Deferred Taxes to Be Shown as Noncurrent on Classified Statement of Financial Position

Current U.S. GAAP requires that deferred taxes be separated as current and noncurrent

On November 20, 2015, the FASB issued Accounting Standards Update (ASU) 2015-17, Income Taxes (Topic 740): Balance Sheet Classification of Deferred Taxes.

Current U.S. GAAP requires entities to separate deferred income tax liabilities and assets into current and noncurrent on a classified statement of financial position. ASU 2015-17 directs that deferred income tax liabilities and assets be shown as noncurrent (alone).

Current GAAP requires the netting of current deferred tax assets and liabilities as one number and the netting of noncurrent tax assets and liabilities as a second number–provided they relate to one taxing jurisdiction (federal taxes are not netted with state taxes, for example). The new standard will require the netting to be presented as a noncurrent number.

Effective Dates

Effective dates are as follows:

  • Public business entities – Fiscal years beginning after December 15, 2016, including interim periods within those fiscal years
  • All other entities – Fiscal years beginning after December 15, 2017, and interim periods within fiscal years beginning after December 15, 2018
  • Early application is permitted

Application

The standards can be applied as follows:

  • Prospectively to all deferred tax liabilities and assets, or
  • Retrospectively to all periods presented

If prospectively applied, then disclose the change in accounting principle and the fact that prior periods were not adjusted.

If retrospectively applied, then disclose the change in accounting principle and quantitative effects of the accounting change on prior periods.

The full standard can be seen here.

Finding Gold for Management Letters

One simple step can provide you with loads of great ideas

We auditors love to provide extra value to our clients. How? Many times we do so in management letters.

But have you ever come to the close of your audit and had no ideas? Maybe you’ve heard your audit team say, “hey, what should we include in the management letter?” A better alternative would be to hear, “man, I have so many great recommendations, I’m not sure which to use.” Having numerous ideas is a possibility if we know where to look.

Nuggets of gold lie along our audit path. But how do we find them?

Picture is courtesy of DollarPhotoClub.com.

Picture is courtesy of DollarPhotoClub.com.

I’m not sure why, but many companies do not ask their employees for new ideas. If they did, they might find a goldmine. So if management isn’t digging up those particular elements, shouldn’t we? (And you can do so with one easy step.)

While performing walkthroughs (a risk assessment procedure performed early in the audit), ask each interviewee, “if you had a magic wand and could wave it over your department, what one thing would you change?” You’ll get great ideas, and the person providing the information will be glad that someone is listening to and valuing their ideas. Then summarize those nuggets of wisdom in your audit file (near the location of your management letter). While you may not use every suggestion, assay each thought and consider it’s value. 

Doesn’t it make sense that my client’s staff would possess better ideas than me? After all, they are there every day, and many have worked with the client for years. I’m only there a few days, so my inside knowledge is limited. By asking for my client’s ideas, I am just tapping into the latent knowledge and expressing it in the management letter.   

Try this, and I promise, you’ll strike gold.

Risk of Material Misstatement: How to Assess

Part 5: Appropriate risk assessments can put dollars in your pocket and result in higher quality audits

How do you assess the risk of material misstatement? How do you know when to assess inherent risk at high (or low)? Can you assess control risk at high for all assertions? What are significant risks? These are common questions about the risk assessment process.

Audit Risk Assessment

Picture is courtesy of DollarPhotoClub.com

Today we’ll discuss how auditors assess and document risk. We’ll cover:

  • Financial statement level risk
  • Transaction level risk
  • Risk of material misstatement
  • Inherent risk
  • Control risk

Understanding these concepts will put money in your pocket and will result in higher quality audits.

Financial Statement Level Risk

Before picking our audit team, we need a general understanding of the entity.

We must understand the business and its control environment to determine risks at the financial statement level (I think of this as the overall risk). The overall risk will dictate our broader responses such as who the audit team will be.

Consider whether the entity has:

  • Complex transactions
  • Related party transactions
  • New accounting pronouncements
  • Profit pressures
  • Problem vendor relationships
  • Going concern issues
  • Potential debt covenants violations
  • Cash flow problems

We also need to consider the risk of management override. This threat is always a possibility. If management is playing on the edges, consider how you will add muscle and insight to your audit team—or whether you should even perform the engagement.

Keep this thought in mind when considering financial statement level risk assessment: greater overall threats call for a stronger audit team.

Transaction Level Risks

In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries, and planning analytics. The information gained from those steps is the basis for assessing risk at the transaction level.

Should the transaction risk assessment be performed at the assertion level or for the transaction cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be documented.

If we assess our risk of material misstatement at high for payables (as a whole), what are we saying? That further audit procedures are necessary for all assertions. If we assess risk at high for all payable assertions, and we don’t perform audit procedures in response to the (high) risk assessment, we create an incongruity. We are saying that risk is high for all assertions, but our responses don’t agree.

Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically proposed significant journal entries to record additional payables, maybe the risk of material misstatement for the completeness assertion is high. Our audit procedures will include a search for unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit standards refer to as linkage). The remaining accounts payable assertions could possibly be assessed at low.

Risk of Material Misstatement

We can express the risk of material misstatement (RMM) as:

RMM = Inherent Risk X Control Risk 

While audit standards don’t require that we assess inherent risk and control risk separately, it’s helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.

Inherent Risk

So what is inherent risk? My simple definition is the risk that exists when no controls are present. (We are not saying controls don’t exist, just that we are disregarding them as we measure inherent risk.) 

Inherent risk can be a function of:

  • The complexity of the transaction (e.g., derivatives are harder to understand)
  • The nature of the financial statement item (e.g., cash is liquid and subject to theft)
  • The experience and knowledge of the client’s accounting personnel
  • Past audit issues in the area
  • The volume of transactions

As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur assuming there are no related controls?”

Some areas are so risky that the audit standards refer to them as significant risks. These areas require special audit consideration. Significant risks relate to transactions that are complex, nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to complexity—demands extra scrutiny. The inherent risk in such areas will always be high.

Now, let’s marry inherent risk with control risk so we can determine our risk of material misstatement.

Control Risk

For audits of smaller entities, control risk is often assessed at high—across the board. Why? To save time. While control risk can’t be assessed at high before performing our risk assessment procedures, we can do so afterward

Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures are still required.)

If control risk is assessed at less than high, the auditor is required to test controls to support the lower risk assessment. It may be more economical to perform substantive procedures rather than testing controls. We might, for example, be able to vouch all of the additions to property and equipment in less time than it takes to test the related controls. If this is true, we will opt to use a substantive approach (vouching all significant additions to invoices), and we will assess control risk at high.

Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is low—even if your control risk is high. How? Consider the following equation.

Risk of Material Misstatement Formula

IR (low) X CR (high) = RMM (low or moderate)

What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also, you may not need to perform any substantive procedures–depending on your final RMM for the area.

As an example of how this works, think about a low inherent risk assessment regarding plant, property, and equipment. 

  • What’s the inherent risk related to the existence of your client’s main office building? Low. 
  • If your client has no controls related to the existence of the building, would the lack of controls have any bearing on the overall RMM? No. 
  • Do you need to test any controls? No. 
  • Do you need to perform any substantive procedures? No.
  • Do you need any substantive audit steps (concerning the building) in your audit program? Probably not. The RMM is low, so you don’t need to do anything (other than document your risk assessment). 

Call to Action

Consider reviewing your risk assessments, and see if some of the inherent risk assessments will allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.

This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.

If you have suggestions for other posts, please leave a comment with your idea. Thanks.

How to Prevent Payroll Fraud

Here are steps to stop payroll fraud in its tracks

Direct deposit of payroll checks can open the door to theft. Also when one person is in control of payroll processes, danger lurks.

Picture is courtesy of DollarPhotoClub.com

Picture is courtesy of DollarPhotoClub.com

I was teaching a fraud prevention class this past Friday, and one of the participants, a school payroll clerk named Dawn, asked me to address how fraud might occur in her department. So I asked her a series of questions.

“Does your school use direct deposit?” She answered yes.

“Do you fully control the issuance of W-2s?” Dawn said yes.

“Who adds the direct deposit information to your payroll software?” She answered, “I do.”

“Can anyone else change the direct deposit file?” Her answer was no.

“Who controls the master pay rate file?” Here again, she was the only one who had rights to this payroll function.

Then I asked Dawn if she reconciles the bank statement. She said that Randy, a gentleman sitting in front of her, reconciles the account. I was also told that they have hundreds of employees.

How Can Dawn Steal?

I told the class that a person in Dawn’s position could steal in multiple ways. Here are a few:

  • She can leave a terminated employee on the payroll and change that person’s bank account number to her own, allowing her to receive all payroll payments for the discontinued staff member. She can also alter the related W-2s to cover her tracks.
  • She can change the master pay rate of any employee, including herself.
  • She can inflate the hours worked for any employee.

How to Lessen Payroll Theft

After pointing out the flaws in internal control, I asked the class how they would reduce these threats. Angela (another student) sang out: “Create transparency by allowing another person to review or see what the payroll clerk is doing.” (This made me smile since I had been preaching this idea all morning.)

To lessen the threat of fraud, always ask, “how can I create transparency?” The answer will almost always involve allowing another individual to monitor the work of the primary persons in the process. And I am not proposing that this observing person be present 24/7—just that she periodically review the activity of the primary person (e.g., payroll clerk). 

The monitoring person can be someone that works with the entity or someone from the outside (e.g., external CPA). Here are sample fraud prevention measures for the above-described threats:

  • Download all the payroll records, including each employee and direct deposit bank account number; sort for identical bank account numbers (a same bank account number may mean that a terminated employee was left on the payroll, and their deposits are being routed to another person such as the payroll clerk)
  • Have someone (other than the payroll clerk) pull the payroll personnel files for twenty employees and then compare the authorized pay rates (in the personnel file) to the payroll master file (in the software); tell the payroll clerk that this procedure will occur with some frequency and will happen without notice
  • For hourly employees, have someone (other than the payroll clerk) pull the reported hours for two departments and review for appropriateness; inquire of the department head regarding any higher-than-normal hours
  • Examine the W-2s of the payroll personnel
  • Print a budget to actual salary report or a current year/prior year comparison of wages; provide the same to the governing body
  • Report findings from these procedures to the governing body; do this at least once per year (regularity makes the payroll personnel think twice about theft)

Take Away

By the way, the payroll clerk was the only person with access to the payroll master file. This is not necessarily a bad thing. You want to limit the number of persons with access to payroll master file, but a second person should monitor the payroll clerk’s inputs into the payroll software.

So what can you do in light of the above recommendations? Think about your own payroll system. Are there any potential threats to your payroll system?

If you’ve seen payroll fraud, please share a comment about how it happened.

How’s Your Brainstorming and Linkage?

Part 4: How can brainstorming result in better audits? How are we to link identified risks to our audit plans?

You’ve performed your risk assessment procedures, and now it’s time to consider the information you’ve obtained. What are your walkthroughs telling you? Are any variances in your planning analytics begging for attention? What about your fraud inquiries? Are they pointing you in a particular direction?

Now that you see the weaknesses in controls, and you know where your client is most likely to make mistakes, you can plan to address those areas where the risk of material misstatement is most likely to occur.

But before we plan, we need to brainstorm.

Picture is courtesy of DollarPhotoClub.com

Picture is courtesy of DollarPhotoClub.com

Brainstorming

Section 315 of the audit standards requires a discussion among the key engagement team members, including the engagement partner. This discussion is to include an exchange of ideas, often referred to as brainstorming, about where the financial statements might possess a risk of material misstatement due to fraud.

So when should the brainstorming session occur? Logically the “exchange of ideas” follows your risk assessment procedures.

The overall audit sequence is as follows:

  1. We gather information using risk assessment procedures
  2. We discuss the identified risk
  3. We plan our responses

In military battles, soldiers do this same thing. The army sends reconnaissance troops to check the lay of the land and to see where the enemy might lie. Why? To determine how the infantry can move forward most effectively and with the least risk. So soldiers gather information (risk assessment) prior to discussing how to respond (brainstorming). The discussion leads to a battle plan (in our world, the audit plan)

Can you imagine soldiers going into battle without surveying the land and discussing the plan of attack? Yet this what auditors do when we default to a standard audit program. Continuing with the battle analogy, does it make sense to use the same battle plan for every encounter? (We have met the enemy, and he is us.)

Once we discuss the entity’s risks, we know what our greatest threats are.

A Threat

In my last post, I provided an example internal control weakness identified in a walkthrough of accounts payable:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have checks sent to that vendor without anyone else’s involvement.

What’s the threat? Judy can create a fictitious vendor and send checks to herself or an accomplice.

The Response

And what can we do about the risk?

We can print a list of vendors added during the last year and have another person review the list for appropriateness. That other person might be the owner of a small business, a board member in a nonprofit, or the purchasing director in a government. We want a person in the know to review the list for improprieties. Alternatively, we can data mine the vendor addresses for a match with Judy’s home address. There are many ways to address this threat, but my point here is that we need to link our procedures with our identified risk. 

Think of the risk assessment process in the following manner:

  1. We perform risk assessment procedures
  2. We assess our risks
  3. We create responses to the identified risks

If we don’t perform risk assessment procedures such as walkthroughs, we may not be aware of risks. If we don’t assess our risks, we may not know what threats are most important. And if we don’t create responses (alter our standard audit plan), then what’s the point of risk assessment? (Surely not to please our peer reviewer.)

Auditing is a holistic art, not a science. Are there formulas? Yes, but if we audit in a formulaic manner (alone), we will miss critical pieces in developing our audit plan. Practice aids (forms) can’t think for us. So I encourage you to use your audit forms, but at some stage, it is good to push them aside and ask:

  • Am I connecting the dots (understanding the client and the risks inherent in their accounting system)?
  • Am I determining which risks are most threatening?
  • Am I creating responses that sufficiently reduce the risk of material misstatement?

My Next Post

Well, we’ve covered much of the risk assessment process, but I still want to take a deeper dive concerning assessing risk at the assertion level and the financial statement level. I’ll do that in my next post in this series.

What can you take away from the above post? Think about your last three audits. After you performed your risk assessment procedures, consider how you altered your audit plan. Do you feel like there is an appropriate linkage between your risk assessment procedures and your audit plan? Are there ways to improve the process?