Category Archives for "Accounting and Auditing"

Auditing Plant, Property, and Equipment
Sep 25

Auditing Plant, Property, and Equipment: The Why and How Guide

By Charles Hall | Auditing

Share14
Tweet
Share
Email
14 Shares

Today, I tell you how to audit plant, property, and equipment (or capital assets if you work with governments).

Plant, property, and equipment is often the largest item on a balance sheet. But the risk is often low to moderate. After all, it’s difficult to steal land or a building. And the accounting is usually not difficult. So the dollar amount can be high but the risk low.

In this post, we’ll answer questions such as, “how should we test additions and retirements of property?” and “what should we do in regard to fair value impairments?” 

Auditing Plant, Property, and Equipment

Auditing Plant, Property, and Equipment — An Overview

I will—at times in this article—refer to plant, property, and equipment as property. Governments use the term capital assets to refer to plant, property and equipment, but again, I will, for the most part, use the term property in this article.

Property is purchased for use in a business. For example, a corporate office might be bought or constructed. The building is an asset that is depreciated over its economic life. As depreciation is recorded, the book value (cost less accumulated depreciation) of the building decreases as depreciation is recognized. In other words, you expense the building as it is used.

In most reporting frameworks, including GAAP, assets are recorded at cost. Appreciation in market value is not recorded, but significant decreases, known as impairments, are booked. Property improvements (e.g., adding a new room to an existing building) are capitalized and depreciated. Repairs (e.g., painting a room) that don’t extend the life of an asset are expensed.

Also, most businesses elect to use a capitalization threshold such as $5,000. For these entities, amounts paid below the threshold are not capitalized, even if they extend the life of the asset. The amounts below the threshold are expensed as incurred.

So, how do most entities track property purchases and compute the related depreciation? They use depreciation software. Then when property is purchased, it is added to the depreciation software and an economic life (e.g., ten years) is assigned.

Below we will cover the following:

  • Primary property assertions
  • Property walkthroughs
  • Directional risk for property
  • Primary risks for property
  • Common property control deficiencies
  • Risk of material misstatement for property
  • Substantive procedures for property
  • Common property work papers

Primary Property Assertions

The primary relevant property assertions are:

  • Existence and occurrence
  • Completeness
  • Valuation
  • Classification

Of these assertions, I believe—in general—existence, occurrence, and classification are most important. So, the client is asserting that property exists, that depreciation expense is appropriate, and that amounts paid for property are capitalized (and not expensed).

Property Walkthroughs

As we perform walkthroughs of property, we are looking for ways that property might be overstated (though understatements can occur as well). 

As we perform the property walkthrough, we ask, “what can go wrong, whether intentionally or by mistake?”

In performing the walkthrough, ask questions such as:

  • Are property ledgers reconciled to the general ledger?
  • Does the entity use reasonable and consistent depreciation methods?
  • Are the depreciation methods in accordance with the reporting framework (e.g., straight line for GAAP or accelerated for tax basis)
  • Who records depreciation? 
  • Are the economic lives assigned to property appropriate?
  • What controls ensure that property is recorded in the right period?
  • What controls ensure that capital leases are capitalized as property (if applicable, see GAAP lease standards)?
  • Is there appropriate segregation of duties between persons that purchase, record, reconcile, and physically possess property?
  • What software is used to compute depreciation?
  • Does the company perform periodic physical inventories of property?
  • Are assets removed from the depreciation schedule upon sale?
  • What controls ensure that property purchases are added to the depreciation schedule (and not expensed as repairs and maintenance)?
  • What controls ensure that repair expenses are not capitalized as property?
  • What is the capitalization threshold (e.g., $5,000)?

As we ask questions, we also inspect documents (e.g., depreciation reports) and make observations (e.g., who has access to moveable property?).

If control weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see that one person purchases property, has physical access to equipment, and performs the related accounting, then we will perform theft-related substantive procedures.

Directional Risk for Property

The directional risk for property is overstatement. So, in performing your audit procedures, perform procedures to ensure that property is not overstated. For example, vouch all significant property additions to invoices. See if the amounts added are equal to or greater than the capitalization threshold (e.g., $5,000).

Primary Risks for Property

The primary risks for property are:

  1. Property is intentionally overstated
  2. Repair expenses (or any other expenses) are improperly capitalized as property
  3. Purchases that should be recorded as property are expensed
  4. Depreciation is improperly computed and recorded (e.g., accelerated depreciation is used when straight-line is more appropriate)
  5. Moveable property (e.g., equipment) is stolen

Common Property Control Deficiencies

auditing plant, property, and equipment

In smaller entities, it is common to have the following control deficiencies:

  • One person performs more than one of the following:
    • Authorizes the purchase of property
    • Enters the property in the general ledger and depreciation schedule
    • Has physical custody of the property
    • Has responsibility for reconciling the depreciation schedule to the general ledger
  • The person computing depreciation doesn’t have sufficient knowledge to do so 
  • A second person does not review the depreciation methods for appropriateness and economic lives assigned to each property
  • No one performs surprise audits of property
  • No one performs physical inventories of property
  • There are no controls over the disposal of property
  • Appropriate bidding procedures are not used
  • No one reconciles the depreciation schedule to the general ledger
  • Property is not reviewed for potential impairments of value

(See my article providing you with ways to prevent the theft of capital assets.)

Risk of Material Misstatement for Property

In smaller engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (controls risk X inherent risk = risk of material misstatement). The assertions that concern me the most are existence (for additions to property), occurrence (for depreciation), and classification (of property). With regard to classification, the business determines whether the amount should be capitalized or expensed. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, the vouching of additions to property. As RMM increases I lower the dollar threshold for vouching property additions.  

If controls related to bids are weak, your RMM for existence can be high. Bid rigging or kickbacks—fraudulent vendor actions—can result in overstatements of asset additions. 

Substantive Procedures for Property

My customary audit tests are as follows:

1. Vouch property additions to related invoices

2. Agree opening property balances in the depreciation schedule to the prior year ending balances

3. Review economic lives assigned to new property for appropriateness

4. Review the selected depreciation method in light of the property’s life

5. Compute a ratio of depreciation to property and compare the result with prior periods

6. Review new lease agreements to determine if they should be capitalized

7. Inquire about potential decreases in the value of property and request valuations if necessary

Common Property Work Papers

My property work papers normally include the following:

  • An understanding of property-related internal controls
  • Risk assessment of property at the assertion level
  • Documentation of control deficiencies related to property
  • Property audit program
  • A copy of the depreciation schedule that agrees to the general ledger
  • A summary of additions and retirements of property in the current audit period
  • Bid documents for significant construction projects or other property purchases
  • A valuation of a significant asset by a valuation specialist, if merited (potential impairment)

In Summary

In this article, we looked at how to perform property risk assessment procedures, the relevant property assertions, the property risk assessments, and substantive property procedures.

Next it’s time to turn our attention to the audit of accounts payable and expenses.

Share14
Tweet
Share
Email
14 Shares
Auditing Receivables and Revenues
Sep 09

Auditing Receivables and Revenues: The Why and How Guide

By Charles Hall | Auditing

Share
Tweet
Share
Email

Today we take a look at auditing receivables and revenues.

Revenues are the lifeblood of any organization. Without cash inflows, the entity may cease to exist. So, it’s important that each business generate sales or some type of revenue. For you, the auditor, it’s important to verify the revenue.  

Along with revenues, auditors need to prove receivables. Why? Some companies manipulate their earnings by inflating their period-end receivables.  When trade receivables increase, revenues increase. So, a company can increase its net income by recording nonexistent receivables.

In this post, we’ll answer questions such as, “should I confirm receivables or examine subsequent receipts?” and “why should I assume that revenues are overstated?"

Auditing Receivables and Revenues

Auditing Receivable and Revenues — An Overview

In this post, we will cover the following:

  1. Primary accounts receivable and revenue assertions
  2. Accounts receivable and revenue walkthrough
  3. Directional risk for accounts receivable and revenues
  4. Primary risks for accounts receivable and revenues
  5. Common accounts receivable and revenue control deficiencies
  6. Risk of material misstatement for accounts receivable and revenues
  7. Substantive procedures for accounts receivable and revenues
  8. Common accounts receivable and revenue work papers

Primary Accounts Receivable and Revenue Assertions

First, let’s look at assertions. The primary relevant accounts receivable and revenue assertions are:

  • Existence and occurrence
  • Completeness
  • Accuracy
  • Valuation
  • Cutoff

Of these assertions, I believe—in general—existence (of receivables), occurrence (of revenues) and valuation (of receivables) are most important. So, clients assert that:

  • Receivables exist 
  • Receivables are properly valued, and 
  • Revenues occurred

Accuracy comes into play if the customer has complex receivable transactions. Additionally, the cutoff assertion is often relevant, especially if the client has incentives to inflate the receivables balance (e.g., bonuses triggered at certain income levels).

Accounts Receivable and Revenue Walkthrough

Second, think about performing your risk assessment work in light of the relevant assertions.

As we perform walkthroughs of accounts receivable and revenue, we are looking for ways they are overstated (though they can also be understated as well). We are asking, “What can go wrong, whether intentionally or by mistake?”

In performing accounts receivable and revenue walkthroughs, ask questions such as:

  • Are receivables subsidiary ledgers reconciled to the general ledger?
  • Is a consistent allowance methodology used?
  • What method is used to compute the allowance and is it reasonable?
  • Who records and approves the allowance?
  • Who reviews aged receivables?
  • What controls ensure that revenues are recorded in the right period?
  • Is there adequate segregation of duties between persons recording, billing, and collecting payments? Who reconciles the related records?
  • What software is used to track billings and collections?
  • Are there any decentralized collection locations?
  • When are revenues recognized and is the recognition in accordance with the reporting framework?
  • What receivables and revenue reports are provided to the owners or the governing body?

As we ask questions, we also inspect documents (e.g., aged receivable reports) and make observations (e.g., who collects the payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see inconsistent allowance methods, we will perform more substantive work to prove the allowance balances.

Directional Risk for Accounts Receivable and Revenues

Third, consider the directional risk of accounts receivable and revenues.

Auditing receivables and revenues

The directional risk for accounts receivable and revenue is an overstatement. So, in performing your audit procedures, perform procedures to ensure that accounts receivables and revenues are not overstated. For example, review the cutoff procedures at period-end. Be sure that no subsequent period revenues are recorded in the current fiscal year. 

Audit standards require that auditors review estimates for management bias. So, consider the current year allowance and bad debt write-offs in light of the prior year allowance. This retrospective review allows the auditor to see if the current estimate is fair. The threat is that management might reduce allowances to inflate earnings.

Moreover, the audit standards state there is a presumption (unless rebutted) that revenues are overstated. Therefore, we are to assume revenues are overstated, unless we can explain why they are not.

Primary Risks for Accounts Receivable and Revenues

Fourth, think about the risks related to receivables and revenues.

The main risks are:

  1. The company intentionally overstates accounts receivable and revenue 
  2. Company employees steal collections 
  3. Without proper cutoff, an overstatement of accounts receivables and revenue occurs 
  4. Allowances are understated
  5. Revenue recognition

Risks related to revenue also vary from company to company. For example, one telecommunications company might sell bundled services while another may not. Revenue recognition is more complex (risky) for the company selling bundled services.

Also, revenue risks vary from industry to industry. For example, the allowance for uncollectible is normally a high risk area for healthcare entities, but may not be so for other industries.

Common Accounts Receivable and Revenue Control Deficiencies

Fifth, think about the control deficiencies noted during your walkthroughs and other risk assessment work.

In smaller entities, the following control deficiencies are common:

  • One person performs one or more of the following: 
    • bills customers
    • receipts monies
    • makes deposits 
    • records those payments in the general ledger
    • reconciles the related bank account
  • The person computing allowances doesn’t possess sufficient knowledge to do so correctly
  • No surprise audits of receivables and revenues 
  • Multiple people work from one cash drawer
  • Receipts are not appropriately issued
  • Receipts are not reconciled to daily collections
  • Daily receipts are not reviewed by a second person
  • No one reconciles subsidiary receivable ledgers to the general ledger
  • Individuals with the ability to adjust customer receivable accounts (with no second-person approval or review) also collect cash 
  • Inconsistent bad debt recognition with no second-person review process
  • The revenue recognition policy may not be clear and may not be in accordance with the reporting framework

Risk of Material Misstatement for Accounts Receivable and Revenues

Sixth, now it’s time to assess your risks.

In smaller engagements, I usually assess control risk at high for each assertion. Controls must be tested to support any lower control risk assessments. Assessing risks at high is often more efficient than testing controls.

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (inherent risk X control risk = risk of material misstatement). The assertions that concern me the most (those with higher inherent risks) are existence, occurrence, and valuation. So my RMM for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, receivable confirmations and tests of subsequent collections. As RMM increases, I send more confirmations and examine more subsequent collections.

Additionally, I thoroughly test management’s allowance computation. I pay particular attention to uncollected amounts beyond 90 days. Uncollected amounts beyond 90 days should usually be heavily reserved. And amounts beyond 120 days should—generally—be fully reserved.  

Substantive Procedures for Accounts Receivable and Revenues

And finally, it’s time to determine your substantive procedures in light of your identified risks.

auditing receivables and revenues

My customary audit procedures are as follows:

  1. Confirm accounts receivable balances (especially larger amounts)
  2. Vouch subsequent period collections, making sure the subsequent collections relate to the period-end balances (sampling can be used)
  3. Thoroughly review allowance computations to see if they are consistent with prior years; compare allowance percentages to industry averages; agree to supporting documentation (e.g., histories of uncollectible amounts); recompute the related numbers
  4. Create comparative summaries of all significant revenue accounts, comparing the current year amounts with historical data (three or more years if possible)
  5. Create summaries of average per customer income and compare with prior years (you may want to do this by specific revenue categories)
  6. Compute average profit margins by sales categories and compare with previous years

Common Accounts Receivable and Revenue Work Papers

My accounts receivable and revenue work papers frequently include the following:

  • An understanding of accounts receivable and revenue-related internal controls
  • Risk assessment of accounts receivable and revenue at the assertion level
  • Documentation of any control deficiencies
  • Accounts receivable and revenue audit program
  • A detail of receivables comprising amounts on the general ledger
  • Copies of confirmations sent
  • A summary of confirmations received
  • Subsequent collections work papers
  • Allowance work paper
  • Revenue comparison work papers

In Summary

In this chapter, we’ve looked at the following for receivables and revenues:

  • How to perform risk assessment procedures, 
  • Relevant assertions, 
  • Risk assessments (as a result of the risk assessment procedures), and
  • Substantive procedures

Next, we’ll see how to audit plant, property, and equipment.

Share
Tweet
Share
Email
auditing cash
Sep 05

Auditing Cash: The Why and How Guide

By Charles Hall | Auditing

Share
Tweet
Share
Email

Auditing cash tends to be straightforward. We usually just obtain the bank reconciliations and test them. We send confirmations and vouch the outstanding reconciling items to the subsequent month’s bank statement. But are such procedures always adequate? Hardly. 

Recall the Parmalat and ZZZZ Best Carpet Cleaning frauds. In those businesses, the theft of cash was covered up with fake bank statements and fake confirmation responses. Millions were lost and reputations of those audit firms were tarnished.

auditing cash

How to Audit Cash

In this post, we will take a look at the following:

  • Primary cash assertions
  • Cash walkthrough
  • Directional risk for cash
  • Primary risks for cash
  • Common cash control deficiencies
  • Risk of material misstatement for cash
  • Substantive procedures for cash
  • Common cash work papers

Primary Cash Assertions

The primary relevant cash assertions are:

  • Existence
  • Completeness
  • Rights
  • Accuracy
  • Cutoff

Of these assertions, I believe existence, accuracy, and cutoff are most important. The audit client is asserting that the cash balance exists, that it’s accurate, and that only transactions within the period are included.

Classification is normally not a relevant assertion. Cash is almost always a current asset. But when bank overdrafts occur, classification can be in play. The negative cash balance can be presented as cash or as a payable depending on the circumstances. 

Cash Walkthrough

As we perform walkthroughs of cash, we normally look for ways that cash might be overstated (though it can also be understated as well). We are asking, “What can go wrong?” whether intentionally or by mistake.

Cash Walkthrough

In performing cash walkthroughs, ask questions such as:

  • Are timely bank reconciliations performed by competent personnel?
  • Are all bank accounts reconciled?
  • Are the bank reconciliations reviewed by a second person?
  • Are all bank accounts on the general ledger?
  • Are transactions appropriately cut off at period-end (with no subsequent period transactions appearing in the current year)?
  • Is there appropriate segregation between persons handling cash, recording cash, making payments, and  reconciling the bank statements
  • What bank accounts were opened in the period?
  • What bank accounts were closed in the period?
  • Are there any restrictions on the bank accounts?
  • What persons are on the bank signature cards?
  • Who has the authority to open and/or close bank accounts?
  • What is the nature of each bank account (e.g., payroll bank account)?
  • Are there any cash equivalents (e.g., investments of less than three months)
  • Were there any held checks (checks written but unreleased) at the end of the period being audited?

As we ask questions, we also inspect documents (e.g., bank reconciliations) and make observations (who is doing what?).

If controls weaknesses exist, we create audit procedures to address them. For example, if during the walkthrough we review three monthly bank reconciliations and they all have obvious errors, we will perform more substantive work to prove the year-end bank reconciliation. For example, we might vouch every outstanding deposit and disbursement.

Directional Risk for Cash

What is directional risk? It’s the potential bias that a client has regarding an account balance. A client might desire an overstatement of assets and an understatement of liabilities  since each makes the balance sheet appear healthier.

The directional risk for cash is overstatement. So, in performing your audit procedures, perform procedures such as testing the bank reconciliation to ensure that cash is not overstated.

Primary Risks for Cash

The primary risks are:

  1. Cash is stolen
  2. Cash is intentionally overstated to cover up theft
  3. Not all cash accounts are on the general ledger
  4. Cash is misstated due to errors in the bank reconciliation
  5. Cash is misstated due to improper cutoff

Common Cash Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person receipts and/or disburses monies, records those transactions in the general ledger, and reconciles the related bank accounts
  • The person performing the bank reconciliation does not possess the skill to properly perform the duty
  • Bank reconciliations are not timely performed

Risk of Material Misstatement for Cash

In my smaller audit engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.

Risk of material misstatement for cash

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). For example, if control risk is high and inherent risk is moderate, then my RMM is moderate. 

The assertions that concern me the most are existence, accuracy, and cutoff. So my RMM for these assertions is usually moderate to high. 

My response to higher risk assessments is to perform certain substantive procedures: namely, bank confirmations and testing of the bank reconciliations. As RMM increases I examine more of the period-end bank reconciliations and more of the outstanding reconciling items. Also, I am more inclined confirm the balances.

When the RMM is moderate, I use standard audit procedures.

Substantive Procedures for Cash

My customary audit tests are as follows:

  1. Confirm cash balances
  2. Vouch reconciling items to the subsequent month’s bank statement
  3. Ask if all bank accounts are included on the general ledger
  4. Inspect final deposits and disbursements for proper cutoff

The auditor should send confirmations directly to the bank. Some individuals create false bank statements to cover up theft. Those same persons provide false confirmation addresses. Then the confirmation is sent to an individual (the fraudster) rather than a bank. Once received, the company replies to the confirmation as though the bank is doing so. You can lessen the chance of fraudulent confirmations by using Confirmation.com, a company that specializes in bank confirmations. Also, you might Google the confirmation address to verify its existence.

Agree the confirmed bank balance to the period-end bank reconciliation (e.g., December 31, 20X9). Then, agree the reconciling items on the bank reconciliation to the bank statement subsequent to the period-end. For example, examine the January 20X0 bank statement activity when clearing the December 20X9 reconciling items. Finally, agree the reconciled balance to the general ledger cash balance for the period-end (e.g., December 31, 20X9).

Cut-off bank statements (e.g., January 20, 20X9 bank statement) may be used to test the outstanding items. Such statements, similar to bank confirmations, are mailed directly to the auditor. Alternatively, the auditor might examine the reconciling items by viewing online bank statements. (Read-only rights can be given to the auditor.)

Common Cash Work Papers

My cash work papers normally include the following:

  • An understanding of cash-related internal controls 
  • Risk assessment of cash assertions at the assertion level
  • Documentation of any control deficiencies
  • Cash audit program
  • Bank reconciliations for each significant account
  • Bank confirmations

In Summary

We’ve discussed how to perform cash risk assessment procedures, the relevant cash assertions, the cash risk assessments, and substantive cash procedures. 

Next we’ll examine how to audit receivables and revenues.

Share
Tweet
Share
Email
Developing your audit strategy and plan
Aug 08

Audit Planning: Developing Your Audit Strategy and Plan

By Charles Hall | Auditing

Share5
Tweet
Share26
Email
31 Shares

This article teaches you how to develop your audit strategy and audit plan. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit strategy and plan.

AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable. 

Developing your audit strategy and plan

Audit Strategy and Plan

To be in compliance with audit standards, you need to develop:

  • Your audit strategy
  • Your audit plan

Developing Your Audit Strategy

What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:

  • The characteristics of the engagement (these define its scope)
  • The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
  • The significant factors (these determine what the audit team will do)
  • The results of preliminary engagement activities (these inform the auditor’s actions)
  • Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)

Also, consider the resources necessary to perform the engagement.

Think of the audit strategy as the big picture. You are documenting:

  • The scope (the boundaries of the work)
  • The objectives (what the deliverables are) 
  • The significant factors (e.g., is this a new or complex entity?)
  • The risk assessment (what are the risk areas?)
  • The planned resources (e.g., the engagement team) 

Strategy for Walking on the Moon

When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:

We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas. 

developing your audit strategy and plan

The strategy led to Neil Armstrong’s historic walk on July 20, 1969.

Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).

Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.

What’s in an Audit Strategy?

The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.

My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.

Here are the main areas we cover:

  • Deliverables and deadlines
  • A time budget
  • The audit team
  • Key client contacts
  • New accounting standards affecting the audit
  • Problems encountered in the prior year 
  • Anticipated challenges in the current year 
  • Partner directions regarding key risk areas
  • References to work papers addressing risk

Who Creates the Audit Strategy?

Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so. 

Audit Strategy as the Central Document

If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project. 

Audit Plan (or Audit Program)

Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit? 

  1. Performed risk assessment procedures
  2. Developed our audit strategy

Now it’s time to create the audit plan.

The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.

Creating the Audit Program

How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.

Sufficient Audit Steps

How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs. 

Integrating Risk Assessment with the Audit Program

How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.

AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.

Creating Efficiency in the Audit Plan

Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts. 

Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures. 

For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.

In Summary

There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.

Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.

To see my earlier posts in this series, click here.

Share5
Tweet
Share26
Email
31 Shares
Hosting Services
Aug 07

Danger: Hosting Services Impair Independence

By Charles Hall | Auditing

Share
Tweet
Share
Email

As of July 1, 2019, hosting services impair independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This article explains why your possession of client records, whether electronic or hard-copy, can affect your independence.

Hosting Services Impair Independence

Starting July 1, 2019, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on our server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)

hosting services impair independence

The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.

Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.

In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.

To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not. 

Continue reading

Share
Tweet
Share
Email
1 2 3 4 5 28
>