnished.
In this post, we will take a look at the following:
The primary relevant cash assertions are:
Of these assertions, I believe existence, accuracy, and cutoff are most important. The audit client is asserting that the cash balance exists, that it’s accurate, and that only transactions within the period are included.
Classification is normally not a relevant assertion. Cash is almost always a current asset. But when bank overdrafts occur, classification can be in play. The negative cash balance can be presented as cash or as a payable depending on the circumstances.
As we perform walkthroughs of cash, we normally look for ways that cash might be overstated (though it can also be understated as well). We are asking, “What can go wrong?” whether intentionally or by mistake.
In performing cash walkthroughs, ask questions such as:
As we ask questions, we also inspect documents (e.g., bank reconciliations) and make observations (who is doing what?).
If controls weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we review three monthly bank reconciliations and they all have obvious errors, we will perform more substantive work to prove the year-end bank reconciliation. For example, we might vouch every outstanding deposit and disbursement.
What is directional risk? It’s the potential bias that a client has regarding an account balance. A client might desire an overstatement of assets and an understatement of liabilities since each makes the balance sheet appear healthier.
The directional risk for cash is overstatement. So, in performing your audit procedures, perform procedures such as testing the bank reconciliation to ensure that cash is not overstated.
The primary risks are:
In smaller entities, it is common to have the following control deficiencies:
In my smaller audit engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.
When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate.
The assertions that concern me the most are existence, accuracy, and cutoff. So my RMM for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, bank confirmations and testing of the bank reconciliations. As RMM increases I examine more of the period-end bank reconciliations and more of the outstanding reconciling items. Also, I am more inclined confirm the balances.
When the RMM is moderate, I use standard audit procedures.
My customary audit tests are as follows:
The auditor should send confirmations directly to the bank. Some individuals create false bank statements to cover up theft. Those same persons provide false confirmation addresses. Then the confirmation is sent to an individual (the fraudster) rather than a bank. Once received, the company replies to the confirmation as though the bank is doing so. You can lessen the chance of fraudulent confirmations by using Confirmation.com, a company that specializes in bank confirmations. Also, you might Google the confirmation address to verify its existence.
Agree the confirmed bank balance to the period-end bank reconciliation (e.g., December 31, 20X9). Then, agree the reconciling items on the bank reconciliation to the bank statement subsequent to the period-end. For example, examine the January 20X0 bank statement activity when clearing the December 20X9 reconciling items. Finally, agree the reconciled balance to the general ledger cash balance for the period-end (e.g., December 31, 20X9).
Cut-off bank statements (e.g., January 20, 20X9 bank statement) may be used to test the outstanding items. Such statements, similar to bank confirmations, are mailed directly to the auditor. Alternatively, the auditor might examine the reconciling items by viewing online bank statements. (Read-only rights can be given to the auditor.)
My cash work papers normally include the following:
We’ve discussed how to perform cash risk assessment procedures, the relevant cash assertions, the cash risk assessments, and substantive cash procedures.
Next we’ll examine how to audit receivables and revenues.
By Charles Hall | Risk Assessment
Some auditors have been told they can’t assess control risk at high. Is this true? Also, is it possible to assess control risk at high and not test controls?
Additionally, some auditors believe that control risk is assessed at high only if internal controls are not in place. But is that true?
Listen now to hear the answers. Hint — assessing control risk at high might be your best solution.
By Charles Hall | Auditing
This article teaches you how to develop your audit strategy and audit plan. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit strategy and plan.
AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable.
To be in compliance with audit standards, you need to develop:
What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:
Also, consider the resources necessary to perform the engagement.
Think of the audit strategy as the big picture. You are documenting:
When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:
We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas.
The strategy led to Neil Armstrong’s historic walk on July 20, 1969.
Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).
Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.
The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.
My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.
Here are the main areas we cover:
Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so.
If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project.
Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit?
Now it’s time to create the audit plan.
The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.
How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.
How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs.
How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.
AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.
Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts.
Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures.
For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.
There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.
Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.
To see my earlier posts in this series, click here.
