SSARS 23 Expands Application of Preparation, Compilation Standards — Journal of Accountancy — article
Fraud Risk Management Guide — COSO — book
Report to the Nations — ACFE — fraud survey
How do you document your audit walkthroughs? Is it better to use checklists, flowcharts or summarize narratively?
While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my personal favorite is narrative mixed with screen shots. So how do I do this?
I determine the people involved in a transaction flow and schedule interviews with them. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes require several interviews.
Sometimes I don’t know how each person’s work fits into the whole, so it’s like gathering puzzle pieces—at this stage, I am reaching for bits of the picture. The interviews and information may feel random, even confusing. But when you put the pieces together, you will see the picture—and that’s what we’re after, understanding the accounting system and control environment.
I document the conversations using:
Using a Livescribe pen, I write notes and record the conversations.
I begin the interview by saying, “Tell me what you do and how you do it. Treat me like I know nothing. I want to hear all the particulars.”
As I listen, I write general notes. The Livescribe pen records the audio which syncs with my written notes. Later the conversation can be played from the pen—more in a moment about how I use this tool.
I find that most interviewees talk too fast—at least faster than I can write. And as I’m writing their last comment, they are moving to the next (and I fall behind). So I write simple words in my Livescribe notebook such as:
Later as I’m typing the narrative into Word, I touch the letter “A” in “Add vendor” with the tip of my pen. The touching of the letter “A” causes the pen to play the audio for that part of the conversation. Likewise touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play the discussion at that point. Since the audio syncs with my written notes, I can hear any part of the discussion by touching a letter with my pen.
And since Livescribe captures the audio, I jot down words—such as “Add vendor”—so I can later retrieve particular parts of the interview. These short phrases are markers for the audio and an outline of the conversation.
In addition to writing notes in my Livescribe notebook, I also take pictures with my iPhone. What am I taking snapshots of? Here are examples (from a payables interview):
So my inputs into the walkthrough document are as follows:
I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:
Why identify control deficiencies in the walkthrough? So I can link them to the audit procedures to be performed—what audit standards refer to as “further audit procedures.” The weaknesses tell me where to conduct substantive procedures.
Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So at the top of the transaction cycle description, I name the persons I interview and the date of the conversation. For example:
Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2016.
I note appropriate controls as follows:
Control: The addition of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.
I note control weaknesses as follows:
Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account.
The control weaknesses created by Johnny Mann’s performance of critical disbursement procedures increase the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:
How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate, particularly on those checks with Johnny’s signature.
Though this article focuses upon planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.
The bolded text (Control Weakness) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies in separate memos so I can track the disposition of each one. Ultimately each weakness is deemed a:
I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers).
While we know that an audit walkthrough is an excellent way to probe accounting systems for risk, many auditors aren’t sure how to use this procedure. I hear questions such as:
An audit walkthrough is the tracking of a transaction through an accounting system while examining related controls. The purpose of the audit walkthrough is to see if controls exist and are in use (or, as the audit standards say, “implemented”). The results of our risk assessment procedures will illuminate the weaknesses in the accounting system. And we use this information about risk to create our audit plan.
So we do the following:
Walkthroughs fall in the “identify risk” category, and, consequently, are done early in the audit process.
Following a transaction through the system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they exist and are implemented.
Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While such manuals may tell you what the client intends to do, they don’t say what is done. In other words, they don’t answer the implementation question.
Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire.
Usually, audit walkthroughs are not sufficient as support for lower control risk assessments. If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t validate operating effectiveness. Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control for software. Why? Computer controls—usually—operate consistently.
The purpose of an audit walkthrough is to test for the existence and implementation of controls rather than operating effectiveness. Remember the following:
An auditor can determine implementation of controls with a test of one transaction. Effectiveness, on the other hand, usually requires sampling tests—e.g., test of 40 transactions for appropriate purchase orders.
There are three key procedures that auditors use in performing walkthroughs:
Inquiry alone is never sufficient in performing risk assessments. So we must marry inquiry with observation and inspection.
The use of the three procedures listed above will depend on the transaction cycle you are examining.
For example, in reviewing the debt cycle, you will usually focus on inquiry and inspection. Why? Well, legal agreements and approvals of debt transactions are key. So I might inspect the following (for example):
In examining the disbursement cycle, you will typically focus on inquiry, observation, and inspection. My questions might include:
As I inquire about the disbursement cycle, I also observe and inspect. Here are some procedures I might perform:
You may wonder, “How do I know which procedures to perform?” Ah, that’s the $10,000 question. Always ask, “What can go wrong?” and determine if a control is in place to lessen that threat. That question will drive your risk assessment. The diversity of accounting systems makes it all but impossible to create a checklist that covers all possible issues. What does this mean? You must use your judgment.
Always ask who performs the control procedures when key persons are out. Why? An unknown person might have the power to carry out the role. If someone else can—even though they don’t normally—perform a key control procedure, you need to know this. Why? Well, here’s an example of what can happen: If a third person usually does not issue checks but can and that person also reconciles the bank statement, he might issue fraudulent checks. Why? He knows his fraudulent checks will not be detected through the bank reconciliation control.
Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John is on vacation?”
We’ll continue our discussion about walkthroughs next week. I still need to answer the following questions:
The Accounting and Review Services Committee (ARSC) issued SSARS 22 Compilation of Pro Forma Financial Information. You may remember that ARSC did not address pro forma information in SSARS 21. SSARS 22 clarifies AR 120 Compilation of Pro Forma Information and codifies it as AR-C 120.
So what is pro forma information? It is a presentation that shows what the significant effects on historical financial information might have been had a consummated or proposed transaction (or event) occurred at an earlier date.
To understand SSARS 22, let’s answer a few questions.
Examples of pro forma information include presenting financial statements for the following:
Again we are providing financial information as though the transaction or event has–already–occurred.
In pro forma financial information, what should be disclosed?
Must the accountant consider his or her independence? Yes, since this is a compilation engagement. (Note: The preparation of the pro forma information is considered a nonattest service.)
Should the accountant perform acceptance and continuance procedures? Yes.
Is an engagement letter required? Yes, and it must be signed by the accountant’s firm and management or those charged with governance.
What compilation procedures should be performed?
Can the pro forma engagement be performed in conjunction with a compilation, review or an audit? Yes. Alternatively, the pro forma engagement can be performed separately.
What documentation is to be retained in the file?
Is a compilation report to be issued? Yes. (See sample report below.)
Is the accountant offering any assurance regarding the pro forma information? No.
Can the pro forma compilation report be added to the accountant’s report on historical financial statements? Yes. Alternatively, the pro forma compilation report can be presented separately.
What’s the effective date of SSARS 22? The standard is effective for compilation reports on pro forma financial information dated on or after May 1, 2017.
If you are not already providing pro forma information to clients, consider suggesting this service when appropriate. Clients may find pro forma information helpful in evaluating the potential sale of stock, the borrowing of funds for a project, or the sale of a part of the business.
Exhibit B of SSARS 22 provides the following sample compilation report on pro forma financial information:
Management is responsible for the accompanying pro forma condensed balance sheet of XYZ Company as of December 31, 20X1, and the related pro forma condensed statement of income for the year then ended (pro forma financial information), based on the criteria in Note 1. The historical condensed financial statements are derived from the financial statements of XYZ Company, on which I (we) performed a compilation engagement, and of ABC Company, on which other accountants performed a compilation engagement. The pro forma adjustments are based on management’s assumptions described in Note 1. I (we) have performed a compilation engagement in accordance with Statements on Standards for Accounting and Review Services promulgated by the Accounting and Review Services Committee of the AICPA. I (we) did not examine or review the pro forma financial information nor was (were) I (we) required to perform any procedures to verify the accuracy or completeness of the information provided by management. Accordingly, I (we) do not express an opinion, a conclusion, nor provide any form of assurance on the pro forma financial information.
The objective of this pro forma financial information is to show what the significant effects on the historical financial information might have been had the underlying transaction (or event) occurred at an earlier date. However, the pro forma condensed financial statements are not necessarily indicative of the results of operations or related effects on financial position that would have been attained had the above mentioned transaction (or event) actually occurred at such earlier date.
[Additional paragraph(s) may be added to emphasize certain matters relating to the compilation engagement or the subject matter.]
[Signature of accounting firm or accountant, as appropriate] [Accountant’s city and state]
[Date of the accountant’s report]
The Accounting and Review Services Committee of the AICPA has issued SSARS 22 Compilation of Pro Forma Information. The effective date of the standard is May 1, 2017.
In the coming days, I will provide a detailed post about this standard. A new compilation report and engagement letter (for pro forma financial statements) are included in SSARS 22.
Do you ever struggle with audit walkthroughs? Maybe you’re not sure what areas to review or how extensive your documentation should be. Possibly you’re not even sure how walkthroughs are helpful.
I hear some auditors protest that professional standards don’t require walkthroughs. Right, but we have an obligation to annually corroborate the existence and use of controls, and I know of no better way to achieve this goal than walkthroughs.
Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of the genesis of the transaction and then each movement through the accounting system.
As we perform the walkthrough, we also:
By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors and fraud to occur. And audit standards do not permit the use of inquiries alone. Observations or inspections must occur.
Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. For more information, see my related post.
Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk—it’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated and too important. So there’s no getting around it. The walkthrough—or something like it—must be done, especially if you are mid- to upper-level auditors. Why? You’re developing your audit plan. Screw up the plan, and you screw up the audit.
What is the purpose of the walkthrough? Identification of risk. Once you know the risks, you know where to audit.
Too often auditors do the same as last year (SALY). And why do we do this?
First, it requires no thinking.
Second, out of fear. We think, “if the audit plan was appropriate last year, why would it not be this year?” In short, we believe it’s safe. After all, the engagement partner developed this approach seven years ago. But is it safe?
Suppose the accounts payable clerk realizes he can create fictitious vendors without notice, and his scheme allows him to steal over $10 million over a four-year period.
The audit firm has performed the engagement year after year using the same approach. On the planning side, the fraud inquiry and internal control documentation look the same. Walkthroughs have not been performed in the last five years.
On the substantive side, the auditor ties the payables detail to the trial balance. He conducts a search for unrecorded liabilities. He inquires about other potential liabilities. All, as he has done for years. Even so, in this year alone, the payables clerk walks away with $3 million—and the audit firm doesn’t know it.
Processes matter. And—for the auditor—understanding those processes is imperative.
I will say it again: we are looking for risk. Our audit opinion says that we examine the company’s internal controls to plan the audit. The opinion goes on to say that this review of controls is not performed to opine on the accounting system. So we are not testing to render an opinion on controls, but we are probing the accounting processes to identify weaknesses. And once we know where risks lie, we can focus on those areas.
Pick an audit file or two and review your internal control documentation. Have you corroborated your understanding of the controls by inquiring, inspecting, and observing the significant transaction cycles? Again walkthroughs are not technically required, but the corroboration of controls is. The walkthrough process is an effective way to achieve this objective.
I will be speaking at the Georgia Government Finance Officers’ Conference on October 4, 2016. My presentation is titled “Steal Like a Boss,” a tongue-in-cheek view of how fraudsters think and act. Hope to see you there.
Date: October 4, 2016
Event: Georgia Government Finance Officers' Conference
Topic: Steal Like a Boss
Sponsor: Georgia Government Finance Officers
Venue: Evergreen Marriott Conference Resort, Stone Mountain GA