Twenty Mistakes that CPAs Make
Here are twenty mistakes that CPAs make:
- We hire people without sufficient knowledge and temperament
- We accept more work than we can possibly perform
- We don’t cull our bad clients (which contributes to #2.)
- We work without taking breaks
- We don’t exercise
- We try to be experts in too many industries
- We use outdated computers and software (e.g., we are not paperless)
- We don’t plan our continuing education (and take anything we can find at the end of the year)
- We have no strategy, moving from one engagement to another because it’s pressing
- We work sitting down all day (when standup desks are available)
- We bill our clients months after the service is provided (rather than a couple of weeks)
- We allow email to drive our day (we are reactive)
- We don’t express sincere appreciation to our peers and employees (those fully deserving of “thank you!”)
- We don’t use engagement letters to define our work
- We have no exit strategy, hoping someone will knock on our door and offer to buy the practice
- We ignore those we love (because we are overworked and irritable)
- We don’t stay current on evolving standards
- We don’t fire unproductive or difficult employees
- We don’t deal with problems (bad clients or employees) because doing so is awkward
- We never pause to evaluate our lives
Since 1984, I have worked in public accounting, a profession I dearly love. One thing I’ve noticed about CPAs is we are too immersed in our work–to a point of blindness. We don’t step back and evaluate what or how we do things. Would we be better off if we intentionally removed certain responsibilities? Might we not be even more profitable and happier?
Two things–more than anything else–will sap your energy and productivity: (1) difficult clients and (2) unproductive or difficult employees.
The 80/20 rule is applicable in our profession. We make 80% of our money from 20% of our work. And 80% of our headaches come from 20% of our clients and employees. (Were you awake last night thinking about one of these?) While the exact percentages may not be true for you, the concept is highly relevant.
I’ve given you twenty mistakes that CPAs make. Are there others you would add?
In this post, we will explore how to develop your audit plan so that it is effective (in compliance with audit standards) and efficient (so you can make money). Now it’s time to link your risk assessment work to your audit strategy and plan.
AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable. As you plan, consider two words: effectiveness and efficiency.
Audit Strategy and Plan
To be in compliance with audit standards, you need to develop:
- Your audit strategy
- Your audit plan
Developing Your Audit Strategy
What’s in the audit strategy? The audit strategy includes the following:
- The characteristics of the engagement that define its scope
- The reporting objectives of the engagement
- The significant factors to be used in directing the engagement team
- The results of preliminary engagement activities
- Whether knowledge gained on other engagements performed by the engagement partner for the entity is relevant
- The resources necessary to perform the engagement
Think of the audit strategy as the big picture. You are documenting:
- The scope (the boundaries of the work)
- The objectives (what are the deliverables?)
- The significant factors (e.g., is this a new or complex entity?)
- The risk assessment (what are the risk areas?)
- The planned resources (e.g., the engagement team)
Strategy for Walking on the Moon
When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:
We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas.
The strategy led to Neil Armstrong’s historic walk on July 20, 1969.
Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).
Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.
What’s in an Audit Strategy?
The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.
My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.
Here are the main areas we cover:
- Deliverables and deadlines
- A short time budget
- The audit team
- Key client contacts
- New accounting standards affecting the audit
- Problems encountered in the prior year
- Anticipated challenges in the current year
- Partner directions regarding key risk areas
- References to work papers addressing risk
Who Creates the Audit Strategy?
Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so by himself.
Audit Strategy as the Central Document
If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project.
Audit Plan (or Audit Program)
Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit?
- Performed risk assessment procedures
- Developed our audit strategy
Now it’s time to create the audit plan.
The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.
Creating the Audit Program
How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.
Sufficient Audit Steps
How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). For material areas, audit steps should address all high and moderate RMMs.
Integrating Risk Assessment with the Audit Program
How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.
AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.
Creating Efficiency in the Audit Plan
Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts.
Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures.
For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.
There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.
Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.
To see my earlier posts in this series, click here.
Today, we’ll answer various questions regarding bookkeeping, preparations, compilations, and review engagement.
Q: Should I issue management letters for preparation, compilation, or review engagements?
A: While not required, it is advisable to provide management letters when performing SSARS 21 services. Why? Two reasons: (1) It’s a way to add value to the engagement, and (2) it’s a way to protect yourself from potential litigation. Clients do–sometimes–sue CPAs in these so-called “lower risk” engagements. If we see control weaknesses (while performing a compilation for example), we should communicate those–even though standards don’t require it. Then, if theft occurs in that area and you are later sued regarding the fraud, you have a defense. If you don’t issue a management letter, at least send an email regarding the issues noted and retain a copy.
Q: Why obtain an engagement letter for nonattest services such as bookkeeping and tax (standards don’t require it)?
A: In all engagements, we want to state exactly what we are doing. Why? So, it is obvious what the client has hired us to do–and what they have not hired us to do. If a client says, “I told you to do my monthly bookkeeping and to file my property tax returns,” but you have no recollection of being asked to perform the latter, you need an engagement letter that specifies monthly bookkeeping (and nothing else).
Q: Should I say–in a bookkeeping engagement letter–the service is not designed to prevent fraud?
A: We should obtain a signed engagement letter for bookkeeping services, even though not required by standards. And yes, by all means, include a statement that the bookkeeping service is not designed to detect or prevent fraud.
Q: If I note fraud while performing a bookkeeping, preparation, compilation, or review engagement, should I report it to the appropriate levels of management?
A: Standards require this communication for review engagements. I would do likewise for the other services (though not required in SSARS 21).
Q: Am I required to be independent if I perform bookkeeping and preparation services?
A: No, since both are nonattest services.
Q: If I create financial statements as a byproduct of an 1120 tax return, am I subject to AR-C 70 Preparation of Financial Statements?
A: No, you are only subject to AR-C 70 if you are engaged to prepare financial statements.
Q: If I perform bookkeeping services in a cloud-based accounting package such as QuickBooks, am I subject to AR-C 70 (SSARS 21)?
A: It depends. Yes, if you are engaged to prepare financial statements. No, if you were not engaged to prepare financial statements. Who “pushes the button” to print the financial statements has no bearing on the applicability of AR-C 70.
Q: Am I required to have a signed engagement letter for all preparation, compilation and review engagements?
Q: Can I act as a controller-for-hire and perform a compilation engagement?
A: Yes, but you need to state that you are not independent in the compilation report.
Q: Can I act as the controller-for-hire and perform a review engagement?
A: No. Independence is required for review engagements.
Q: If I prepare financial statements and perform a compilation, am I performing one service (as I did under SSARS 19) or are these considered two separate services?
A: They are two separate services. The preparation is a nonattest service, and the compilation is an attest engagement. Both can be specified in one engagement letter.
What is an auditor’s responsibility for fraud in a financial statement audit? Today, I’ll answer that question. Let’s take a look at the following:
- Auditor’s responsibility for fraud
- Turning a blind eye to fraud
- Signs of auditor disregard for fraud
- Incentives for fraud
- Discovering fraud opportunities
- Inquiries required by audit standards
- The accounting story and big bad wolves
- Documenting control weaknesses
- Brainstorming and planning your response to fraud risk
Auditor’s Responsibility for Fraud
I still hear auditors say, “We are not responsible for fraud.” But are we not? We know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. But auditors often turn a blind eye to it.
Turning a Blind Eye to Fraud
Why do auditors not perceive fraud risks?
Here are a few reasons:
- We don’t understand fraud, so we avoid it
- We don’t know how to look for control weaknesses
- We believe that auditing the balance sheet is enough
Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself—in the audit file—with signs of disregard for fraud.
Signs of Auditor Disregard for Fraud
A disregard for fraud appears in the following ways:
- Asking just one or two questions about fraud
- Limiting our inquiries to as few people as possible (maybe even just one)
- Discounting the potential effects of fraud (after known theft occurs)
- The auditor does not perform walkthroughs
- We don’t conduct brainstorming sessions and window-dress related documentation
- Our files reflect no responses to brainstorming and risk assessment procedures
- Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
- The audit program doesn’t change though control weaknesses are noted
In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.
So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.
Incentives for Fraud
The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).
Fraud comes in two flavors:
- Cooking the books (intentionally altering numbers)
Cooking the Books
Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.
If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls.
Discovering Fraud Opportunities
My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches”—but the level of the challenge depends on the complexity of the business.
For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:
- What can go wrong?
- Will existing control weakness allow material misstatements?
In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just have to break it down—and allow more time.
Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.
Inquiries Required by Audit Standards
Audit Standards (AU-C 240) state that we should inquire of management regarding:
- Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
- Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
- Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
- Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
- The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
- For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures
Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and auditors regarding fraud?
- Management develops control systems to lessen the risk of fraud.
- Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.
So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we are putting together the pieces of a story.
The Accounting Story and Big Bad Wolves
Think of the accounting system as a story. Our job is to understand the narrative of that story. As we (attempt to) describe the accounting system, we may find missing pieces. When we do, we’ll go back and ask more questions to make the story complete.
The purpose of writing the storyline is to identify any “big, bad wolves.”
The threats in our childhood stories were easy to recognize—the wolves were hard to miss. Not so in the walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize. So, how long is the story? That depends on the size of the organization.
Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid unneeded—and distracting—details.
Documenting Control Weaknesses
I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:
Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. If effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.
Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.
Brainstorming and Planning Your Responses
Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.
The risk assessment procedures—discussed above and in my prior post—provide the fodder for the brainstorming session.
Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative.
In what way are we to be creative? We think like a thief. By thinking like a fraudster, we unearth ways that stealing might occur. And why? So we can audit those possibilities. And this is the reason for the fraud risk assessment procedures in the first place.
What we discover in the risk assessment stage informs the audit plan—in other words, it has bearing upon the audit programs.
The Auditor’s Responsibility for Fraud
In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for fraud?” Hopefully, you now have a better understanding of the fraud-related procedures we are to perform. But to understand the purpose of these procedures, look at the language in a standard audit opinion:
The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.
The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.
The What and Why of Auditing: A Blog Series About Basics
Have you been following my series of posts: The What and Why of Auditing? If not, you may want to review the prior posts:
- The What and Why of Auditing: A Blog Series about Basics
- The What and Why of Audit Acceptance and Continuance
- The What and Why of Audit Risk Assessment
Also subscribe (below) to my blog to receive future installments in this series (we have several more coming). This series is a great way for seasoned auditors to refresh their overall audit knowledge and for new auditors to gain a better understanding of the audit process.
Many accountants have asked, “When am I subject to SSARS 21?” This question often arises when a CPA provides bookkeeping services using a cloud-based accounting package such as Quickbooks. Bookkeeping or preparation of financial statements–which is it? Why the confusion? Well, once the bookkeeping is complete, the CPA or the client can print the financial statements–and we know that SSARS 21 is triggered when we are engaged to prepare financial statements.
Bookkeeping or Preparation of Financial Statements
Suppose you enter the client’s monthly transactions in QuickBooks, and you reconcile the bank statements. Now you or the client can print the financial statements. Have you unintentionally wandered into a requirement to follow SSARS 21? Let me answer this question with another question.
Has your client engaged you to prepare financial statements? If yes, then SSARS 21 is in play. If not, then compliance is not required. The AICPA says, “the accountant has only been engaged to prepare financial statements when the client has ‘hired’ the accountant to do so.”
Using QuickBooks to provide bookkeeping services does not–necessarily–mean you have been engaged to prepare financial statements. But how can you be clear? When in doubt spell it out–in an engagement letter. Use an engagement letter for all client services–even nonattest work such as bookkeeping. When you provide bookkeeping services, and the customer has not “hired” you to prepare financial statements, make it clear that you are not engaged to provide financial statements. The AICPA’s 2016/17 Audit Risk Alert–regarding Preparation services–advises that you might include this sentence when you are not engaged to prepare financial statements: This engagement does not contemplate us preparing financial statements.
More Information About Preparation Services
For more a fuller explanation regarding whether the use of QuickBooks triggers SSARS 21, click here.
For a deep dive into Preparation services, see my book on Amazon: Preparation of Financial Statements and Compilation Engagements.
Do you ever find yourself digging through hundreds of emails to find one message? You know it’s there somewhere, but you can’t put your electronic finger on it. Use Slack to communicate by project–that way, you’ll have all messages (by project, e.g., individual audit engagement) in one place.
What is Slack?
Slack is software designed to allow project teams–e.g., audit team–to send and store messages. Why use Slack rather than traditional email? Messages are stored by channel (by project), making it much easier to see project conversations.
The Slack website says the following:
Most conversations in Slack are organized into public channels which anyone on your team can join. You can also send messages privately, but the true power of Slack comes from having conversations everyone on the team can see. This transparency means it’s quick to find out what’s going on all across the team, and when someone new joins, all the information they need is laid out, ready for them to read up on.
How CPAs Use Slack
How can you as a CPA or auditor use Slack?
Create a channel for each project, and ask all team members to communicate using Slack (rather than email).
In CPA firms, some activities are year-round such as quality control reviews (we perform several hundred a year). Other activities are a true project, such as an audit engagement. Either way, you can use a separate (Slack) channel to communicate and store all related messages.
Using Slack for Quality Control Reviews — An Example
Below you see an example of how Heather, my associate, and I use Slack to communicate about file reviews in our quality control department. By doing so, we can see who is doing what and when. Also, all of the messages are searchable by channel. So, suppose I’m wondering when we reviewed the ABC Bank engagement. I can search the CPR (cold partner review) channel to see who performed the review and when. Notice, in this channel, Heather and I are posting status comments. We do so for the following reasons:
- To create a history of each review
- To notify each other that the review has commenced (Slack automatically sends a notification message to those included in a channel)
To select our quality control channel, I click the CPR channel on the left (where all the channels appear). Once I click CPR, I see the most recent messages for this channel.
Audits – Another Example
Think about a typical audit. You have three to five team members, with some individuals coming and going. To maintain continuity, you need a message board that allows all audit team members to see what is going on. That’s what Slack does when you create a channel for a particular audit. Think of it as a message board in the cloud since the designated personnel can see the audit communications with their PC, iPad, or cell phone.
Other Advantages of Slack
Advantages of Slack include the following:
- Accessibility from all devices, including cell phones and tablets
- Shareability of documents such as PDFs and spreadsheets
- Integration with other apps such as Trello and Google Calendar
- Configurable notifications of messages to team members
- Private messaging (when needed)
- Basic plan is free
Give It a Try
The best way to see how Slack works is to try it yourself. You don’t need any training since it’s easy to use. To see more information about Slack, click here.
Are auditors who see audit risk assessment as a waste of time leaving money on the table? Could this be a cause of lower profit realizations?
Audit Risk Assessment as a Friend
Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t? This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment is the doorway to maximum impact with minimal effort.
So, why do some auditors avoid audit risk assessment? Here are two reasons:
- We don’t understand it
- We’d rather continue doing what we’ve always done
Too often auditors keep doing the same as last year (commonly referred to as SALY), no matter what. It’s more comfortable than using risk assessment. But what if SALY is faulty or inefficient? Or what if the “tried and true” has blind spots. Maybe it’s better to assess risk annually and to plan our work based on present conditions.
The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:
- Determine the risks of material misstatements (plan our work)
- Develop a plan to address those risks (plan our work)
- Perform substantive procedures (work our plan)
- Issue an opinion (the result of planning our work and working our plan)
Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.” In other words, we work backward. So, how can we work appropriately?
A Better Way
Audit standards—in the risk assessment process—call us to do the following:
- Understand the entity and its environment
- Understand the transaction level controls
- Use planning analytics to identify risk
- Perform fraud risk analysis
- Assess risk
While we may not complete these steps in order, we do need to perform our risk assessment first (1.-4.) and then assess risk as a result. Okay, so what procedures should we use to carry out the risk assessment process?
Audit Risk Assessment Procedures
AU-C 315.06 states:
The risk assessment procedures should include the following:
a. Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor’s professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error
b. Analytical procedures
c. Observation and inspection
I like to think of risk assessment procedures as tools, all used to sift through information and aid in the identification of risk.
Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same. First, we need to understand the entity and its environment.
Understand the Entity and Its Environment
The audit standards require that we understand the entity and its environment.
I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk.
I want to know what the owners and management think and feel. The visceral is a flashing light saying, “Important!” Every business leader worries about something. And understanding the source of those worries illuminates risk.
Think of risks as threats to objectives. Your client’s fears tell you what the objectives and threats are. Worries shine the light on threats to objectives.
To understand the entity and its related threats, ask questions such as:
- How is the industry faring?
- Are there any new competitive pressures or opportunities?
- Have key vendor relationships changed?
- Can the company obtain necessary knowledge or products?
- Are there pricing pressures?
- How strong is the company’s cash flow?
- Has the company met its debt obligations?
- Is the company increasing in market share?
- Who are your key personnel and why are they important?
- What is the company’s strategy?
- Do you have any related party transactions?
As with all risks, we respond based on their severity. The higher the risk, the greater the response. We’ll respond to risks at these levels:
- Financial statement level
- Transaction level
Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements. Specific responses to risk occur at the transaction level, such as a search for unrecorded liabilities.
Understand the Transaction Level Controls
We must do more than just understand transaction flows; we need to understand the related controls. So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.
The use of walkthroughs is probably the best way to understand internal controls. As you perform your walkthroughs, you are asking questions such as:
- Who signs checks?
- Who has access to checks (or electronic payment ability)?
- Who approves payments?
- Who initiates purchases?
- Who can open and close bank accounts?
- Who posts payments?
- What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
- Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
- Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
- Who creates expense reports and who reviews them?
- Who bills clients? In what form (paper or electronic)?
- Who opens the mail?
- Who receipts monies?
- Are there electronic payments?
- Who receives cash onsite and where?
- Who has credit cards? What are the spending limits?
- Who makes deposits (and how)?
- Who keys the receipts into the software?
- What revenue reports are created and reviewed? Who reviews them?
- Who creates the monthly financial statements? Who receives them?
- Are there any outside parties that receive financial statements? Who are they?
Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. A lack of controls threatens this objective.
So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions; and—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders. This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.
Another significant risk identification tool is the use of planning analytics.
Use planning analytics to shine the light on risks. How? I like to use:
- Multiple-year comparisons of key numbers (at least three years, if possible)
- Key ratios
In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason they are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)
Sometimes, unexplained variations in the numbers are evidence of fraud.
In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?
Also, we should plan procedures related to:
- Management override of controls, and
- The intentional overstatement of revenues
My next blog post—in this series—addresses fraud risk, so this is all I will say about theft for now. Sometimes the greater risk is not fraud but errors.
Same Old Errors
Have you ever noticed that some clients make the same mistakes—every year? They are usually smaller clients. In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).
One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look for potential errors.
Now it’s time to pull all of the above information together.
Creating the Risk Picture
Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image. We are—at this point—bringing the information into one distilled risk snapshot. What are we bringing together? Here are examples:
- Control weaknesses
- Unexpected variances in significant numbers
- Entity risk characteristics (e.g., level of competition)
- Large related-party transactions
- Occurrences of theft
Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). We are focusing these plans on the areas where the risk of material misstatement is highest.
How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.
Assess the Risk of Material Misstatement
Understanding the RMM formula is key to identifying high-risk areas.
What is the RMM formula?
Put simply, it is:
Risk of Material Misstatement = Inherent Risk X Control Risk
Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.
Once we have completed our risk assessment process, control risk can be assessed at high–simply as an efficiency decision.
The Input and Output
The inputs in audit planning include all of the above audit risk assessment procedures.
The outputs (sometimes called linkage) of the audit risk assessment process are:
- Audit strategy
- Audit plan (audit programs)
We tailor the strategy and plan according to the risk assessment.
In a nutshell, we identify risks and then respond to them.
Next in the Series
In my next post in this series, we’ll take a look at the why and how of fraud auditing. So, stay tuned. If you haven’t subscribed to my blog, consider doing so.
Do You Need to Verify that Someone is a CPA?
Do you need to verify that someone is a CPA?
If yes, click here for CPAVerify.org.
Their website says:
Free and open to the public, CPAverify.org is a CPA lookup tool populated by official state regulatory data sent from Boards of Accountancy to a central database. The website represents the first ever single-source national database of licensed CPAs and CPA firms. Determine a CPA or CPA firm’s credentials without having to search each of the 55 Boards of Accountancy website individually.