Assessing Audit Control Risk at High (and Saving Time)

Assessing control risk at high is often an efficiency decision

At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.

So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.

We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).

Assessing Control Risk at High

First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then we can assess control risk (CR) at whatever level we desire (if CR is below high, then controls must be tested to support the lower risk assessment).

The Efficiency Decision

At this point, our assessment of control risk becomes a question of efficiency. We can:

  1. Assess control risk at high and not perform additional tests of controls, or
  2. Assess control risk at low to moderate and test the operating effectiveness of controls

The salient question is, “Which option is most efficient?”

Risk Assessment Procedures

Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. It doesn’t, however, tell us if the controls are consistently working.

Testing Controls

AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).

A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.

Back to the Efficiency Issue

To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.

If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).

For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.

Reducing Substantive Tests (Without Testing Controls)

Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?

Yes.

If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)

For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:

IR       CR       RMM        Audit Approach
Low   X  High  =  Moderate   Basic

This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).

In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.

This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.

Conclusion

I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.

What are your thoughts about assessing control risk?

The Why and How of Audit Risk Assessment

Post 2 - The Why and How of Auditing

Are auditors who see audit risk assessment as a waste of time leaving money on the table? Could this be a cause of lower profit realizations?

Audit Risk Assessment as a Friend

Audit risk assessment can be our best friend, particularly if we desire efficiency, effectiveness, and profit—and who doesn’t? This step, when properly performed, tells us what to do—and what can be omitted. In other words, risk assessment is the doorway to maximum impact with minimal effort.

So, why do some auditors avoid audit risk assessment? Here are two reasons:

  1. We don’t understand it
  2. We’d rather continue doing what we’ve always done

Too often auditors keep doing the same as last year (commonly referred to as SALY), no matter what. It’s more comfortable than using risk assessment. But what if SALY is faulty or inefficient? Or what if the “tried and true” has blind spots? Maybe it’s better to assess risk annually and to plan our work based on present conditions.

Working Backward

The old maxim “Plan your work, work your plan” is true in audits. Audits—according to standards—should flow as follows:

  1. Determine the risks of material misstatements (plan our work)
  2. Develop a plan to address those risks (plan our work)
  3. Perform substantive procedures (work our plan)
  4. Issue an opinion (the result of planning our work and working our plan)

Auditors sometimes go directly to step 3. and use the prior year audit programs to satisfy step 2. Later, before the opinion is issued, the documentation for step 1. is created “because we have to.” In other words, we work backward. So, how can we work appropriately?

A Better Way

Audit standards—in the risk assessment process—call us to do the following:

  1. Understand the entity and its environment
  2. Understand the transaction level controls
  3. Use planning analytics to identify risk
  4. Perform fraud risk analysis
  5. Assess risk

While we may not complete these steps in order, we do need to perform our risk assessment first (1.-4.) and then assess risk as a result. Okay, so what procedures should we use to carry out the risk assessment process?

Audit Risk Assessment Procedures

AU-C 315.06 states:

The risk assessment procedures should include the following:

a.    Inquiries of management, appropriate individuals within the internal audit function (if such function exists), others within the entity who, in the auditor’s professional judgment, may have information that is likely to assist in identifying risks of material misstatement due to fraud or error

b.    Analytical procedures

c.    Observation and inspection

I like to think of risk assessment procedures as tools, all used to sift through information and aid in the identification of risk.

Just as a good detective uses fingerprints, lab results, and photographs to paint a picture, we are doing the same. First, we need to understand the entity and its environment.

Understand the Entity and Its Environment

The audit standards require that we understand the entity and its environment.

I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk.

I want to know what the owners and management think and feel. The visceral is a flashing light saying, “Important!” Every business leader worries about something. And understanding the source of those worries illuminates risk.

Think of risks as threats to objectives. Your client’s fears tell you what the objectives and threats are. Worries shine the light on threats to objectives.

To understand the entity and its related threats, ask questions such as:

  • How is the industry faring?
  • Are there any new competitive pressures or opportunities?
  • Have key vendor relationships changed?
  • Can the company obtain necessary knowledge or products?
  • Are there pricing pressures?
  • How strong is the company’s cash flow?
  • Has the company met its debt obligations?
  • Is the company increasing in market share?
  • Who are your key personnel and why are they important?
  • What is the company’s strategy?
  • Do you have any related party transactions?

As with all risks, we respond based on their severity. The higher the risk, the greater the response. We’ll respond to risks at these levels:

  • Financial statement level
  • Transaction level

Responses to risk at the financial statement level are general, such as appointing more experienced staff for complex engagements. Specific responses to risk occur at the transaction level, such as a search for unrecorded liabilities.

Understand the Transaction Level Controls

We must do more than just understand transaction flows; we need to understand the related controls. So, as we perform walkthroughs or other risk assessment procedures, we gain an understanding of the transaction cycle, but—more importantly—we gain an understanding of controls. Without appropriate controls, the risk of material misstatement increases.

The use of walkthroughs is probably the best way to understand internal controls. As you perform your walkthroughs, you are asking questions such as:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives and opens bank statements? Does anyone have online access? Are cleared checks reviewed for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports and who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

Understanding the company’s controls illuminates risk. The company’s goal is to create financial statements without material misstatement. A lack of controls threatens this objective.

So, as we perform walkthroughs, we ask the payables clerk (for example) certain questions; and—as we do—we are also making observations about the segregation of duties. Also, we are inspecting certain documents such as purchase orders. This combination of inquiries, observations, and inspections allows us to understand where the risk of material misstatement is highest.

Another significant risk identification tool is the use of planning analytics.

Planning Analytics

Use planning analytics to shine the light on risks. How? I like to use:

  • Multiple-year comparisons of key numbers (at least three years, if possible)
  • Key ratios

In creating planning analytics, use management’s metrics. If certain numbers are important to the company, they should be to us (the auditors) as well—there’s a reason they are reviewing particular numbers so closely. (When you read the minutes, ask for a sample monthly financial report; then you’ll know what is most important to management and those charged with governance.)

Sometimes, unexplained variations in the numbers are evidence of fraud.

Fraud Risks

In every audit, inquire about the existence of theft. In performing walkthroughs, look for control weaknesses that might allow fraud to occur. Ask if any theft has occurred. If yes, how?

Also, we should plan procedures related to:

  • Management override of controls, and
  • The intentional overstatement of revenues

My next blog post—in this series—addresses fraud risk, so this is all I will say about theft for now. Sometimes the greater risk is not fraud but errors.

Same Old Errors

Have you ever noticed that some clients make the same mistakes—every year? They are usually smaller clients. In the risk assessment process, we are looking for the risk of material misstatement whether by intention (fraud) or by error (accident).

One way to identify potential misstatements due to error is to maintain a summary of the larger audit entries you’ve made over the last three years. If your client tends to make the same mistakes, you’ll know where to look for potential errors.

Now it’s time to pull all of the above information together.

Creating the Risk Picture

Once all of the risk assessment procedures are completed, we synthesize the disparate pieces of information into a composite image. We are—at this point—bringing the information into one distilled risk snapshot. What are we bringing together? Here are examples:

  • Control weaknesses
  • Unexpected variances in significant numbers
  • Entity risk characteristics (e.g., level of competition)
  • Large related-party transactions
  • Occurrences of theft

Armed with this risk picture, we can now create our audit strategy and audit plan (also called an audit program). We are focusing these plans on the areas where the risk of material misstatement is highest.

How can we determine where risk is highest? Use the risk of material misstatement (RMM) formula.

Assess the Risk of Material Misstatement

Understanding the RMM formula is key to identifying high-risk areas.

What is the RMM formula?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

Using the RMM formula, we are assessing risk at the assertion level. While audit standards don’t require a separate assessment of inherent risk and control risk, consider doing so anyway. I think it provides a better representation of your risk of material misstatement.

Once we have completed our risk assessment process, control risk can be assessed at high–simply as an efficiency decision.

The Input and Output

The inputs in audit planning include all of the above audit risk assessment procedures.

The outputs (sometimes called linkage) of the audit risk assessment process are:

  • Audit strategy
  • Audit plan (audit programs)

We tailor the strategy and plan according to the risk assessment.

In a nutshell, we identify risks and then respond to them.

Next in the Series

In my next post in this series, we’ll take a look at the why and how of fraud auditing. So, stay tuned. If you haven’t subscribed to my blog, consider doing so.

Ten Most Popular CPA Scribo Blog Posts for 2016

10 most shared posts during 2016

Well, 2016 is in the books for CPA Scribo.

Here are the top ten 2016 posts (starting with number 10 and moving to number 1)–based on your social shares.

Top 10 CPA Scribo Posts

10. Assessing Audit Control Risk at High (and Saving Time)

9. Getting More Done with My Favorite Accountant’s Device

8. How Honest People Steal

7. A List of Online Resources for CPAs

6. How to Add Value to Audits

5. How to Steal by Double Paying a Vendor

4. 25 Ways Fraud Happens

3. How $16 Million was Stolen from a Bakery

2. Seven Deadly Audit Sins

and drum roll…..

1.  Why Should Auditors Perform Audit Walkthroughs

Your Ideas for 2017

If you have an accounting or auditing idea that you’d like for me to address in 2017, please let me know–post a comment. Thanks.

Client Acceptance and Continuance: The Why and How

Post 1 - The Why and How of Auditing

Client acceptance and continuance may be the most important step in an audit, but it’s one that gets little attention. A prospective client calls saying, “Can you audit my company?” and we respond, “Sure.” While new business can be a good thing, relationships need appropriate vetting. Not doing so can lead to significant (and sometimes disastrous) problems.

New Relationships

My daughter recently met a young man on Instagram. Not unusual these days. But now the relationship is entering into its third month. They talk every day for two or three hours. So far, they have not been in the same room—and not even in the same city. Skype, yes. Physical presence, no. That’s happening at the end of this month. (He lives eight hours away.)

So what do Mom and Dad think about all of this? Well, it’s fine. My wife checked him out on Facebook (I know you’ve never done this). And my daughter has told us all about the “fella” and his family. We like what we’re hearing. He has similar beliefs. He has a job (Yay!), and he has graduated from college.  His family background is like ours.

Why do we want to know all the details about the young man? Because relationships impact people—my daughter, the young man, and their family members and friends. We want what is best for my daughter because we want her to be happy.

Client Acceptance 

And that’s what good relationships create. Happiness. The same is true with clients. As Stephen Covey said, “think win, win.” When the customer wins and your CPA firm wins, everyone is happy. Mutual needs are met.

Careless CPAs accept business with only one consideration: Can I get paid? 

While getting paid is important, other factors are also critical.

Here are a few things to consider:

  1. Are they ethical?
  2. Are you independent?
  3. Do you have the technical ability to serve them?
  4. Do you have the capacity to serve them?

Are They Ethical?

I want my daughter to marry a guy with beliefs that correspond with who she is. Is he honest? Would he steal? Is he transparent? Who are his associates? What do others think of him? 

We ask similar questions in accepting a new client. Audit standards require us to consider whether the prospective client has integrity. If the company is not morally straight, then there’s no need to move forward. 

Are You Independent?

The time to determine your firm’s independence is the beginning—not at the conclusion of the audit. As a peer reviewer, I can tell you that some firms don’t fully vet their independence. Consider what happens—during a peer review—when a firm is not independent, and it has issued an audit opinion. The original audit report will be recalled, and I’ll bet the company asks for and receives a full refund of the fee. Oh, and there’s that impact on the peer review report.

Pay attention to nonattest services—such as preparation of financial statements—that you are requested to provide. If the client has no one with sufficient skill, knowledge, and experience to accept responsibility for such services, you may not be independent. 

Do You Have the Technical Ability to Serve Them?

If you can pick up a client in an industry in which you have no experience, should you? Possibly, but it depends on whether you can appropriately understand the client and their industry before you conduct the engagement. Some new customers may not be complicated. In those cases, CPE may get you into position to provide the audit. 

But what if the potential engagement involves a highly sophisticated industry and related accounting standards for which you are ill equipped? It may be better to let the engagement go and refer it to an audit firm that has the requisite knowledge. Or maybe you can partner with the other firm. 

Do You Have the Capacity to Serve Them?

A prospective client calls saying, “Can you audit my company? We have a December 31 year-end, and we need the audit report by March 31.” After some discussion, I think the fee will be around $75,000. But my staff is already working sixty hours a week during this time of the year. Should I take the engagement? 

My answer would be no unless I can create the capacity. How? I can hire additional personnel or maybe I can contract with another firm to assist. If I can’t create additional capacity, then I’ll let the opportunity pass. 

Far too many firms accept work without sufficient capacity. When this happens, corners are cut, and staff members and partners suffer. Stuffing even more work into a stressful time of the year is not a wise thing to do. You’ll lose people, and if the engagement is deficient, peer review results may be subpar.

When you don’t have the capacity to accept good clients, consider whether you should discontinue service to some present customers.

The Continuance Decision

Quality control standards call for CPAs not only to develop acceptance procedures but also to create continuance protocols. I previously said CPAs often don’t give proper attention to acceptance procedures. So, how about continuance decisions? Even worse. It’s as though—once we accept a client—we permanently retain them.

Each year, we should ask, “If this was a new client opportunity, would I accept them?” If the answer is no, then why do we continue serving them? 

Here are a few questions to ponder:

  • Has the client paid their prior year fees? 
  • Am I still independent?
  • Does the client demand more from me than the fee merits?
  • Do I enjoy working with this client?
  • Is the client’s financial condition creating additional risks for my firm?
  • Is the client acting in an ethical manner?

Each year, well before the audit starts, ask yourself these questions. And then consider, is the bottom 10% of my book of business keeping me from accepting better clients? My experience has been that when I have the capacity, new business appears. When the capacity is lacking, it doesn’t. The decision to hold on to bad clients is a decision to close the door to better clients. Don’t be afraid to let go.

Risk Assessment Starts Now

When should we start thinking about risk assessment? Now.

Whether you are going through the initial acceptance procedures or you are making your continuance decision, start thinking about risk now. Assuming you accept the client, you’ll be a step ahead as you begin to develop your audit plan. Ask questions such as:

  • How is your cash flow?
  • Do you have any debt with covenants?
  • Who receives the financial statements?
  • Has the company experienced any fraud losses?
  • How experienced is management?
  • Why are you changing auditors?

Keep these notes for future reference and audit planning. 

Next Post in this Series

The above is the first post in “The Why and How of Auditing.” My next post will be “The Why and How of Risk Assessment.”  Subscribe to my blog to make sure you don’t miss anything.

How to Document Audit Walkthroughs

Part 3 - Documenting control weaknesses tells you where to audit

How do you document your audit walkthroughs? Is it better to use checklists, flowcharts or summarize narratively?

Audit Walkthrough Documentation

While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my personal favorite is narrative mixed with screen shots. So how do I do this?

I determine the people involved in a transaction flow and schedule interviews with them. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes require several interviews. 

Sometimes I don’t know how each person’s work fits into the whole, so it’s like gathering puzzle pieces—at this stage, I am reaching for bits of the picture. The interviews and information may feel random, even confusing. But when you put the pieces together, you will see the picture—and that’s what we’re after, understanding the accounting system and control environment.

The Interview

I document the conversations using:

  • A Livescribe pen
  • My iPhone camera

Taking Notes

Using a Livescribe pen, I write notes and record the conversations.

I begin the interview by saying, “Tell me what you do and how you do it. Treat me like I know nothing. I want to hear all the particulars.” 

As I listen, I write general notes. The Livescribe pen records the audio which syncs with my written notes. Later the conversation can be played from the pen—more in a moment about how I use this tool. 

I find that most interviewees talk too fast—at least faster than I can write. And as I’m writing their last comment, they are moving to the next (and I fall behind). So I write simple words in my Livescribe notebook such as:

  • Add vendor
  • Charlie opens mail
  • P.O. issued by Purchasing
  • Checks signed by the computer

Later as I’m typing the narrative into Word, I touch the letter “A” in “Add vendor” with the tip of my pen. The touching of the letter “A” causes the pen to play the audio for that part of the conversation. Likewise touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play the discussion at that point. Since the audio syncs with my written notes, I can hear any part of the discussion by touching a letter with my pen.  

And since Livescribe captures the audio, I jot down words—such as “Add vendor”—so I can later retrieve particular parts of the interview.  These short phrases are markers for the audio and an outline of the conversation.

Taking Pictures

In addition to writing notes in my Livescribe notebook, I also take pictures with my iPhone. What am I taking snapshots of? Here are examples (from a payables interview):

  • Invoice with approver’s initials  
  • Screenshot of an invoice entry  
  • If several people are processing invoices, I take a group picture of them at their desks
  • A signed check 
  • The bank reconciliation 

So my inputs into the walkthrough document are as follows:

  • Livescribe notes and audio
  • Photos of documents and persons 

I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:

  • Narrative
  • Pictures
  • Control identification
  • Control weakness identification

Why identify control deficiencies in the walkthrough? So I can link them to the audit procedures to be performed—what audit standards refer to as “further audit procedures.” The weaknesses tell me where to conduct substantive procedures.

Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So at the top of the transaction cycle description, I name the persons I interview and the date of the conversation. For example:

Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2016. 

Identification of Controls and Control Weaknesses

I note appropriate controls as follows: 

Control: The addition of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.

I note control weaknesses as follows:

Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account. 

Response to Risks

The control weaknesses created by Johnny Mann’s performance of critical disbursement procedures increase the risk of theft. My response? I establish audit procedures in my audit program to address the risk, such as:

  • Review one month’s cleared checks for propriety, examining the check signature and payee. 

How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate, particularly on those checks with Johnny’s signature.  

Communication of Control Weaknesses

Though this article focuses upon planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.

The bolded text (Control Weakness) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies in separate memos so I can track the disposition of each one. Ultimately each weakness is deemed a:

  1. Material weakness
  2. Significant deficiency, or
  3. Other weakness 

I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers). 

If you missed my first two walkthrough posts, see them here:

Why Should Auditors Perform Audit Walkthroughs?

How to Identify Risk of Material Misstatements with Walkthroughs

Why Should Auditors Perform Audit Walkthroughs?

Post 1 - Why are walkthroughs important and are they required?

Do you ever struggle with audit walkthroughs? Maybe you’re not sure what areas to review or how extensive your documentation should be. Possibly you’re not even sure how walkthroughs are helpful.

I hear some auditors protest that professional standards don’t require walkthroughs. Right, but we have an obligation to annually corroborate the existence and use of controls, and I know of no better way to achieve this goal than walkthroughs.

What are Walkthroughs?

Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of the genesis of the transaction and then each movement through the accounting system.

As we perform the walkthrough, we also:

  • Make inquiries
  • Inspect documents
  • Make observations

By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors and fraud to occur. And audit standards do not permit the use of inquiries alone. Observations or inspections must occur.

Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. For more information, see my related post.

Why Audit Walkthroughs?

Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk—it’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated and too important. So there’s no getting around it. The walkthrough—or something like it—must be done, especially if you are mid- to upper-level auditors. Why? You’re developing your audit plan. Screw up the plan, and you screw up the audit.

What is the purpose of the walkthrough? Identification of risk. Once you know the risks, you know where to audit.

Too often auditors do the same as last year (SALY). And why do we do this?

First, it requires no thinking.

Second, out of fear. We think, “if the audit plan was appropriate last year, why would it not be this year?” In short, we believe it’s safe. After all, the engagement partner developed this approach seven years ago. But is it safe?

Why SALY is Dangerous

Suppose the accounts payable clerk realizes he can create fictitious vendors without notice, and his scheme allows him to steal over $10 million over a four-year period.

The audit firm has performed the engagement year after year using the same approach. On the planning side, the fraud inquiry and internal control documentation look the same. Walkthroughs have not been performed in the last five years.

On the substantive side, the auditor ties the payables detail to the trial balance. He conducts a search for unrecorded liabilities. He inquires about other potential liabilities. All, as he has done for years. Even so, in this year alone, the payables clerk walks away with $3 million—and the audit firm doesn’t know it.

Processes matter. And—for the auditor—understanding those processes is imperative.

Why Walkthroughs?

I will say it again: we are looking for risk. Our audit opinion says that we examine the company’s internal controls to plan the audit. The opinion goes on to say that this review of controls is not performed to opine on the accounting system. So we are not testing to render an opinion on controls, but we are probing the accounting processes to identify weaknesses. And once we know where risks lie, we can focus in those areas.

Check Your Work Papers for Audit Walkthroughs

Pick an audit file or two and review your internal control documentation. Have you corroborated your understanding of the controls by inquiring, inspecting, and observing the significant transaction cycles? Again, walkthroughs are not technically required, but the corroboration of controls is. The walkthrough process is an effective way to achieve this objective.

Fraud Risk Assessments: How to Perform

A new fraud brainstorming idea guaranteed to generate better results

Do your fraud brainstorming sessions lack vigor? In this video, I provide an idea that will liven up your discussions and result in better identification of potential thefts. I also discuss auditors’ responsibilities with regard to fraud and–as you perform risk assessments–ways to score points with your clients.

To see my previous (written) post about how to perform fraud risk assessments, click here.

Risk of Material Misstatement: How to Assess

Part 5: Appropriate risk assessments can put dollars in your pocket and result in higher quality audits

How do you assess the risk of material misstatement? How do you know when to assess inherent risk at high (or low)? Can you assess control risk at high for all assertions? What are significant risks? These are common questions about the risk assessment process.

Today we’ll discuss how auditors assess and document risk. We’ll cover:

  • Financial statement level risk
  • Transaction level risk
  • Risk of material misstatement
  • Inherent risk
  • Control risk

Understanding these concepts will put money in your pocket and will result in higher quality audits.

Financial Statement Level Risk

Before picking our audit team, we need a general understanding of the entity.

We must understand the business and its control environment to determine risks at the financial statement level (I think of this as the overall risk). The overall risk will dictate our broader responses such as who the audit team will be.

Consider whether the entity has:

  • Complex transactions
  • Related party transactions
  • New accounting pronouncements
  • Profit pressures
  • Problem vendor relationships
  • Going concern issues
  • Potential debt covenant violations
  • Cash flow problems

We also need to consider the risk of management override. This threat is always a possibility. If management is playing on the edges, consider how you will add muscle and insight to your audit team—or whether you should even perform the engagement.

Keep this thought in mind when considering financial statement level risk assessment: greater overall threats call for a stronger audit team.

Transaction Level Risks

In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries, and planning analytics. The information gained from those steps is the basis for assessing risk at the transaction level.

Should the transaction risk assessment be performed at the assertion level or for the transaction cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be documented.

If we assess our risk of material misstatement at high for payables (as a whole), what are we saying? That further audit procedures are necessary for all assertions. If we assess risk at high for all payable assertions, and we don’t perform audit procedures in response to the (high) risk assessment, we create an incongruity. We are saying that risk is high for all assertions, but our responses don’t agree.

Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically proposed significant journal entries to record additional payables, maybe the risk of material misstatement for the completeness assertion is high. Our audit procedures will include a search for unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit standards refer to as linkage). The remaining accounts payable assertions could possibly be assessed at low.

Risk of Material Misstatement

We can express the risk of material misstatement (RMM) as:

RMM = Inherent Risk X Control Risk 

While audit standards don’t require that we assess inherent risk and control risk separately, it’s helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.

Inherent Risk

So what is inherent risk? My simple definition is the risk that exists when no controls are present. (We are not saying controls don’t exist, just that we are disregarding them as we measure inherent risk.) 

Inherent risk can be a function of:

  • The complexity of the transaction (e.g., derivatives are harder to understand)
  • The nature of the financial statement item (e.g., cash is liquid and subject to theft)
  • The experience and knowledge of the client’s accounting personnel
  • Past audit issues in the area
  • The volume of transactions

As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur assuming there are no related controls?”

Some areas are so risky that the audit standards refer to them as significant risks. These areas require special audit consideration. Significant risks relate to transactions that are complex, nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to complexity—demands extra scrutiny. The inherent risk in such areas will always be high.

Now, let’s marry inherent risk with control risk so we can determine our risk of material misstatement.

Control Risk

For audits of smaller entities, control risk is often assessed at high—across the board. Why? To save time. While control risk can’t be assessed at high before performing our risk assessment procedures, we can do so afterward.

Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures are still required.)

If control risk is assessed at less than high, the auditor is required to test controls to support the lower risk assessment. It may be more economical to perform substantive procedures rather than testing controls. We might, for example, be able to vouch all of the additions to property and equipment in less time than it takes to test the related controls. If this is true, we will opt to use a substantive approach (vouching all significant additions to invoices), and we will assess control risk at high.

Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is low—even if your control risk is high. How? Consider the following equation.

Risk of Material Misstatement Formula

IR (low) X CR (high) = RMM (low or moderate)

What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also, you may not need to perform any substantive procedures–depending on your final RMM for the area.

As an example of how this works, think about a low inherent risk assessment regarding plant, property, and equipment. 

  • What’s the inherent risk related to the existence of your client’s main office building? Low. 
  • If your client has no controls related to the existence of the building, would the lack of controls have any bearing on the overall RMM? No. 
  • Do you need to test any controls? No. 
  • Do you need to perform any substantive procedures? No.
  • Do you need any substantive audit steps (concerning the building) in your audit program? Probably not. The RMM is low, so you don’t need to do anything (other than document your risk assessment). 

Call to Action

Consider reviewing your risk assessments, and see if some of the inherent risk assessments will allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.

This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.

If you have suggestions for other posts, please leave a comment with your idea. Thanks.

How to Perform Fraud Risk Assessments

Part 3: An overview of the risk assessment process as it relates to fraud

No appreciable change has occurred in the detection of fraud since the issuance of SAS 99, Consideration of Fraud. Why? I fear the problem lies in how we as auditors use the risk assessment standards.

I still hear auditors say, “we are not responsible for fraud.” But are we not?

Without question, auditing standards require that we perform particular fraud risk assessment procedures. And we also know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option.

Why Auditors Don’t See Fraud Risk

Why do we not see fraud risks? Here are a few thoughts:

  • We don’t understand how fraud occurs, so we avoid it
  • We don’t know how to look for control weaknesses
  • We think our time is better spent in other areas (namely performing substantive procedures)
  • We still believe that a balance sheet approach to auditing is all we need

Signs of Weak Risk Assessments

So what are some signs of weak fraud risk assessments?

  • We ask just one or two questions about fraud
  • We limit our inquiries to as few people as possible (maybe even just one)
  • We discount the potential effects of fraud (even after a client tells us it has occurred)
  • We don’t perform walkthroughs
  • We don’t conduct brainstorming sessions
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files have vague responses to the brainstorming and risk assessment procedures (e.g., “no means for fraud to occur; see standard audit program”)

In effect, some auditors dismiss the fraud risk assessment process. And if we are not aware of fraud risks, we can’t adequately plan our responses. Put another way, if fraud risks are present, and we follow a standard audit program, are we responding to threats?

So how can we understand and respond to fraud risks? Here are a few thoughts.

Start with Potential Fraud Incentives

Fraud comes in two flavors:

  • Cooking the books (intentionally altering numbers)
  • Theft

Start your fraud risk assessment process by determining if there are any incentives to manipulate the financial statement numbers. Are there any bonuses or promotions based on profit or other metrics? Are there other potential motivations for playing with the numbers such as promotions? Cooking the books is more prominent in for-profit entities, but be aware that some nonprofits also offer incentives based on financial statement targets.

Internal control weaknesses are the doorway to theft. Next we’ll see how to find those defects in accounting systems.

Look for Fraud Opportunities

My go-to procedure in looking for fraud opportunities is to perform walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle and start at the beginning and follow the transaction to the end. Note who does what. Inspect the related documents.

Think of the accounting system as a story. Our job is to understand the narrative. As we (attempt to) describe the accounting system, we may find missing pieces. Sometimes we’ll need to go back and ask more questions to make the story flow from beginning to end.

The purpose of writing the storyline is to identify any “big, bad wolves.” The threats in our childhood stories were easy to recognize. Not so in the walkthroughs. It is only in connecting all the dots that the wolves materialize.

Our documentation of the walkthrough should be scalable. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more detail.

In documenting workflows for complex businesses, the old saying “How do you eat an elephant?” comes to mind. Break complicated systems into pieces and you will understand them.

Observation of Control Weaknesses

The auditing standards require that we use the following:

  • Inquiry
  • Observation
  • Inspection

Audit standards state that inquiry alone is not sufficient for performing the risk assessment process. So we must marry inquiry with either observation or inspection or inquiry with both observation and inspection. May I suggest that you do the latter? Take pictures of your observations (use your smartphone) and make copies of documents you inspect. I like to write my narrative and then insert images into the “story.” (Tip: You can insert pictures in a Word document by clicking “Insert,” and “Object.” Then browse to the picture you desire to add.)

Our walkthroughs can include:

  1. Narrative
  2. Images
  3. Highlights of control strengths and weaknesses

I summarize the internal control strengths and weaknesses within the narrative and usually highlight the wording. For example:

Control weakness: The accounts payable clerk (Judy Ware) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that vendor without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then–when I am done–I can use the identified fraud opportunities to create audit procedures that are responsive.
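The weakness described above (one person can both add vendors and print signed checks) can also be checked against an accounting system's access listing. The following Python sketch is an added example, not part of the original post; the users, role names, permission names, and the second conflict rule are constructed assumptions.

```python
"""Segregation-of-duties check over a role/permission listing (constructed data)."""

# Constructed sample access listing; role and permission names are hypothetical.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice.enter", "check.print_signed"},
    "vendor_admin": {"vendor.create", "vendor.edit"},
    "controller": {"payment.approve", "gl.post"},
    "purchasing": {"po.create"},
}

USER_ROLES = {
    "clerk_a": ["ap_clerk", "vendor_admin"],    # mirrors the weakness in the narrative
    "clerk_b": ["ap_clerk"],
    "manager_c": ["controller", "vendor_admin"],
    "buyer_d": ["purchasing"],
}

# Each rule lists permissions that no single person should hold together.
# The first rule is the conflict described in the post; the second is an assumption.
SOD_RULES = {
    "create vendor + print signed check": {"vendor.create", "check.print_signed"},
    "create vendor + approve payment": {"vendor.create", "payment.approve"},
}


def effective_permissions(user, user_roles, role_permissions):
    """Return {permission: [roles granting it]} for one user."""
    granted = {}
    for role in user_roles.get(user, []):
        for perm in role_permissions.get(role, set()):
            granted.setdefault(perm, []).append(role)
    return granted


def find_sod_conflicts(user_roles, role_permissions, rules):
    """Return one finding per (user, rule) where the user alone holds every permission."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_permissions(user, user_roles, role_permissions)
        for rule_name, required in sorted(rules.items()):
            if required.issubset(granted):
                # Record which roles combine to create the conflict, so the
                # remediation (remove a role, add a review) is obvious.
                roles = sorted({r for p in required for r in granted[p]})
                findings.append({"user": user, "rule": rule_name, "via_roles": roles})
    return findings


def as_workpaper_lines(findings):
    """Format findings in the 'Control weakness:' style used in the narrative."""
    return [
        f"Control weakness: {f['user']} can {f['rule']} "
        f"without anyone else's involvement (roles: {', '.join(f['via_roles'])})."
        for f in findings
    ]


if __name__ == "__main__":
    for line in as_workpaper_lines(find_sod_conflicts(USER_ROLES, ROLE_PERMISSIONS, SOD_RULES)):
        print(line)
```

A conflict that arises only from a combination of roles, as with clerk_a here, is easy to miss when each role is reviewed on its own, which is why the check works from each user's combined permissions.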

Fraud-Related Inquiries

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

If management has no method of identifying fraud, might this be an indicator of a control weakness? Yes. It is management’s responsibility to develop control systems to lessen the risk of fraud. It is the auditor’s responsibility to review the accounting system to see if it is designed and operating appropriately.

Notice that in these inquiries, we are asking not only whether fraud has occurred but also whether management has a prevention system in place, and whether management communicates these processes to those charged with governance.

Planning Analytics

Another risk assessment procedure is the use of planning analytics. As we compare prior year numbers with current year numbers or as we compare budgeted numbers with current, we may see red flags. You can also use ratios in your hunt for potential risks.

As you review the preliminary numbers, ask, “do these numbers make sense in light of current operations?”

The audit standards state that there is a rebuttable presumption that revenues are overstated. Why? Because many past frauds were carried out by managers intentionally overstating income numbers. In some cases, management posted false journal entries at year-end to inflate income. Then in the following period the entries were reversed.

Brainstorming and Planning Your Responses – My Next Post

Once you perform your risk assessment procedures, you are ready to brainstorm about how fraud will occur and then plan your audit responses. That’s the topic of our next post—so stay tuned. Subscribe to my blog (it’s free) to ensure that you see the next post (see below).

Consider reading this post again and think about how you use your audit forms to perform risk assessments. Understanding the process is 90% of the battle.

If you missed my first two posts in this series, check them out here:

Part 1: How to Perform Audit Risk Assessments

Part 2: How to Understand the Risk Assessment Process