Category Archives for "Accounting and Auditing"

Feb 08

Confirmation of Receivables: Is It Required?

By Charles Hall | Auditing

When is the confirmation of receivables required?

confirmation of receivables

accounts receivable

Confirmation of Receivables is Usually Required

AU-C 330 paragraph 20 states the following:

The auditor should use external confirmation procedures for accounts receivable, except when one or more of the following is applicable:

  1. The overall account balance is immaterial.
  2. External confirmation procedures for accounts receivable would be ineffective.
  3. The auditor’s assessed level of risk of material misstatement at the relevant assertion level is low, and the other planned substantive procedures address the assessed risk. In many situations, the use of external confirmation procedures for accounts receivable and the performance of other substantive procedures are necessary to reduce the assessed risk of material misstatement to an acceptably low level.

If receivables are material and confirmation procedures will be effective, then confirmations must be sent. (Normally, the existence assertion related to receivables is moderate to high. So, 3. above is not in play.)

When are Confirmations Ineffective?

AU-C 330.A56 states:

External confirmation procedures may be ineffective when based on prior years’ audit experience or experience with similar entities:

  • response rates to properly designed confirmation requests will be inadequate; or
  • responses are known or expected to be unreliable.

If the auditor has experienced poor response rates to properly designed confirmation requests in prior audits, the auditor may instead consider changing the manner in which the confirmation process is performed, with the objective of increasing the response rates or may consider obtaining audit evidence from other sources.

Alternative Procedures When Confirmations are not Sent

What audit procedure should be performed if confirmations are not sent? Usually, the auditor will examine cash collections after the period-end. Care must be taken to ensure that the subsequent collections examined relate to receivables that existed at period-end and not to sales occurring after period-end.

Required Documentation When Confirmations are not Sent

AU-C 330.31 states that “the auditor should include in the audit documentation the basis for any determination not to use external confirmation procedures for accounts receivable when the account balance is material.” So, it is not sufficient to simply state that the use of confirmations is ineffective. We should state that we tried to confirm receivables in a prior year without effective results or that we tried to confirm receivables for clients in a similar industry, but without effective results.

The auditor should include a memo to the file or add comments on the receivables work paper explaining why confirmations were not sent.

when are SOC reports needed
Feb 06

When are SOC Reports Needed by an External Auditor?

By Charles Hall | Auditing

Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, when are SOC reports needed? 

when are SOC reports needed

When are SOC Reports Needed?

SOC reports are needed when:

  • The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
  • The SOC report provides information concerning a significant transactions cycle

Many organizations outsource portions of their accounting to service organizations. Think ADP–a service organization that provides payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.

All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.

A financial statement auditor is concerned with material misstatements, regardless of how or where they occur–and regardless of who allows the misstatement. Therefore, auditors look for internal controls weaknesses in both the entity being audited and outsourced service organizations.

As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.

Definitions Related to Service Organizations

Before delving into the details of service organization controls, let’s define a few key words. These definitions come from AU-C 402.

Complementary user entity controls. Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.

Service auditor. A practitioner who reports on controls at a service organization.

Service organization. An organization or segment of an organization that provides services to user entities that are relevant to those user entities’ internal control over financial reporting.

User auditor. An auditor who audits and reports on the financial statements of a user entity.

User entity. An entity that uses a service organization and whose financial statements are being audited.

Audit Standard for Service Organizations

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organization are likely to relate to financial reporting, other controls also may be relevant to the audit, such as controls over the safeguarding of assets. A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:

  1. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements;
  2. The procedures within both IT and manual systems by which the user entity’s transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements;
  3. The related accounting records, supporting information, and specific accounts in the user entity’s financial statements that are used to initiate, authorize, record, process, and report the user entity’s transactions. This includes the correction of incorrect information and how information is transferred to the general ledger; the records may be in either manual or electronic form;
  4. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements;
  5. The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and
  6. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.

If a service organization’s work affects any of the items listed in a. through f., those services are a part of the audited entity’s information system.

When is a SOC report not needed?

When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:
 
This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).
 
Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.

Complementary User Entity Controls

The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as “complementary user entity controls.” If the complementary controls operate effectively, the user auditor–an auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.

Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions, then the user auditor may need SOC reports or other service organization information.

Is the Placement of a SOC Report in the Audit File Sufficient?

Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.

A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.

Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.

If controls weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).

Type 1 or Type 2 SOC Reports?

Service organization auditors can issue type 1 or type 2 reports.

A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.

A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

The type 1 report provides information about the service organization’s system and related controls. The type 2 report provides an opinion on the system description and the design and effectiveness of the controls. A type 1 or a type 2 report can be used to gain an understanding of the controls.

Should the Auditor Visit the Service Organization?

Usually, the auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.

Funding Depreciation
Feb 05

How to Make Your Business More Profitable by Funding Depreciation

By Charles Hall | Accounting and Auditing , Local Governments

From time to time, I have clients ask me “What is funding depreciation?” And more importantly, they ask, “How can this technique make my organization more profitable and less stressful?”

Here’s a simple explanation.

Funded depreciation is the setting aside of cash in amounts equal to an organization’s annual depreciation. The purpose: to fund future purchases of capital assets with cash.

Funding Depreciation

Picture Courtesy of Canva

Funding Depreciation

Suppose you buy a $10,000 whiz-bang gizmo – a piece of equipment – that you expect to use for ten years, and at the end of the ten years you expect it to have no value. Your annual depreciation is $1,000.

In this example, a $1,000 depreciation expense is recognized annually on your income statement (depreciation decreases net income) even though no cash outlay occurs. The balance sheet includes the cost of the whiz-bang gizmo, but at the end of ten years, the equipment has a $0 book value, being fully depreciated.

The smart manager will annually set aside $1,000 in a safe investment – such as a certificate of deposit or money market account – for the future replacement of the whiz-bang gizmo.

If the company does not annually invest the $1,000, it has a few options at the end of the ten-year period:

  • Borrow the full amount for the replacement cost
  • Seek outside funding (e.g., grants)
  • Use other funds from within the organization
  • Ask U2 to do a special benefits concert – just kidding

Obviously, if you borrow money to replace the equipment, you will have to pay interest – another cash outlay. Suppose the rate is 10%. Now the organization must pay out $1,100 each year. If the organization funds the depreciation (invests $1,000 annually), it earns interest. If the entity chooses not to fund depreciation, it will pay interest.

Businesses that fund depreciation are always making money from interest (granted not much these days) rather than paying for it.

Another advantage to funding depreciation: you know you will have the money to purchase the capital asset. You’re not concerned with whether a creditor will lend you the money for the acquisition. You’re financially stronger.

Why Doesn’t Every Entity Fund Depreciation?

So why doesn’t everyone fund depreciation?

  • Some don’t understand the concept
  • Some had rather spend the cash flows for the ten years (e.g., owners taking too much in distributions)
  • Some need the money just to run the organization
  • In governments, elected officials desire to keep tax rates low while they are in office
  • In growing businesses, the owners may need the money to fund the growth of the company
  • Most importantly, it may require two cash payments (more in a moment)

Concerning the last point, if the business had to borrow money to purchase the initial capital asset, then it must make the debt service payments (cash outlay 1). If the company also funds depreciation for that same asset (making investments equal to the annual depreciation), another cash flow occurs (cash outlay 2).

If the business can ever get into a position where it pays cash for new equipment, it will be better off. Then only one cash outlay (investment funding) occurs, and the company is making–not paying–interest.

What if the organization cannot–due to cash flow constraints–fund depreciation for all new equipment purchases? Consider doing so for just one or two pieces of equipment–over time, the entity may be able to move into a fully funded position.

Who Should Fund Depreciation?

So, who should fund depreciation?

Organizations with sufficient cash flow and discipline. It’s the smart thing to do.

Imagine a world with no debt, a world where you don’t have to wonder how you will pay for equipment. Dreaming? Maybe, but funded depreciation is worth your consideration.

Risk Assessment at the Assertion Level
Nov 07

Should Auditors Assess the Risk of Material Misstatement at the Assertion Level?

By Charles Hall | Accounting and Auditing

Should auditors assess the risk of material misstatement at the assertion level? Or is it better assess risk at the transaction level (for all assertions at once)? Those who assess at the transaction level think they are saving time. But is it more efficient to assess the risk of material misstatement at the transaction level—or might it be more economical to do so at the assertion level?

Assess the Risk of Material Misstatement at the Assertion Level

Picture from AdobeStock.com

Why Assess the Risk of Material Misstatement at the Assertion Level?

If the goal of assessing risk is to quickly create a risk assessment document (and nothing else), then assessing risk at the transaction level makes sense. But we know the purpose of the risk assessment document is to design responsive audit procedures. Consequently, assessing risk at the assertion level is wiser. 

Why? Let’s answer that question with an accounts payable example. 

Accounts Payable Risk Assessment Example

Suppose the auditor assesses risk at the transaction level, assessing all accounts payable assertions as high risk. What does this mean? It means the auditor should perform rigorous substantive procedures to respond to the high-risk assessments for each assertion. Why? His risk assessment for valuation, existence, rights and obligations, completeness, and all other assertions are high. Logically, his substantive procedures must now address all of those (high) risks.

Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor will create substantive procedures that respond to the risk that payables are not complete such as conducting a search for unrecorded liabilities. Additionally, he may not perform existence-related procedures such as sending vendor confirmations. 

Do you see the advantage? Rather than using a scattered approach—let’s audit everything—the auditor pinpoints his audit procedures.

Planners or Doers

Some auditors are planners. Some are doers

The planners like to perform risk assessment procedures—such as reviewing internal controls.

But those focused on doing say, “Let’s get on with it.” Many such auditors focus on a balance sheet audit approach

If I, on the first day of the audit, immediately perform basic procedures such as reviewing year-end bank reconciliations or sending receivable confirmations, then I am a doer. The audit standards do not smile upon me. Those standards call for the following:

  1. Perform risk assessment procedures
  2. Assess risks of material misstatement
  3. Create an audit plan
  4. Perform the audit plan
  5. Consider whether the initial risk assessment and audit plan is appropriate (if not amend them)

Many auditors start with step 4. Why? Because we think we already know what the risks are. Or worse yet, we are just doing the same as last year without considering risks.

Linkage with Further Audit Procedures

So why do auditors assess risk at the transaction level and not the assertion level? Sometimes, it’s because we plan to do the same as last year without considering risks. Such thinking is dangerous and not in the spirit of the audit standards—and it costs you money!

Risk Assessment

Picture from AdobeStock.com

 

As I perform peer reviews, firms say to me, “I know I over-audit, but I’m not sure how to lessen what I do.” And then they say, “How can I reduce my time and still perform a quality audit?” 

Here’s my answer: “Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailor—yes, change the audit program—to address the risks. Perform substantive procedures related to the identified risk areas—and slap yourself every time you even think about same as last year. Trust your judgment.”

And what are the benefits of assessing risk at the assertion level?

  • Think more and work less
  • Make higher profits
  • Audit in conformity with standards
  • Peer reviewers will like it

Your Files

Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting your risks at the assertion level–and less time performing your back-of-file (substantive) work.

auditor's cell phone
Sep 17

An Auditor’s Cell Phone

By Charles Hall | Accounting and Auditing , Technology

A cell phone is an auditor’s Swiss knife. And with all the options, I am continually looking for another way to use mine. So I’m sharing my ideas with the hope that you will likewise share yours. While I use an iPhone, I realize there are plenty of other nifty cell phones; my comments below are directed not at a particular phone but how I use mine as an auditor.

Below you will see a screenshot of my cell phone home screen and information concerning how I use various apps.

Auditor's Cell Phone

An Auditor’s Cell Phone

 

Camera

I use this iPhone app to capture pictures of documents as I perform internal control walkthroughs. I embed these pictures in my walkthrough documentation. A picture says a thousand words. If the person explaining the accounting system creates pictures on a whiteboard, I take photos of the drawings.

Sometimes I need a copy of a page from a hardback book (e.g., research); rather than using the copy machine, I take a picture of the page and email it.

Keynote

Keynote is Apple’s version of Powerpoint. I build the Keynote slide deck for presentations and use my phone to present. If you use iCloud, the slide deck you create on your iPad will automatically appear on your iPhone (if your settings are right).

You can also present a Keynote slide deck using your iPad as the presentation device and your iPhone as a remote. Your iPhone moves the slides of the iPad slide deck as you stand at a distance. Both devices (iPad and iPhone) must be on the same wifi for the remote feature to work.

Kindle

I buy most of my books using the one-click option in Amazon. Most books are 50% less in price (or more) than physical books. You can highlight books you read and then create a summary of those highlights (which I then place in my searchable Evernote account–see below); you can copy and paste these highlights to Word or other software.

If I am waiting on a plane, taxi, a friend, a doctor, etc., I have all my books handy for reading. You can even purchase my fraud prevention or SSARS 21 books (shameless advertising, yes I’m guilty).

Evernote

I love Evernote! It is my cloud storage, and at $70 per year for the premium version, it provides me with tremendous power. All the research I have performed and stored is available everywhere I go. All the articles I have saved are at my fingertips. (And it is so easy to store information in this application.) At present, I have thousands of screenshots, websites, articles, presentations, conversations, books, pictures, and answered research issues. It’s my knowledge library.

You can use this app to record conversations that are automatically loaded into Evernote.

Dropbox

I also use Dropbox to store some documents. Most apps connect well with Dropbox, and it handles large video or audio files well.

1Password

I save all my passwords in 1Password. No more wondering how I’m going to get into my computer with a password I’ve forgotten–again (I know this never happens to you).

Messages

I text my audit team members to see how things are going. Messaging is much more efficient than calling if the communication is short. (You can also take a picture of anything with Camera and message the picture. If your audit team member needs to see something on your computer screen, take a picture of it and message the shot to them with comments.)

Don’t want to type the message? Just say it out loud, and the app will record your words for sending.

Maps

I use Google maps to get to new audit locations.

Weather

I use the Weather Channel’s app to check the weather before I leave for trips so I can dress appropriately.

Pandora

Mozart or U2 makes my audit day go by much better. If you prefer music without ads, you can pay Pandora for the service. 

Sharefile

Sharefile is my go-to app for sending sensitive client data. With hackers everywhere, I don’t risk sending sensitive client data in emails.

Fantastical

My Fantastical calendar app syncs with my Outlook calendar, so regardless of where I am, I can check my appointments and schedule the same. I can also add reminders in Fantastical, so I don’t forget the milk.

ToDoist

Do I keep a to-do list? Yes, in my ToDoist app. This app integrates with Outlook.

Audible

When I am driving, I listen to books using Audible. If you’re on the road a lot, this is a great way to redeem your time.

WSJ

I read the Wall Street Journal to keep abreast of current events. This WSJ app provides me access to one of the best newspapers in America (and there aren’t many these days).

Siri

While not an app, I push the button on my iPhone and Siri asks me what I want to do. This is how I make phone calls by simply saying, “call my wife,” for example. I also send texts (or emails) the same way by saying “send a text to C.S. Lewis”; then I tell Siri what I want to say–works amazingly well; she even understands my southern accent (and that, my friends, is truly amazing).

What About You?

How do you use your cell phone at work? I would love to hear from you.

>