Knowing how to perform compilation engagements is important for CPAs. Below I provide an overview of the salient points of AR-C 80, Compilation Engagements.
The guidance for compilations is located in AR-C 80, Compilation Engagements.
Applicability of AR-C 80
The accountant should perform a compilation engagement when he is engaged to do so.
A compilation engagement letter should be prepared and signed by the accountant or the accountant’s firm and management or those charged with governance. An engagement letter to only prepare financial statements is not a trigger for the performance of a compilation engagement.
Previously (in the SSARS 19 days), the preparation and submission of financial statements to a client triggered the performance of a compilation engagement. Now, compilation engagement guidance is applicable only when the accountant is engaged to (requested to) perform a compilation.
The objectives of the accountant in a compilation engagement are to:
Assist management in the presentation of financial statements
Report on the financial statements in accordance with the compilation engagement section of the SSARSs
Today’s article comes from my twin brother, Harry Hall. He is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).
Many organizations do not have an enterprise risk management (ERM) program. Therefore, these entities lack the policies and procedures to manage enterprise risks (i.e., threats and opportunities) and achieve their objectives. In this article, we’ll look at how CPAs can suggest an ERM program to their clients.
Imagine that you’ve completed an audit of an organization. One way you can help your client is to provide a management letter that provides ideas to make the organization better. And one of the suggestions you can make is for them to implement an ERM program, or you can provide ways to improve the existing program. (Of course, as the auditor, you can’t make management decisions, but you can make suggestions.)
Think about it. Has one of your clients encountered a surprise event or condition in the last few years? Imagine if the client had identified and managed the risk better. That single failure may have caused your client to miss their annual objectives, resulting in weaker financial and operating positions. It’s even possible they no longer exist.
A sound ERM program can improve–and even save–your client.
What is ERM?
First, let’s define ERM. It is a program whereby an organization identifies and manages all of its risks in order to achieve its objectives.
How does ERM differ from traditional risk management? Well, traditional risk management focuses on pure risks. These are risks where there is the possibility of loss or no loss, but no chance of gain. Hazard or insurable risks are pure risks.
ERM includes pure risks, but also includes speculative risks. Speculative risks are risks where there is a chance of loss, no loss, or gain. So, speculative risks have the potential for gain. Examples of speculative risks include financial risks, strategic risks, and some operational risks.
So, let’s see how ERM helps businesses.
Four Benefits of ERM
There are several ways that an organization may benefit from ERM. The benefits include, but are not limited to, the following:
First, an ERM Champion can help their organization implement strategic risk management, a component of ERM. Here, we can clarify enterprise objectives and improve strategic planning, analysis, and alignment.
Second, ERM helps organizations identify risks between departments. Many departments live in siloes. And most people think solely about their department’s risk. But the actions taken by one department may impact other parts of the organization.
Third, ERM can boost collaboration. As risk owners from different departments focus on enterprise objectives together, these individuals begin to better understand other departmental processes. And these can be analyzed and improved to realize greater enterprise benefits.
Fourth, organizations with ERM programs are in a better position to meet the demands from external parties such as investors, rating agencies, and regulators.
To make this work, your client needs to leverage an ERM framework.
ERM programs include risk management processes that are used throughout the enterprise. Some organizations use a framework like COSO or the ISO 31000. Others develop their own framework. In general, here are the ERM processes, regardless of the framework.
Plan risk management. Define an ERM policy that guides the behavior of individuals in the organization. The ERM policy includes elements such as the risk governance structure, risk categories, ERM methodology, roles and responsibilities, risk appetite, risk tolerance, risk limits, ERM activities, ERM reports, and a glossary. This policy should be reviewed and updated each year. And the Board should approve the revisions.
Identify risks. Determine the risk identification tools and techniques that will be used. For example, these could include brainstorming, interviews, checklists, and cause-and-effect diagrams.
Evaluate risks. Once risks are identified, ERM stakeholders should assess the risks. Risk owners may perform qualitative and quantitative risk assessments. The risk assessments result in a prioritized risk list. The benefit: you know which risks matter most.
Respond to risks. Next, risk owners develop and implement risk response plans to lessen these risks.
Monitor risks. Of course, risks change over time. Threats and opportunities may (and probably will) increase or decrease. Therefore, clients must monitor risks. Are the risks managed according to the risk appetite and risk tolerance? Are the ERM processes providing value? Are the processes economical and efficient?
As a CPA, have you ever wondered how ERM and Internal Audit differ?
ERM vs. Internal Audit
Organizations may have an ERM department or group led by an ERM Champion or Chief Risk Officer (CRO). This group facilitates the development of an ERM policy, trains employees on ERM processes, and facilitates periodic risk reviews.
Internal Audit ensures that the risk controls are working as designed within the organization and makes recommendations for improvement where there are internal control deficiencies. (Traditionally, internal auditors have focused on accounting processes. Their role is expanding into other areas such as ERM.)
So, how do ERM and Internal Audit work together? First, the ERM Champion engages Internal Audit when developing the ERM policy. Second, Internal Audit uses the ERM risk register as input into the annual audit plan. Think about it – wouldn’t it be great to see the most significant enterprise threats and opportunities as Internal Audit develops the audit plan? Third, Internal Audit inspects the ERM processes, in addition to other organizational processes, to ensure they are efficient and economical.
Audit Management Letter Suggestion: ERM Program
In your next audit, think about the risk management practices in the organization.
Does your client have a written ERM policy? Are the risk processes being performed consistently throughout the enterprise? How are risks being identified and assessed? Does the enterprise risk register include financial risks, strategic risks, operational risks, and other risks? Have the risk appetite and risk tolerance been defined and communicated to the Board, management, and risk owners?
At the conclusion of your audit, consider including ERM recommendations in your management letter. Doing so might save your client a great deal of pain–and you’ll add value to your audit.
Harry Hall, the Project Risk Coach, is a speaker, teacher, author, and blogger. He has implemented project management offices (PMOs) and enterprise risk management (ERM) programs in the financial, healthcare, and agricultural industries. Harry is a graduate of the University of Georgia and is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).
Over the last thirty-five years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?
Here are seven answers I’ve received.
1. It was there last year.
But is it relevant this year? Resist the temptation to mindlessly bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.
2. The client gave it to me.
Inexperienced auditors tend to put everything given to them in the file. Some auditors believe “if the client gave it to me, it must be important.” But this is not necessarily true. Every work paper needs a purpose.
3. I may need it next year.
Then save it for next year—somewhere other than in the current file. If the information does not provide current year engagement evidence, then it does not belong in the file.
Consider creating a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: Next year’s work papers. Then move this section to next year’s file as you close the engagement.
4. I might need it this year.
Before going paperless (back in the prehistoric days when we moved work papers with hand trucks), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.
Since my files are now paperless, I create an electronic folder titled Recycle Bin that sits at the bottom of my file. If I receive information that is not relevant to the current year (but there is a chance I will need it), I move it to the recycle bin, and when I am wrapping up the engagement, I dispose of the folder.
5. It’s an earlier version of a work paper.
Move earlier versions of work papers to your recycle bin—or delete them.
6. I need it for my tax work.
Then it belongs in the tax file (unless it’s related to your attest work – e.g., deferred taxes).
7. We always do this.
But why is it being done this year? Maybe a fraud was missed ten years ago and the partner said, from now on we will…
The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide ammunition to an opposing attorney: “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)
What are your thoughts about removing unnecessary audit work papers?
Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how to overcome this problem, regardless of the entity’s size.
The Environment of Fraud
Darkness is the environment of wrongdoing.
No one will see us. Or so we think.
Fraud occurs in darkness.
In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man, murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transform him into a hideous creature–Gollum. I know of no better or more graphic portrayal of how that which is alluring in the beginning is destructive in the end.
Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.
What’s the solution? Transparency. It protects businesses, governments, and nonprofits.
But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.
It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.
But this segregation of duties is not always possible.
Lacking Segregation of Duties
Some people say there are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.
Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.
Here are two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.
1. Bank Account Transparency
First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.
Persons who might receive the bank statements first (before the bookkeeper) include the following:
A nonprofit board member
The mayor of a small city
The owner of a small business
The library director
A church leader
What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).
In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.
Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.
Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.
Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.
When you audit cash, see if these types of controls are in place.
Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.
2. Surprise Audits
Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.
Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.
The policy could be as simple as:
Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.
Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs.
Surprise Audit Ideas
Here are some surprise audit ideas:
Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
Agree all receipts to the deposit slip for three different time periods
Review all journal entries made in a two week period and request an explanation for each
Inspect two bank reconciliations for appropriateness
Review one monthly budget to actual report (look for unusual variances)
Request a report of all new vendors added in the last six months and review for appropriateness
The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.
I will say it again. Having multiple people involved reduces the threat of fraud.
Segregation of Duties Summary
In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.