audit assertions
Mar 07

Audit Assertions in Financial Statement Audits

By Charles Hall | Auditing

In this article, I address audit assertions and why they are critical to the audit process. We'll look at assertion examples and how to you can leverage these in your audit plan. Do you desire to stop over auditing? Then read on. 

All businesses make assertions in their financial statements. For example, when a financial statement has a cash balance of $605,432, the business asserts that the cash exists. When the allowance for uncollectibles is $234,100, the entity asserts that the amount is properly valued. And when payables are shown at $58,980, the company asserts that the liability is complete

audit assertions

Reporting Frameworks

Of course assertions derive their meaning from the reporting framework. So before you consider assertions, make sure you know what the reporting framework is and the requirements therein. For example, the occurrence of $4 million in revenue means one thing under GAAP and quite another under the cash basis of accounting

What is a Relevant Assertion?

For an auditor, relevant assertions are those where a risk of material misstatement is reasonably possible. So, magnitude (is the risk related to a material amount?) and likelihood (is it reasonably possible?) are both considered. 

For cash, maybe you believe it could be stolen, so you are concerned about existence. Is the cash really there? Or with payables, you know the client has historically not recorded all invoices, so the recorded amount might not be complete. And the pension disclosure is possibly so complicated that you believe it may not be accurate. If you believe the risk of material misstatement is reasonably possible for these areas, then the assertions are relevant. 

Some auditors refer to auditing by assertions as an assertions audit. Regardless of the name, we need to know what the typical assertions are. 

Audit Assertions

Assertions include:

  • Existence or occurrence (E/O)
  • Completeness (C)
  • Accuracy, valuation, or allocation (A/V)
  • Rights and obligations (R/O)
  • Presentation, disclosure, and understandability (P/D)
  • Cutoff (CU)

Not all auditors use the same assertions. In other words, they might use assertions different from those listed above, or the auditor could list each assertion separately. Regardless, auditors need to make sure they address all possible areas of misstatement. 

Assertions as Scoping Tool

Think of assertions as a scoping tool that allows you to focus on the important. Not all assertions are relevant to all account balances or to all disclosures. Usually, one or more assertions are relevant to an account balance, but not all. For example, existence, rights, and cutoff might be relevant to cash, but not valuation (provided there is no foreign currency) or understandability. For the latter two, a reasonable possibility of material misstatement is not present.

As you consider the significant account balances, transaction areas, and disclosures, specify the relevant assertions. Why? So you can determine the risk of material misstatement for each and create responses. Here’s an example for accounts payable and expenses. 

AssertionInherent RiskControl RiskRisk of Material MisstatementResponse
E/OModerateHighModeratePerform substantive analytics comparing expenses to budget and prior year
CHighHighHighPerform search for unrecorded liabilities
CUModerate HighModerateSubstantive analytical comparison of the payable balance

Inherent Risk Support

Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for completeness (client has not fully recorded payables in prior years). Occurrence and cutoff have not been a problem areas in past years.

Inherent Risk as the Driver

Risk of material misstatement is the result of inherent risk and control risk. Auditors often assess control risk at high because they don’t plan to test for control effectiveness. If control risk is assessed at high, then inherent risk becomes the driver of the risk of material misstatement. In the table above, the auditor believes there is a reasonable possibility that a material misstatement might occur for occurrence, completeness, and cutoff. So responses are planned for each. 

Fraud risks and subjective estimates can be (and usually are) assessed at the upper end of the spectrum of inherent risk. They are, therefore, significant risks. When a significant risk is present, the auditor should perform procedures beyond his or her normal approach. As we previously said, when the client’s risk increases, the level of testing increases. 

Significant Risk 

The payables/expenses assessment below incorporates an additional response due to a significant risk, the risk that fictitious vendors might exist.

AssertionInherent RiskControl RiskRisk of Material MisstatementResponse
E/OHighHighHighPerform substantive analytics comparing expenses to budget and prior year; Perform fictitious vendor test
CHighHighHighPerform search for unrecorded liabilities
CUModerate HighModerateSubstantive analytical comparison of the payable balance

Inherent Risk Support

Accounts payable is not complex and there are no new accounting standards related to it. There are no subjective judgments. The company suffered a fictitious vendor fraud during the year, so the occurrence assertion has uncertainty. Volume is moderate and directional risk is an understatement. Inherent risk is assessed at high for occurrence (significant risk) and completeness. Cutoff has not been a problem in past years. 

Significant Risk Example

In auditing expenses, the auditor knows that a risk of fictitious vendors exists. In this scheme the payables clerk adds and makes payments to a nonexistent vendor. Additionally, the payments are usually supported with fake invoices. What is the result? Yes, additional expenses. Those fraudulent payments appear as expenses in the income statement. So the occurrence assertion is suspect. 

If the auditor believes the risk of fictitious vendors is at the upper end of the inherent risk spectrum, then a significant risk is present in relation to the occurrence assertion. And such a risk deserves a fraud detection procedure. In this example, the auditor responds by adding a substantive test for detection of fictitious vendors. More risk, more work.  

Additionally, notice the inherent risk for occurrence is assessed at high. Why? Because it’s at the upper end of the inherent risk spectrum. A significant risk is, by definition, a high inherent risk, never low or moderate.

As you can tell, I am suggesting that risk be assessed at the assertion level. But is it ever acceptable to assess risk at the transaction level

Assessing Risk at the Transaction Level

Is it okay to assess audit risk in the following manner?

AssertionInherent RiskControl RiskRisk of Material Misstatement
E/O; CU; R/O; A/V; P/DHighHighHigh

Yes, but if all assertions are assessed at high, then a response is necessary for each. 

Those who assess risk at the transaction level think they are saving time. But is this a more efficient approach? Or might it be more economical to do so at the assertion level?

Assess the Risk of Material Misstatement at the Assertion Level

If the goal of assessing risk is to quickly complete a risk assessment document (and nothing else), then assessing risk at the transaction level makes sense. But the purpose of risk assessment is to provide planning direction. Therefore, we need to assess risk at the assertion level. 

Why? Let’s answer that question with an accounts payable example. 

Accounts Payable Risk Assessment Example

Suppose the auditor assesses risk at the transaction level, assessing all accounts payable assertions at high. What does this mean? It means the auditor should perform substantive procedures to respond to the high-risk assessments for each assertion. Why? The risk assessment for valuation, existence, rights and obligations, completeness, and all other assertions are high. Logically, the substantive procedures must now address all of these (high) risks.

Alternatively, what if the accounts payable completeness assertion is assessed at high and all other assertions are at low to moderate? How does this impact the audit plan? Now the auditor plans and performs a search for unrecorded liabilities. Additionally, he may not, for example, perform existence-related procedures such as sending vendor confirmations. The lower risk assertions require less work.

Do you see the advantage? Rather than using an inefficient approach—let’s audit everything—the auditor pinpoints audit procedures. 

Once assertions are assessed, it’s time to link them to further audit procedures.

Linkage with Further Audit Procedures

As a peer reviewer, firms say to me, “I know I over-audit, but I don’t know how to lessen my work.” And then they say, “How can I reduce my time without reducing quality?” 

Here’s my answer: Perform real risk assessments and document the risk of material misstatement at the assertion level. Then tailor—yes, change the audit program—to address the risks. Perform substantive procedures or a test of controls for effectiveness related to the identified risk areas—and slap yourself every time you even think about same as last year. (Your substantive procedures can be a test of details or substantive analytics.)

And what are the benefits of assessing risk at the assertion level?

  • Efficient work
  • Higher profits 
  • Conformity with standards

You may be wondering if financial statement level risk can affect assertion level assessments. Let's see. 

Risks at the Financial Statement Level

Financial statements have financial statement level risks such as management override or the intentional overstatement of revenues. These sometimes affect assertion level risk. For example, the intentional overstatement of revenues has a direct effect upon the existence assertion for receivables and the occurrence assertion for revenues. Therefore, even when you identify financial statement level risks, consider whether they might affect assertion level risks as well. 

Now let's talk about homework based on this article. Let's make this useful. 

Your Audit Assertion Documentation

Look at two or three of your audit files and review your risk assessments. Are you assessing risk at the transaction level or at the assertion level? Plan to spend more time in performing risk assessment procedures and documenting your risks at the assertion level—and possibly less time performing further audit procedures.

audit and work paper mistakes
Feb 19

Audit and Work Paper Mistakes: A List of 40

By Charles Hall | Auditing

Today, I offer you a list of forty audit and work paper mistakes.

audit and work paper mistakes

The list is based on my observations from over over thirty-five years of audit reviews (and not on any type of formal study).

You will, however, shake your head in agreement as you read these. I know you’ve seen them as well. The list is not comprehensive. So, you can add others in the comments section of this post.

Here’s the list.

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing unnecessary documents in the file (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linkage)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers

35. Tickmarks are not defined (at all)

36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done

37. No group audit documentation though a subsidiary is included in the consolidated financial statements

38. No elements of unpredictability were performed

39. Not inquiring of those charged with governance about fraud

40. Not locking the file down within 60 days 

That’s my list of audit and workpaper mistakes. What would you add?

Even if you do all of these, have you documented them properly? See my article If It’s Not Documented, It’s Not Done.

Feb 16

AU-C 315 Exposure Draft Issued by AICPA

By Charles Hall | Accounting and Auditing

The AICPA issued its AU-C 315 exposure draft in August 2020. AU-C 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatements, has been with us several years. Now the AICPA is updating it. 

Conceptually the exposure draft is not that different from the extant standard, but the details introduce some interesting changes. The proposed standard, if adopted, will have a significant impact on future audits. 

AU-C 315

Risk Assessment: The Early Years

Risk assessment provides the foundation for planning an audit. So it's critical that an auditor understand the entity and its environment, including controls, prior to assessing the risk of material misstatement. 

The Auditing Standards Board (ASB) issued its original risk assessment standards in 2006 with SAS 109 being a part of that suite. Since that time auditors have done a much better job of understanding the entities they audit prior to planning. Even so, auditors continue to struggle with understanding internal controls. Additionally, some find it difficult to use that information in risk assessment and planning. 

Risk Assessment Confusion

Since the issuance of SAS 109, auditors have asked questions such as:

  • Why do I need to understand the system of internal controls if I am using a substantive approach?
  • What risk assessment procedures are required?
  • When are controls relevant to my audit (in other words, what controls should I pay attention to)?
  • How do I assess the risk of material misstatement?
  • Why is risk assessment not more scalable?
  • When is an account balance, transaction cycle, or disclosure significant (in other words, what accounts balances, transaction cycles, and disclosures should I pay attention to)?
  • What makes an assertion inherently risky?
  • What is a significant risk?

These questions (and related misunderstandings) manifested themselves in peer reviews. 

Peer Review Information

Firms are receiving peer review feedback saying there is a lack of documented understandings of the entity and its controls. Moreover, peer reviewers have found that auditors are, in some cases, not using the information--even when control understandings are documented--as a basis for risk assessment or planning. 

So, the AICPA is, in this update, trying to lend a helping hand. 

Exposure Draft Goals

The ASB is addressing the following with this exposure draft:

  1. The auditor's work to understand an entity's system of internal control
  2. Modernize the standard, particularly in regard to IT
  3. Assist the auditor in determining risks of material misstatements, including significant risks

Risk Assessment Upgrade

This ASB has received feedback from practitioners and firms since the exposure draft was issued. 

One of the things I see in the draft proposal is clarification regarding what's important in an audit (and how certain elements are defined), such as:

  • The reporting framework
  • Relevant assertions
  • Significant account balances, transaction cycles, disclosures
  • Significant risks

As I was reading the draft proposal, I kept thinking, this makes sense. I think you will too. 

Effective Date

The effective date, if the standard is issued, is for periods ending on or after December 15, 2023. 

Review Financial Statements
Feb 14

Review Financial Statements on Monitors

By Charles Hall | Accounting and Auditing , Technology

Today I give you seven steps to review financial statements on computer screens. I explain how to review financial statements in Word and in PDFs. 

In another post titled How CPAs Review Financial Statements, I provide information about creating and reviewing financial statements, but it doesn’t provide information about doing so on computer screens. This article does.

Review Financial Statements on Computer Screens

Financial Statement Review in Word

  1. First, open and visually scan the entire financial statement (spend two to three seconds per page) just to get a feel for the whole product. How do the parts fit together? Are the financial statements subject to the Yellow Book? Do they contain supplementary information? Are the statements comparative?
  2. Second, use a large computer screen (22 inches or more) to compare your financial statement pages. If you are reviewing in Word, reduce the financial statement page size by holding the control key down and scrolling back with your mouse. As you do so, you will see multiple statements on the screen, for instance: balance sheet, income statement and cash flow statement.  Now that you can see multiple statements, you can tick and tie your numbers. I use step 2. to compare the financial statement numbers. For example, I compare the net income number on the income statement to the same number on the cash flow statement. Then I use step 3. to compare the financial statements to the notes and the supplementary information.
  3. Next, use two to three computer screens to compare your financial statements with the notes and supplementary information. Open the financial statement on each screen–for instance, the balance sheet on screen 1, the notes on screen 2, and the supplementary information on screen 3. In Word, click View, New Window and another instance of the document will open. Then you can move the new instance to a second screen. Alternatively, you can use the side-by-side feature in Word to place two open documents on one screen. 
  4. After completing your review of the notes, return to and take a second look at the balance sheet to see if the disclosures are complete. (Since you just reviewed the notes, it’s easier to compare them to the balance sheet. If, for example, you look at the balance sheet and see inventory but no disclosure for the same, you’ll more easily see the error.)
  5. Use the find feature (in Word, click the Home tab, click Find, then key in the number–or word–you are looking for) to locate words or numbers. If you want to compare the long-term debt number on the balance sheet to the notes and to supplemental information, type that number into your search dialog box and you’re immediately taken to the same number in the notes. Click next, and you will see the next instance (in the supplementary information). You can do the same with words. (Note: If you embed Excel tables in the Word document, the find feature will not locate numbers in the embedded tables. Consider PDF review option below.)
  6. When needed, take breaks. Never spend more than 1.5 hours reviewing statements without taking a short break. You get more done by relaxing periodically.
  7. Finally, if you are reviewing financial statements in Word, consider turning on Track Changes and key in suggested revisions. Word reflects your modifications in a distinct color. That way, others can see your suggested changes. They can also see who made the suggested corrections. Thereafter, they can accept or reject the proposed changes.

Financial Statement Review with PDF Documents

You may find it easier to review financial statements after converting them to a PDF (rather than in Word). This makes all numbers and words fully searchable (no embedded Excel spreadsheet limitation issue). 

You can use the split screen feature (click Windows, Split in Adobe Acrobat) to see the same financial statements on one screen. I usually do this on my center screen. This allows me to scroll and compare numbers in the financial statements. For instance, I compare total assets with total liabilities and equity. Or I compare equity on the balance sheet with my statement of changes in equity ending balances. 

I also open a second instance of the PDF on my right-hand screen, mainly to compare my notes with the financial statements (on my center screen). Then I use control-f to locate numbers or words. For instance, if I see $456,856 for total plant, property, and equipment (on my center screen), I click on the right-hand screen, then control-f, then key in the number to find it in the notes. 

I make review comments in the PDF using the comments feature in Adobe Acrobat. Then persons can respond with the reply feature in the comments field. That way, they can provide a response, whether they agree or not—and what they did if a correction was made. 

Your Suggestions

Those are my ideas. What are yours?

Review Financial Statements
Feb 10

How CPAs Review Financial Statements

By Charles Hall | Accounting and Auditing

Most CPA firms create financial statements for their clients. This blog post tells you how to create and review financial statements efficiently and effectively.

Review Financial Statements

Picture is courtesy of AdobeStock.com

Create Financial Statements

First, where possible, electronically link the trial balance to the financial statements. (Linking is often done from the trial balance to Excel. Then the Excel document is embedded into a Word document.) Doing so will expedite the financial statement process and enhance the integrity of the numbers.

Do the following:

  • Prepare the initial draft of the statements
  • Create clear disclosures
  • Complete a current financial statement disclosure checklist 
  • Research any nonstandard opinion or report language (place sample reports from PPC or other sources in the file). Later the partner or manager will compare this supporting document to the opinion or report
  • Research any additional reports (e.g., Yellow Book, Single Audit). Place a copy of such reports in the file. Later the partner or manager will compare the supporting document to the opinion or report. 
  • The staff person should review the audit planning document to see if any new standards are to be incorporated into this to year’s financial statements

Next you’ll need to proof the financial statements.

Proof the Financial Statements

Proof your financial statements. The proofer usually does the following before the partner or managers’ review:

  • Add (foot the numbers for) all statements, notes, schedules
  • Tick and tie numbers such as:
    • Total assets equal total liabilities and equity
    • Ending cash on the cash flow statement agrees with the balance sheet
    • Net income on the income statement agrees with the beginning number of an indirect method cash flow statement
    • Numbers in the notes agree with the financial statements
    • Numbers in the supplementary schedules agree with the financial statements
  • Review financial statements for compliance with firm formatting standard 
  • Read financial statements for appropriate grammar and punctuation (consider using Grammarly)
  • Compare the table of contents to all pages in the report
  • Review page numbers

Partner or Manager Review

Finally, the partner or manager reviews the financial statements. Having the proofer do their part will minimize the review time for this final-stage review.

Here are tips for the final review:

  • Scan the complete set of financials to get a general feel for the composition of the report (e.g., Yellow Book report, supplementary information, the industry, etc.). This is a cursory review taking three or four seconds per page.
  • Read the beginning part of the summary of significant accounting policies taking note of the reporting framework (e.g., GAAP), type of entity (e.g., nonprofit), and whether the statements are consolidated or combined. Doing so early provides context for the remaining review of the financials.
  • Read the opinion or report noting any nonstandard language (e.g., going concern paragraph)
    • Agree named financial statement titles in the opinion or report to the financial statements
    • Agree the dates (e.g., year-end) in the opinion or report to the statements
    • Compare supporting sample report (as provided by your staff member and noted above) to the opinion or report
    • Compare representation letter date to the opinion or review report date
  • Review the balance sheet making mental notes of line items that should have related notes (retain those thoughts for review of the notes)
  • Review the income statement
  • Review the statement of changes in equity (if applicable)
  • Review the cash flow statement
  • Review the notes (making mental notes regarding sensitive or important disclosures so you can later see if the communication with those charged with governance appropriately contains references to these notes)
  • Return to the balance sheet to see if there are additional disclosures needed (since you just read the notes, you will be more aware of omissions — e.g., intangibles are not disclosed)
  • Review supplementary information (and related opinion for this information if applicable)
  • Review other reports such as Yellow Book and Single Audit (the staff member preparing the financial statements should have placed supporting examples in the file; refer to the examples as necessary)
  • If the review is performed with a printed copy of the statements, use yellow highlighter to mark reviewed sections and numbers
  • If you review a paper copy, pencil in corrections and provide corrected pages to the staff member for amendments to be made
  • If the review is performed on the computer, take screenshots of pages needing corrections and provide to the staff member
  • Better yet, review electronically. See my related post Review Financial Statements on Computer Screens

Last Step

Destroy all drafts. Or at a minimum, don’t leave them in the file. Once the financial statements are complete, there is no reason to retain drafts.

Your Suggestions

What other review procedures do you use?

>