The AICPA has issued SSARS 25. It is titled Materiality in a Review of Financial Statements and Adverse Conclusions. Below I tell you how this standard affects your future review engagements.
Materiality in Review Engagements
Until SSARS 25, there was no requirement for you to document materiality in review engagements. Some firms, like my own, decided to do so any way. Others have not. Now, there's no choice. SSARS 25 explicitly requires that we determine and use materiality.
Makes sense. The accountant's conclusion says we are not aware of any material modifications that should be made. The conclusion paragraph follows:
Accountant's Conclusion
Based on our review, we are not aware of any material modifications that should be made to the accompanying financial statements in order for them to be in accordance with accounting principles generally accepted in the United States of America.
It would be difficult to plan or conclude a review engagement without knowing what materiality is. SSARS 25 requires that we design and perform analytical procedures and inquiries to address all material items in the financial statements. This includes disclosures.
New Inquiry Requirements
SSARS 25 adds new inquiries of management including:
Material commitments, contractual obligations, or contingencies
Material nonmonetary transactions
Significant changes in the business activities or operations
Significant changes to the terms of contracts that materially affect the financial statements
Significant journal entries
Status of any uncorrected misstatements from the previous review engagement
How management determined that significant estimates are reasonable
Management's assessment of the entity's ability to continue as a going concern, and whether there are conditions that cast doubt about the entity's ability to continue as a going concern
Related Party Transactions
Additionally, SSARS 25 requires that the accountant remain alert for related party transactions that were not disclosed by management. The accountant should inquire of management about transactions outside the normal course of business. You want to know if related party transactions are being used to make the financial statements look better than they really are.
Next, you will see that the standard now permits adverse conclusions.
Adverse Conclusions in Review Engagements
In the past, adverse conclusions in a review engagement were not allowed. SSARS 25 changes this. If the financial statements are materially and pervasively misstated, you can issue an adverse conclusion.
SSARS 25 provides an illustrative accountant's review report with an adverse conclusion. (See illustration 7 on pages 85 and 86 of SSARS 25.) That example states the financial statements are not in accordance with accounting principles generally accepted in the United States of America.
Here's the adverse review report conclusion:
Adverse Conclusion
Based on my (our) review, due to the significance of the matter described in the Basis for Adverse Conclusion paragraph, the financial statements are not in accordance with accounting principles generally accepted in the United States of America.
One more thing, SSARS 25 requires a statement in the review report regarding independence.
Independence in Review Reports
Independence is still required to perform a review engagement. What is different, however, is the accountant must include a statement in the review report saying he or she is independent. That phrase, to be included in the Accountant's Responsibility section of the report, reads as follows:
We are required to be independent of ABC Company and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements related to our review.
See examples of the independence wording in the illustrative reports in SSARS 25. Those reports start on page 75 of the standard.
So when is SSARS 25 effective?
SSARS 25 Effective Date
The effective date for SSARS 25 is for periods ending on or after December 15, 2021. Early implementation is permitted.
Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn’t. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time.
Control Risk Defined
What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner.
Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.
Audit Risk Model
As we begin this article, think about control risk in the context of the audit risk model:
Audit risk = Inherent risk X Control risk X Detection risk
Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.
After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.
Assessing Control Risk at High
Consider the first reason for high control risk assessments: efficiency.
Control risk can be assessed at high, even if—during your walkthroughs— you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay?
Let me answer that question with a billing and collection example.
Risk At High: Efficiency Decision
You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach. And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions.
At this point, you may still be thinking, But, Charles, if controls are appropriately designed and implemented, why is control risk high? Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That’s why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.
In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions.
Risk at High: Weak Controls
Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example.
If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)
If, on the other hand, controls are appropriate, then you might test them (though you are not required to).
Assessing Control Risk at Less than High
What if, based on your walkthrough, controls are okay. And you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment.
But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice.
Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time.
Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?
Fully Substantive Audit Approach
Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach.
Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.
Billing and Collection Cycle – Weak Controls
Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:
Two employees receipt cash
They both work from one cash drawer
The two employees provide receipts to customers, but only if requested
They apply the payments to the customer’s accounts, but they also have the ability to adjust (reduce or write off) customer balances
At the end of the day, one of the two employees creates a deposit slip and deposits the money at a local bank (though this is not always done in a timely manner)
These same employees also create and send bills to customers
Additionally, they reconcile the related bank account
Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play.
Billing and Collection Cycle – Strong Controls
But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:
A separate cash drawer is assigned to each clerk
The controller is required to review customer account adjustments on a daily basis (the controller can’t adjust receivable accounts)
The cash receipt clerks reconcile their daily activity to a customer receipts report, and the money along with the report is provided to the controller
The controller counts the daily funds received and reconciles the money to the cash receipts report
Then the controller creates a deposit slip and provides the funds and deposit slip to a courier
Once the deposit is made, the courier gives the bank deposit receipt to the controller
A fourth person (that does not handle cash) reconciles the bank statement in a timely manner
The monthly customer bills are created and mailed by someone not involved in the receipting process
Moreover, the owner reviews a monthly cash receipts report
Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash.
Audit Procedures: Basic and Extended
Basic audit procedures for the billing and collection cycle might include:
Test the period-end bank reconciliation
Create substantive analytics for receivable balances and revenues
Confirm receivable accounts and examine subsequent receipts
We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments.
Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures.
In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work.
A Simple Summary
Control risk is the probability that an entity’s internal controls will not prevent or detect material misstatements in a timely manner
Internal control weaknesses may require a control risk assessment of high
Control risk can only be assessed below high when a test of control proves the control to be effective (the test of control provides the basis for the lower risk assessment)
If walkthroughs show controls to be appropriately designed and implemented, the auditor can (1) assess control risk at high and use a fully substantive approach, or (2) assess control risk below high and test controls for effectiveness, whichever is most efficient
Even if an auditor intends to use a fully substantive approach, walkthroughs are necessary to determine if additional substantive tests are needed; additional substantive procedures may be necessary when material fraud is possible due to internal control weaknesses
For additional information about risk assessment, see the AICPA’s SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement. The guidance was issued in October 2021.
Statement on Auditing Standards No. 145 (SAS 145), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, updates the risk assessment standards. Auditors need to be aware of these upcoming changes.
Conceptually, risk assessment remains the same, but some particulars are different and significantly affect how you audit. SAS 145 is voluminous, but below I summarize the salient points to make it easy for you to digest--or, at least, as easy as I could.
Separate assessments of inherent risk and control risk
You’ll see several new definitions below. Understanding those is critical to understanding SAS 145.
SAS 145 Topics
This article addressesthe following SAS 145 topics:
Separate inherent and control risk assessments
Assessing control risk at the maximum level
Significant risks
Inherent risk factors and spectrum of risk
Relevant assertions
Significant classes of transactions, account balances, and disclosures
Stand-back requirement
Scalability
Professional skepticism
Information technology (IT) controls
System of internal control
Increasing complexity of entities and auditing
Documentation requirements
Effective date of SAS 145
Separate Inherent and Control Risk Assessments
Most auditors have assessed inherent and control risk separately for some time, but those separate assessments were previously not required. SAS 145, however, requires that auditors individually assess these two risks at the assertion level. Interestingly, documenting a combined inherent and control risk assessment is not required.
You can assess inherent risk and control risk in various ways; the standard does not specify a particular means of doing so. For instance, you might use high, moderate, or low; or use a scale of one to ten (more about this in a moment).
Assessing Control Risk at the Maximum Level
Many auditors assess control risk at high or maximum, regardless of the internal control structure--whether the controls are designed appropriately and implemented or not. You might plan to use a fully substantive approach; for example, when substantive procedures take less time than testing controls for effectiveness.
If you decide not to test controls for effectiveness, SAS 145 requires that you assess control risk at the maximum (or high) so that the risk of material misstatement is the same as the inherent risk assessment.
So, if control risk is assessed at maximum, can the evaluation of the design and implementation of controls (i.e., walkthroughs) still impact the planned audit procedures? Yes. Increased risk leads to a change in nature, timing, and extent of planned audit procedures. For example, if your walkthrough reveals a lack of segregation of duties, you may need to add more substantive procedures to address fraud risk.
On the other hand, if a test of controls for effectiveness supports a lower control risk, you can bring the assessment below maximum. But you cannot lower control risk without the support of a test of controls for effectiveness.
Your inherent risk assessment is crucial if you use a fully substantive approach. Why? Because SAS 145 requires that inherent risk be the same as the risk of material misstatement. If your inherent risk is assessed higher than it should be, you’ll perform unnecessary work to address the risk and waste time.
Significant Risks
The Auditing Standards Board provides a new definition for significant risks. The first part of the definition (see paragraph 12 of SAS 145 for the full definition) is as follows:
A significant risk is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur.
(Note - the blog author bolded some words in the definition above for emphasis.)
The prior significant risk definition focused on the response to the risk, not the risk itself. That guidance said it was a risk that needed special audit consideration.
The new definition focuses on the risk itself. To be clear, the risk of material misstatement. Notice the new definition requires consideration of likelihood and magnitude. In other words, probability and dollar impact. Also, notice the description is based solely on inherent risk, with no consideration of control risk. (See my article about significant risks.)
Next, we take a look at Inherent Risk. Here's a video addressing the topic.
Inherent Risk Factors and Spectrum of Risk
SAS 145 defines inherent risk factors as:
Characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls. Such factors may be qualitative or quantitative and include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk.
Depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk.
(Note - the blog author bolded some words in the definition above for emphasis.)
Inherent Risk Factors
Consider the likelihood of misstatement in light of the inherent risk factors, including:
Complexity
Subjectivity
Change
Uncertainty
Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)
So as you consider the inherent risk of an assertion, use these factors to determine the likelihood of misstatement. Then consider the magnitude of the potential misstatement. If the risk is close to the upper end of the spectrum of risk (for inherent risk) and the potential misstatement is material, then the entity has a significant risk.
Ten-Point Scale, An Example
I like to evaluate significant risks on a ten-point scale, with ten being the highest risk. While SAS 145 does not use such an illustration, a nine or a ten is a significant risk, provided it can lead to a material misstatement. For example, a bank’s allowance for loan losses is usually a significant risk because it is a complex estimate in a material account balance. In making this assessment, we disregard internal controls.
One additional change is SAS 145 removes the requirement to determine whether financial statement level risks are significant risks. Financial statement risk can, however, affect your assessment of significant risks at the assertion level. For example, you might decide that management override creates a significant risk in relation to the occurrence assertion in revenues.
The term relevant assertion has also changed.
Here's a video that explains what relevant assertions are.
Relevant Assertions
Using SAS 145, relevant assertions are based on classes of transactions, account balances, and disclosures with an identified risk of material misstatement.
Before SAS 145, we looked at relevant assertions as they related to material classes of transactions, account balances, and disclosures. And relevant assertions were those that had a meaningful bearing on whether an account was fairly stated. (I never knew what meaningful bearing meant.)
The new relevant assertion definition is clearer. Assertions are considered in light of:
Likelihood of misstatement
Magnitude of misstatement
Relevant Assertion Definition
In SAS 145, a relevant assertion is defined as:
An assertion about a class of transactions, account balance, or disclosure is relevant when it has an identified risk of material misstatement. A risk of material misstatement exists when (a) there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and (b) if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude). The determination of whether an assertion is a relevant assertion is made before consideration of any related controls (that is, the determination is based on inherent risk).
(Note - the blog author bolded some words in the definition above for emphasis.)
Probability and Dollar Impact
A relevant assertion is an identified risk of material misstatement when a reasonable possibility of its occurrence is present. Reasonable possibility means a more than a remote chance of happening. And if it happens, a material misstatement must be possible. Again we see an emphasis upon probability and dollar impact. And again, internal controls are ignored in making this determination. That is, inherent risk is the basis for determining which assertions are relevant.
Inventory Example
As an example, suppose high-technology components comprise inventory that becomes obsolete quickly. Your valuation assertion is inherently risky, and if inventory is a significant account balance, then valuation is a relevant assertion. Notice we made this determination without regard for the related controls. Moreover, we believe there is a reasonable possibility of obsolescence.
Once again, we see that inherent risk is vital in SAS 145.
We said that relevant assertions relate to significant classes of transactions, account balances, and disclosures. But what are significant classes?
Significant Classes of Transactions, Account Balances, and Disclosures
In SAS 145, significant classes of transactions, account balances, or disclosures are defined in the following manner:
Significant class of transactions, account balance, or disclosure. A class of transactions, account balance, or disclosure for which there is one or more relevant assertions.
So a significant class is one with a relevant assertion--one where the likelihood of material misstatement is more than remote.
So, if an account balance like receivables, for example, has a relevant assertion, it’s a significant class.
Purpose of the Definition
The purpose of this definition is to provide clarification concerning the scope of the auditor’s work. In other words, this definition tells us where to focus. We’ll perform risk assessment procedures and assess risk in the significant classes of transactions, account balances, and disclosures. It is in these areas where we will plan responses to the identified risks therein. SAS 145 requires substantive procedures for each significant class of transactions, account balances, and disclosures with relevant assertions.
Consider this: if plant, property, and equipment (PP&E) is material, but there is no relevant assertion for the account balance, it is not a significant area. Suppose a company has $10 million in PP&E (a material balance) and it purchases no new capital assets during the year. There is only one PP&E asset, a building, which has appreciated. Is there a relevant assertion? Probably not. Why? There is little likelihood of material misstatement.
Now change the scenario and suppose the building suffers an earthquake. Is PP&E a significant class? Yes, if substantial damage occurred. Why? Because you now have a relevant assertion: valuation.
Once you have designated all significant classes of transactions, account balances, and disclosures, evaluate all remaining material areas to see if the initial scope determination is appropriate. Is there a remaining account balance, transaction class, or disclosure that needs our attention, even though it did not qualify as a significant area? If yes, then plan audit procedures accordingly.
The main point here is that the auditor focuses upon significant classes of transactions, account balances, and disclosures first(those with relevant assertions) and then remaining material amounts (which don’t have relevant assertions). For instance, say you choose cash, receivables/revenues, payables/expenses, and payroll as your significant areas, but not plant, property, and equipment (PP&E) because it has no relevant assertion. In the stand-back phase, ask yourself if PP&E deserves audit scrutiny. If it does, plan PP&E audit procedures.
A company might have disclosures that are not significant (e.g., executive compensation), but you decide to audit it anyway. Why? You believe the scope of your planned audit is incomplete without it.
The purpose of the stand-back provision is to ensure completeness of the auditor’s identification of transactions, account balances, and disclosures--the areas the auditor plans to audit.
Scalability
The complexity of an entity’s activities and environment drive the scalability of applying SAS 145.
Size and complexity do not necessarily correlate. Smaller entities tend to be less complex, but some are not--they are complex. Larger entities tend to be more complicated, but some are not. So consider the accounting system, the industry, the internal controls including information technology, and other factors in applying SAS 145.Complexity, not the entity’s size, determines how you use this standard.
Some entities may lack formal internal control policies. Even so, such a system of internal controls can still be functional. Therefore, auditors can vet these informal controls with inquiries, observations, and inspection of documents. In other words, risk assessment works even in small entities with informal controls.
The nature and extent of risk assessment procedures will vary depending upon the nature and circumstances of the entity. Therefore, auditors should exercise judgment in determining the nature and extent of risk assessment procedures. For example, risk assessment procedures can be less for a non-complex business with simple processes. In such a company, the auditor might have fewer inquiries to understand the business and fewer preliminary analytics.
Audit procedures in an initial audit may be more extensive. After the initial audit period, the auditor can focus on changes since then. (Even so, auditors still need to annually review the design and implementation of key controls related to significant transaction classes, account balances, disclosures.)
Professional Skepticism
Understanding the entity and its environment, including its reporting framework, is a foundation for professional skepticism. Auditors determine the evidence needed for risk assessment in light of the entity’s nature and accounting system.
SAS 145 highlights the need for auditors to maintain professional skepticism during the engagement team discussion.
Professional skepticism allows the auditor to:
Appropriately deal with contradictory information
Evaluate the responses received from management and those charged with governance
Be alert to potential misstatement due to fraud or error
Consider audit evidence in light of the entity’s nature and circumstances
Professional skepticism is necessary for evaluating audit information in an unbiased manner, leading to better identification and assessment of risks of material misstatement.
Next, we look at the effects of information technology on your risk assessments. Here's a video that provides an overview.
Information Technology (IT) Controls
SAS 145 emphasizes IT controls as they affect the risk of material misstatement. The standard introduces a new term: risk arising from the use of IT. And it defines general IT controls.
So what IT controls are you to consider? Those that affect the risk of material misstatement at the assertion level.
Here’s how I think about this:
Start with the risk of material misstatement at the assertion level
Determine the IT applications that affect the assertion
Review the general IT controls that affect the IT applications
IT Relevant Assertion Example
For example, say occurrence is a relevant assertion for expenses. Then you might consider an IT control that requires a three-way match for invoice processing; the software will not allow a disbursement without matching the invoice amount, the purchase order amount, and the quantity in the receiving document. In such a system, the IT application is the payables module in the software.
An example of a general control (see definition below) for this application is the password for access to the payables module.
Why is the general IT control (the password) important? If a password was not necessary, then anyone could process payments. And this affects the occurrence assertion.
As the auditor performs a walkthrough for payables, she will (for example):
Inspect the three-way match documents.
Observe the payables module in use.
Inspect the logical access records from IT, showing who has access to the payables module.
Observe the entry of a password by a payables clerk.
You don’t need to review all general controls, only those related to risks arising from the use of IT.
Risk Arising from the Use of IT
SAS 145 defines risk arising from the use of ITas:
Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.
Lower IT Risk
Entities are less likely to be subject to risks arising from the use of IT when they:
Use stand-alone applications
Have low volumes of transactions
Have transactions supported by hard-copy documents
Higher IT Risks
Entities are more likely to be subject to risks arising from the use of IT when they:
Have interfaced applications
Have high volumes of transactions
Have applications that automatically initiate transactions
General IT Controls
SAS 145 defines general IT controls as:
Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.
Examples of general IT controls include firewalls, backup and restoration, intrusion detection, passwords, physical security, and antivirus protection.
Increasing Complexity of Entities and Auditing
SAS 145 recognizes the increasing complexity of entities and auditing. It does so by highlighting audit methods and tools such as:
Remote observation of assets using drones or video cameras
Use of data analytics software and visualization techniques to identify risks of material misstatement
Performing risk assessment on large volumes of data, including analysis, recalculations, reperformance, and reconciliations
System of Internal Control
SAS 145 replaces the term internal control with system of internal control. It defines system of control as:
The system designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. For purposes of GAAS, the system of internal control consists of five interrelated components:
i. Control environment
ii. The entity’s risk assessment process
iii. The entity’s process to monitor the system of internal control
iv. The information system and communication
v. Control activities
It appears the Auditing Standards Board is highlighting the holistic nature of internal controls by including all five of the COSO control elements.
SAS 145 Documentation Requirements
Auditors must document their evaluation of the design of identified controls and their determination of whether such controls were implemented.
Additionally, auditors must document their rationale for significant judgments regarding identified and assessed risks of material misstatement. In other words, how did you identify a risk of material misstatement, and why did you assess it as you did?
What is the criterion for determining whether the risk assessment documentation is appropriate? As in the past, it’s whether an experienced auditor having no previous experience with the audit understands the nature, timing, and extent of the risk assessment procedures. So, document the rationale for your risk assessment work and your conclusions.
Effective Date of SAS 145
SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023.
Risk Assessment Book on Amazon
Do you need an easy to understand risk assessment book? See my book on Amazon.
Do you lack independence in a compilation engagement? If yes, then here’s how to disclose the impairment in the compilation report.
An accountant can issue a compilation report even though independence is lacking. When independence is impaired, the Statement on Standards for Accounting and Review Services requires that the CPA modify the compilation report. The cause of the impairment (e.g., you own a portion of the business) can be disclosed in the compilation report but is not required. You can, if you prefer, simply say you are not independent; this is what most CPAs do.
Lacking Independence in a Compilation – Current Year
The accountant’s compilation report can disclose a lack of independence as follows:
We are not independent with respect to ABC Company.
Just add this sentence separately at the bottom of the compilation report.
Lacking Independence in a Compilation – Prior Year
If you were not independent in 2020 but you are independent in 2021 (and comparative statements are presented), the accountant’s report can read:
As of and for the year ended December 31, 2020, we were not independent with respect to ABC Company.
Alternatively, the report can read:
As of and for the year ended December 31, 2020, we were not independent with respect to ABC Company. We are currently independent with respect to ABC Company.
Independence in Review Engagements and Audits
CPAs must be independent to perform review engagements or audits. There are no exceptions. See the AICPA Code of Professional Conduct for guidance on independence issues. Independence rules are found in section 1.200.
Independence in Preparation of Financial Statement Engagements
CPAs can perform a Preparation of Financial Statement engagement without being independent. No independence disclosure is required since this service is a nonattest service.
Do you struggle with creating cash flow statements? Would you like to know how to correct cash flow statement errors? Below I explain how. We'll also discuss when you can omit cash flow statements and if it’s desirable or undesirable to do so.
Cash flows are the lifeblood of any entity. Therefore, we must ensure the correctness of cash flow statements. For many small businesses, the auditor creates and audits this statement. So we need to make sure we do so correctly.
Correcting Cash Flow Errors
Cash flow statement errors can be challenging, but, in many cases, there is a simple solution.
Example from My Office
This morning a staff member came to my office and said, "Something is out on my cash flow statement, and I don't know how to fix it. It has to do with PPP loan forgiveness of $280,000." (Most people know where the problem is, but they don't know how to correct the outage.)
So I told him what I've said to many over the years. "Imagine there are three physical buckets: operating, investing, financing. Then pretend the transaction in question is the only one of the year." Next, ask, "was cash received, and if yes, how much?" And finally, "in what bucket should I place the cash?" Mentally you are placing physical dollars in the three physical buckets even though cash is received electronically and physically.
Returning to my conversation with my staff member, I asked, "did the business receive any PPP money in the current year?" He said, "no, all came in the prior year." My next question was, "how much cash belongs to any of the three buckets in the current year?" And he said, "none."
The PPP money was a cash inflow that went into the financing bucket in the prior year. In the current year, there is no cash, only forgiveness. It's a noncash transaction. Now, think about the journal entry to recognize the loan forgiveness: the company debited the loan payable and credited a revenue account.
So if the company uses the indirect method in its cash flow statement, it begins with net income. We know $280,000 of PPP loan forgiveness is in net income. If we pretend that's the only transaction, then net income is $280,000. And how much cash was received in the current year? Yes, $0. So we know we need to subtract $280,000 from net income to get to $0 cash flows from operations. Just below net income, we'd include a line titled "PPP loan forgiveness," subtracting the PPP amount to arrive at $0.
There's the answer to this problem, and this example explains how to correct cash flow statement errors.
Isolate Cash Flow Problem
The mistake most people make in solving cash flow problems is trying to think about several different transactions simultaneously. Try to focus on one transaction at a time.
The cash flows from investing and financing are usually easy to determine. Why? Because we reflect the actual cash inflows and outflows in those sections of the cash flow statement. Problems commonly arise in the operating area because of the indirect method (starting with net income and backing into cash flow from operations). When they do, see if you can determine the net change in each of the three buckets. You can back into the net change for operations if you know the net cash change and the net changes for investing and financing: subtract the net amounts for investing and financing from the net cash change. Then you can work from there to see why cash flow from operations is out (if that is the troublesome area).
Three Steps to Correct Cash Flow Statement Errors
From there, use these three steps to correct cash flow statement errors:
Pretend the transaction is the only transaction for the year
Determine how much cash was received for that transaction, if any
Determine whether the amount in question is operating, investing, or financing
Spreadsheet with Balance Sheet Changes
Of course, I also recommend you place the current year balance sheet with comparative prior period numbers in an Excel spreadsheet. That way, you can see the changes in the numbers. Identify the investing and financing changes such as the investment and debt balance sheet lines. The remaining balance sheet changes are operating lines. The cash change on the spreadsheet is your net cash change on the statement.
Cash Flow Statement Importance
We, as auditors, pay less attention to cash flows than we should. We often focus on revenues, net income, or equity, but not cash flows. Why? I believe it's our training: our trainers tell us revenues, net income, and equity are most important. But if you were buying a business or loaning money to the company, would you pay attention to cash flows? Almost certainly. What if you were valuing the business? Would you pay attention to cash flows? Yes, again.
Cash flows from operations might be the most crucial number in the financial statements since it is the entity's lifeblood. Show me a business that generates no cash flow from operations, and I'll show you a company that will go under (in most cases).
In evaluating going concern, the company and auditors review cash flows. After all, the going concern assessment is about whether a company can meet its ongoing obligations to pay its future bills. So cash flow information is crucial for companies with continuing losses or deficit equity positions.
Financial statements sometimes don't contain a cash flow statement. But should they?
Omitting Cash Flow Statements
It is permissible to omit the cash flow statement in a compilation--and most accountants do. True even for financial statements created under generally accepted accounting principles. (You may not omit the statement from audited or reviewed financial statements if GAAP is in use unless the auditor's report is modified.)
And special purpose financial statements such as tax-basis don't require a cash flow statement even if audited or reviewed.
But is it wise to omit this statement? Maybe not. All businesses, even small ones, need to know how much cash is coming in or going out by category--not just net income. And I'm sure lenders appreciate cash flow information: that's how businesses pay loans.
Of course, the decision to include or omit the statement (when it's optional) for small businesses is a cost/benefit decision. Creating the cash flow statement requires an increase in the fee for compilations, for example. And the owners may not desire to pay the additional amount.
Businesses usually don't need cash flow information for interim compilations, such as monthly financial statements. But the company owners or management might find value in annual cash flow statements.
Cash Flow Information
Use the three steps listed above to hone in on cash flow statement outages. Hopefully, doing so will aid you in making corrections. And consider including cash flow statements in all financial statements, if desired by your client.
