Do you ever struggle with audit walkthroughs? Maybe you’re not sure what areas to review or how extensive your documentation should be. Possibly you’re not even sure how walkthroughs are helpful.
I hear some auditors protest that professional standards don’t require walkthroughs. Right, but we have an obligation to annually corroborate the existence and use of controls, and I know of no better way to achieve this goal than walkthroughs.
What are Walkthroughs?
Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of the genesis of the transaction and then of each movement through the accounting system.
As we perform the walkthrough, we also:
- Make inquiries
- Inspect documents
- Make observations
By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors and fraud to occur. And audit standards do not permit the use of inquiries alone. Observations or inspections must occur.
Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. For more information, see my related post.
Why Audit Walkthroughs?
Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk—it’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated and too important. So there’s no getting around it. The walkthrough—or something like it—must be done, especially if you are a mid- to upper-level auditor. Why? You’re developing your audit plan. Screw up the plan, and you screw up the audit.
What is the purpose of the walkthrough? Identification of risk. Once you know the risks, you know where to audit.
Too often auditors do the same as last year (SALY). And why do we do this?
First, it requires no thinking.
Second, out of fear. We think, “if the audit plan was appropriate last year, why would it not be this year?” In short, we believe it’s safe. After all, the engagement partner developed this approach seven years ago. But is it safe?
Why SALY is Dangerous
Suppose the accounts payable clerk realizes he can create fictitious vendors without notice, and his scheme allows him to steal over $10 million over a four-year period.
The audit firm has performed the engagement year after year using the same approach. On the planning side, the fraud inquiry and internal control documentation look the same. Walkthroughs have not been performed in the last five years.
On the substantive side, the auditor ties the payables detail to the trial balance. He conducts a search for unrecorded liabilities. He inquires about other potential liabilities. All, as he has done for years. Even so, in this year alone, the payables clerk walks away with $3 million—and the audit firm doesn’t know it.
Processes matter. And—for the auditor—understanding those processes is imperative.
I will say it again: we are looking for risk. Our audit opinion says that we examine the company’s internal controls to plan the audit. The opinion goes on to say that this review of controls is not performed to opine on the accounting system. So we are not testing to render an opinion on controls, but we are probing the accounting processes to identify weaknesses. And once we know where risks lie, we can focus on those areas.
Check Your Work Papers for Audit Walkthroughs
Pick an audit file or two and review your internal control documentation. Have you corroborated your understanding of the controls by inquiring, inspecting, and observing the significant transaction cycles? Again, walkthroughs are not technically required, but the corroboration of controls is. The walkthrough process is an effective way to achieve this objective.