Here are 15 risk assessment mistakes. Have you seen these?
Assessing control risk at high with no understanding of internal controls and no walkthroughs (in other words, defaulting to high control risk)
Seeing significant internal control problems, assessing control risk at high, then performing routine audit procedures (and no extended procedures)
Assessing inherent risk too high (resulting in unnecessary responses–audit procedures)
Assessing inherent risk too low (resulting in inadequate responses–audit procedures)
Not documenting why inherent risks are assessed as they are
Seeing risks of material misstatement in the performance of risk assessment procedures (e.g., preliminary analytics), but not documenting those on the summary risk assessment form
Adding audit procedures for assertions that are not relevant (wasted hours of work)
Not documenting linkage between the risks of material misstatement by assertion to the planned audit procedures
Failing to document an understanding of the entity and its industry
Assessing control risk below high without the support of a test of controls
Defaulting to a test of details rather than performing a test of controls for effectiveness when the test of details takes more time than the test of controls (not necessarily wrong, just takes more time)
Not identifying significant risks (and not performing needed extended procedures)
Not understanding how weak internal controls affect the risk of material misstatement
Not giving sufficient attention to internal controls because “my controls risk will be assessed at high anyway”
Doing the same-as-last-year without determining if last year’s approach was correct and without determining if new risks of material misstatement are present
Review one of your audit files and see if any of these risk assessment mistakes are present.
Peer reviews find that many CPA firms don't identify significant risks in audits, and that's a problem. Why? Because they are the seedbed of many material misstatements. And when material misstatements are not identified, audit failure often occurs.
Below, I will tell you how to identify, assess, and respond to significant risks.
I also explain the new requirement to communicate significant risks to those charged with governance.
Defining Significant Risk
The Auditing Standards Board previously defined significant risks as those deserving special audit consideration. They've amended this definition in SAS 145 to focus on the inherent risk characteristics rather than the response.
For example, a highly complex receivable allowance is inherently risky because it's subjective and complicated. Yes, we will give it special audit consideration. But it's a significant risk because of its nature (subjective and complex), not because of our response (re-computing the estimate and comparing it with prior periods, for example).
How Many Significant Risks?
At least one significant risk exists in most audits, and frequently there are more. The number depends on the entity, its environment, the types of services it provides or goods it sells, the complexity of its accounts, the subjectivity of determining balances, the susceptibility of accounts to bias or fraud, and the level of change.
The audit standard defines the risk as one close to the upper end of the spectrum of inherent risk without regard for controls. In other words, we consider the inherent risk factors, and we disregard internal controls as we identify these risks.
Align Inherent Risk with Significant Risk
Notice that significant risks are based solely upon inherent risk. So don’t make the mistake of identifying such a risk and then assessing inherent risk below high. After all, the definition says close to the upper end of the spectrum of inherent risk.
Suppose, for example, you identify a significant risk for the allowance for uncollectible receivables, an estimate, due to concerns about the valuation assertion (because it's complex and subjective; see inherent risk factors below). Then the inherent risk for the valuation assertion must be high (or max).
It's useful to think of inherent risk on a scale of 1 to 10, with 10 being high risk. If you believe the inherent risk is a 9 or a 10 (close to the upper end of the spectrum of inherent risk), then a significant risk is present. Though auditors commonly use low, moderate, high to measure inherent risk, the audit standards don't specify how this is to be done. I'm not saying don't use low, moderate, high, only that thinking of inherent risks on a scale of 1 to 10 helps me evaluate risk and determine whether a significant risk is present.
Inherent Risk Factors
And what are the inherent risk factors?
Complexity
Subjectivity
Change
Uncertainty
Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)
Two Questions to Consider
So the auditor reviews an assertion and asks, "In light of these risk factors, what is the probability of misstatement without regard for controls?" The auditor also asks, "Would a material misstatement occur?" So we consider two things:
Is it highly likely that a misstatement will occur for the assertion (without regard for controls)?
Will the misstatement be material?
If both answers are yes, it's a significant risk.
Responses to Significant Risks
Peer reviews find that auditors sometimes identify these risks but plan inadequate responses. If the risk is significant, then a strong response is necessary.
For example, if inventory obsolescence is an issue, the auditor should plan procedures to identify the impaired items and test for appropriate valuation. You may need a specialist in such a situation. So, what would be an inadequate response? Performing basic inventory procedures. Additional procedures, sometimes referred to as extended steps, are necessary to address the inventory valuation assertion.
As you plan the additional audit procedures, link them from the identified risk (usually on your summary risk assessment form) to your responses (usually on your audit program). In the inventory example, you would link the risk for the valuation assertion to the inventory audit steps (the extended steps to identify and value the impaired items).
You must also communicate these risks to those charged with governance.
Present guidance states that significant risks are those that deserve special audit consideration, so you'll use that definition until SAS 145 is implemented. (Even so, SAS 145 will help you understand these risks now.)
How to Communicate
You can communicate significant risks in one of three ways:
Engagement letter
Planning letter to those charged with governance
Verbally to the board with documentation of that communication in the audit file--this could be a separate Word document that says who you talked with, when, and the significant risk areas communicated.
The Communication Change
SAS 134 amended AU-C 260.11 (AU-C 260 The Auditor's Communication with Those Charged with Governance) as follows (amended language is underlined):
The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor.
Sample Significant Risk Language
Here's an example of the language to be used in any of the three options above:
The anticipated significant risk areas in the audit are:
receivables/revenues,
the allowance for uncollectibles
the pension liability and disclosure.
Aligning the Communication with Workpapers
The significant risk areas communicated to the board during planning should align with those identified in your workpapers. You could, however, not know all of the risk areas when you create your initial communication. It's even possible you might not identify these risks until you are well into the engagement. So the initial significant risk communication and the identified risks in the audit file could be different. You can communicate any additional risks in your final communication to those charged with governance.
Why are we making this communication to the board? Well, the board governs the entity, so they need to be aware of areas with a higher risk of potential misstatements.
Optional Communication
The explanatory information that accompanies AU-C 260 (specifically .A21) states you may include in the governance communication how you (as the auditor) are going to address the significant risks, but this is optional.
Accounts payable is usually one of the more important audit areas. Why? Risk. First, it’s easy to increase net income by not recording period-end payables. Second, many forms of theft occur in the accounts payable area.
In this post, I’ll answer questions such as, “how should we test accounts payable?” And “should I perform fraud-related expense procedures?” We’ll also take a look at common payables-related risks and how to respond to them. In short, you will learn what you need to know about auditing accounts payable.
Auditing Accounts Payable and Expenses — An Overview
What is a payable? It’s the amount a company owes for services rendered or goods received. Suppose the company you are auditing receives $2,000 in legal services in the last week of December 2019, but the law firm sends the related invoice in January 2020. The company owes $2,000 as of December 31, 2019. The services were provided, but the payment was not made until after the year-end. Consequently, the company should accrue (record) the $2,000 as payable at year-end.
In determining whether payables exist, I like to ask, “if the company closed down at midnight on the last day of the year, would it have a legal obligation to pay for a service or good?” If the answer is yes, then record the payable even if the invoice is received after the year-end. Was a service provided or have goods been received by year-end? If yes (and the amount has not already been paid), accrue a payable.
In this chapter, we will cover the following things an accounts payable auditor needs to consider:
Primary accounts payable and expense assertions
Accounts payable and expense walkthroughs
Directional risk for accounts payable and expenses
Primary risks for accounts payable and expenses
Common accounts payable and expense control deficiencies
Risks of material misstatement for accounts payable and expenses
Search for unrecorded liabilities
Auditing for accounts payable and expense fraud
Substantive procedures for accounts payable and expenses
Typical accounts payable and expense work papers
So, let’s begin our journey of auditing accounts payable and expenses.
Primary Accounts Payable and Expense Assertions
The primary relevant accounts payable and expense assertions are:
Existence
Completeness
Cutoff
Occurrence
Of these assertions, I believe completeness and cutoff (for payables) and occurrence (for expenses) are usually most important. When a company records its payables and expenses by period-end, it is asserting that they are complete and that they are accounted for in the right period. Additionally, the company is implying that amounts paid are legitimate.
Accounts Payable and Expense Walkthroughs
As we perform walkthroughs of accounts payable and expenses, we are looking for understatements (though payables and expenses can also be overstated). We are asking, “what can go wrong?” whether intentionally or by mistake.
In performing accounts payable and expense walkthroughs, ask questions such as:
Who reconciles the accounts payable summary to the general ledger?
Does the company use an annual expense budget?
Are budget/expense reports provided to management or others? Who receives these reports?
What controls ensure the recording of payables in the appropriate period?
Who authorizes purchase orders? Are any purchases authorized by means other than a purchase order? If yes, how?
Are purchase orders electronic or physical?
Are purchase orders numbered?
How does the company vet new vendors?
Who codes invoices (specifies the expense account) and how?
Are three-way matches performed (comparison of purchase order with the receiving document and the invoice)?
Are paid invoices marked “paid”?
Does the company have a purchasing policy?
Can credit cards be used to bypass standard purchasing procedures? Who has credit cards and what are the limits? Who reviews credit card activity?
Are bids required for certain types of purchases or dollar amounts? Who administers the bidding process and how?
Do larger payments require multiple approvals?
Which employees key invoices into the accounts payable module?
Who signs checks or makes electronic payments?
Who is on the bank signature card?
Are signature stamps used? If yes, who has control of the signature stamps and whose signature is affixed?
How are electronic payments made (e.g., ACH)?
Is there adequate segregation of duties for persons:
Approving purchases,
Paying payables,
Recording payables, and
Reconciling the related bank statements
Which persons have access to check stock and where is the check stock stored?
Who can add vendors to the payables system?
What are the entity’s procedures for payments of travel and entertainment expenses?
Who reconciles the bank statements and how often?
As we ask these questions, we inspect documents (e.g., payables ledger) and make observations (e.g., who signs checks or makes electronic payments?). So, we are inquiring, inspecting, and observing.
If control weaknesses exist, we create audit procedures to respond to them. For example, if–during the walkthrough–we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will perform fraud-related substantive procedures (more about this in a moment).
Directional Risk for Accounts Payable and Expenses
The directional risk for accounts payable and expenses is an understatement. So, perform procedures to ensure that invoices are properly included. For example, perform a search for unrecorded liabilities (see below).
Primary Risks for Accounts Payable and Expenses
The primary risks for accounts payable and expenses are:
Accounts payable and expenses are intentionally understated
Payments are made to inappropriate vendors
Duplicate payments are made to vendors
Keep these in mind as you audit accounts payable.
Common Payable and Expense Control Deficiencies
In smaller entities, it is common to have the following control deficiencies:
One person performs two or more of the following:
Approves purchases,
Enters invoices in the accounts payable system,
Issues checks or makes electronic payments,
Reconciles the accounts payable bank account,
Adds new vendors to the accounts payable system
A second person does not review payments before issuance
No one performs surprise audits of accounts payable and expenses
Bidding procedures are weak or absent
No one reconciles the accounts payable detail to the general ledger
New vendors are not vetted for appropriateness
The company does not create a budget
No one compares expenses to the budget
Electronic payments can be made by one person (with no second-person approval or involvement)
The bank account is not reconciled on a timely basis
When bank accounts are reconciled, no one examines the canceled checks for appropriate payees (the dollar amount on the bank statement is agreed to the general ledger but no one compares the payee name on the cleared check to the vendor name in the general ledger)
When segregation of duties is lacking, consider whether someone can use the expense cycle to steal funds. How? By making payments to fictitious vendors, for example. Or intentionally paying a vendor twice–and then stealing the second check. (See the section titled Auditing for Fraud below.)
Risks of Material Misstatement for Payables and Expenses
In smaller engagements, I usually assess control risk at high for each assertion. When I assess control risk at less than high, I have to test controls to support the lower risk assessment. Therefore, assessing risks at high is usually more efficient (than testing controls).
When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (control risk X inherent risk = risk of material misstatement). The assertions that concern me the most are completeness, occurrence, and cutoff. So my RMM for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, a search for unrecorded liabilities and detailed expense analyses. The particular expense accounts that I examine are often the result of my preliminary planning analytics.
Search for Unrecorded Liabilities
How does one perform a search for unrecorded liabilities? Use these steps:
Obtain a complete check register for the period subsequent to your audit period
Pick a dollar threshold ($10,000) for the examination of subsequent payments
Examine the subsequent payments (above the threshold) and related invoices to determine if the payables are suitably included or excluded from the period-end accounts payable detail
Inquire about any unrecorded invoices
As the RMM for completeness increases, vouch payments at a lower dollar threshold.
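The search steps above can be run over an exported register. The following Python sketch is an added example, not part of the original post; the CSV column names, the sample rows, and the rule that a payable exists when goods or services were received on or before period-end are assumptions made for the illustration.

```python
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed sample data (not from any client): a check register for the
# period after year-end. Column names are assumptions made for this example.
SUBSEQUENT_REGISTER_CSV = """check_no,check_date,vendor,invoice_no,received_date,amount
5001,2020-01-06,Smith Legal,INV-881,2019-12-27,12000.00
5002,2020-01-09,Acme Supply,INV-202,2019-12-30,18500.00
5003,2020-01-15,Acme Supply,INV-240,2020-01-08,22000.00
5004,2020-01-20,City Utilities,INV-319,2019-12-31,4200.00
5005,2020-02-03,Delta Freight,INV-077,2020-01-12,15750.00
"""

# Constructed period-end accounts payable detail, keyed by invoice number.
AP_DETAIL = {"INV-202": Decimal("18500.00"), "INV-077": Decimal("15750.00")}


def search_unrecorded_liabilities(register_csv, ap_detail, period_end, threshold):
    """Classify each subsequent payment above the dollar threshold.

    A payment belongs in period-end payables when the goods or services were
    received on or before period_end. Returns a list of (check_no, finding).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        amount = Decimal(row["amount"])
        if amount <= threshold:
            continue  # outside the scope chosen for this search
        received = date.fromisoformat(row["received_date"])
        owed_at_period_end = received <= period_end
        recorded = row["invoice_no"] in ap_detail
        if owed_at_period_end and not recorded:
            finding = "UNRECORDED"  # completeness exception
        elif recorded and not owed_at_period_end:
            finding = "RECORDED_IN_WRONG_PERIOD"  # cutoff exception
        elif recorded and ap_detail[row["invoice_no"]] != amount:
            finding = "AMOUNT_DIFFERS"
        else:
            finding = "OK"  # suitably included or suitably excluded
        findings.append((row["check_no"], finding))
    return findings


if __name__ == "__main__":
    for check_no, finding in search_unrecorded_liabilities(
        SUBSEQUENT_REGISTER_CSV, AP_DETAIL, date(2019, 12, 31), Decimal("10000")
    ):
        print(check_no, finding)
```

Lowering the threshold widens the population examined, which is how the search scales as the RMM for completeness increases. Each exception is a prompt to pull the invoice and inquire, not a conclusion.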
How should you perform a detailed analysis of expense accounts? First, compare your expenses to budget—if the entity has one—or to prior year balances. If you note any significant variances (that can’t be explained), then obtain a detail of those particular expense accounts and investigate the cause.
Theft can occur in numerous ways—such as fictitious vendors or duplicate payments. If control weaknesses are present, consider performing fraud-related procedures. When fraud-related control weaknesses exist, assess the RMM for the occurrence assertion at high. Why? There is a risk that the expense (the occurrence) is fraudulent.
So, how should you respond to such risks?
Auditing for Fraud
An example of a fraud-related test is one for duplicate payments. How?
Obtain a check register in Excel
Sort by the vendor
Scan the check register for payments made to the same vendor for the same amount
Inquire about payments made to the same vendor for the same amount
In a duplicate payment fraud, the thief intentionally pays an invoice twice. He steals the second check and converts it to cash.
This is just one example of expense fraud. There are dozens of such schemes.
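The duplicate-payment scan described above, as an added Python example that is not part of the original post. The register columns, the sample rows, the vendor-name normalization and the optional `max_days_apart` filter are assumptions made for the illustration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample check register (not from any client); column names are
# assumptions made for this example.
CHECK_REGISTER_CSV = """check_no,check_date,vendor,amount
1041,2019-03-04,Northside Hardware,10233.00
1042,2019-03-05,Acme Supply Inc.,4500.00
1057,2019-03-19,"ACME SUPPLY, INC",4500.00
1060,2019-04-02,Northside Hardware,10233.50
1071,2019-04-15,Office Lease LLC,3000.00
1098,2019-05-15,Office Lease LLC,3000.00
1102,2019-05-20,Delta Freight,780.25
"""

_SUFFIXES = re.compile(r"\b(inc|llc|corp|co|ltd)\b")


def normalize_vendor(name):
    """Fold case, punctuation and common entity suffixes so that spelling
    variants of one vendor land in the same group."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    name = _SUFFIXES.sub(" ", name)
    return " ".join(name.split())


def find_duplicate_payments(register_csv, max_days_apart=None):
    """Group payments by (vendor, amount) and return groups of two or more.

    Each result is (vendor_key, amount, [check numbers], days between the
    first and last payment). max_days_apart is an optional filter added for
    this example to set aside recurring payments such as monthly rent.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(register_csv)):
        key = (normalize_vendor(row["vendor"]), Decimal(row["amount"]))
        groups[key].append((date.fromisoformat(row["check_date"]), row["check_no"]))

    results = []
    for (vendor, amount), payments in sorted(groups.items()):
        if len(payments) < 2:
            continue
        payments.sort()  # oldest payment first
        span = (payments[-1][0] - payments[0][0]).days
        if max_days_apart is not None and span > max_days_apart:
            continue
        results.append((vendor, amount, [check for _, check in payments], span))
    return results


if __name__ == "__main__":
    for vendor, amount, checks, span in find_duplicate_payments(CHECK_REGISTER_CSV):
        print(f"{vendor}: {amount} paid {len(checks)} times "
              f"(checks {', '.join(checks)}; {span} days apart)")
```

Normalizing the vendor name catches a second payment keyed under a slightly different spelling, which a plain sort in a spreadsheet would separate. The output is the list of items to inquire about.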
Substantive Procedures for Accounts Payable and Expenses
My customary audit tests are as follows:
Vouch subsequent payments to invoices using the steps listed above (in Search for Unrecorded Liabilities)
Compare expenses to budget and examine any unexplained variances
When control weaknesses are present, design and perform fraud detection procedures
If there are going concern issues, you may need to examine the aged payables listing. Why? Management can fraudulently shorten invoice due dates. Doing so makes the company appear more current. For example, suppose the business has three unpaid invoices totaling $1.3 million that were due over ninety days ago. The company changes the due dates in the accounts payable system, causing the invoices to appear as though they were due just thirty days ago. Now the aged payables listing looks better than it would have.
Typical Payable and Expense Work Papers
My accounts payable and expense work papers usually include the following:
An understanding of internal controls as they relate to accounts payable and expenses
Risk assessment of accounts payable and expenses at the assertion level
Documentation of any accounts payable and expense control deficiencies
Accounts payable and expense audit program
An aged accounts payable detail at period-end
A search for unrecorded liabilities work paper
Budget to actual expense reports and, if unexpected variances are noted, a detailed analysis of those accounts
Fraud-related expense work papers (if significant control weaknesses are present)
So, now you have learned about auditing accounts payable. My next post addresses auditing payroll.
In some entities such as governments, payroll makes up over 50% of total expenses. Consequently, knowing how to audit payroll expenses is of great importance. My next post is titled The Why and How of Auditing Payroll. So, stay tuned.
Today I provide an overview of how this standard affects nonprofit revenue recognition.
ASU 2018-08: Nonprofit Contribution Recognition
The purpose of the standard is to provide guidance in regard to recognizing contributions in nonprofit organizations. This standard is conceptually consistent with Topic 606, Revenue from Contracts with Customers, which requires revenue to be recognized when performance obligations are satisfied. ASU 2018-08 requires contribution revenue recognition when conditions are met (see below).
Once ASU 2018-08 becomes effective (years ending December 31, 2019 for many nonprofits), nonprofits will recognize revenues in one of three ways:
Exchange transaction
Conditional Contribution
Unconditional Contribution
The financial statement presentation of the revenue can be affected by the nature of the transaction. For example, there might be a conditional contribution and a donor restriction for the same monies. So contribution revenue will not be recognized until the barriers are satisfied (see below), but revenue will appear in with donor restriction or without donor restriction on the statement of activities, depending on the specifics of the transaction.
1. Exchange transaction
If a nonprofit is paid based on commensurate value, then there is an exchange transaction. The nonprofit recognizes revenue as it provides the service or goods. Apply Topic 606, Revenue from Contracts With Customers, for these transactions. An example of an exchange transaction is a nonprofit being paid market rate for painting a local store.
ASU 2018-08 makes it plain that benefits received by the public as a result of the assets transferred are not equivalent to commensurate value received by the resource provider.
2. Conditional Contribution
A conditional contribution is one where:
a barrier is present and
a right of return or right of release for the contributor exists
Barriers
The following are indicators of a barrier:
Recipient must achieve a measurable, performance-related outcome (e.g., providing a specific level of service, creating an identified number of units of output, holding a specific event)
A stipulation limits the recipient’s discretion on the conduct of the activity (e.g., specific guidelines about incurring qualifying expenses)
A stipulation is related to the primary purpose of the agreement (e.g., must report on funded research)
Recognize revenue when the barrier is overcome.
Measurable, Performance-related Outcome
An example of meeting a measurable outcome would be if the donor requires serving meals to 1,000 homeless persons. Another example is a matching requirement.
Limited Recipient Discretion
An example of limited discretion would be a requirement to hire specific individuals to conduct an activity.
Stipulation Related to Grant's Primary Purpose
An example of a stipulation related to the agreement's primary purpose is a grant that requires filing an annual report of funded research. If the grantor requires repayment of the amount received should the report not be filed, then the requirement is a barrier.
Questionable Barriers
Judgment is necessary to determine whether a requirement is a barrier.
For example, filing routine reports to a resource provider showing progress on a funded activity may be seen as routine and not a barrier. Goals or budgets where no penalty is assessed if the organization fails to achieve them are not considered barriers.
Are budgets an indicator of limited discretion? A line-item budget for a grant is often seen as a guardrail rather than a barrier. A June 2019 FASB Q&A states, “Thus, stipulations other than adherence to a budget (for example, the need to incur qualifying expenses) would normally need to be present for a barrier to entitlement to exist.” The Q&A goes on to say, “The unique facts and circumstances of each grant agreement must be analyzed within the context of the indicators to conclude whether a barrier to entitlement exists.”
Recognition of Contribution
Per ASU 2018-08 “Conditional contributions received are accounted for as a liability or are unrecognized initially, that is, until the barriers to entitlement are overcome, at which point the transaction is recognized as unconditional and classified as either net assets with restrictions or net assets without restrictions.”
3. Unconditional Contribution
If there are no barriers or if barriers have been overcome, the receipt is unconditional. There might still be a purpose or time restriction, resulting in the funds being classified as “With Donor Restrictions” until the restriction is satisfied. Recognize the revenue either as:
A public company or a not-for-profit organization that has issued, or is a conduit bond obligor for, securities that are traded, listed, or quoted on an exchange or an over-the-counter market would apply the new standard for transactions in which the entity serves as a resource recipient to annual reporting periods beginning after June 15, 2018, including interim periods within that annual period. Other organizations would apply the standard to annual reporting periods beginning after December 15, 2018, and interim periods within annual periods beginning after December 15, 2019.
A public company or a not-for-profit organization that has issued, or is a conduit bond obligor for, securities that are traded, listed, or quoted on an exchange or an over-the-counter market would apply the new standard for transactions in which the entity serves as a resource provider to annual reporting periods beginning after December 15, 2018, including interim periods within that annual period. Other organizations would apply the standard to annual reporting periods beginning after December 15, 2019, and interim periods within annual periods beginning after December 15, 2020.
Applicability
Per ASU 2018-08, “Accounting for contributions is an issue primarily for not-for-profit (NFP) entities because contributions are a significant source of revenue for many of those entities. However, the amendments in this Update apply to all entities, including business entities, that receive or make contributions of cash and other assets, including promises to give within the scope of Subtopic 958-605 and contributions made within the scope of Subtopic 720-25, Other Expenses—Contributions Made.”
In this post, I provide ten steps to better audit workpapers.
Have you ever been insulted by a work paper review note?
Your tickmarks look like something my six-year old created.
Rather than providing guidance, the comment feels like an assault.
Or maybe as a reviewer you stare at a workpaper and you’re thinking, “what the heck is this?” Your stomach tightens and you say out loud, “I can’t understand this.”
There are ways to create greater audit workpaper clarity.
10 Steps to Better Audit Workpapers
Here are ten steps to make your workpapers sparkle.
1. Timely review. The longer the in-charge waits to review work papers, the harder it is for the staff person to remember what they did and, if needed, to make corrections. Also, consider that the staff person may be reassigned to another job. Therefore, he may not be available to clear the review notes.
2. Communicate the purpose.
a. An unclear work paper is like a stone wall. It blocks communication.
b. State the purpose; for example:
Purpose of Work Paper – To search for unrecorded liabilities as of December 31, 2018. Payments greater than $30,000 made from January 1, 2019, through March 5, 2019, were examined for potential inclusion in accounts payable.
Or:
Purpose of Work Paper – To provide a detail of accounts receivable that agrees with the trial balance; all amounts greater than $20,000 agreed to subsequent receipt.
If the person creating the work paper can’t state the purpose, then maybe there is none. It’s possible that the staff person is trying to copy prior year work that (also) had no purpose.
c. All work papers should satisfy a part of the audit program (plan). No corresponding audit program step? Then the audit program should be updated to include the step—or maybe the work paper isn’t needed at all.
3. The preparer should sign off on each workpaper (so it’s clear who created it).
4. Audit program steps should be signed off as the work is performed (not at the end of the audit–just before review). The audit program should drive the audit process—not the prior year workpapers.
5. Define tickmarks.
6. Reference work papers. (If you are paperless, use electronic links.)
7. Communicate the reason for each journal entry.
The following explanation would not be appropriate:
To adjust to actual.
A better explanation:
To reverse client-prepared journal entry 63 that was made to accrue the September 10, 2018, Carter Hardware invoice for $10,233.
8. When in doubt, leave it out.
Far too many documents are placed in the audit file simply because the client provided them. Moreover, once the work paper makes its way into the file, auditors get “remove-a-phobia”–that dreaded sense that if the auditor removes the work paper, he may need it later.
If you place those unneeded documents in your audit file and do nothing with them, they may create potential legal issues. I can hear the attorney saying, “Mr. Hall, here is an invoice from your audit file that reflects fraud.”
Again, does the work paper have a purpose?
My suggestion for those in limbo: Place them in a “file 13” stack until you are completely done. Then–once done–destroy them. I place these documents in a recycle bin at the bottom of my file.
9. Complete forms. Blanks should not appear in completed forms (use N/A where necessary).
10. Always be respectful in providing feedback to staff. It’s too easy to get frustrated and say or write things we shouldn’t. For instance, your audit team is more receptive to:
Consider providing additional detail for your tickmark: For instance–Agreed invoice to cleared check payee and dollar amount.
This goes over better than:
You failed to define your tickmark–again?
Last Remarks
What other ways do you make your audit workpapers sparkle? Comment below.