As businesses grow, the risk of theft increases. In this post, I offer ten powerful steps to reduce fraud.
Windows open. Curtains blowing. The sound of crickets and an occasional train in the distance. It was a simple childhood. It was my childhood. My mother parked her black Ford Falcon and left the keys in the ignition. The doors to our home were unlocked. We trusted our neighbors and they trusted us. And why would we not? We’d known each other forever.
But then one night at the dinner table, my father said, “someone stole Miss Gussie’s Chevy.” Unthinkable. Our innocence was broken, and soon my mother took precautionary measures. Each evening, after parking, she would place the car keys under the car seat. No need to take chances. We began to close the windows at night, but still, the back door was left unlocked in case my father needed to go out for a smoke.
A couple of months later, I overheard my mother whispering to my grandmother that a man slithered into Miss Kidd’s house in the dead of night and had taken valuables. Miss Kidd lived diagonally from our home, just a stone’s throw away. To think that someone just walked–unannounced–into the octogenarian’s home. How could this be?
Fear was palpable. Our neighborhood’s character shifted. No longer would Mom leave the keys in the car. No longer would we leave the windows open. No more cricket sounds. And my father even locked the back door.
Safely we would sleep, not because there were no threats, but because of protection.
Today we look at one of most misunderstood parts of auditing: audit risk assessment.
Are auditors leaving money on the table by avoiding risk assessment? Can inadequate risk assessment lead to peer review findings? This article shows you how to make more money and create higher quality audit documentation.
Audit Risk Assessment as a Friend
Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t?
This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment creates efficiency.
So, why do some auditors (intentionally) avoid audit risk assessment? Here are two reasons:
We don’t understand it
We're creatures of habit
Too often auditors continue doing the same as last year (commonly referred to as SALY)--no matter what. It’s more comfortable than using risk assessment.
But what if SALY is faulty or inefficient?
Maybe it’s better to assess risk annually and to plan our work accordingly (based on current conditions).
Are We Working Backwards?
The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:
Determine the risks of material misstatements (plan our work)
Develop a plan to address those risks (plan our work)
Perform substantive procedures (work our plan)
Issue an opinion (the result of planning and working)
Auditors sometimes go directly to step 3 and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1 is created “because we have to.”
In other words, we work backwards.
So, is there a better way?
A Better Way to Audit
Audit standards—in the risk assessment process—call us to do the following:
Understand the entity and its environment
Understand the transaction level controls
Use planning analytics to identify risk
Perform fraud risk analysis
While we may not complete these steps in this order, we do need to perform these risk assessment procedures first (1 through 4) and then assess risk.
Okay, so what procedures should we use?
Audit Risk Assessment Procedures
AU-C 315.06 states:
The risk assessment procedures should include the following:
Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor's professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
Observation and inspection
I like to think of risk assessment procedures as detective tools used to sift through information and identify risk.
Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same.
First, we need to understand the entity and its environment.
Understand the Entity and Its Environment
The audit standards require that we understand the entity and its environment.
I like to start by asking management this question: "If you had a magic wand that you could wave over the business and fix one problem, what would it be?"
The answer tells me a great deal about the entity's risk.
I want to know what the owners and management think and feel. Every business leader worries about something. And understanding fear illuminates risk.
Think of risks as threats to objectives. Your client's fears tell you what the objectives are--and the threats.
To understand the entity and its related threats, ask questions such as:
How is the industry faring?
Are there any new competitive pressures or opportunities?
Have key vendor relationships changed?
Can the company obtain necessary knowledge or products?
Are there pricing pressures?
How strong is the company’s cash flow?
Has the company met its debt obligations?
Is the company increasing in market share?
Who are your key personnel and why are they important?
What is the company’s strategy?
Does the company have any related party transactions?
As with all risks, we respond based on severity. The higher the risk, the greater the response.
Audit standards require that we respond to risks at these levels:
Financial statement level
Transaction level
Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements.
Responses to risk at the transaction level are more specific such as a search for unrecorded liabilities.
But before we determine responses, we must first understand the entity's controls.
Understand Transaction Level Controls
We must do more than just understand transaction flows (e.g., receipts are deposited in a particular bank account). We need to understand the related controls (e.g., Who enters the receipt in the general ledger? Who reviews receipting activity?).
So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.
AU-C 315.14 requires that auditors evaluate the design of their client's controls and determine whether they have been implemented. However, AICPA Peer Review Program statistics indicate that many auditors do not meet this requirement. In fact, noncompliance in this area is nearly twice as high as for any other requirement of AU-C 315, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.
Some auditors excuse themselves from this audit requirement saying, "the entity has no controls."
All entities have some level of controls. For example, signatures on checks are restricted to certain persons. Additionally, someone usually reviews the financial statements. And we could go on.
The AICPA has developed a practice aid that you'll find handy in identifying internal controls in small entities.
The use of walkthroughs is probably the best way to understand internal controls.
As you perform your walkthroughs, ask questions such as:
Who signs checks?
Who has access to checks (or electronic payment ability)?
Who approves payments?
Who initiates purchases?
Who can open and close bank accounts?
Who posts payments?
What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
Who creates expense reports and who reviews them?
Who bills clients? In what form (paper or electronic)?
Who opens the mail?
Who receipts monies?
Are there electronic payments?
Who receives cash onsite and where?
Who has credit cards? What are the spending limits?
Who makes deposits (and how)?
Who keys the receipts into the software?
What revenue reports are created and reviewed? Who reviews them?
Who creates the monthly financial statements? Who receives them?
Are there any outside parties that receive financial statements? Who are they?
Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. And a lack of controls threatens this objective.
So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions. And—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders.
This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.
In a recent AICPA study regarding risk assessment deficiencies, 40% of the identified violations related to a failure to gain an understanding of internal controls.
Multiple-year comparisons of key numbers (at least three years, if possible)
In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason the board or the owners are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)
You may wonder if you can create planning analytics for first-year businesses. Yes, you can. Compare monthly or quarterly numbers. Or you might compute and compare ratios (e.g., gross profit margin) with industry benchmarks. (For more information about first-year planning analytics, see my planning analytics post.)
Sometimes, unexplained variations in the numbers are fraud signals.
Identify Fraud Risks
In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?
Also, we should plan procedures related to:
Management override of controls, and
The intentional overstatement of revenues
My next post—in The Why and How of Auditing series—addresses fraud, so this is all I will say about theft, for now. Sometimes the greater risk is not fraud but errors.
Same Old Errors
Have you ever noticed that some clients make the same mistakes—every year? (Johnny--the controller--has worked there for the last twenty years, and he makes the same mistakes every year. Sound familiar?) In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).
One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look.
Now it’s time to pull the above together.
Creating the Risk Picture
Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image.
What are we bringing together? Here are examples:
Unexpected variances in significant numbers
Entity risk characteristics (e.g., level of competition)
Large related-party transactions
Occurrences of theft
Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). Focus these plans on the higher risk areas.
How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.
Assess the Risk of Material Misstatement
Understanding the RMM formula is key to identifying high-risk areas.
Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.
While analytical procedures should occur at the beginning and the end of an audit, this post focuses on planning analytics.
Below I provide the quickest and best way to develop audit planning analytics.
What are Analytics?
If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the use of numbers to determine reasonableness. For example, if a company's cash balance at December 31, 2017, was $100 million, is it reasonable for the account to be $5 million at December 31, 2018? Comparisons such as this one assist auditors in their search for errors and fraud.
Overview of this Post
We'll cover the following:
The purpose of planning analytics
When to create planning analytics (at what stage of the audit)
The best types of planning analytics
How to document planning analytics
Linkage to the audit plan
Purpose of Planning Analytics
The purpose of planning analytics is to identify risks of material misstatement. Your goal as an auditor is to render an opinion regarding the fairness of the financial statements. So, like a good sleuth, you are surveying the accounting landscape to see if material misstatements exist.
A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews, timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures. Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for material misstatements.
The detective and the auditor are both looking for the same thing: evidence. And the deft use of tools can lead to success. A key instrument (procedure) available to auditors is planning analytics.
When to Create Planning Analytics
Create your preliminary analytics after gaining an understanding of the entity. Why? Context determines reasonableness of numbers. And without context (your understanding of the entity), changes in numbers from one year to the next may not look like a red flag--though maybe they should.
Therefore, learn about the entity first. Are there competitive pressures? What are the company's objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the organization have debt? Context creates meaning.
Additionally, create your comparisons of numbers prior to creating your risk assessments. After all, the purpose of the analytical comparisons is to identify risk.
But before creating your planning analytics, you first need to know what to expect.
Knowing what to expect provides a basis for understanding the changes in numbers from year to year.
Expectations can include:
Increases in numbers
Decrease in numbers
Stable numbers (no significant change)
In other words, you can have reasons to believe payroll (for example) will increase or decrease. Or you might anticipate that salaries will remain similar to last year.
Examples of Expectations Not Met
Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an increase of 15% is a flashing light.
Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be an indication of financial statement fraud.
But where does an auditor obtain expectations?
Sources of Expectations
Expectations of changes can come from (for example):
Past changes in numbers
Discussions with management about current year operations
Reading the company minutes
Non-financial statistics (e.g., a decrease in the number of widgets sold)
A major construction project
While you'll seldom know about all potential changes (and that's not the goal), information--such as that above--will help you intuit whether change (or a lack of change) in an account balance is a risk indicator.
Now, let's discuss the best types of planning analytics.
The Best Types of Planning Analytics
Auditing standards don't specify what types of planning analytics to use. But some, in my opinion, are better than others. Here's my suggested approach (for most engagements).
First, create your planning analytics at the financial statement reporting level. Why? Well, that's what the financial statement reader sees. So, why not use this level (if you can)? (There is one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)
The purpose of planning analytics is to ferret out unexpected change. Using more granular information (e.g., trial balance) muddies the water. Why? There's too much information. You might have three hundred accounts in the trial balance and only fifty at the financial statement level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I look at it.
Second, add any key industry ratios tracked by management and those charged with governance. Often, you include these numbers in your exit conference with the board (maybe in a slide presentation). If those ratios are important at the end of an audit, then they're probably important in the beginning.
Okay, so we know what analytics to create. But revenue deserves a closer look before we turn to how to document them.
Analytics for Fraudulent Revenue Recognition
AU-C 240.22 says, "the auditor should evaluate whether unusual or unexpected relationships that have been identified indicate risks of material misstatement due to fraud. To the extent not already included, the analytical procedures, and evaluation thereof, should include procedures relating to revenue accounts."
The auditing standards suggest a more detailed form of analytics for revenues. AU-C 240.A25 offers the following:
a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales.
a trend analysis of revenues by month and sales returns by month, during and shortly after the reporting period. This may indicate the existence of undisclosed side agreements with customers involving the return of goods, which, if known, would preclude revenue recognition.
a trend analysis of sales by month compared with units shipped. This may identify a material misstatement of recorded revenues.
In light of these suggested procedures, it may be prudent to create revenue analytics at a more granular level than that shown in the financial statements.
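The three procedures AU-C 240.A25 describes can be run as simple computations over monthly data. The block below is an added example, not code from the post or from any AICPA material; it assumes a single-product company selling at about $50 per unit, and every balance, unit count and the annual production capacity are constructed so that December revenue is booked well above what shipments support and returns spike in the month after year end.

```python
"""Revenue analytics at a more granular level than the financial statements.

Added example, not from the post. It implements the three checks AU-C 240.A25
describes: sales volume versus production capacity, a monthly trend of revenue
and sales returns (including the month after period end), and sales by month
compared with units shipped. All data below is constructed.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed monthly data for the reporting year (Jan..Dec).
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
REVENUE = {m: 400_000.0 for m in MONTHS}
UNITS_SHIPPED = {m: 8_000 for m in MONTHS}
RETURNS = {m: 10_000.0 for m in MONTHS}
REVENUE["Dec"] = 900_000.0                    # recorded revenue jumps...
UNITS_SHIPPED["Dec"] = 8_500                  # ...but shipments barely move
RETURNS_AFTER_PERIOD = {"Jan+1": 150_000.0}   # returns shortly after year end

AVG_UNIT_PRICE = 50.0                 # constructed average selling price
PRODUCTION_CAPACITY_UNITS = 100_000   # constructed annual capacity


def capacity_check(revenue: Dict[str, float], unit_price: float,
                   capacity_units: int) -> Tuple[int, bool]:
    """Sales volume implied by recorded revenue versus production capacity.
    Returns (implied_units, exceeds_capacity)."""
    implied = int(round(sum(revenue.values()) / unit_price))
    return implied, implied > capacity_units


def revenue_per_unit_outliers(revenue: Dict[str, float], units: Dict[str, int],
                              tolerance_pct: float = 25.0) -> List[str]:
    """Months whose revenue per unit shipped deviates from the year's median
    by more than tolerance_pct (revenue not supported by shipments)."""
    per_unit = {m: revenue[m] / units[m] for m in revenue if units[m]}
    baseline = median(per_unit.values())
    return [m for m, v in per_unit.items()
            if abs(v - baseline) / baseline * 100.0 > tolerance_pct]


def post_period_returns_check(returns_in_period: Dict[str, float],
                              returns_after: Dict[str, float],
                              multiple: float = 3.0) -> Tuple[float, bool]:
    """Compare returns recorded shortly after period end with the average
    monthly returns during the period. Returns (ratio, unusual)."""
    avg_in_period = sum(returns_in_period.values()) / len(returns_in_period)
    ratio = sum(returns_after.values()) / avg_in_period
    return ratio, ratio > multiple


def revenue_risk_indicators() -> List[str]:
    """Run all three checks over the constructed data; return indicators found."""
    indicators = []
    implied, over = capacity_check(REVENUE, AVG_UNIT_PRICE, PRODUCTION_CAPACITY_UNITS)
    if over:
        indicators.append(f"implied sales volume {implied:,} units exceeds "
                          f"capacity of {PRODUCTION_CAPACITY_UNITS:,}")
    for m in revenue_per_unit_outliers(REVENUE, UNITS_SHIPPED):
        indicators.append(f"{m}: revenue not supported by units shipped")
    ratio, unusual = post_period_returns_check(RETURNS, RETURNS_AFTER_PERIOD)
    if unusual:
        indicators.append(f"returns after period end are {ratio:.0f}x the monthly average")
    return indicators


if __name__ == "__main__":
    for line in revenue_risk_indicators():
        print("risk indicator:", line)
```

Each check is independent, so an entity with reliable unit data can run the shipments comparison even when capacity figures are unavailable; the tolerance and multiple are judgment calls to be documented with the rest of the expectations.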
How to Document Planning Analytics
Here are my suggestions for documenting your planning analytics.
Document overall expectations.
Include comparisons of prior-year/current-year numbers at the financial statement level. (You might also include multiple prior year comparisons if you have that information.)
Document key industry ratio comparisons.
Summarize your conclusions. Are there indicators of increased risks of material misstatement? If yes, say so. If no, say so.
Once you create your conclusions, place any identified risks on your summary risk assessment work paper (where you assess risk at the transaction level--e.g., inventory).
Use Filtered Analytical Reports with Caution (if at all)
Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with changes of greater than $30,000. There is a danger in using such thresholds.
What if you expect a change in sales of 20% (approximately $200,000) but your filters include:
all accounts with changes greater than $50,000, and
all accounts with changes of more than 15%
If sales remain constant, then this risk of material misstatement (you expected a change of 20%, but it did not happen) fails to appear in the filtered report. The filters remove the sales account because the change was minimal. Now, the risk may go undetected.
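The contrast between a filtered trial balance report and an expectation-driven analytic is easy to see in code. The block below is an added example, not the post's work paper or any firm's tool; the accounts, balances and expectations are constructed to mirror the post's figures (sales expected to rise 20%, about $200,000, but flat; payroll expected flat with a workforce of about 425, but up 15%, almost $3.8 million), and the conclusion text follows the style the post recommends.

```python
"""Planning analytics driven by expectations, beside a threshold-filtered report.

Added example (not the author's work papers). Balances and expectations are
constructed: sales were expected to rise 20% but stayed flat, payroll was
expected to stay flat but rose 15%.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Expectation:
    expected_pct: float   # change the auditor expects (minutes, inquiry, history)
    tolerance_pct: float  # how far actual may stray before it is a risk indicator


@dataclass(frozen=True)
class Finding:
    account: str
    actual_pct: float
    expected_pct: float
    deviation_pct: float


def pct_change(prior: float, current: float) -> Optional[float]:
    """Percent change from prior to current; None when prior is zero."""
    if prior == 0:
        return None
    return (current - prior) / abs(prior) * 100.0


def threshold_filter(prior: Dict[str, float], current: Dict[str, float],
                     min_abs: float = 50_000.0, min_pct: float = 15.0) -> Dict[str, float]:
    """Filtered trial balance report: keep accounts whose change exceeds either
    an absolute or a percentage threshold (the approach the post cautions against)."""
    flagged = {}
    for account, prior_bal in prior.items():
        current_bal = current.get(account, 0.0)
        delta = current_bal - prior_bal
        pct = pct_change(prior_bal, current_bal)
        if abs(delta) > min_abs or (pct is not None and abs(pct) > min_pct):
            flagged[account] = delta
    return flagged


def expectation_analytics(prior: Dict[str, float], current: Dict[str, float],
                          expectations: Dict[str, Expectation]) -> List[Finding]:
    """Flag accounts whose actual change deviates from the documented expectation
    by more than the tolerance, including accounts that did NOT move when expected to."""
    findings = []
    for account, exp in expectations.items():
        actual = pct_change(prior[account], current.get(account, 0.0))
        if actual is None:
            continue
        deviation = actual - exp.expected_pct
        if abs(deviation) > exp.tolerance_pct:
            findings.append(Finding(account, round(actual, 1), exp.expected_pct,
                                    round(deviation, 1)))
    return findings


def conclusion(findings: List[Finding]) -> str:
    """Work paper conclusion in the style the post recommends."""
    if not findings:
        return ("Conclusion: I reviewed the changes in the accounts and noted no "
                "unexpected changes. No risks of material misstatement were noted.")
    lines = ["Conclusion: the following unexpected changes were noted and are "
             "placed on the summary risk assessment work paper:"]
    for f in findings:
        lines.append(f"  {f.account}: expected {f.expected_pct:+.1f}%, "
                     f"actual {f.actual_pct:+.1f}% (deviation {f.deviation_pct:+.1f}%)")
    return "\n".join(lines)


# Constructed prior-year / current-year balances at the financial statement level.
PRIOR = {"Sales": 1_000_000.0, "Payroll": 25_300_000.0, "Rent": 120_000.0, "Supplies": 40_000.0}
CURRENT = {"Sales": 1_004_000.0, "Payroll": 29_095_000.0, "Rent": 120_000.0, "Supplies": 58_000.0}

# Constructed expectations, documented before looking at the numbers.
EXPECTATIONS = {
    "Sales": Expectation(expected_pct=20.0, tolerance_pct=5.0),     # new contract per minutes
    "Payroll": Expectation(expected_pct=0.0, tolerance_pct=5.0),    # headcount flat at ~425
    "Rent": Expectation(expected_pct=0.0, tolerance_pct=2.0),       # lease unchanged
    "Supplies": Expectation(expected_pct=40.0, tolerance_pct=10.0), # construction project
}

if __name__ == "__main__":
    print("Filtered report flags:", sorted(threshold_filter(PRIOR, CURRENT)))
    print(conclusion(expectation_analytics(PRIOR, CURRENT, EXPECTATIONS)))
```

On this data the filtered report flags Payroll and Supplies and silently drops Sales, which barely moved; the expectation-based analytic flags Sales precisely because it did not move, flags Payroll, and leaves Supplies alone because the increase was anticipated. The thresholds are not wrong so much as blind to expectations, which is the post's point.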
I am a believer in documenting conclusions on key work papers. So, how do I develop those conclusions? And what does a conclusion look like on a planning analytics work paper?
First, develop your conclusions. How? Scan the comparisons of prior year/current year numbers and ratios. We use our expectations to make judgments concerning the appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so, there's no formula for this.
No Risk Identified
Now, you'll document your conclusions. But what if there are no unexpected changes? You expected the numbers to move in the manner they did. Then no identified risk is present. Your conclusion will read, (for example):
Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on the planning analytics, no risks of material misstatement were noted.
Alternatively, you might see unexpected changes. You thought certain numbers would remain constant, but they moved significantly. Or you expected material changes to occur, but they did not. Again, document your conclusion. For example:
Conclusion: I expected payroll to remain constant since the company's workforce stayed at approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I am placing this risk of material misstatement on the summary risk assessment work paper at 0360 and will create audit steps to address the risk.
Now, it's time to place the identified risks (if there are any) on your summary risk assessment form.
Identification of the risks of material misstatement
Creation of audit steps to respond to the identified risks (linkage)
Summary of Planning Analytics Considerations
So, now you know how to use planning analytics to search for risks of material misstatement--and how this powerful tool impacts your audit plan.
Let's summarize what we've covered:
Planning analytics are created for the purpose of identifying risks of material misstatement
Develop your expectations before creating your planning analytics (learn about the entity's operations and objectives; review past changes in numbers for context--assuming you've performed the audit in prior years)
Create analytics at the financial statement level, if possible
Use key industry ratios
Conclude about whether risks of material misstatement are present
Link your identified risks of material misstatement to your audit program
If you have thoughts or questions about this post, please let me know below in the comments box. Thanks for reading.
First-Year Businesses and Planning Analytics
You may be wondering, "but what if my client is new?" New entities don't have prior numbers. So, how can you create planning analytics?
One option is to compute expected numbers using non-financial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.
A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks.
While industry analytics can be computed, I’m not sure how useful they are for a new company. An infant company often does not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver--just in case.
A more useful option is the third: comparing intraperiod numbers.
Discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?
The last option is a review of budgetary comparisons. Some entities, such as governments, lend themselves to this alternative; those that don’t adopt budgets do not.
So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.
Risk-based audit standards have existed for years, but I still see a resistance to risk assessment procedures. Why? A reliance on the traditional balance sheet audit approach. I think many auditors prefer to test a bank reconciliation (ticking off each cleared transaction) to interviewing the company’s CFO. They enjoy the certainty of vouching payables (yep, the invoice agrees with the payable detail) and disdain the difficulty of walking a transaction through the accounting system. Regardless, many CPA firms struggle to slay the sacred cow of balance sheet audits.
What is a Balance Sheet Audit?
So what is a balance sheet audit approach?
It’s the examination of period-end balance sheet totals (the results of accounting processes) rather than the accounting processes themselves. For example, the auditor might confirm receivables and not perform a walkthrough of billing and collections. The balance sheet audit approach lacks any significant focus on the income statement.
While it is true that nailing down (or “beating up”) the balance sheet provides helpful audit evidence, there are some downsides.
The Downside of Balance Sheet Audits
So what are the weaknesses of a balance sheet audit approach?
First, the balance sheet approach does not address the income statement. Consequently, income statement line items may be misclassified (e.g., expenses netted with revenues). If the balance sheet is correct, net income (the result of revenues and expenses) is correct. But revenues and expenses can still be misclassified. (I once saw grant revenue of $300,000 netted with related grant expenses resulting in a $0 impact to revenues and expenses.)
Secondly, and more importantly, the balance sheet audit method does not address the possibility of theft (and some forms of fraudulent reporting of revenues and expenses). Sure we can confirm cash and reconcile the balance to the general ledger. So what? If someone steals $1 million in cash receipts (or $10 million or whatever number you want to use), the balance sheet approach may not address the risk of theft.
The same is true if the CFO steals money by cutting checks to himself (or to fictitious vendors). The accounts payable balance can be reconciled to a detail, and a search for unrecorded liabilities can be performed–typical balance sheet audit steps–but these procedures don’t address theft.
Finally, audit standards require walkthroughs, fraud inquiries, planning analytics, and an understanding of the business. Without these steps, we cannot truly understand audit risks that lie hidden in accounting processes.
Understanding the business and its processes requires time, but doing so can lead to a leaner audit. You can decrease some substantive procedures when you know where your risks are. We can also mitigate audit risk (because we know what the risks are).
And this is the beauty and logic of risk-based audits. We determine where the risks are, and then we perform procedures to address those risks. We cease to blindly focus on the balance sheet.
Less time, less risk.
Sounds good to me–but slaying a sacred cow is necessary. I like my steaks medium rare. How about you?
At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.
So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.
We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).
Assessing Control Risk at High
First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then—if controls are appropriately designed and working—we can assess control risk (CR) at whatever level we desire. If CR is assessed at below high, then controls must be tested to support the lower risk assessment.
The Efficiency Decision
At this point, our assessment of control risk becomes a question of efficiency. We can:
Assess control risk at high and not perform additional tests of controls, or
Assess control risk at low to moderate and test the operating effectiveness of controls
The salient question is, “Which option is most efficient?”
Risk Assessment Procedures
Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. They don’t, however, tell us if the controls are consistently working.
AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).
A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.
To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.
If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).
For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.
Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?
If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)
For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:
IR      CR       RMM        Audit Approach
Low  x  High  =  Moderate   Basic
This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).
In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.
This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.
I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.
What are your thoughts about assessing control risk?
See my article about the audit risk model for more information about risks of material misstatement.