Audit walkthroughs, sometimes referred to as “cradle to grave” reviews of transaction cycles, are performed for significant transaction cycles and should be performed early in the audit process. The auditor starts at the beginning of a transaction cycle and walks a transaction completely through the accounting system while observing controls. Why? To see if controls exist and are in use–and ultimately, to identify risks.
Are Internal Control Walkthroughs Required?
How often is the auditor required to perform a walkthrough?
Answer: Once per year, if this is how you corroborate your understanding of the cycle. Walkthroughs are not required, but you do need to verify your understanding of the accounting system and related controls–and I can think of no better way.
Recently, I was asked, “If a walkthrough is not used, what else can I do?” While questionnaires can be used, there is a risk that key internal controls will be missed. What if the questionnaire doesn’t address a critical piece of the control structure? Walking a transaction through the accounting system and reviewing related controls ensures a full understanding.
AICPA Guidance Concerning Annual Walkthroughs
TIS Section 8200.12, as issued by the AICPA, states the following:
Inquiry—AU section 314 (now AU-C 315) requires the auditor to obtain an understanding of internal control. An auditor might perform walkthroughs to confirm his or her understanding of internal control. If the auditor decides to use walkthroughs to confirm his or her understanding of internal control, how often do walkthroughs need to occur?
Reply—In accordance with AU Section 314 (now AU-C 315), the auditor is required to obtain an understanding of internal control to evaluate the design of controls and to determine whether they have been implemented. To do that, performing a walkthrough would be a good practice. Accordingly, auditors might perform a walkthrough of significant accounting cycles every year [emphasis added].
Controls Documented in Prior Period
In some situations, AU-C section 315 allows the auditor to rely on audit evidence obtained in prior periods. In those situations, the auditor is required to perform audit procedures to establish the continued relevance of the audit evidence obtained in prior periods (for example, by performing a walkthrough). So, an auditor might perform walkthroughs every year to update his or her understanding. (I know the TIS says “might,” but it does appear the AICPA encourages annual walkthroughs.)
Remember, a walkthrough is a risk assessment procedure. As such, it should be performed early in the audit–not as we are finalizing the work paper file. Identify risks and then create audit steps to respond.
Too many auditors see walkthroughs as “something we do because we have to,” rather than as procedures that inform the audit process. That’s why some auditors document walkthroughs at the end of the audit.
Audits should be performed in the following order:
1. Identify risk
2. Assess risk
3. Create an audit plan
4. Execute the audit plan
5. If necessary, revise the risk assessment and audit plan (if new risks are identified during step 4)

Walkthroughs should be performed in step 1, not after step 4.
See my prior walkthrough posts:
Post 3 – How to Document Audit Walkthroughs