SSARS 23 Expands Application of Preparation, Compilation Standards — Journal of Accountancy — article
Fraud Risk Management Guide — COSO — book
Report to the Nations — ACFE — fraud survey
How do you document your audit walkthroughs? Is it better to use checklists, flowcharts or summarize narratively?
While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my personal favorite is narrative mixed with screenshots. So how do I do this?
I determine the people involved in a transaction flow and schedule interviews with them. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes require several interviews.
Sometimes I don’t know how each person’s work fits into the whole, so it’s like gathering puzzle pieces—at this stage, I am reaching for bits of the picture. The interviews and information may feel random, even confusing. But when you put the pieces together, you will see the picture—and that’s what we’re after, understanding the accounting system and control environment.
I document the conversations using:
Using a Livescribe pen, I write notes and record the conversations.
I begin the interview by saying, “Tell me what you do and how you do it. Treat me like I know nothing. I want to hear all the particulars.”
As I listen, I write general notes. The Livescribe pen records the audio which syncs with my written notes. Later the conversation can be played from the pen—more in a moment about how I use this tool.
I find that most interviewees talk too fast—at least faster than I can write. And as I’m writing their last comment, they are moving to the next (and I fall behind). So I write simple words in my Livescribe notebook such as:
Later as I’m typing the narrative into Word, I touch the letter “A” in “Add vendor” with the tip of my pen. The touching of the letter “A” causes the pen to play the audio for that part of the conversation. Likewise touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play the discussion at that point. Since the audio syncs with my written notes, I can hear any part of the discussion by touching a letter with my pen.
And since Livescribe captures the audio, I jot down words—such as “Add vendor”—so I can later retrieve particular parts of the interview. These short phrases are markers for the audio and an outline of the conversation.
In addition to writing notes in my Livescribe notebook, I also take pictures with my iPhone. What am I taking snapshots of? Here are examples (from a payables interview):
So my inputs into the walkthrough document are as follows:
I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:
Why identify control deficiencies in the walkthrough? So I can link them to the audit procedures to be performed—what audit standards refer to as “further audit procedures.” The weaknesses tell me where to conduct substantive procedures.
Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So at the top of the transaction cycle description, I name the persons I interview and the date of the conversation. For example:
Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2016.
I note appropriate controls as follows:
Control: The addition of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.
I note control weaknesses as follows:
Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account.
The control weaknesses created by Johnny Mann’s performance of critical disbursement procedures increase the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:
How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate, particularly on those checks with Johnny’s signature.
Though this article focuses upon planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.
The bolded text (Control Weakness) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies in separate memos so I can track the disposition of each one. Ultimately each weakness is deemed a:
I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers).
For more information about how to categorize control weaknesses, click here.
While we know that an audit walkthrough is an excellent way to probe accounting systems for risk, many auditors aren’t sure how to use this procedure. I hear questions such as:
An audit walkthrough is the tracking of a transaction through an accounting system while examining related controls. The purpose of the audit walkthrough is to see if controls exist and are in use (or, as the audit standards say, “implemented”). The results of our risk assessment procedures will illuminate the weaknesses in the accounting system. And we use this information about risk to create our audit plan.
So we do the following:
Walkthroughs fall in the “identify risk” category, and, consequently, are done early in the audit process.
Following a transaction through the system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they exist and are implemented.
Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While such manuals may tell you what the client intends to do, they don’t say what is done. In other words, they don’t answer the implementation question.
Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire.
Usually, audit walkthroughs are not sufficient as support for lower control risk assessments. If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t validate operating effectiveness. Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control for software. Why? Computer controls—usually—operate consistently.
The purpose of an audit walkthrough is to test for the existence and implementation of controls rather than operating effectiveness. Remember the following:
An auditor can determine implementation of controls with a test of one transaction. Effectiveness, on the other hand, usually requires sampling tests—e.g., test of 40 transactions for appropriate purchase orders.
There are three key procedures that auditors use in performing walkthroughs:
Inquiry alone is never sufficient in performing risk assessments. So we must marry inquiry with observation and inspection.
The use of the three procedures listed above will depend on the transaction cycle you are examining.
For example, in reviewing the debt cycle, you will usually focus on inquiry and inspection. Why? Well, legal agreements and approvals of debt transactions are key. So I might inspect the following (for example):
In examining the disbursement cycle, you will typically focus on inquiry, observation, and inspection. My questions might include:
As I inquire about the disbursement cycle, I also observe and inspect. Here are some procedures I might perform:
You may wonder, “How do I know which procedures to perform?” Ah, that’s the $10,000 question. Always ask, “What can go wrong?” and determine if a control is in place to lessen that threat. That question will drive your risk assessment. The diversity of accounting systems makes it all but impossible to create a checklist that covers all possible issues. What does this mean? You must use your judgment.
Always ask who performs the control procedures when key persons are out. Why? An unknown person might have the power to carry out the role. If someone else can—even though they don’t normally—perform a key control procedure, you need to know this. Why? Well, here’s an example of what can happen: If a third person usually does not issue checks but can and that person also reconciles the bank statement, he might issue fraudulent checks. Why? He knows his fraudulent checks will not be detected through the bank reconciliation control.
Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John is on vacation?”
We’ll continue our discussion about walkthroughs next week. I still need to answer the following questions:
If you have any questions about walkthroughs, please post them here, and I will try to respond. Also, please post any comments you have.
If you missed last week’s post about walkthroughs (Why Should Auditors Perform Audit Walkthroughs), check it out here.
The Accounting and Review Services Committee (ARSC) issued SSARS 22 Compilation of Pro Forma Financial Information. You may remember that ARSC did not address pro forma information in SSARS 21. SSARS 22 clarifies AR 120 Compilation of Pro Forma Information and codifies it as AR-C 120.
So what is pro forma information? It is a presentation that shows what the significant effects on historical financial information might have been had a consummated or proposed transaction (or event) occurred at an earlier date.
To understand SSARS 22, let’s answer a few questions.
Examples of pro forma information include presenting financial statements for the following:
Again we are providing financial information as though the transaction or event has–already–occurred.
In pro forma financial information, what should be disclosed?
Must the accountant consider his or her independence? Yes, since this is a compilation engagement. (Note: The preparation of the pro forma information is considered a nonattest service.)
Should the accountant perform acceptance and continuance procedures? Yes.
Is an engagement letter required? Yes, and it must be signed by the accountant’s firm and management or those charged with governance.
What compilation procedures should be performed?
Can the pro forma engagement be performed in conjunction with a compilation, review or an audit? Yes. Alternatively, the pro forma engagement can be performed separately.
What documentation is to be retained in the file?
Is a compilation report to be issued? Yes. (See sample report below.)
Is the accountant offering any assurance regarding the pro forma information? No.
Can the pro forma compilation report be added to the accountant’s report on historical financial statements? Yes. Alternatively, the pro forma compilation report can be presented separately.
What’s the effective date of SSARS 22? The standard is effective for compilation reports on pro forma financial information dated on or after May 1, 2017.
If you are not already providing pro forma information to clients, consider suggesting this service when appropriate. Clients may find pro forma information helpful in evaluating the potential sale of stock, the borrowing of funds for a project, or the sale of a part of the business.
Exhibit B of SSARS 22 provides the following sample compilation report on pro forma financial information:
Management is responsible for the accompanying pro forma condensed balance sheet of XYZ Company as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended (pro forma financial information), based on the criteria in Note 1. The historical condensed financial statements are derived from the financial statements of XYZ Company, on which I (we) performed a compilation engagement, and of ABC Company, on which other accountants performed a compilation engagement. The pro forma adjustments are based on management’s assumptions described in Note 1. I (We) have performed a compilation engagement in accordance with Statements on Standards for Accounting and Review Services promulgated by the Accounting and Review Services Committee of the AICPA. I (we) did not examine or review the pro forma financial information nor was (were) I (we) required to perform any procedures to verify the accuracy or completeness of the information provided by management. Accordingly, I (we) do not express an opinion, a conclusion, nor provide any form of assurance on the pro forma financial information.
The objective of this pro forma financial information is to show what the significant effects on the historical financial information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro forma condensed financial statements are not necessarily indicative of the results of operations or related effects on financial position that would have been attained had the above mentioned transaction (or event) actually occurred at such earlier date.
[Additional paragraph(s) may be added to emphasize certain matters relating to the compilation engagement or the subject matter.]
[Signature of accounting firm or accountant, as appropriate] [Accountant’s city and state]
[Date of the accountant’s report]
The Accounting and Review Services Committee of the AICPA has issued SSARS 22 Compilation of Pro Forma Information. The effective date of the standard is May 1, 2017.
In the coming days, I will provide a detailed post about this standard. A new compilation report and engagement letter (for pro forma financial statements) are included in SSARS 22.
Do you ever struggle with audit walkthroughs? Maybe you’re not sure what areas to review or how extensive your documentation should be. Possibly you’re not even sure how walkthroughs are helpful.
I hear some auditors protest that professional standards don’t require walkthroughs. Right, but we have an obligation to (annually) understand and corroborate controls, and I know of no better way to achieve this goal than walkthroughs.
Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of the genesis of the transaction and then each movement through the accounting system.
As we perform the walkthrough, we also:
By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors and fraud to occur. And audit standards do not permit the use of inquiries alone. Observations or inspections must occur.
Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. For more information, see my related post.
Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk—it’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated and too important. So there’s no getting around it. The walkthrough—or something like it—must be done, especially if you are mid- to upper-level auditors. Why? You’re developing your audit plan. Screw up the plan, and you screw up the audit.
What is the purpose of the walkthrough? Identification of risk. Once you know the risks, you know where to audit.
Too often auditors do the same as last year (SALY). And why do we do this?
First, it requires no thinking.
Second, out of fear. We think, “if the audit plan was appropriate last year, why would it not be this year?” In short, we believe it’s safe. After all, the engagement partner developed this approach seven years ago. But is it safe?
Suppose the accounts payable clerk realizes he can create fictitious vendors without notice, and his scheme allows him to steal over $10 million over a four-year period.
The audit firm has performed the engagement year after year using the same approach. On the planning side, the fraud inquiry and internal control documentation look the same. Walkthroughs have not been performed in the last five years.
On the substantive side, the auditor ties the payables detail to the trial balance. He conducts a search for unrecorded liabilities. He inquires about other potential liabilities. All, as he has done for years. Even so, in this year alone, the payables clerk walks away with $3 million—and the audit firm doesn’t know it.
Processes matter. And—for the auditor—understanding those processes is imperative.
I will say it again: we are looking for risk. Our audit opinion says that we examine the company’s internal controls to plan the audit. The opinion goes on to say that this review of controls is not performed to opine on the accounting system. So we are not testing to render an opinion on controls, but we are probing the accounting processes to identify weaknesses. And once we know where risks lie, we can focus on those areas.
Pick an audit file or two and review your internal control documentation. Have you corroborated your understanding of the controls by inquiring, inspecting, and observing the significant transaction cycles? Again walkthroughs are not technically required, but the corroboration of controls is. The walkthrough process is an effective way to achieve this objective.
This post is the first in a series about walkthroughs, so stay tuned. Next, we’ll look at how to perform walkthroughs.
At times, auditors errantly assess control risk at less than high. Why? Because we don’t test controls.
So can you assess control risk at high without testing controls? Yes.
We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the risk assessment standards term).
First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then we can assess control risk (CR) at whatever level we desire (if CR is below high, then controls must be tested to support the lower risk assessment).
At this point our assessment of control risk becomes a question of efficiency. We can:
The salient question is: which option is most efficient?
Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) simply allows us to see if particular controls are in place. They don’t, however, tell us if the controls are consistently working.
AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).
A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.
To test and rely on controls, the auditor should generally examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.
If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).
For example, if it takes six hours to test forty transactions for appropriate purchase orders and it takes four hours to simply vouch all additions to plant, property and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.
Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?
If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)
For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:
This approach yields a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform extensive procedures–meaning more substantive tests).
In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.
This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.
I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. Control tests must be performed if we assess control risk at less than high.
What are your thoughts about assessing control risk?
Date: October 4, 2016
Event: Georgia Government Finance Officers' Conference
Topic: Steal Like a Boss
Sponsor: Georgia Government Finance Officers
Venue: Evergreen Marriott Conference Resort, Stone Mountain GA
Insurance companies understand something that many CPAs do not. Pricing for risk.
Let’s consider the following bid situations.
1. The company is 30 years old and has had steady profits for the last decade. It is owned by two brothers who are compatible. The company has one loan for $5 million that requires an audit. Total assets are $500 million. The bookkeeper has been with the organization for twenty years, and the auditors have proposed less than three journal entries for the last five years. The year-end for the company is September 30, a time when the audit firm is moderately busy. Estimated time for the engagement is 200 hours.
2. This company is two years old and has total assets of $50 million. They’ve changed bookkeepers twice since the company started. The company has a line of credit for $5 million that is fully drawn and a long term loan for $25 million. Working capital is negative and cash flow from operations was negative ($5 million) in year two. The former auditors are not bidding on the engagement. The former auditors proposed forty-five journal entries. The year-end for the company is May 31, a time when the audit firm is not busy. Estimated time for the engagement is 200 hours.
Since the estimated time for the engagements is the same, should the fee be the same? No. And yet I have witnessed the bidding process long enough to know that at least one firm will discount the second engagement, possibly substantially. The audit firm desires the engagement because it fits their work calendar. It comes at a time when the audit firm is not busy. But does it make sense to discount high-risk work, even if it fits the calendar?
Discounting high-risk work creates two potential problems:
Some auditors will cut corners when faced with limited time budgets. Why? The engagement partner might push the audit team to stay within budget, even though he or she chose to discount the bid. The partner desires to make a profit even though the original thought was, “I’ll bid low so we’ll have something to do.” And when sufficient time is not invested in a high-risk engagement, litigation exposure increases.
So you decide to accept the high-risk engagement and the audit team delivers the discounted job within budget, but two years later your firm is slapped with a lawsuit. It seems the auditee was playing loose with the numbers, intentionally inflating numbers to satisfy the debt covenants (on the $25 million loan). The company did not make loan payments and the bank called the loan. The owners just walked away from their business leaving the keys with the bank—and you with a lawsuit. The bank believes it will suffer a loss of $7 million, and they are now looking to you to make up the difference.
Always risk-adjust your price—even if you don’t get the work. You need sufficient time to address the increased risks. Alternatively, walk away from the work. It may be the better part of wisdom.
Consider risk rating for all new work. You can use a scale as simple as one to five with five being high. Your firm might decide to never seek five-rated work, for example. If you decide to go after the high-risk work, consider adding a pricing premium. For five-rated engagements, you may choose to add 20%—for example—to your estimated time budget.
Think about your existing portfolio of work. Do you have any five-rated engagements? Might it be prudent to let one or two of those go? The continuance decision is just as important as acceptance. For more information about continuance decisions, click here.