Mar 02

Three Considerations in First Year Audits

By Charles Hall | Auditing

Congratulations! You've won a new audit client. Now, let's consider the first year audit considerations.

In this post, I explain why it's necessary to obtain supporting information for opening balances and how contacting the predecessor auditor is to your advantage.

First Year Audit Considerations

Here are three key first year audit considerations:

  1. Obtaining information about opening balances 
  2. Reviewing the predecessor auditor's workpapers
  3. Complying with your firm's quality control standards 

Let's take a look at each of these.

1. Obtaining Information about Opening Balances

AU-C 510.08 states "The auditor should obtain sufficient appropriate audit evidence about whether the opening balances contain misstatements that materially affect the current period's financial statements." If you are unable to obtain such information, then you will need to qualify or disclaim your opinion. So, it's important to get comfortable with these balances.

Some auditors think, "Well, I'll just review the prior year audit report." That's a good start, but not good enough.

Why can't we just review the prior audit report? If the prior audit covered the period ending December 31, 2018, it does not cover the January 1, 2019 balances. If your audit is for the year ended December 31, 2019, then reviewing the audited financial statements for the year ending December 31, 2018 helps but it does not ensure the legitimacy of the January 1, 2019 opening balances. The audit standards state that the auditor has to determine whether the prior period closing balances were correctly brought forward to the new period. Additionally, we need to consider how the predecessor's audit work affects our current year risk assessment (more in a moment).

Also, determine that the opening balances are in compliance with appropriate accounting policies. If the prior year financial statements were created using the modified cash basis of accounting but GAAP financials are required in the current year, then bringing forward prior year balances won't do. GAAP is full accrual; the modified cash is not.

Additionally, the audit standards state that the successor auditor should perform "specific audit procedures to obtain evidence regarding opening balances" (per AU-C 510.08). You might, for example, examine the depreciation schedule for the prior year and compare it to the opening balances. For debt or investments, you could confirm the opening balances (I'm not saying this is required, just an option). For some (less significant balances) you might examine investment statements or loan amortizations and agree those to the opening balances. The opening balances for current assets or liabilities might be proven by activity early in the current year: Were prior year receivables collected? Were prior year payables paid?

What we can't do, however, is nothing. The General Audit Engagement Checklist (PRP Section 20,400) asks the peer reviewer the following:

Did the successor auditor obtain sufficient appropriate audit evidence regarding opening balances about whether opening balances contain misstatements that materially affect the current period's financial statements and appropriate accounting policies reflected in the opening balances have been consistently applied?

The peer reviewer will look for documentation as it relates to opening balances. If not present, then there is a problem. At a minimum, write a memo stating how you got comfortable with all significant opening balances. And create an audit program related to opening balances.

2. Reviewing the Predecessor Auditor's Workpapers

Reviewing the predecessor auditor's workpapers is one of the more unpleasant duties of an auditor. I did so recently. The predecessor auditor is a friend of mine. As I visited him, I was uncomfortable. He was cordial, respectful, and nice. Some predecessor auditors don't exactly roll out the red carpet for you (and I get that). I try to remember the importance of professional courtesy when I lose a job (though it stings my pride).

Reviewing the Predecessor Auditor's Workpapers

In any event, the successor auditor is required to initiate communications with the predecessor auditor prior to accepting the engagement (see AU-C 210.11-12). The peer review checklist asks:

If the auditor succeeded another auditor, did the successor auditor initiate communications with the predecessor auditor to ascertain whether there were matters that might assist the auditor in determining whether to accept the engagement?

Why call the predecessor auditor? To see if there were disagreements between the auditor and the company. To see if there were ethical issues.

Additionally, you need to request permission to review their prior year workpapers. AU-C 510.A 7 says, "The extent, if any to which a predecessor auditor permits access to the audit documentation...is a matter of the predecessor auditor's professional judgment." Translation: They don't have to permit access, but they (generally) should. If the predecessor allows access to their workpapers, you can use that information in planning your current year audit. 

3. Complying with Your Firm's Quality Control Standards

See what your firm's quality control document says about initial audits. Many firms require an engagement quality control review (an EQCR) for first-year engagements. (If yours does not, consider adding it to your QC document.) Why? New audits take a great deal of time. Because they do, it's tempting to cut corners. An EQCR lessens the temptation. The engagement partner knows the engagement will be reviewed by another firm member (often, another partner). 

How the Predecessor Auditor's Work Helps You

Contacting the predecessor auditor may be the best thing you can do prior to accepting an audit. They might tell you, for example, that the potential client is unethical or that they are slow to pay their audit fees. Because you desire a healthy book of business, this step may save you plenty of headaches. As I've said before client acceptance is the important audit step.

If you accept the engagement, consider how the predecessor's responses and workpapers affect your risk assessmentWere there several material audit adjustments in the prior year? Did the predecessor auditor issue a material weakness letter? Then such considerations should be included in your current year risk assessment.

The predecessor auditor's work can also help you get comfortable with opening balances. 

what is materiality
Feb 26

Materiality is Not (Just) a Number

By Charles Hall | Auditing

What is materiality?

Materiality is to reasonable assurance what white stripes are to a basketball court. Materiality is the boundary in which we audit financial statements. Step outside the lines, and the referee blows the whistle.

What is materiality

The problem, however, is the lines of materiality aren't clearly laid stripes. They are judgmental and movable and different for each game. Nevertheless, we accountants cry for sameness and regularity. It is our nature to seek certainty. And so we develop forms and procedures to corral this thing called materiality. But even with our methods (and forms), we must be mindful that our goal is to opine upon information that is true. Not perfect information, but reliable financial statements.

What is Materiality?

The Financial Accounting Standards Board defines materiality this way:  The omission or misstatement of an item in a financial report is material if, in light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item.

This definition is quite different than a formula such as 1% of total revenue (or any other computation), but we need some clearly laid stripes, do we not?

Material misstatments can include:

  • the omission of a significant disclosure
  • an incomplete disclosure
  • a known misstatement of a financial statement line
  • an unknown misstatement of a financial statement line
  • an unreasonable estimate 

Readers of financial statements--management, owners, lenders, vendors, and others--make decisions. While the concept of materiality is not directed toward any one potential financial statement user, the auditor should be aware of the auditee's risks. Some businesses have high levels of debt, for example, and their compliance with debt covenants may be of concern. Auditors become aware of risk factors by performing risk assessment procedures, and once those risks are identified, they will impact materiality.

The auditor's job is to provide reasonable assurance concerning the financial statements. So how do we go about doing this? One critical step is computing materiality.

Materiality Computation

In order to compute materiality, we first decide which base to use such as total revenues, total assets, net income. Since we need consistency, we select a base that is relevant and similar over time. Often total assets or total revenues are good choices. So what's an example of a poor base? Net income would be a poor choice for a business that "salaries out" all its profits each year--a zero profit does not give you much to work with.

Once the base is selected, we need to apply a percent to compute materiality. This percent is not defined in professional standards, so again, we are left to judgment. Most CPAs defer to forms providers (such as PPC); others create their own percentages. Either way, we need results that will provide "reasonable assurance." There are no magic percentages, but we want a materiality amount that is tight enough--large misstatements may falsely "influence the decisions that users make."

Materiality will be proportional. Materiality for a billion dollar company will be much higher than for a million dollar one. Also the percentages may be different based on the dynamics of the business. A company that is highly leveraged with debt might merit a lower scale of percentages. Risks deserve tighter definitions.

what is materiality

One problem with using a materiality calculation is the auditor may have undetected misstatements. What if, for example, our materiality was $100,000 and we had $90,000 in passed adjustments and $35,000 in undetected misstatements? In such a situation, we might opine that the financial statements are fairly stated and they are not. Similarly, the cumulative aggregation of errors noted in various transaction cycles may exceed materiality. We need cushion to cover the risk of undetected error and the aggregation of uncorrected misstatements. This cushion comes in the form of performance materiality.

Performance Materiality

AU-C 320.A14 describes performance materiality in the following manner:

Performance materiality is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in the financial statements exceeds materiality for the financial statements as a whole. Similarly, performance materiality relating to a materiality level determined for a particular class of transactions, account balance, or disclosure is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in that particular class of transactions, account balance, or disclosure exceeds the materiality level for that particular class of transactions, account balance, or disclosure.

Performance materiality calls for materiality thresholds at the transaction or account level. Usually performance materiality is calculated at 50% to 75% of materiality. Why the range? We are still responding to risk. If you believe the risk of undetected misstatements is high, then use a lower percent in the range (e.g., 55% of materiality). Likewise, if your client is less inclined to record detected error, a lower percent should be used. Remember your goal: the combined effect of undetected error and uncorrected misstatements can't exceed materiality for the statements as a whole. We don't want misstatements--in whatever form--to wrongly influence the decisions of financial statement users.

As we audit transaction areas, we need to summarize uncorrected missatements.

Uncorrected Misstatements

AU-C 450.11 says the following about uncorrected misstatements:

The auditor should determine whether uncorrected misstatements are material, individually or in the aggregate. In making this determination, the auditor should consider:

  1. the size and nature of the misstatements, both in relation to particular classes of transactions, account balances, or disclosures and the financial statements as a whole, and the particular circumstances of their occurrence and
  2. the effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances, or disclosures and the financial statements as a whole.

We need to accumulate uncorrected misstatements (sometimes referred to as passed adjustments) in a manner that will allow us to judge the effect from various perspectives--account level, transaction class levels, financial statement level. This is more than computing a number and comparing passed adjustments with the effect on net income or total assets. We are always asking, "Will these passed adjustments materially affect a user's judgment of the financial statements?"

So what are the documentation requirements for uncorrected misstatements?

AU‐C 450.12 requires that the auditor document:

  • The amount designated by the auditor below which misstatements need not be accumulated (clearly trivial).
  • All misstatements accumulated and whether they have been corrected.
  • A conclusion as to whether uncorrected misstatements, individually or in the aggregate, cause the financial statements to be materially misstated, and the basis for the conclusion.

Some identified misstatements are so small that they will not be accumulated. We call these trivial misstatements.

Trivial Misstatements

AU-C 420.A2 says the following about trivial misstatements:

The auditor may designate an amount below which misstatements would be clearly trivial and would not need to be accumulated because the auditor expects that the accumulation of such amounts clearly would not have a material effect on the financial statements.

Why create a trivial misstatement amount? To increase our efficiency. All detected differences below the trivial misstatement amount (e.g., $5,000) are not accumulated and, the auditor will not create a passed adjustment (no journal entry is necessary). The auditor simply notes the trivial difference on the work paper, and she is done. No further documentation is required. If you expect dozens of passed adjustments, then the trivial misstatement amount should be smaller. You don't want the accumulation of trivial misstatements to become not-so-trivial.

How Do You Calculate Materiality Amounts?

I'm curious. How does your firm compute materiality? Do you use a form (such as one from PPC) or has your firm created its own materiality document?

Seven Deadly Audit Sins
Feb 26

Seven Deadly Audit Sins

By Charles Hall | Auditing

Seven deadly audit sins can destroy you.

You just completed an audit project, and you have another significant write-down. Last year’s audit hours came in well over budget, and at the time you thought, “This will not happen again.” But here it is–again.

Here are seven deadly (audit) sins that cause our engagements to fail.

Seven Deadly Audit Sins

Picture is courtesy of DollarPhotoClub.com

1. We don’t plan.

Rolling over the prior year file does not qualify as planning. Including PPC programs–though I use them myself–is not planning.

What do I mean? The engagement has not been properly scoped. We don’t know what has changed and what is required. Each year, audits have new wrinkles.

Are there any fraud rumors? Has the CFO left without explanation? Have cash balances decreased while profits increased? Does the client have a new accounting program? Can you still obtain the reports you need? Are there any new audit or accounting standards?

Anticipate issues and be ready for them.

2. SALY lives.

Elvis may not be in the house, but SALY is.

Performing the same audit steps is wasteful. Just because we needed the action ten years ago does not mean we need it today. Kill SALY. (No, I don’t mean your staff member; SALY stands for Same As Last Year).

I find that audit files are like closets; we allow old thoughts (clothes) to accumulate without purging. It’s time for a Goodwill visit. Are all of the prior audit procedures relevant to this year’s engagement?

Will better planning require us to think more in the early phases of the engagement? Yes. Is this hard work? Yes. Will it result in less thinking and effort (for the overall project)? Yes.

3. We use weak staff.

Staffing your engagement is the primary key to project success. Excellent staff makes a challenging engagement pan out well. Poor staff causes your engagement time to balloon–lots of motion, but few results.

4. We don’t monitor.

Partners must keep an eye on the project. And I don’t mean just asking, “how’s it going?” Look in the audit file. See what is going on. In-charges will usually tell you what you want to hear. They hope to save the job on the final play, but a Hail Mary pass often results in a lost game.

Charles’ maxim: Monitor that which you desire to improve.

Or as Ronald Reagan once said: Trust but verify.

5. We use outdated technology.

Are you paperless? Using portable scanners and monitors? Are your auditors well versed in Adobe Acrobat (here’s a free short course)? Are you electronically linking your trial balances to Excel documents? Do you use project management software (e.g., Basecamp)? How about conferencing software (e.g., Zoom)? Do you have secure remote access to audit files?

6. Staff (intentionally) hide problems.

Remind your staff that bad news communicated early is always welcome.

Early communication of bad news should be encouraged and rewarded (yes, rewarded, assuming the employee did not cause the problem).

Sometimes leaders unwittingly cause their staff to hide problems; in the past, we may have gone ballistic on them–now they fear the same.

7. No post-reviews.

Once our audit is complete, we should honestly assess the project. Then make a list of inefficiencies or failures for future reference.

If you are a partner, consider a fifteen-minute meeting with staff to go over the list.

Your Ideas

What do you do to keep your audits within budget?

Fraud Prevention for Small Governments
Feb 06

Fraud Prevention for Small Governments

By Charles Hall | Fraud , Local Governments

Many small governments suffer losses from theft since they lack a sufficient number of employees to segregate accounting duties. There are, however, steps you can take to protect your resources. In this post, I provide ideas for fraud prevention in small governments.

Most government officials don’t realize that external audits are not designed to detect immaterial fraud (immaterial can be tens of thousands of dollars – sometimes even more). Such officials incorrectly believe that a clean opinion means no fraud is occurring in their locale – this is a mistake. External financial statement opinion audits are not designed to look for fraud at immaterial levels. Even if your government has an external audit, consider implementing fraud prevention procedures.

Fraud Prevention for Small Governments

In a typical small government accounting setting, the city of In Between (as in between two stop lights) (population 1,202) has a mayor and three council members. The city has one bookkeeper (we’ll call him Dale) who orders and receives all purchased items; he writes all checks, reconciles bank statements, and keys all transactions into the accounting system. Dale also receipts all collections and makes all deposits. Mayor Chester signs all checks (vendor and payroll). (In a long-standing tradition, the mayor also graces the city Christmas parade float as Santa Claus.) With so little segregation of duties, what can be done?

The smaller the government, the greater the need for fraud prevention – even if Santa Claus in involved. And yet, these are the governments that most often don’t have the resources–whether the money to pay for outside assistance or employees to segregate duties–to prevent fraud. Here are few ideas for even the smallest of governments.

Low-Cost Fraud Prevention

First, let’s look at low-cost fraud prevention options:

  • Have all bank statements mailed directly to Mayor Chester who will open and inspect the bank statement activity before providing the bank statements to Dale; alternatively, provide online access to Mayor Chester who reviews bank statement activity and signs a monthly memo documenting his review
  • Once or twice a year, have council members pick two months at random (e.g., May and September) and review key bank statement activity (e.g., the operating and payroll accounts)
  • Once or twice a year, have council members randomly select checks (e.g., ten vendor checks and ten payroll checks) and review supporting documentation (e.g., invoices and time sheets)
  • Once or twice a year, have the mayor and council review receipt collections and related documentation (e.g., for two days deposits); agree receipts to bank deposits and to the general ledger
  • Provide monthly budget to actual reports to mayor and council
  • Provide monthly overtime summaries to mayor and council
  • Do not allow Dale to sign checks
  • Require two signatures on checks above a certain level (e.g., $5,000); have two of the council members (in addition to the mayor) on the bank signature cards; supporting documentation (e.g., invoice) should be provided to check signers for review
  • Require Mayor Chester and Dale to authorize any wire transfers
  • Have Dale provide the mayor with monthly bank reconciliations; the mayor should document (e.g., initial the reconciliation) his review
  • Don’t provide Dale with a credit card
  • If Dale is provided a credit card, provide him with one card; use a low maximum credit limit (e.g., $1,000); Dale’s credit card statements should be provided to the mayor when he signs the related check for payment
  • Use a centralized receipting location (if possible); receipts should always be written upon collection of a payment

Higher Cost Fraud Fraud Prevention

Now let’s examine some higher cost options (that are probably more effective):

  • Have an outside CPA or Certified Fraud Examiner (CFE) perform the receipting and payment tests listed above
  • Have an outside CPA or CFE map your internal control system and make system-design recommendations
  • Have an outside CPA or CFE make surprise unannounced visits (e.g., two per year) to examine the receipting system, payroll, and the payment system; at the beginning of the year, tell Dale that the surprise visits will occur (details of what will be tested should not be communicated to Dale)
  • Install a security camera to record all of Dale’s collection and receipting activity
  • Purchase fidelity bond to cover elected officials and Dale

Keep in mind that you can limit the cost of the outside CPA. The contract might read Surprise audit of vendor payments with cost limited to $1,500. Try to contract with a CPA or CFE with governmental experience. The surprise audits and the fidelity bond recommendations are, in my opinion, the most critical steps.

Some states like New York audit local governments for fraud; consequently, if your local government is frequently audited by a state agency, there may be less of a need to hire an outside CPA or CFE to perform fraud prevention procedures.

Additional Fraud Prevention Resources

Click here for a list of local government controls to consider.

For additional insights into preventing fraud in your government, get The Little Book of Local Government Fraud Prevention on Amazon.

Yellow Book Independence
Feb 02

Yellow Book Independence and Preparing Financial Statements

By Charles Hall | Auditing , Local Governments

Yellow Book independence is a big deal. And if you prepare financial statements in a Yellow Book audit, you need to be aware of the independence rules. Below I tell you how to maintain your independence—and stay out of hot water,

Yellow Book Independence

Yellow Book Independence Impairment in Peer Review

Suppose that--during your peer review--it is determined your firm lacks independence in regard to a Yellow Book engagement.

What could happen? Well, I can't say for sure, but I think it would be nasty. At a minimum, you would probably receive a finding for further consideration--or worse, a negative peer review report. The engagement is definitely nonconforming (not conforming to professional standards).

Then, you'd need to provide a response--explaining what you intend to do about the lack of independence. And this could get very interesting. Not where you want to be.

Preparation of Financial Statements is a Significant Threat

If you prepare financial statements (a nonattest service) for your audit client, you have a significant threat. Why? You are auditing something (the financial statements) that you created. There is a self-review threat. 

When there is a significant threat, you must use a safeguard (to lessen the threat). Such as? A second partner review. So, for example, you might have a second audit partner (someone not involved in the audit) review the financial statements. Since the second partner did not create the financial statement, the self-review threat is mitigated.

Notice the safeguard (the second partner review) is something the audit firm does--and not an action of the audit client. Therefore, it qualifies as a safeguard.

2018 Yellow Book

The 2018 Yellow Book states the following in paragraph 3.88:

Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level...or decline to provide the services. (CPAHallTalk bolded the preceding words in this section.)

But My Client has Sufficient SKE

You've heard your audit client must have sufficient skill, knowledge and experience (SKE) and that they must oversee and assume responsibility for nonattest services. This is true and is always required when nonattest services are provided to an audit client. 

Even so, the client's SKE does not address the self-review threat

Think of the SKE issue as a minimum requirement. Do not pass "go" if the client does not assign someone (with SKE) to oversee the nonattest service. You are not independent. End of discussion. 

SKE is not a safeguard

The January AICPA Reviewer Alert distinguishes the SKE requirement from safeguards saying, "Client SKE should not be viewed as a safeguard, but rather a mandatory condition before performing any nonaudit services."

Once the client SKE issue is dealt with, consider if safeguards are necessary. If you are asked to prepare the financial statements, a second issue arises--the self-review threat. And this threat has to be addressed. A second review--whether a second partner review or an EQCR--is a good way to do so. 

The AICPA (in its AICPA Yellow Book Pratice aid) provides examples of safeguards including:

  • Obtaining secondary reviews of the nonaudit services by professional personnel who were not involved in planning or supervising the audit engagement.
  • Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team.

See Appendix E of the AICPA Yellow Book Practice Aid for additional examples of safeguards and how to apply them.

Independence Documentation is Required

The Yellow Book requires that your independence be documented. If it is not, a violation of professional standards exists. 

So, document the SKE of the client and the safeguards used to address significant threats. Also, document which nonattest services are signficiant threats.

Document Significant Threats

The January 2019 Reviewer Alert (an AICPA newsletter provided to peer reviewers) provides a scenario where an audit firm performs a Yellow Book audit and prepares financial statements. Then the firm has an engagement quality control review (EQCR) performed, but it does not identify the preparation of financial statements as a significant threat. The newsletter states "the engagement would ordinarily be deemed nonconforming for failure to document identification of a significant threat." So, even if a safeguard (e.g., a second partner review) is in use, the lack of documentation makes the engagement nonconforming.

In Summary

Here's the lowdown to protect your firm:

  1. Document the nonattest services you are to perform
  2. Document the client person that will oversee and assume responsibility for the nonattest service
  3. Document the SKE of the designated person
  4. Consider whether any nonattest services are significant threats 
  5. Document which, if any, nonattest services are significant threats
  6. Use (and document) a safeguard to address each significant threat (examples of safeguards include an EQCR or a second-partner review)

Looking for a tool to document Yellow Book independence? Consider the AICPA's practice aid. Here is the free PDF version. You can also purchase the fillable version here. (Cost is $39 for AICPA members.) This is the 2011 Yellow Book aid. I am thinking the AICPA will create a 2018 Yellow Book version as well. 

>