How to Document Audit Walkthroughs

Part 3 - Documenting control weaknesses tells you where to audit

How do you document your audit walkthroughs? Is it better to use checklists, flowcharts or summarize narratively?

Audit Walkthroughs

Picture from

Documenting Your Audit Walkthroughs

While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my personal favorite is narrative mixed with screen shots. So how do I do this?

I determine the people involved in a transaction flow and schedule interviews with them. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes require several interviews. 

Sometimes I don’t know how each person’s work fits into the whole, so it’s like gathering puzzle pieces—at this stage, I am reaching for bits of the picture. The interviews and information may feel random, even confusing. But when you put the pieces together, you will see the picture—and that’s what we’re after, understanding the accounting system and control environment.

The Interview

I document the conversations using:

  • A Livescribe pen
  • My iPhone camera

Taking Notes

Using a Livescribe pen, I write notes and record the conversations.

I begin the interview by saying, “Tell me what you do and how you do it. Treat me like I know nothing. I want to hear all the particulars.” 

As I listen, I write general notes. The Livescribe pen records the audio which syncs with my written notes. Later the conversation can be played from the pen—more in a moment about how I use this tool. 

I find that most interviewees talk too fast—at least faster than I can write. And as I’m writing their last comment, they are moving to the next (and I fall behind). So I write simple words in my Livescribe notebook such as:

  • Add vendor
  • Charlie opens mail
  • P.O. issued by Purchasing
  • Checks signed by the computer

Later as I’m typing the narrative into Word, I touch the letter “A” in “Add vendor” with the tip of my pen. The touching of the letter “A” causes the pen to play the audio for that part of the conversation. Likewise touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play the discussion at that point. Since the audio syncs with my written notes, I can hear any part of the discussion by touching a letter with my pen.  

And since Livescribe captures the audio, I jot down words—such as “Add vendor”—so I can later retrieve particular parts of the interview.  These short phrases are markers for the audio and an outline of the conversation.

Taking Pictures

In addition to writing notes in my Livescribe notebook, I also take pictures with my iPhone. What am I taking snapshots of? Here are examples (from a payables interview):

  • Invoice with approver’s initials  
  • Screenshot of an invoice entry  
  • If several people are processing invoices, I take a group picture of them at their desks
  • A signed check 
  • The bank reconciliation 

So my inputs into the walkthrough document are as follows:

  • Livescribe notes and audio
  • Photos of documents and persons 

I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:

  • Narrative
  • Pictures
  • Control identification
  • Control weakness identification

Why identify control deficiencies in the walkthrough? So I can link them to the audit procedures to be performed—what audit standards refer to as “further audit procedures.” The weaknesses tell me where to conduct substantive procedures.

Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So at the top of the transaction cycle description, I name the persons I interview and the date of the conversation. For example:

Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2016. 

Identification of Controls and Control Weaknesses

I note appropriate controls as follows: 

Control: Additions of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.

I note control weaknesses as follows:

Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account. 

Response to Risks

The control weaknesses created by Johnny Mann’s performance of critical disbursement procedures increases the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:

  • Review one month’s cleared checks for propriety, examining the check signature and payee. 

How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate, particularly on those checks with Johnny’s signature.  

Communication of Control Weaknesses

Though this article focuses upon planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.

The bolded text (Control Weakness) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies in separate memos so I can track the disposition of each one. Ultimately each weakness is deemed a:

  1. Material weakness
  2. Significant deficiency, or
  3. Other weakness 

I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers). 

For more information about how to categorize control weaknesses, click here.

If you missed my first two walkthrough posts, see them here:

Why Should Auditors Perform Audit Walkthroughs?

How to Identify Risk of Material Misstatements with Walkthroughs

Click the pen below to see the Livescribe on Amazon.

How to Identify Risk of Material Misstatements with an Audit Walkthrough

Post 2 - Knowing what risk assessment procedures to use

While we know that an audit walkthrough is an excellent way to probe accounting systems for risk, many auditors aren’t sure how to use this procedure. I hear questions such as:

  • What is an audit walkthrough?
  • Will a walkthrough allow me to assess control risk at less than high?
  • What procedures should I perform?
  • How many procedures should I perform?
  • How can I document my walkthroughs?
  • Should I perform walkthroughs annually?
  • What transaction cycles merit walkthroughs?
Audit Walkthrough

Picture from

What is an Audit Walkthrough?

An audit walkthrough is the tracking of a transaction through an accounting system while examining related controls. The purpose of the audit walkthrough is to see if controls exist and are in use (or, as the audit standards say, “implemented”). The results of our risk assessment procedures will illuminate the weaknesses in the accounting system.  And we use this information about risk to create our audit plan.

So we do the following:

  1. Identify risk
  2. Assess risk
  3. Create an audit plan to address risk

Walkthroughs fall in the “identify risk” category, and, consequently, are done early in the audit process.

What is not a Walkthrough?

Following a transaction through the system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they exist and are implemented. 

Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While such manuals may tell you what the client intends to do, they don’t say what is done. In other words, they don’t answer the implementation question.

Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire.

Will Audit Walkthroughs Allow a Lower Control Risk Assessment?

Usually, audit walkthroughs are not sufficient as support for lower control risk assessments. If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t validate operating effectiveness. Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control for software. Why? Computer controls—usually—operate consistently.

The purpose of an audit walkthrough is to test for the existence and implementation of controls rather than operating effectiveness. Remember the following:

  • Focus on implementation of controls — During risk assessment
  • Focus on effectiveness of controls — When testing controls to support lower control risk

An auditor can determine implementation of controls with a test of one transaction. Effectiveness, on the other hand, usually requires sampling tests—e.g., test of 40 transactions for appropriate purchase orders.

What Procedures and How Many Should I Perform?

There are three key procedures that auditors use in performing walkthroughs:

  1. Inquiry
  2. Observation
  3. Inspection

Inquiry alone is never sufficient in performing risk assessments. So we must marry inquiry with observation and inspection. 

The use the three procedures listed above will depend on the transaction cycle you are examining.

Debt Cycle Example

For example, in reviewing the debt cycle, you will usually focus on inquiry and inspection. Why? Well, legal agreements and approvals of debt transactions are key. So I might inspect the following (for example):

  • Debt agreement
  • Minutes showing approval of the debt
  • Approvals of debt service payments

Disbursement Cycle Example

In examining the disbursement cycle, you will typically focus on inquiry, observation, and inspection. My questions might include:

  • How are purchase orders issued?
  • What persons issue purchase orders?
  • Who receives invoices?
  • What persons approve the payments?
  • Are checks signed physically or electronically and by whom?
  • Who reconciles the bank statements?
  • What persons monitor aged payables (and how)?

As I inquire about the disbursement cycle, I also observe and inspect. Here are some procedures I might perform:

  • Examine I.T. lists of who can add vendors to the system
  • Inspect a purchase order to see who approves it
  • Observe who issues the purchase order (multiple people might release P.O.s)
  • Inspect an invoice for initials of a department head as approval for payment
  • Observe who is receiving and approving the invoices
  • Watch the processing of a check batch (I want to know who can sign checks)
  • Inspect aged accounts payable detail and one bank reconciliation to determine who reconciles the payables total and bank account to the general ledger

Knowing Which Procedures to Use

You may wonder, “How do I know which procedures to perform?” Ah, that’s the $10,000 question. Always ask, “What can go wrong?” and determine if a control is in place to lessen that threat. That question will drive your risk assessment. The diversity of accounting systems makes it all but impossible to create a checklist that covers all possible issues. What does this mean? You must use your judgment.

Look Beyond the Normal Client Procedures

Always ask who performs the control procedures when key persons are out. Why? An unknown person might have the power to carry out the role. If someone else can—even though they don’t normallyperform a key control procedure, you need to know this. Why? Well, here’s an example of what can happen: If a third person usually does not issue checks but can and that person also reconciles the bank statement, he might issue fraudulent checks. Why? He knows his fraudulent checks will not be detected through the bank reconciliation control.

Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John in on vacation?”

More Answers Next Week

We’ll continue our discussion about walkthroughs next week. I still need to answer the following questions:

  • How can I document my walkthroughs?
  • Should I perform walkthroughs annually?
  • What transaction cycles merit walkthroughs?

If you have any questions about walkthroughs, please post them here, and I will try to respond. Also, please post any comments you have.

If you missed last week’s post about walkthroughs (Why Should Auditors Perform Audit Walkthroughs), check it out here. Subscribe to my blog to receive weekly updates. 

Are You Up to Speed on the New Pro Forma Information Standard?

Providing "What if?" information to clients can be helpful

The Accounting and Review Services Committee (ARSC) issued SSARS 22 Compilation of Pro Forma Financial Information. You may remember that ARSC did not address pro forma information in SSARS 21. SSARS 22 clarifies AR 120 Compilation of Pro Forma Information and codifies it as AR-C 120.

Pro Forma Information

So what is pro forma information? It is a presentation that shows what the significant effects on historical financial information might have been had a consummated or proposed transaction (or event) occurred at an earlier date.

Pro Forma Information

Picture from

To understand SSARS 22, let’s answer a few questions.

Examples of Pro Forma Information

Examples of pro forma information include presenting financial statements for the following:

  • Business combinations
  • The selling of a significant part of a business
  • A change in the capitalization of an entity

Again we are providing financial information as though the transaction or event has–already–occurred.

Required Disclosures

In pro forma financial information, what should be disclosed?

  • A description of the transaction (or event) that is reflected in the presentation
  • The date on which the transaction (or event) is assumed to occur
  • The financial reporting framework
  • The source of the financial information
  • The significant assumptions used
  • Any significant uncertainties about those assumptions
  • A statement that the pro forma information should be read in conjunction with the related historical information and that the pro forma information is not necessarily indicative of the results that would have been attained had the transaction (or event) actually taken place


Must the accountant consider his or her independence? Yes, since this is a compilation engagement. (Note: The preparation of the pro forma information is considered a nonattest service.)

Acceptance and Continuance

Should the accountant perform acceptance and continuance procedures? Yes.

Engagement Letter

Is an engagement letter required? Yes, and it must be signed by the accountant’s firm and management or those charged with governance.

Compilation Procedures

What compilation procedures should be performed?

  • Read the pro forma financial information to determine if it is appropriate in form and free from obvious material misstatement
  • Obtain an understanding of the underlying transaction or event (that the pro forma information is based upon)
  • Determine that management includes:
    • Complete financial statements for the most recent year (or from the preceding year if financial statements for the most recent year are not yet available) or make such financial statements readily available (e.g., post on a public website)
    • If pro forma financial information is presented for an interim period, either historical interim financial information for that period (which may be in condensed form) or make such interim information readily available
    • For business combinations, the relevant financial information for the significant parts of the combined entity
  • Determine that the information in the preceding bullet has been subjected to a compilation, review or an audit
  • Determine that the compilation, review or audit report on the historical information is included in any document containing the  pro forma financial information (or made readily available such as on a public website)
  • Determine whether the significant assumptions and uncertainties are disclosed
  • Determine whether the source of the historical financial information on which the pro forma information is based is appropriately identified

Pro Forma in Conjunction with Other Services

Can the pro forma engagement be performed in conjunction with a compilation, review or an audit? Yes. Alternatively, the pro forma engagement can be performed separately.

Required Documentation

What documentation is to be retained in the file?

  • Engagement letter
  • The results of procedures performed
  • Copy of the pro forma financial information
  • Copy of the accountant’s compilation report

Compilation Report Required

Is a compilation report to be issued? Yes. (See sample report below.)

Is the accountant offering any assurance regarding the pro forma information? No.

Can the pro forma compilation report be added to the accountant’s report on historical financial statements? Yes. Alternatively, the pro forma compilation report can be presented separately.

Effective Date of SSARS 22

What’s the effective date of SSARS 22? The standard is effective for compilation reports on pro forma financial information dated on or after May 1, 2017.

Potential New Service for Your Clients

If you are not already providing pro forma information to clients, consider suggesting this service when appropriate. Clients may find pro forma information helpful in evaluating the potential sale of stock, the borrowing of funds for a project, or the sale of a part of the business.

Sample SSARS 22 Compilation Report

Exhibit B of SSARS 22 provides the following sample compilation report on pro forma financial information:

Management is responsible for the accompanying pro forma condensed balance sheet of XYZ Company as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended (pro forma financial information), based on the criteria in Note 1. The historical condensed financial statements are derived from the financial statements of XYZ Company, on which I (we) performed a compilation engagement, and of ABC Company, on which other accountants performed a compilation engagement. The pro forma adjustments are based on management’s assumptions described in Note 1. (We) have performed a compilation engagement in accordance with Statements on Standards for Accounting and Review Services promulgated by the Accounting and Review Services Committee of the AICPA. I (we) did not examine or review the pro forma financial information nor was (were) I (we) required to perform any procedures to verify the accuracy or completeness of the information provided by management. Accordingly, I (we) do not express an opinion, a conclusion, nor provide any form of assurance on the pro forma financial information.

The objective of this pro forma financial information is to show what the significant effects on the historical financial information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro forma condensed financial statements are not necessarily indicative of the results of operations or related effects on financial position that would have been attained had the above mentioned transaction (or event) actually occurred at such earlier date.

[Additional paragraph(s) may be added to emphasize certain matters relating to the compilation engagement or the subject matter.]

[Signature of accounting firm or accountant, as appropriate] [Accountant’s city and state]
[Date of the accountant’s report]

SSARS 22 Compilation of Pro Forma Infomation

The Accounting and Review Services Committee of the AICPA has issued SSARS 22 Compilation of Pro Forma Information. The effective date of the standard is May 1, 2017.

In the coming days, I will provide a detailed post about this standard. A new compilation report and engagement letter (for pro forma financial statements) are included in SSARS 22.

Why Should Auditors Perform Audit Walkthroughs?

Post 1 - Why are walkthroughs important and are they required?

Do you ever struggle with audit walkthroughs? Maybe you’re not sure what areas to review or how extensive your documentation should be. Possibly you’re not even sure how walkthroughs are helpful.

Audit Walkthroughs

Picture is from

I hear some auditors protest that professional standards don’t require walkthroughs. Right, but we have an obligation to (annually) understand and corroborate controls, and I know of no better way to achieve this goal than walkthroughs.

What are Walkthroughs?

Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding the genesis of the transaction and then each movement through the accounting system.

As we perform the walkthrough, we also:

  • Make inquiries
  • Inspect documents
  • Make observations

By asking questions, inspecting documents, making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors and fraud to occur. And audit standards do not permit the use of inquiries alone. Observations or inspections must occur.

Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. For more information, see my related post.

Why Audit Walkthroughs?

Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk—it’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated and too important. So there’s no getting around it. The walkthrough—or something like it—must be done, especially if you are mid- to upper-level auditors. Why? You’re developing your audit plan. Screw up the plan, and you screw up the audit.

What is the purpose of the walkthrough? Identification of risk. Once you know the risks, you know where to audit.

Too often auditors do the same as last year (SALY). And why do we do this?

First, it requires no thinking.

Second, out of fear. We think, “if the audit plan was appropriate last year, why would it not be this year?” In short, we believe it’s safe. After all, the engagement partner developed this approach seven years ago. But is it safe?

Why SALY is Dangerous

Suppose the accounts payable clerk realizes he can create fictitious vendors without notice, and his scheme allows him to steal over $10 million over a four-year period.

The audit firm has performed the engagement year after year using the same approach. On the planning side, the fraud inquiry and internal control documentation look the same. Walkthroughs have not been performed in the last five years.

On the substantive side, the auditor ties the payables detail to the trial balance. He conducts a search for unrecorded liabilities. He inquires about other potential liabilities. All, as he has done for years. Even so, in this year alone, the payables clerk walks away with $3 million—and the audit firm doesn’t know it.

Processes matter. And—for the auditor—understanding those processes is imperative.

Why Walkthroughs?

I will say it again: we are looking for risk. Our audit opinion says that we examine the company’s internal controls to plan the audit. The opinion goes on to say that this review of controls is not performed to opine on the accounting system. So we are not testing to render an opinion on controls, but we are probing the accounting processes to identify weaknesses. And once we know where risks lie, we can focus in those areas.

Check Your Work Papers for Audit Walkthroughs

Pick an audit file or two and review your internal control documentation. Have you corroborated your understanding of the controls by inquiring, inspecting, and observing the significant transaction cycles? Again walkthroughs are not technically required, but the corroboration of controls is. The walkthrough process is an  effective way to achieve this objective.

This post is the first in a series about walkthroughs, so stay tuned. Next, we’ll look at how to perform walkthroughs.

Assessing Audit Control Risk at High (and Saving Time)

You can assess control risk at high

At times, auditors errantly assess control risk at less than high. Why? Because we don’t test controls.

So can you assess control risk at high without testing controls? Yes.

We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the risk assessment standards term).

Assessing control risk at high

Picture is from

Assessing Control Risk at High

First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then we can assess control risk (CR) at whatever level we desire (if CR is below high, then controls must be tested to support the lower risk assessment).

The Efficiency Decision

At this point our assessment of control risk becomes a question of efficiency. We can:

  1. Assess control risk at high and not perform additional tests of controls, or
  2. Assess control risk at low to moderate and test the operating effectiveness of controls

The salient question is: which option is most efficient?

Risk Assessment Procedures

Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) simply allows us to see if particular controls are in place. They don’t, however, tell us if the controls are consistently working.

Testing Controls

AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).

A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.

Back to the Efficiency Issue


To test and rely on controls, the auditor should generally examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.

If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).

For example, if it takes six hours to test forty transactions for appropriate purchase orders and it takes four hours to simply vouch all additions to plant, property and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.

Reducing Substantive Tests (Without Testing Controls)

Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?


If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)

For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:

 IR         CR         RMM            Audit Approach
Low X High = Moderate              Basic

This approach yields a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform extensive procedures–meaning more substantive tests).

In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.

This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.


I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. Control tests must be performed if we assess control risk at less than high.

What are your thoughts about assessing control risk?

I will be speaking at the Georgia Government Finance Officers’ Conference on October 4, 2016. My presentation is titled “Steal Like a Boss,” a tongue-in-cheek view of how fraudsters think and act. Hope to see you there.

Date: October 4, 2016
Time: 2:20 p.m.
Event: Georgia Government Finance Officers' Conference
Topic: Steal Like a Boss
Sponsor: Georgia Government Finance Officers
Venue: Evergreen Marriott Conference Resort | Stone Mountain GA
Public: Public

Why Pricing for Risk is So Important

Why discounting bids harms CPA firms

Insurance companies understand something that many CPAs do not. Pricing for risk.

Pricing for Risk

Picture is from

Pricing for Risk

Let’s consider the following bid situations.

1. The company is 30 years and has had steady profits for the last decade. It is owned by two brothers who are compatible. The company has one loan for $5 million that requires an audit. Total assets are $500 million. The bookkeeper has been with the organization for twenty years, and the auditors have proposed less than three journal entries for the last five years. The year-end for the company is September 30, a time when the audit firm is moderately busy. Estimated time for the engagement is 200 hours.

2. This company is two years old and has total assets of $50 million. They’ve changed bookkeepers twice since the company started. The company has a line of credit for $5 million that is fully drawn and a long term loan for $25 million. Working capital is negative and cash flows from operations was negative ($5 million) in year two. The former auditors are not bidding on the engagement. The former auditors proposed forty-five journal entries. The year-end for the company is May 31, a time when the audit firm is not busy. Estimated time for the engagement is 200 hours.

Since the estimated time for the engagements is the same, should the fee be the same? No. And yet I have witnessed the bidding process long enough to know that at least one firm will discount the second engagement, possibly substantially. The audit firm desires the engagement because it fits their work calendar. It comes at a time when the audit firm is not busy. But does it make sense to discount high-risk work, even if it fits the calendar?

Discounting high-risk work creates two potential problems:

  • Sufficient time is not invested
  • Litigation exposure increases

Sufficient Time is Not Invested

Some auditors will cut corners when faced with limited time budgets. Why? The engagement partner might push the audit team to stay within budget, even though he or she chose to discount the bid. The partner desires to make a profit even though the original thought was, “I’ll bid low so we’ll have something to do.” And when sufficient time is not invested in a high-risk engagement, litigation exposure increases.

Litigation Exposure Increases

So you decide to accept the high-risk engagement and the audit team delivers the discounted job within budget, but two years later your firm is slapped with a lawsuit. It seems the auditee was playing loose with the numbers, intentionally inflating numbers to satisfy the debt covenants (on the $25 million loan). The company did not make loan payments and the bank called the loan. The owners just walked away from their business leaving the keys with the bank—and you with a lawsuit. The bank believes it will suffer a loss of $7 million, and they are now looking to you to make up the difference.

Price for Risk Regardless

Always increase risk-adjust your price—even if you don’t get the work. You need sufficient time to address the increased risks. Alternatively, walk away from the work. It may be the better part of wisdom.

Rating New Work

Consider risk rating for all new work. You can use a scale as simple as one to five with five being high. Your firm might decide to never seek five-rated work, for example. If you decide to go after the high-risk work, consider adding a pricing premium. For five-rated engagements, you may choose to add 20%—for example—to your estimated time budget.

Think about your existing portfolio of work. Do you have any five-rated engagements? Might it be prudent to let one or two of those go? The continuance decision is just as important as acceptance. For more information about continuance decisions, click here.