How to Review Financial Statements Efficiently and Effectively

Tips to quickly review financial statements and to ensure effectiveness

Most CPA firms create financial statements for their clients. This blog post tells you how to create and review financial statements efficiently and effectively.

Review Financial Statements

Picture is courtesy of

How to Create Financial Statements

First, staff members create the original financial statements. Where possible, electronically link the trial balance to the financial statements. Doing so will expedite the financial statement process and enhance the integrity of the numbers. Ask the staff member to do the following:

  • Prepare the initial draft of the statements
  • Create clear disclosures
  • Complete a current financial statement disclosure checklist 
  • Research any nonstandard opinion or report language (place sample reports from PPC or other sources in the file) — later the partner will compare this supporting document to the opinion or report
  • Research any additional reports (e.g., Yellow Book, Single Audit); place copy of such reports in the file — the partner or manager will have such reports available for their review
  • The staff person should review the partner’s planning document to see if any new standards are to be incorporated into this to year’s financial statements

How to Proof the Financial Statements

Second, proof your financial statements. The proofer usually does the following before the partner or managers’ review:

  • Add (foot the numbers for) all statements, notes, schedules
  • Tick and tie numbers such as:
    • Total assets equal total liabilities and equity
    • Ending cash on the cash flow statement agrees with the balance sheet
    • Net income on the income statement agrees with the beginning number of an indirect method cash flow statement
    • Numbers in the notes agree with the financial statements
    • Numbers in the supplementary schedules agree with the financial statements
  • Review financial statements for compliance with firm formatting standard 
  • Read financial statements for appropriate grammar and punctuation (consider using Grammarly)
  • Compare the table of contents to all pages in the report
  • Review page numbers

Partner or Manager Review

Finally, the partner or manager reviews the financial statements. Having the proofer do their part will minimize the review time for this final-stage review.

Here are tips for the final review:

  • Scan the complete set of financials to get a general feel for the composition of the report (e.g., Yellow Book report, supplementary information, the industry, etc.) — this is a cursory review taking three or four seconds per page
  • Read the beginning part of the summary of significant accounting policies taking note of the reporting framework (e.g., GAAP), type of entity (e.g., nonprofit), and whether the statements are consolidated or combined — doing so early provides context for the remaining review of the financials
  • Read the opinion or report noting any nonstandard language (e.g., going concern paragraph)
    • Agree named financial statement titles in the opinion or report to the financial statements
    • Agree the dates (e.g., year-end) in the opinion or report and compare to the statements
    • Compare supporting sample report (as provided by your staff member and noted above) to the opinion or report
    • Compare representation letter date to the opinion or review report date
  • Review the balance sheet making mental notes of line items that should have related notes (retain those thoughts for review of the notes)
  • Review the income statement
  • Review the statement of changes in equity (if applicable)
  • Review the cash flow statement
  • Review the notes (making mental notes regarding sensitive or important disclosures so you can later see if the communication with those charged with governance appropriately contains references to these notes)
  • Return to the balance sheet to see if there are additional disclosures needed (since you just read the notes, you will be more aware of omissions — e.g., intangibles are not disclosed)
  • Review supplementary information (and related opinion for this information if applicable)
  • Review other reports such as Yellow Book and Single Audit (the staff member preparing the financial statements should have placed supporting examples in the file; refer to the examples as necessary)
  • If the review is performed with a printed copy of the statements, use yellow highlighter to mark reviewed sections and numbers
  • If the review is done on paper, pencil in corrections and provide corrected pages to the staff member for amendments to be made
  • If the review is performed on the computer, take screenshots of pages needing corrections and provide to the staff member
  • Alternatively, make corrections using Track Changes if the financial statements are in a Word document; these changes will appear in a different color so you can visually see what was changed; Word also provides a different color for each person who makes a change, so you can see who changed what

Last Step

Destroy all drafts–or at a minimum, don’t leave them in the file. Once the financial statements are complete, there is no reason to retain drafts.

Your Suggestions

What other review procedures do you use?

AICPA Code of Professional Conduct: Answers to Your Ethical Questions

Check out this post for two helpful AICPA resources

Are you a CPA looking for answers to independence or other ethical questions? Below, you’ll see two handy AICPA resources:

  • AICPA Code of Professional Conduct
  • Plain English Guide to Independence
AICPA Code of Conduct

Picture from

AICPA Code of Professional Conduct

The AICPA provides online access to the Code of Conduct. You can also download a PDF copy here (this PDF covers all standards issued through August 31, 2016).

Online access is free, and users are able to save searches and bookmark content.

The Code is organized into three parts:

  1. Public practice
  2. Members in Business
  3. All other members (including those who are in between jobs or retired)

The Code includes a threats and safeguards framework. CPAs should identify threats and then consider safeguards to mitigate those threats. The CPAs can proceed with the engagement if threats–after considering safeguards–are at an acceptance level.

Plain English Guide to Independence

As the Quality Control partner for our firm, I receive quite a few questions about ethical issues (mainly about independence). Nine out of ten times I find the answers to those questions in the AICPA’s Plain English Guide to Independence. I download this guide and keep it handy. When I need to research an issue, I open the document and perform word searches. If you aren’t already using this resource, I highly recommend it. 

How to Report Debt Covenant Violations

Violations may require debt to be shown as current

How does a debt covenant violation affect the presentation of debt on a balance sheet?

If a debt covenant violation occurs, the debt should be classified as current unless the lender provides a waiver for at least one year from the balance sheet date or the debtor is able to cure the violation subsequent to the balance sheet date but before the issuance date (or date available for issuance) of the financial statements.

Some loans provide for a grace period. If the violation is cured during the grace period, the debt–other than current maturities–will be reported as as long-term. Also if the cure has not already occurred but the company demonstrates it is probable that it (the cure) will occur within the grace period, then, again, the debt will be reported as long-term.

report debt covenant violations

Picture is courtesy of

The Main Consideration

The main consideration in classifying long-term debt is whether the amount is due or callable within one year of the balance sheet date. (By definition, a liability is current when due within one year of the balance sheet date.) If due or callable within the year subsequent to the period-end, the amount generally should be reported as current. (One exception: when it is probable the cure will occur within the grace period.) If a debt covenant violation is timely cured, then the debt is no longer callable and will, therefore, remain long-term. The same is true if the creditor provides a waiver that extends one year beyond the balance sheet date.

Note–Even minor violations of debt agreements may allow the creditor to call a loan.

FASB Codification Guidance

470-10-45 of the FASB Codification provides the following guidance:

Some long-term loans require compliance with quarterly or semiannual covenants that must be met on a quarterly or semiannual basis. If a covenant violation occurs that would otherwise give the lender the right to call the debt, a lender may waive its call right arising from the current violation for a period greater than one year while retaining future covenant requirements. Unless facts and circumstances indicate otherwise, the borrower shall classify the obligation as noncurrent, unless both of the following conditions exist:

a. A covenant violation that gives the lender the right to call the debt has occurred at the balance sheet date or would have occurred absent a loan modification.
b. It is probable that the borrower will not be able to cure the default (comply with the covenant) at measurement dates that are within the next 12 months.

Is Disclosure Required if a Waiver is Obtained?

If the company obtains a waiver for one year from the balance sheet date, must the financials disclose this fact (that a waiver was obtained)?

The AICPA answers this question–in Q&A section 3200 (paragraph 17)–with the following:

The authoritative literature applicable to nonpublic entities does not address disclosure of debt covenant violations existing at the balance-sheet date that have been waived by the creditor for a stated period of time. Nevertheless, disclosure of the existing violation(s) and the waiver period should be considered* for reasons of adequate disclosure. If the covenant violation resulted from nonpayment of principal or interest on the debt, inability to maintain required financial ratios, or other such financial covenants, that information may be vital to users of the financial statements even though the debt is not callable.

*Emphasis added by CPA-Scribo

Translation: It is wise to disclose the debt covenant violation and the existence of the waiver.

FASB’s Current Work on a New Standard

On January 10, 2017, the FASB issued the Exposure Draft, Debt (Topic 470): Simplifying the Classification of Debt in a Classified Balance Sheet (Current versus Noncurrent). Click here for more information.

Wire Transfer Theft: How to Prevent It

How to steal $6.9 million in less than an hour

In one of the easiest thefts I’ve read about, a nonprofit administrative officer wired $6.9 million from an Ohio bank account to another account in Austria. The wire transfer originated with the fax of a letter (which took less than an hour to create). Since the officer was authorized to make wire transfers, no one at the bank questioned the transaction–until it was too late. The fraudster landed in Austria, called his wife and said, “I’m not coming home.” Interestingly, the wife called the police and turned her husband in; he later came back to the states of his own volition (after his wife gave him an earful). He went to jail. I guess, after a few boat rides down the Danube, he missed his family.

Preventing wire transfer theft

Picture from

Wire Transfer Theft is Easy

It’s easy for an accounting clerk (or other authorized company official) to wire funds and to cover their tracks with a journal entry – too easy in many cases. If a company  accountant or official has the ability to (1) wire funds by himself and (2) make journal entries without a second-person review, then the organization has left the fraud door wide open. Such a situation is not uncommon in small businesses, nonprofits and governments.

As you think about wire transfers, consider that they can be originated with a fax, a phone call, a personal visit to the bank, or a computer. Determine how your bank handles wire transfers and craft your internal controls based on those dynamics.

Wire Transfer Internal Controls

Organizations should do the following to mitigate wire transfer fraud:

  1. Require the bank to limit daily wire transfer amounts (e.g., $25,000 per day for each employee)
  2. Require two persons to consummate all wire transfers to external parties (the most important control in my opinion)
  3. If the wire transfer request is by phone or by fax, require the bank to call your organization back before the wire transfer is consummated
  4. The bank should require the use of unique passwords to access wire-transfer software; consider using a bank that provides bank token keys (small hand-held devices that generate unique identification numbers; these numbers are keyed into the bank software as a part of the transfer request)
  5. Restrict the bank accounts from which a wire transfer can be made (the organization may want to limit external wire transfers to just one bank account)
  6. Restrict certain bank accounts so that wire transfers can only be made to other bank accounts of the organization (e.g., transfer from operating bank account to payroll bank account)
  7. Have someone peruse the daily bank account activity (using online access); at a minimum, reconcile bank statements in a timely fashion (large organizations should consider reconciling bank accounts more frequently than once a month; some reconcile daily)
  8. Require sufficient documentation for all wire transfer journal entries; require a second-person review of these journal entries
  9. Consider using a dedicated computer for all wire transfers; do not use this computer for any other purpose (malware is often picked up by computers as they visit Internet websites)
  10. Use all bank-provided wire transfer controls
  11. Any transactions over a certain high dollar amount (e.g., $50,000) must have the approval of the business owner/CEO

Use Fraud Prevention Controls Offered by Banks

Not using controls offered by banks may make your organization liable should funds be stolen by hackers. One company sued its bank when hackers took $440,000 from its bank account with a wire transfer; the judge ruled against the company because it had opted out of control procedures offered by the bank. Also make sure your company uses appropriate firewall and antivirus protection.

Closing Words

If one person can make external wire transfers and journal entries to record those transactions, you have the makings of wire fraud–soon you may see that employee on Facebook, riding down the old Danube.

Video from Gary Zeune

You can see a news video about the nonprofit fraud mentioned above at Gary Zeune’s website: The Pros and The Cons. (If you have not heard Gary speak about fraud, you should do so. He does a great job.)

Assessing Audit Control Risk at High (and Saving Time)

Assessing control risk at high is often an efficiency decision

At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.

So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.

We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).

assess control risk

Picture is from

Assessing Control Risk at High

First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then we can assess control risk (CR) at whatever level we desire (if CR is below high, then controls must be tested to support the lower risk assessment).

The Efficiency Decision

At this point, our assessment of control risk becomes a question of efficiency. We can:

  1. Assess control risk at high and not perform additional tests of controls, or
  2. Assess control risk at low to moderate and test the operating effectiveness of controls

The salient question is, “Which option is most efficient?”

Risk Assessment Procedures

Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. They don’t, however, tell us if the controls are consistently working.

Testing Controls

AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).

A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.

Back to the Efficiency Issue


To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.

If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).

For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.

Reducing Substantive Tests (Without Testing Controls)

Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?


If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)

For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:

 IR         CR         RMM            Audit Approach
Low X High = Moderate              Basic

This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).

In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.

This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.

Why Assessing Control Risk at High is (Often) More Efficient


I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.

What are your thoughts about assessing control risk?

Yellow Book Independence: When Should You Apply Safeguards?

Safeguards are to be applied when significant independence threats are present

When I was a kid living in Donalsonville, Georgia, my mother would drive into our open garage, leave the keys in the ignition (where they remained for the evening), and then would walk into our home (which had not been locked all day).

Over time, I noticed that she left the keys in the car less and less, and we began to lock the doors of our home. At one point we even bought deadlocks.


It seems our neighbors were, from time to time, having small thefts, and one even had a burglar in the home as they returned one afternoon.

My parents were responding to risks. The greater the thefts and burglaries, the greater the safeguards.

Safeguards Required by Yellow Book

Whenever an external auditor performs nonattest services (e.g., preparation of financial statements), then the auditor should consider whether the nonattest service adversely affects his independence.

The Government Auditing Standards (known as the Yellow Book) requires that safeguards be applied whenever independence threats are significant – but only if they are significant – in order to eliminate or reduce such threats to an acceptable level.

Yellow Book Independence Safeguards

Yellow Book Independence Safeguards

Examples of safeguards that may eliminate or reduce significant threats to an acceptable level include the following:

  • Discussing independence issues with those charged with governance of the entity
  • Assigning separate engagement personnel for the audit and nonaudit service
  • Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team (e.g., second partner review of financial statements prepared by the external audit firm)
  • Discussing the significance of the threats to management participation or self-review with the engagement team and emphasizing the risks associated with such threats
  • Educating management on the nonaudit services performed by reviewing and explaining the reason and basis for all significant transactions, as well as authoritative standards, so that management is in a position to determine or approve all assumptions and judgments and take responsibility for the nonaudit services
  • When financial statement preparation is the nonaudit service being performed, determining that there has been review of the financial statements and successful completion of a disclosure checklist by the audited entity

Not all safeguards listed would be appropriate for all significant threats identified and, often, may require combinations of more than one safeguard. When determining the type and number of safeguards to be applied, the auditor should consider the significance of the threats, both individually and in the aggregate.

Some safeguards have a higher level of mitigation of threats than others. Also safeguards that involve personnel who are independent of the audit process are generally more effective than those who are not independent.

Determining which safeguards to apply involves professional judgment and is dependent on the facts and circumstances of each specific situation.

Prohibited Services

Finally remember that safeguards cannot be used to ameliorate risk related to prohibited services (e.g., the external audit firm signs checks for the client); if the external auditor performs prohibited services, then safeguards cannot remedy the lack of independence. Examples of prohibited services follow:

  • Setting policies and the strategic direction for the audited entity
  • Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities
  • Having custody of an audited entity’s assets
  • Accepting responsibility for designing, implementing, or maintaining internal control

Preparing Financial Statements 

 If you are an external auditor that also prepares the client’s financial statements (a nonattest service), see my post concerning Yellow Book independence.

Consulting or Agreed Upon Procedures Engagement: Which is Best?

Which should I use? Consulting or AUP

Consulting or agreed upon procedures–which should a CPA use?

Consulting or agreed upon procedures

Picture from

I am often asked, “should this be an agreed-upon-procedures (AUP) engagement or a consulting engagement?” (The question usually comes just after a client says, “I don’t need an audit. They cost too much.”)

So what’s the difference in an AUP and a consulting engagement?

Agreed Upon Procedures Engagement

The AUP option is more precise and is mainly composed of:

  1. Procedures
  2. Findings

An example follows:

Procedure – Agreed all January 2012 disbursements greater than $20,000 to checks that cleared the bank statement; compared the payee on each check to the payee per the check register.

Finding – All check payees agreed with the exception of check # 2394 for $45,000; the payee for this check was I. Cheatum,  and the check register reflected a payment to King’s Supply Company.

Consulting Engagement

A consulting engagement–based on the AICPA Consulting Standards–is less precise and does not necessarily need to follow the procedure-finding format. There are no specific reporting standards for a consulting engagement, so a CPA can more easily design the engagement to meet various needs. The consulting standards are more flexible than the attestation standards (and the requirements for agreed-upon-procedures engagements).

A consulting report might address the following:

  1. Reading of minutes
  2. Interviews of individual employees
  3. Flowcharting of internal controls
  4. Summary of production statistics
  5. Narrative of business goals and enterprise risks

As you can tell, there are no procedures and findings.

Which is Best?

It all depends on the purpose of the report. Consider the following:

  1. Will there be external parties (e.g. creditors) placing reliance on the report?
  2. Is the purpose of the report to add credibility to the information (by having the CPA attest to procedures and findings)?

If the answer to these questions is yes, then use the AUP option.

If there is no third party relying on the information, then a consulting engagement may be better. But always ask, “Who will receive the report?” The CPA needs to know who will read and potentially place reliance upon the report.

AUP Procedures (Not Appropriate and Appropriate)

The key consideration in performing an AUP is specificity.

Procedures that would not be appropriate include:

  • General review of inventory internal controls
  • Reading the minutes
  • Testing accounts payable

Procedures that would be appropriate include:

  • Examine every fifth journal entry in the month of May 2017 to determine if each is signed by the CFO.
  • Agree each balance on the May 2017 balance sheet to the general ledger.

Clarified AUP Guidance

For the new AICPA AUP guidance (including sample reports), click here. These standards are effective for reports dated on or after May 1, 2017.

The AICPA Consulting Standards: Another Arrow in Your Quiver

Many CPAs don't know that these standards exist, but they can be quite helpful

I find that many CPAs aren’t aware of the AICPA Consulting Standards. So, here’s a post about them.

Are you ever asked to perform an atypical engagement (e.g., creating a schedule of water losses for a city)–and then you wonder “what professional standards should I follow?”

Audit standards? No, you’re not opining on anything.

Maybe the compilation and review standards? No, a schedule is not a financial statement.

How about agreed upon procedures? Well, no again–AUPs normally include tests and conclusions.

We need another arrow in our quiver!

AICPA Consulting Standards

Picture from

Most CPAs are familiar with compilation and review standards (Statement on Standards for Accounting and Review Services – SSARS) and audit standards (Statement on Auditing Standards – SAS) and even attestation standards (Statement on Standards for Attestation Engagements – SSAEs – commonly used for agreed upon procedures), but many are not familiar with the consulting standards (Statement on Standards for Consulting Services – SSCS).


I’m not really sure. But I seldom see consulting standard CPE classes. Yet many services are subject to this guidance.

AICPA Consulting Standards Primer

You might call the AICPA Consulting Standards the CPA’s swiss army knife.

AICPA Consulting Standards

What services fall under the consulting standards?

The consulting standards specifically address six areas:

  1. Consultations – e.g., reviewing a business plan
  2. Advisory services – e.g., assistance with strategic planning
  3. Implementation services – e.g., assistance with a merger
  4. Transaction services – e.g., litigation services
  5. Staff and other support services – e.g., controllership services
  6. Product services – e.g., providing packaged training services

CPAs often provide consulting services such as the following:

  • Consultations with regard to complex transactions
  • Fraud investigation services
  • Internal control services
  • Bankruptcy services
  • Divorce settlement services
  • Controllership services
  • Business plan preparation
  • Cash management
  • Software selection
  • Business disposition planning

When can I use the consulting standards?

Usually when the information will not be provided to a third party.

When performing work under the consulting standards, you are not attesting (providing comfort) on the work performed. Usually, you need to follow the SASs, SSARS, or SSAEs if you are attesting (providing comfort to an outside party).

Characteristics of a Consulting Engagement

  • Generally nonrecurring
  • Requires a CPA with specialized knowledge and skills
  • More interaction with client
  • Generally performed for the client (usually, no third party sees the information)

Consulting Work Paper Requirements

Consulting work paper requirements are minimal. Nevertheless, documentation is always wise.

The understanding with the client can be oral or in writing (I recommend the latter).

The consulting standards do not require the CPA to prepare work papers, but you should do so anyway – the work papers are the link between your work and your report. Also the general standards of the profession, contained in the AICPA Code of Professional Conduct, apply to all services performed by members. The general standards state:

Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.

Consulting Reports

The report content and format are up to you and your client.

No Opinion or Accountant’s Report

For consulting engagements, the CPA does not issue an opinion or any other attestation report (e.g., accountant’s report on agreed-upon procedures ).

Subject to Peer Review?

Are products created using the Consulting Standards subject to peer review? No.

Where Can I Find the AICPA Consulting Standards?

You can see the consulting standards here.

Photos above are courtesy of

Auditing Payroll: The Why and How Guide

Here's an overview of how to audit payroll and related accounts

What are the keys to auditing payroll correctly? While payroll is often seen as a low-risk audit area, it’s a place where considerable damages can occur (such as the $800,000 theft I witnessed last year). Today, we’ll answer questions such as, “how should I test payroll?” and “when should I perform fraud-related payroll procedures?” 

auditing payroll

Picture from

Auditing Payroll — An Overview

In many governments, nonprofits, and small businesses payroll exceeds fifty percent of total expenses. Consequently, it is often a significant transaction area. 

In this post, we will cover the following:

  • Primary payroll assertions
  • Payroll walkthroughs
  • Directional risk for payroll
  • Primary risks for payroll
  • Common payroll control deficiencies
  • Risk of material misstatement for payroll
  • Substantive procedures for payroll
  • Common payroll work papers

Should You Perform Audit Walkthroughs Annually?

Post 4 - Corroborating your understanding of controls

Audit walkthroughs, sometimes referred to as “cradle to grave” reviews of transaction cycles, are performed for significant transaction cycles and should be performed early in the audit process. The auditor starts at the beginning of a transaction cycle and walks a transaction completely through the accounting system while observing controls. Why? To see if controls exist and are in use–and ultimately, to identify risks.

audit walkthroughs

Picture from

Are Internal Control Walkthroughs Required?

How often is the auditor required to perform a walkthrough?

Answer: Once per year, if this is how you corroborate your understanding of the cycle. Walkthroughs are not required, but you do need to verify your understanding of the accounting system and related controls–and I can think of no better way.

Recently, I was asked, “If a walkthrough is not used, what else can I do?” While questionnaires can be used, there is a risk that key internal controls will be missed. What if the questionnaire doesn’t address a critical piece of the control structure? Walking a transaction through the accounting system and reviewing related controls ensures a full understanding.

AICPA Guidance Concerning Annual Walkthroughs

TIS Section 8200.12, as issued by the AICPA, states the following:

Inquiry—AU section 314 (now AU-C 315) requires the auditor to obtain an understanding of internal control. An auditor might perform walkthroughs to confirm his or her understanding of internal control. If the auditor decides to use walkthroughs to confirm his or her understanding of internal control, how often do walkthroughs need to occur?

Reply—In accordance with AU Section 314 (now AU-C 315), the auditor is required to obtain an understanding of internal control to evaluate the design of controls and to determine whether they have been implemented. To do that, performing a walkthrough would be a good practice. Accordingly, auditors might perform a walkthrough of significant accounting cycles every year [emphasis added].

Controls Documented in Prior Period

In some situations, AU-C section 315 allows the auditor to rely on audit evidence obtained in prior periods. In those situations, the auditor is required to perform audit procedures to establish the continued relevance of the audit evidence obtained in prior periods (for example, by performing a walkthrough). So, an auditor might perform walkthroughs every year to update his or her understanding. (I know the TIS says “might,” but it does appear the AICPA encourages annual walkthroughs.)

Summary Thoughts

Remember, a walkthrough is a risk assessment procedure. As such, it should be performed early in the audit–not as we are finalizing the work paper file. Identify risks and then create audit steps to respond.

Too many auditors see walkthroughs as “something we do because we have to,” rather than as procedures that inform the audit process. That’s why some auditors document walkthroughs at the end of the audit. 

Audits should be performed in the following order:

  1. Identify risk
  2. Assess risk
  3. Create an audit plan
  4. Execute the audit plan
  5. If necessary, revise the risk assessment and audit plan (if new risks are identified during step 4.)

Walkthroughs should be performed in step 1., not after step 4.

See my prior walkthrough posts:

Post 1 – Why Should Auditors Perform Audit Walkthroughs?

Post 2 – How to Identify Risks of Material Misstatements with Audit Walkthroughs

Post 3 – How to Document Audit Walkthroughs