Search Results for: audit documentation

audit documentation
Aug 15

Audit Documentation: Peer Review Finding

By Charles Hall | Auditing

Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation in AU-C 230. And if it’s not documented, the peer reviewer can’t give credit. Work papers are your vehicle of communication. 

But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.

audit documentation

Insufficient Audit Documentation

Insufficient audit documentation has been and continues to be a hot-button peer review issue. And it’s not going away. 

But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that is fuzzy. Too often audit files are poor-to-midland. But why? 

First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.

Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (make more money), it’s a lack of understanding.

Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Confirmations, walkthroughs, fraud inquiries are omitted. And yes, it’s easier–at least in the short run.

But we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on a website and everyone could see it, would you be proud? Or does it need improvement?

Sufficient Audit Documentation According to AU-C 230

Let’s see what constitutes sufficient documentation.

AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:

  • Nature, timing, and extent of procedures performed
  • Results and evidence obtained
  • Significant findings, issues, and professional judgments

While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like? Here are some pointers for complying with AU-C 230. 

Experienced Auditor’s Understanding

Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?

Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).  

A Fog in the Work Papers

So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will see our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.

Just because I know why I am doing something does not mean that someone else will. So how can we create clarity?

Creating Clarity

Work papers should include the following:

  • A purpose statement (what is the reason for the work paper?)
  • The source of the information (who provided it? where did they obtain it and how?)
  • An identification of who prepared and reviewed the work paper
  • The audit evidence (what was done)
  • A conclusion (does the audit evidence support the purpose of the work paper?)

When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.

Remember, the work paper preparer is responsible for clear communication. 

And here’s another thing to consider: You (the work paper preparer) might spend six hours on one document, so you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand your work.

Help Your Reviewers

To help your reviewers:

  1. Tell them what you are doing (purpose statement)
  2. Do it (document the test work)
  3. Then, tell them how it went (the conclusion)

Now let’s move from proper to improper documentation.

Examples of Poor Work Paper Documentation

So, what does insufficient audit documentation look like? In other words, what are some of the signs that we are not complying with AU-C 230?

Here are examples of poor audit work paper documentation:

  • Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
  • Placing a document in a file without explaining why (what is its purpose?)
  • Not signing off on audit steps
  • Failing to reference audit steps to supporting work papers
  • Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
  • Not signing off on work papers as a preparer
  • Not signing off on work papers as the reviewer
  • Failing to place excerpts of key documents in the file (e.g., debt agreement)
  • Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
  • Not documenting the selection of a sample (why and how and the sample size)
  • Failing to explain the basis for low inherent risk assessments
  • Key bank accounts and debt are not confirmed
  • Not documenting the reason for not sending receivable confirmations
  • A lack of retrospective reviews
  • A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
  • Not documenting entity-level controls (e.g., tone at the top, management’s risk assessment procedures)
  • A failure to document risk assessments
  • Low control risk assessments without a test of controls
  • A lack of linkage from the risk assessment to the audit plan
  • No independence documentation though nonattest services are provided

This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.

Strangely, however, poor work papers are not the result of insufficient documentation, but too much documentation. 

Too Much Audit Documentation

Many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”

In looking at audit files, I see:

  • The clutter of unnecessary work papers
  • Files received from clients that don’t support the audit opinion
  • Unnecessary work performed on extraneous documents

For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.

If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we might realize it has none. Which is nice–now, we can eliminate it.

One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting. 

The key to eliminating unnecessary work lies in performing the following steps (in the order presented):

  1. Perform risk assessment
  2. Plan your audit based on the identified risks
  3. Perform the audit procedures

Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, we repeat them. This creates waste year after year after year.

Before I close this article, here is one good work paper suggestion from my friend Jim Bennett of Bennett & Associates: transaction area maps. 

Transaction Area Maps

Include transaction area maps in your file. A summary creates organization and makes it easier to find your work papers. It also provides a birds-eye view of what you have done. Here’s an example:

ACCOUNTS RECEIVABLE WORKPAPER MAP

4-02 Audit Program

4-10 Risk Assessment Analyticals

ACCOUNTS RECEIVABLE AGING

4-20 Customer aging report

4-21 AR break-out of intercompany balances

4-23 AR aging tie in to TB

4-24 Review of AR aging

ACCOUNTS RECEIVABLE CONFIRMATIONS

4-50 Planning worksheet – substantive procedures

4-51 AR confirmation reconciliation

4-52 AR confirmation replies

4-60 Allowance for doubtful accounts

4-70 Intercompany balances and sales to significant customers

4-80 Sales analytics

4-90 Sales cut-off testing

4-95 Revenue recognition 606 support and disclosures

Summary

In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message. We need to do so to comply with AU-C 230, Audit Documentation

Additional Guidance

The AICPA also provides some excellent guidance regarding work paper documentation. Download their work paper template; it’s very helpful. 

Also, see my article titled 10 Steps to Better Audit Workpapers.

Auditing Payroll
Dec 13

Auditing Payroll: A Step by Step Guide

By Charles Hall | Auditing

Auditing payroll is a critical skill. Today I explain how.

While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.

Auditing Payroll

Auditing Payroll – An Overview

Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.

To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.

First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.

Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).

Third, human resources assists the new-hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance.

Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used).

Fifth, employees clock in and out so that time can be recorded.

Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time.

Seventh, a second person (e.g., payroll supervisor) approves the overall payroll.

Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy).

In this article, we will cover the following:

  • Primary payroll assertions
  • Payroll walkthroughs
  • Payroll fraud
  • Payroll mistakes
  • Directional risk for payroll
  • Primary risks for payroll
  • Common payroll control deficiencies
  • Risk of material misstatement for payroll
  • Substantive procedures for payroll
  • Common payroll work papers

Primary Payroll Assertions

The primary relevant payroll assertions are:

  • Completeness
  • Cutoff
  • Occurrence

I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.

Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.

Payroll Walkthroughs

YouTube player

 

Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:

  • Does the company have a separate payroll bank account?
  • How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
  • Who has the authority to hire and fire employees?
  • What paperwork is required for a new employee? For a terminated employee?
  • Is payroll budgeted?
  • Who monitors the budget to actual reports? How often?
  • Who controls payroll check stock? Where is it stored? Is it secure?
  • If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
  • Do larger salary payments require multiple approvals?
  • Who approves overtime payments?
  • Who monitors compliance with payroll laws and regulations?
  • Who processes payroll and how?
  • Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
  • How are payroll tax payments made? How often? Who makes them?
  • Who creates the year-end payroll tax documents (e.g., W-2s) and how?
  • What controls ensure the recording of payroll in the appropriate period?
  • Are the following duties assigned to different persons:
    • Approval of each payroll,
    • Processing and recording payroll,
    • The reconciliation of related bank statements
    • Possession of processed payroll checks
    • Ability to enter or change employee bank account numbers
    • Ability to add employees to the payroll system or to remove them
  • Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
  • Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
  • Who approves salary rates and how?
  • Who reconciles the payroll bank statements and how often?
  • Who approves bonuses?
  • What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
  • Who reconciles the payroll withholding accounts and how often?
  • Are any salaries capitalized rather than expensed? If yes, how and why?
  • Are surprise payroll audits performed? If yes, by whom?
  • Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?

Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.

As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”

Payroll Fraud

When payroll fraud occurs, understatements or overstatements of payroll expense may exist.

If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.

On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.

Payroll Mistakes

Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements.

Directional Risk for Payroll

auditing payroll

The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur.

Primary Risks for Payroll

The primary payroll risks include:

  1. Payroll is intentionally understated
  2. Inappropriate parties receive payments
  3. Employees receive duplicate payments

As you think about these risks, consider the control deficiencies that allow payroll misstatements.

Common Payroll Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following:
    • Approves payroll payments to employees,
    • Enters time or salary rates in the payroll system,
    • Issues payroll checks or makes direct deposit payments,
    • Adds or removes employees from the payroll system
    • Reconciles the payroll bank account
  • No one reviews and approves recorded time
  • No one reviews and approves payroll before processing
  • No one performs surprise audits of payroll
  • Appropriate procedures for adding and removing employees are not present
  • No one reviews the removal of terminated employees from payroll
  • No one compares payroll expenses to a budget

(Here are suggestions to make your payroll controls stronger.)

Another key to auditing payroll is understanding the risks of material misstatement.

Risk of Material Misstatement for Payroll

In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.

Additionally, consider theft which can occur in numerous ways, such as duplicate payments or ghost employees.

In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice.

Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee).

Once your payroll risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Auditing Payroll

My customary tests for auditing payroll are as follows:

  1. Reconcile 941s to payroll
  2. Recompute accrued payroll liability (amount recorded at period-end)
  3. Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
  4. Compare payroll expenses (including benefits) to budget and examine any unexplained variances
  5. When control weaknesses are present, design and perform procedures to address the related risks
  6. Compare accrued vacation to prior periods and current payroll activity

In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?

Common Payroll Work Papers

My payroll work papers normally include the following:

  • An understanding of payroll-related internal controls
  • Risk assessment of payroll at the assertion level
  • Documentation of any payroll control deficiencies
  • Payroll audit program
  • Accrued salaries detail at period-end
  • A summary of any significant payroll withholding accounts with supporting information
  • A detail of vacation payable (if material) with comparisons to prior periods
  • Budget to actual payroll reports
  • A reconciliation of payroll in the general ledger to quarterly 941s
  • Fraud-related payroll work papers (when needed)

In Summary

In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.

See my book on Amazon: The Why and How of Auditing.

SAS 143
Feb 18

SAS 143, Auditing Accounting Estimates

By Charles Hall | Auditing

In this article, I explain SAS 143, Auditing Accounting Estimates and Related Disclosuresa new audit standard applicable for periods ending on or after December 15, 2023.   

We'll look at the objectives of SAS 143, auditor responsibilities (including risk assessment and responses), the nature of estimates, documentation requirements, and overall evaluation of your work to ensure appropriateness and completeness. 

Auditing estimates

Estimate Examples

To get us started, here are a few examples of estimates:

So, what is an accounting estimate? It's a monetary amount for which the measurement is subject to estimation uncertainty. Of course, you need to consider the financial reporting framework as you think about the estimate. For example, an estimate might be significantly different when using GAAP versus a regulatory basis. 

But what is estimation uncertainty? It's the susceptibility of an estimate to an inherent lack of precision in measurement. In layperson's terms, it's an estimate that is hard to pin down.

SAS 143 Objectives

The objective of SAS 143 is to see if the accounting estimate and related disclosures are reasonable by obtaining sufficient appropriate audit evidence. 

Nature of Estimates

Some estimates are simple, while others are difficult. For example, estimating the economic life of a vehicle is straightforward, but computing an allowance for uncollectible receivables might be complex.

But even one type of estimate, such as an allowance for uncollectible, can vary in complexity. For example, the allowance computation for uncollectible receivables is usually more complex for a healthcare entity (e.g., more payor types) than for a small business. Why? Because it is more complex and more challenging to determine. Therefore, the estimation uncertainty for a healthcare entity (with many payor types) is higher than that of a small business with one type of customer. Additionally, the volume of transactions could be higher for a healthcare entity versus a small business. 

Estimation Uncertainty

So, the inherent subjectivity of an estimate creates estimation uncertainty. 

Consider estimation uncertainty in this manner: ask twenty people to compute the allowance for a hospital and then ask them to do the same for the small business's uncollectible estimate. How much variation would you expect? Yes, much more for the hospital because the inherent risk is higher. 

SAS 143 tells us to increase our risk assessment procedures and further audit procedures as the estimation uncertainty increases. We perform more risk assessment work concerning the hospital's allowance than that of the small business. Moreover, we complete more extensive further audit procedures for the hospital's allowance than for the small business's estimate. 

More risk, more work. 

To understand SAS 143, we need to know the underlying concepts.

SAS 143 Concepts

SAS 143

Relevant Assertions

You need to assess the risk of material misstatement at the relevant assertion level. Further, you are required to assess inherent risk and control risk separately. And as you assess inherent risk, you might encounter significant risks. 

The Spectrum of Inherent Risk

Usually, a hospital's valuation assertion related to receivables is relevant, and the inherent risk is often high due to its subjectivity, complexity, and volume of transactions (i.e., inherent risk factors). Therefore, the valuation assertion's risk might fall toward the end of the spectrum of inherent risk. On a ten-point scale, we might assess the inherent risk as a nine or a ten. And if we do, it is a significant risk, affecting our professional skepticism.

Professional Skepticism and Estimates

Our professional skepticism increases as the estimation uncertainty rises (or at least, it should). Why? The potential for management bias may be present since it's easier to manipulate complex estimates. And complexity can be a smokescreen to hide bias, increasing the need for internal controls.

Estimate Controls

As estimates become more complex, entities increase internal controls (or at least, they should). And consequently, auditors need to evaluate the design and implementation of those controls. Additionally, auditors must determine whether they will test the controls for effectiveness. 

Another SAS 143 concept is the reasonableness of the estimate.

Reasonableness of Estimates

For an estimate to be reasonable, the applicable financial reporting framework must be its basis. Additionally, management should consider the facts and circumstances of the entity and the related transactions. In creating a reasonable estimate, management will often use the following:

  • A method
  • Certain assumptions
  • Data

Let's consider these elements using the allowance for uncollectible receivables. 

First, management considers the financial reporting framework. If the entity uses GAAP, it makes sense to create the estimate. No allowance is necessary if the cash basis of accounting is in use. In this example, we'll assume the company is using GAAP.

Estimate Method

In computing an allowance for uncollectible, an entity might calculate the estimate as a total of the following:

  • 20% of receivables outstanding for more than 60 days
  • 60% of receivables outstanding for more than 90 days
  • 90% of receivables outstanding for more than 120 days

Estimate Assumptions

And what assumptions might management consider? Bad debt percentages have stayed the same over time. The company needs to increase the percentages if collectible amounts erode. 

Estimate Data

Finally, consider the allowance data. In this example, it would typically be an aged receivable listing. Such a listing breaks receivables into aging categories (e.g., 0 to 30 days; 31 to 60 days; etc.). Such data should be consistent. Suppose the company purchases new software that computes the aged amounts differently using different data than previously. If this occurs, management and the auditors need to consider the reasonableness of the new data. 

Is the Estimate Reasonable?

Most importantly, estimates need to make sense (to be reasonable) in light of the circumstances. While consistent methods, assumptions, and data are desirable, change, such as a slowdown in the economy, can require new ways of computing estimates.

One more concept is that of management's point estimate and disclosure.

Management's Point Estimate and Disclosure

The auditor will examine management's point estimate and the related disclosures to see if they are reasonable. How? Review the estimate's development (how was it computed?) and the nature, extent, and sources of estimation uncertainty. 

If circumstances are similar to the prior year, then the estimate's method, assumptions, and data will typically be similar. Likewise, the disclosure will be much like the preceding period. 

But if, for example, the economy slows significantly, the percentages applied to the aged receivable categories (see above) may need to increase so that the allowance for uncollectible is higher. The auditor might question the estimate if management did not raise these percentages. 

The company should disclose how the estimate is created and the nature, extent, and sources of estimation uncertainty. 

Now, let's see what the SAS 143 requirements are.

SAS 143 Requirements

SAS 143

The requirements for estimates are conceptually the same as in any area. The auditor does the following:

  • Perform risk assessment procedures
  • Identify and assess the risk of material misstatement
  • Develop responses to the identified risks and carry those out

1. Perform Risk Assessment Procedures for Estimates

As you consider the entity and its environment, consider the following:

  • Transactions and other events that give rise to the need for estimates and changes in estimates
  • The applicable financial reporting framework as it relates to estimates
  • Regulatory factors affecting estimates, if any
  • The nature of estimates and related disclosures

Next, as you consider internal control, ask about the following:

  • Nature and extent of estimate oversight (who oversees the estimate? how often is the estimate being reviewed?)
  • How does management identify the need for specialized skills or knowledge concerning the estimate?
  • How do the entity's risk assessment protocols identify and address risks related to estimates?
  • What are the classes of transactions, events, and conditions giving rise to estimates and related disclosures?
  • How does management identify the estimate's methods, assumptions, and data sources?
  • Regarding the degree of estimation uncertainty, how does management determine the range of potential measurement outcomes?
  • How does management address the estimation uncertainty, including a point estimate and related disclosures?
  • What are the control activities relevant to the estimate? (e.g., second-person review of the computation)
  • Does management review prior estimates and the outcome of those estimates? How does management respond to that review?

Additionally, the auditor reviews the outcome of prior estimates for potential management bias

If there are any significant risks (inherent risk falling toward the end of the spectrum of risk), the auditor should understand the related controls and, after that, see if they are designed appropriately and implemented. 

And finally, the auditor considers if specialized skills or knowledge are needed to perform risk assessment procedures related to estimates. 

Of course, after you do your risk assessment work, it's time to assess the risk.

2. Identify and Assess the Risk of Material Misstatement

SAS 143, as we have already seen, requires a separate assessment of inherent risk and control risk for each relevant assertion.

In assessing inherent risk, the auditor will consider risk factors such as complexity, subjectivity, and change. It's also important to consider the estimate method and the data used in computing management's point estimate. 

Some estimates represent significant risks. So, for example, if the computation of warranty liability is complex or has a high degree of estimation uncertainty, then identify the liability as a significant risk since the valuation assertion is high risk (toward the upper end of the spectrum of inherent risk).

Auditing estimates

3. Responses to Assessed Risk of Material Misstatement

Once the assessment of risk is complete, you are in a position to create responses. As usual, document linkage from the risk level to the planned procedures. Higher risk calls for more extensive actions. 

If, for example, the auditor identifies an estimate as a significant risk, go beyond basic techniques (i.e., more than a basic audit program). 

Additionally, base those responses on the reasons for the assessments. In other words, create audit procedures based on the nature of the risk. Performing more procedures unrelated to the identified risk is of no help. 

Three Responses to Risks Related to Estimates

The audit procedures need to include one or more of the following three steps:

  1. Obtain audit evidence from events occurring up to the date of the auditor's report
  2. Test how management made the accounting estimate by reviewing the following: 
    • Methods in light of: 
      • Reporting framework
      • Potential management bias
      • The estimation computation (is it mathematically correct?)
      • Use of complex modeling, if applicable
      • Maintenance of the assumptions and data integrity (does this information have integrity?)
    • Assumptions; address the following: 
      • Whether the assumptions are appropriate
      • Whether the judgments made in selecting the assumptions give rise to potential bias
      • Whether assumptions are consistent with each other
      • When applicable, whether management has the intent and ability to carry out specific courses of action
    • Data; address the following: 
      • Whether the data is appropriate
      • Whether judgments made in selecting the data give rise to management bias
      • Whether the data is relevant and reliable
      • Whether management appropriately understands and interprets the data
    • Management's point estimate and related disclosure; address the following: 
      • How management understands estimation uncertainty
      • See if management took appropriate steps in developing the point estimate and related disclosure
      • If the auditor believes management has not sufficiently addressed estimation uncertainty, the following should occur: 
        • Request management perform additional procedures to understand the estimation uncertainty; consider disclosing more information about the estimation uncertainty
        • Develop an auditor's point estimate or range if management's response to the auditor's request in the prior step is not sufficient
        • Evaluate whether an internal control deficiency exists
  3. Develop an auditor's point estimate or range; do the following: 
    • Include procedures to evaluate whether methods, assumptions, or data are appropriate
    • When the auditor develops a range,  
      • Determine whether the range includes only amounts supported by sufficient audit evidence and are reasonable in the context of the reporting framework
      • Review disclosures related to estimation uncertainty, design and perform procedures regarding the risk of material misstatement (i.e., determine if the disclosure provides sufficient information regarding estimation uncertainty)

Once you complete your audit work related to estimates, evaluate what you've done. 

Overall Evaluation of Estimate Work

SAS 143

Evaluate the sufficiency of your estimate work by considering the following:

  • Are the risk assessments at the relevant assertion level still appropriate?
  • Do management's decisions regarding recognition, measurement, presentation, and disclosure of the estimates agree with the financial reporting framework? 
  • Has sufficient appropriate evidential matter been obtained?
  • If evidence is lacking, consider the impact on the audit opinion
  • Has management included disclosures beyond those required by the financial reporting framework when needed for fair presentation?

Here are some additional considerations in determining if your work is complete.

Documentation of Estimate Work

SAS 143 says that the auditor's documentation should include the following:

  • The auditor's understanding of the entity and its environment, including internal controls related to estimates
  • Linkage of further audit procedures with the risks of material misstatement at the assertion level
  • Auditor's responses when management has not taken appropriate steps to understand and address estimation uncertainty
  • Indicators of possible management bias related to estimates
  • Significant judgments related to estimates and related disclosures in light of the reporting framework

Governance Communication Regarding Estimates

Finally, consider whether you should communicate estimate matters to those charged with governance, especially if a high estimation uncertainty is present. 

SAS 143 Summary

While SAS 143 requires that auditors understand the estimation process and then perform procedures to ensure the reasonableness of the numbers and disclosures, there's nothing unusual about this. We gain an understanding of the estimates, assess the risk, and create responses. 

Many estimates, such as plant, property, and equipment depreciation, are simple. In those areas, there's little to do. But as always, our risk assessment and responses will increase as complexity and uncertainty increase. 

You may also be interested in my article titled SAS 145: New Risk Assessment Standard.

Auditing Equity
Jun 22

Auditing Equity: Why and How Guide

By Charles Hall | Auditing

Auditing equity is easy, until it’s not. 

Auditing equity is usually one of the easiest parts of an audit. For some equity accounts, you agree the year-end balances to the prior year ending balance, and you’re done. For instance paid-in-capital seldom changes. Often, the only changes in equity are from current year profits and owner distributions. And testing those equity additions and reductions in equity takes only minutes.

Nevertheless, auditing equity can be challenging, especially for businesses that desire to attract investors. Such companies offer complicated equity instruments. Why? The desire to attract cash without giving away (too much) power. And this balancing act can lead to complex equity instruments.  

Regardless of whether a company’s equity is easy to audit or not, below I show you how to focus on important equity issues.

Auditing Equity

Auditing Equity — An Overview

In this post, we will cover the following:

  • Primary equity assertions
  • Equity walkthroughs
  • Equity-related fraud and errors
  • Directional risk for equity
  • Primary risks for equity
  • Common equity control deficiencies
  • Risk of material misstatement for equity
  • Substantive procedures for equity
  • Common equity work papers
Continue reading
Auditing Debt
Apr 25

Auditing Debt: The Why and How Guide

By Charles Hall | Auditing

What are the keys to auditing debt?

While auditing debt can be simple, sometimes it’s tricky.  For instance, classification issues can arise when debt covenant violations occur. Should the debt be classified as current or noncurrent? Likewise, some forms of debt (with detachable warrants) have equity characteristics, again leading to classification issues. Is it debt or equity—or both? Additionally, leases can create debt, even if that is not the intent. 

Most of the time, however, auditing debt is simple. A company borrows money. An amortization schedule is created. And thereafter, debt service payments are made and recorded. 

Either way, whether complicated or simple, below I show you how to audit debt.

Auditing Debt

Auditing Debt — An Overview

In many governments, nonprofits, and small businesses, debt is a significant part of total liabilities. Consequently, it is often a significant transaction area.

In this post, we will cover the following:

  • Primary debt assertions
  • Debt walkthroughs
  • Debt-related fraud
  • Debt mistakes
  • Directional risk for debt
  • Primary risks for debt
  • Common debt control deficiencies
  • Risk of material misstatement for debt
  • Substantive procedures for debt
  • Common debt work papers

Primary Debt Assertions

The primary relevant debt assertions include:

  • Completeness
  • Classification
  • Obligation

I believe, in general, completeness and classification are the most important debt assertions. When a company shows debt on its balance sheet, it is asserting that it is complete and classified correctly. By classification, I mean it is properly displayed as either short-term or long-term. I also mean the instrument is debt and recorded as such (and not equity). By obligation, I mean the debt is legally owed by the company and not another entity.

Keep these three assertions in mind as you perform your transaction cycle walkthroughs.

Debt Walkthroughs

Early in your audit, perform a walkthrough of debt to see if there are any control weaknesses. As you perform this risk assessment procedure, what questions should you ask? What should you observe? What documents should you inspect? Here are a few suggestions.

Debt Walkthrough

As you perform your debt walkthrough ask or perform the following:

  • Are there any debt covenant violations?
  • If the company has violations, is the debt classified appropriately (usually current)?
  • Is someone reconciling the debt in the general ledger to a loan amortization schedule?
  • Inspect amortization schedules.
  • Does the company have any unused lines of credit or other credit available?
  • Inspect loan documents.
  • Has the company refinanced its debt with another institution? Why?
  • Who approves the borrowing of new money?
  • Who approves new leases? Who handles lease accounting and are they competent?
  • Does the company have any leases that should be recorded as debt?
  • Inspect new loan and lease approvals. 
  • How are debt service payments made (e.g., by check or wire)? Who makes those payments?
  • Are there any sinking funds? If yes, who is responsible for making deposits and how is this done?
  • Observe the segregation of duties for persons:
    • Approving new loans,
    • Receipting loan proceeds,
    • Recording debt in the general ledger, and
    • Reconciling the debt in the general ledger to the loan amortization schedules
  • Is the company required to file periodic (e.g., quarterly) reports with the lender? Inspect sample debt-related reports, if applicable.
  • Does the company have any convertible debt or debt with detachable warrants? Are they properly recorded?
  • Is the company following reporting framework requirements (e.g., FASB Codification) for debt?
  • Has collateral been pledged? If yes, what?
  • What are the terms of the debt agreements?
  • Has all debt of the company been recorded in the general ledger?
  • Have debt issuance costs been accounted for properly based on the reporting framework requirements? (FASB requires the netting of such costs with debt.)
  • Has the company guaranteed the debt of another entity?

If control weaknesses exist, create audit procedures to address them. For example, if—during the walkthrough—we see that one person approves loans, deposits loan proceeds, and records the related debt, then we will perform fraud-related substantive procedures.

Debt-Related Fraud

A company can fraudulently inflate its equity by intentionally omitting debt from its balance sheet. (Total assets equal liabilities plus equity. Therefore, if debt is not reported, equity increases.) 

As we saw with Enron, some entities place their debt on another company’s balance sheet. (Enron did so using special purpose entities.) So auditors need to consider that companies can intentionally omit debt from their balance sheets.

Another potential fraudulent presentation is showing short-term debt as long-term. When might this happen? When debt covenant violations occur. Such violations can trigger a requirement to classify the debt as current. If accounting personnel are aware of the requirement to classify debt as current and don’t do so, then the reporting can be considered fraudulent.  

Additionally, mistakes can lead to errors in debt accounting.

Debt Mistakes

Errors in accounting for debt can occur when debt service payments are misclassified as expenses rather than a reduction of debt. Also, debt can—in error—be presented as long-term when it is current. Why? Maybe the company’s accountant doesn’t understand the accounting rules.

Some forms of debt, such as leases, can be difficult to interpret. Consequently, a company might errantly fail to record debt when required. 

So, what is the directional risk for debt? An overstatement or an understatement?

Directional Risk for Debt

Auditing Debt

The directional risk for debt is an understatement. So, audit for completeness (and determine that all debt is recorded).

Primary Risks for Debt

Primary risks for debt include:

  1. Debt is intentionally understated (or omitted)
  2. Debt is recorded as noncurrent (due more than one year from the balance sheet date) though the amount is current (due within one year of the balance sheet date)

It’s obvious why a company might want to understate its debt. The company looks healthier. But why would a business desire to classify current debt as noncurrent? For the same reason: to make the company look stronger. By recording current debt as noncurrent, the company’s working capital ratio (current assets divided by current liabilities) improves. 

As you think about the above risks, consider the control deficiencies that allow debt misstatements.

Common Debt Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following:
    • Approves the borrowing of new funds,
    • Enters the new debt in the accounting system, 
    • Deposits funds from the debt issuance
  • Funds are borrowed without appropriate approval
  • Debt postings are not agreed to amortization schedules
  • Accounting personnel don’t understand the accounting standards for debt (including lease accounting)

Another key to auditing debt is understanding the risks of material misstatement.

Risk of Material Misstatement for Debt

In auditing debt, the assertions that concern me the most are classification, completeness, and obligation. So my risk of material misstatement for these assertions is usually moderate to high. 

Auditing Debt

My response to the higher risk assessments is to perform certain substantive procedures: namely, a review of debt covenant compliance and a review of debt and lease agreements—and the related accounting. Why?

As we saw above, debt covenant violations may require the company to reclassify debt from noncurrent to current. Doing so can be significant. The loan could be called by the lender, depending on the loan agreement. So, proper classification of debt can be critical. 

Also, some leases should be recorded as debt. If such leases are not recorded, the company looks healthier than it is. Our audit should include procedures that address the completeness of debt and the obligations of the company.

Once your risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Debt

My customary tests for auditing debt are as follows:

  1. Summarize and test debt covenants
  2. Review new leases to determine if debt should be recorded
  3. Confirm all significant debt with lenders
  4. Determine if all debt is classified appropriately (as current or noncurrent)
  5. Agree the end-of-period balances in the general ledger to the amortization schedules
  6. Agree future debt service payment summaries to amortization schedules 
  7. Review accruals of any significant interest 
  8. Review interest expense (usually comparing current and prior year interest)

In light of my risk assessment and substantive procedures, what debt work papers do I normally include in my audit files?

Common Debt Work Papers

My debt work papers normally include the following:

  • An understanding of debt-related internal controls 
  • Documentation of any internal control deficiencies related to debt
  • Risk assessment of debt at the assertion level
  • Debt audit program
  • A copy of all significant debt agreements (including lease and line-of-credit agreements)
  • Minutes reflecting the approval of new debt
  • A summary of debt activity (beginning balance plus new debt minus principal payments and ending balance)
  • Amortization schedules for each debt
  • Summary of all debt information for disclosure purposes (e.g., future debt service to be paid, interest rates, types of debt, collateral, etc.) 

If there are questions regarding debt agreements and their presentation, I include additional language in the representation letter to address the issues. For example, if an owner loans funds to the company but there is no written  debt agreement, the owner or management might verbally explain the arrangement. In such cases, I include language in the management representation letter to cover the verbal responses.

In Summary

In this article we’ve looked at the keys to auditing debt. Those keys include risk assessment procedures, determining relevant assertions, creating risk assessments, and developing substantive procedures. The most important issues to address are usually (1) the classification of debt (especially if debt covenant violations exist) and (2) lease accounting.

To understand the new lease standard (ASC 842) from the lessee’s perspective, see my lease article: Account for Finance and Operating Leases

Next we’ll look at how to audit equity.


1 2 3 10
>