Category Archives for "Risk Assessment"

control risk
Jan 14

Control Risk: Financial Statement Audits

By Charles Hall | Auditing , Risk Assessment

Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn’t. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time.

control risk

Control Risk Defined

What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner. 

Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.

Audit Risk Model

As we begin this article, think about control risk in the context of the audit risk model:

Audit risk = Inherent risk X Control risk X Detection risk

Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.

Further Audit Procedures

And how does the auditor reduce detection risk? With further audit procedures. Those include test of controls and substantive procedures (test of details or substantive analytics). 

After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.

YouTube player

Assessing Control Risk at High

Consider the first reason for high control risk assessments: efficiency

Control risk can be assessed at high, even if—during your walkthroughs— you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay? 

Let me answer that question with a billing and collection example. 

Risk At High: Efficiency Decision

You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach. And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions. 

At this point, you may still be thinking, But, Charles, if controls are appropriately designed and implemented, why is control risk high? Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That’s why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.

In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions. 

Risk at High: Weak Controls

Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example. 

If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)

If, on the other hand, controls are appropriate, then you might test them (though you are not required to). 

Assessing Control Risk at Less than High

What if, based on your walkthrough, controls are okay. And you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment. 

But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice. 

Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time. 

Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?

Fully Substantive Audit Approach

Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach

Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.

Billing and Collection Cycle – Weak Controls

Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:

  • Two employees receipt cash  
  • They both work from one cash drawer 
  • The two employees provide receipts to customers, but only if requested
  • They apply the payments to the customer’s accounts, but they also have the ability to adjust (reduce or write off) customer balances 
  • At the end of the day, one of the two employees creates a deposit slip and deposits the money at a local bank (though this is not always done in a timely manner)
  • These same employees also create and send bills to customers 
  • Additionally, they reconcile the related bank account 

Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play. 

Billing and Collection Cycle – Strong Controls

But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:

  • A separate cash drawer is assigned to each clerk
  • The controller is required to review customer account adjustments on a daily basis (the controller can’t adjust receivable accounts)
  • The cash receipt clerks reconcile their daily activity to a customer receipts report, and the money along with the report is provided to the controller 
  • The controller counts the daily funds received and reconciles the money to the cash receipts report
  • Then the controller creates a deposit slip and provides the funds and deposit slip to a courier
  • Once the deposit is made, the courier gives the bank deposit receipt to the controller
  • A fourth person (that does not handle cash) reconciles the bank statement in a timely manner
  • The monthly customer bills are created and mailed by someone not involved in the receipting process
  • Moreover, the owner reviews a monthly cash receipts report 

Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash. 

Audit Procedures: Basic and Extended

Basic audit procedures for the billing and collection cycle might include:

  • Test the period-end bank reconciliation
  • Create substantive analytics for receivable balances and revenues
  • Confirm receivable accounts and examine subsequent receipts

We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments. 

Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures. 

In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work. 

A Simple Summary

  • Control risk is the probability that an entity’s internal controls will not prevent or detect material misstatements in a timely manner
  • Internal control weaknesses may require a control risk assessment of high
  • Control risk can only be assessed below high when a test of control proves the control to be effective (the test of control provides the basis for the lower risk assessment)
  • If walkthroughs show controls to be appropriately designed and implemented, the auditor can (1) assess control risk at high and use a fully substantive approach, or (2) assess control risk below high and test controls for effectiveness, whichever is most efficient
  • Even if an auditor intends to use a fully substantive approach, walkthroughs are necessary to determine if additional substantive tests are needed; additional substantive procedures may be necessary when material fraud is possible due to internal control weaknesses

See my inherent risk article here

For additional information about risk assessment, see the AICPA’s SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement The guidance was issued in October 2021. 

inherent risk
Oct 04

Inherent Risk: How to Understand

By Charles Hall | Auditing , Risk Assessment

Do you know how to assess inherent risk? Knowing when this risk is low is a key to efficient audits. In this article, I tell you how to assess inherent risk--and how lower risk assessments (potentially) decrease the amount of work you perform. I also provide inherent risk examples, and I define inherent risk.  

inherent risk

While audit standards don't require a separate assessment on inherent risk (IR) and control risk (CR), it's wise to do so. Why? So you know what drives the risk of material misstatement (RMM). 

Many auditors assess control risk at high (after performing their risk assessment procedures). Why? So they don't have to test controls. 

If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk results in a moderate risk of material misstatement. Why is this important? Lower RMMs provide the basis for less substantive work.

The Audit Risk Model

Before we delve deeper into inherent risk assessment, let's do a quick review of the audit risk model. Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”

Audit risk is defined as follows:

Audit Risk = IR X CR X Detection Risk

Inherent risk and control risk live within the entity to be audited.

Detection risk lies with the auditor.

A material misstatement may develop within the company because the transaction is risky or complex. Then, controls may not be sufficient to detect and correct the misstatement. 

If the auditor fails to detect the material misstatement, audit failure occurs. The auditor issues an unmodified opinion when a material misstatement is present.

Risk of Material Misstatement

As we plan an audit, we assess the risk of material misstatement. It is defined as follows:

RMM = IR X CR

Auditors assess the risk of material misstatement at the assertion level so they can determine the level of substantive work. Substantive work is the response to risk.

If the RMM is high, more substantive work is needed. Why? To reduce detection risk. 

But if the RMM is low to moderate, less substantive work is needed. 

Inherent Risk Definition

Let’s define inherent risk. It is the susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

The following inherent risk video is from my YouTube playlist: Audit Risk Assessment Made Easy. (The videos correspond to each chapter in my risk assessment book by the same name, available on Amazon.)

Inherent Risk Examples

The risk for cash is greater than that of a building. Cash is easily stolen. Buildings are not.  

The risk of a hedge transaction is greater than that of a trade receivable. Hedges can be complicated to compute. Trade receivables are not. 

Post-retirement liabilities are inherently risky. Why? It's a complex accounting area. The numbers usually come from an actuary. There are estimates in the form of assumptions.

Inherent Risk Factors 

Consider factors such as the following in assessing risk:

  • Susceptibility to theft or fraudulent reporting
  • Complex accounting or calculations
  • Accounting personnel’s knowledge and experience
  • Need for judgment
  • Difficulty in creating disclosures
  • Size and volume of accounts balance or transactions
  • Susceptibility to obsolescence
  • Prior year period adjustments

Inherent risk is not an average of the above factors. Just one risk factor can make an account balance or transaction cycle or disclosure high risk.

Inherent Risk at Less Than High

When inherent risk is less than high, you can perform fewer or less rigorous substantive procedures.

An example of a low inherent risk is the existence assertion for payables. If experienced payables personnel accrue payables, then the existence assertion might be assessed at low. (The directional risk of payables is an understatement, not an overstatement.) The lower risk assessment for existence allows the auditor to perform little if any procedures in relation to this assertion. 

Conversely, the completeness assertion for accounts payable is commonly a high inherent risk. Businesses can inflate their profits by accruing fewer payables. Fraudulent reporting of period-end payables is possible. Therefore, the risk of completeness for payables is often high. That's why auditors perform a search for unrecorded liabilities.

Base your risk assessment on factors such as those listed above. If inherent risk is legitimately low, then great. You can perform less substantive work. But if the assertion is high risk, then it should be assessed accordingly--even if that means more work. (The AICPA has included questions in peer review checklists regarding the basis for lower risk assessments. Their concern (I think) is that auditors might manipulate this risk in order to perform less work. I've heard no one from the AICPA say this. But I can see how they might be concerned about this possibility.)

Control Risk

So, what is the relationship between inherent risk and control risk?

Companies develop internal controls to manage areas that are inherently risky.

A business might create internal controls to lessen the risk that payables are understated. Examples of such controls include:

  • The CFO reviews the payables detail at period-end, inquiring about the completeness of the list
  • A payables supervisor reviews all invoices entered into the payables system
  • The payables supervisor inquires of all payables clerks about any unprocessed invoices at period-end
  • A budget to actual report is provided to department heads for review

Inherent risk exists independent of internal controls.

Control risk exists when the design or operation of a control does not remove the risk of misstatement. 

Audit Risk Assessment Update - SAS 145

SAS 145 will be effective for years ending December 31, 2023. This standard provides new inherent risk guidance, particularly in regard to inherent risk factors. See my SAS 145 article for details. 

Audit Risk Assessment Book

My new book, Audit Risk Assessment Made Easy, is now available on Amazon. If you struggle with internal control walkthroughs, preliminary analytics, understanding the entity and its environment, risk assessment and linkage, then this book is for you. Click the book cover to see it now on Amazon. 

Audit risk assessment
management override of internal controls
Nov 11

Management Override of Internal Controls

By Charles Hall | Auditing , Fraud , Risk Assessment

Management can override internal controls, resulting in fraudulent financial reporting. Below I provide examples of management override of internal controls and how you can audit for these potential threats. 

Controls can be overridden, even when properly designed and operating. Accounting personnel usually comply with the wishes of management either out of loyalty or fear. So if a trusted C.E.O. asks the accounting staff to perform questionable actions, they will sometimes comply because they trust the leader. Alternatively, management can threaten accounting personnel with the loss of their jobs if they don’t comply. Either way, management gets what it wants by overriding internal controls. 

Examples of Management Override of Internal Controls

Here are examples of management override of internal controls:

  1. Booking journal entries to inflate profits or cover up theft
  2. Using significant transactions outside the normal course of business to dress up the financial statements
  3. Manipulating estimates 
  4. Transferring company cash to their personal accounts 

Auditors consider management override in all audits (or at least, they should). Why? Because it’s always possible. That's why audit standards require that we respond to the risk of management override in all audits. 

First, let’s consider how management overrides controls with journal entries.

1. Journal Entry Fraud

Think about the WorldCom fraud. Expenses were capitalized to inflate profits. Income statement amounts were moved to the balance sheet with questionable entries. Once the fraud was discovered, the internal auditors were told the billion-dollar entries were based on what management wanted. The entries were not in accordance with generally accepted accounting principles. And why was this done? To increase stock prices. Management owned shares of WorldCom, so they profited from the climbing stock values. The fraud led to prison sentences and the demise of the company, all because of management override. 

Journal entries are an easy way to override controls. Consider this scenario: Management meets at year-end, and they have not met their goals; so they manipulate earnings by recording nonexistent receivables and revenues, or they record revenues before they are earned. For example, management accrues $10 million in fake revenue, or they book January revenues in December. 

Journal Entry Testing

Auditors should test journal entries for potential fraud, but how? First, understand the normal process for making journal entries: who makes them, when are they made, and how. Also, inquire about journal entry controls and consider any fraud incentives, such as bonuses related to profits. Then think about where fraudulent entries might be made and test those areas. Fraudulent journal entries are often made at year-end, so make sure you test those. Here are some additional journal entry test ideas:

  • Examine entries made to seldom-used accounts
  • Review consolidating entries (also known as top-side entries)
  • Test entries made at unusual hours (e.g., during the night) 
  • Vet entries made by persons that don’t normally make journal entries
  • Look at suspense account entries
  • Review round-dollar entries (e.g., $100,000)
  • Test entries made to unusual accounts

You don’t need to perform all of the above tests, just the ones that are higher risk in light of journal entry controls and fraud incentives. Data mining software can be helpful in vetting journal entries. For example, you can search for journal entries made by unauthorized persons. Just extract all journal entries from the general ledger and group them by persons making the entries; thereafter, scan the list for unauthorized persons. 

Fraudulent journal entries are not the only way to override controls. The books can be cooked with related party transactions. 

2. Funny Business

Sometimes, as an auditor, you’ll see funny transactions. No, I don’t mean they are amusing. I mean they are unusual. Management can alter profits with transactions outside the normal course of business, and these are often related party transactions. 

For example, Burning Fire, an audit client, is owned by Don Jackson. Mr. Jackson also owns another business, Placid Lake. As you are auditing Burning Fire, you see it received a check for $10 million dollars from Placid Lake. So you ask for transaction support, but there is little. The CFO says the payment was made for “prior services rendered,” but it doesn’t ring true. This could be fraud and is an example of a transaction outside the normal course of business. Why would a company record such an entry? Possibly to bolster Burning Fire’s financial statements. When you see such a transaction, consider whether a fraud incentive is present. For example, do loan covenants require certain financial ratios and does this transaction bring them into compliance? 

Next, we look at how management can juice up profits by manipulating estimates. 

management override of internal controls

3. Manipulating Estimates

Auditing standards require a retrospective review of estimates as a risk assessment procedure. Why? Because management can manipulate estimates to inflate earnings and assets. Auditing standards call such tendencies bias, a sign that fraudulent financial reporting might exist. That’s why auditors review prior estimates and related results. 

For instance, suppose a company has a policy of reserving 90% of receivables that are ninety days or older. If at year-end the greater-than-ninety-days bucket contains $1,000,000, management can increase earnings $400,000 by lowering the reserve to 50%. What an easy way to increase net income! 

Retrospective Review of Estimates

So, how does an auditor perform a retrospective review of an allowance for uncollectible accounts? Compare the year-end reserve with that of the last two or three years. If the reserve decreases, ask why. There might be legitimate reasons for the decline. But if there is no reasonable basis for the smaller allowance, bias could be present. Note such changes in your risk assessment summary. For example, in the accounts receivable section, you might say: The allowance for uncollectible accounts appears to have decreased without a reasonable basis. Why? Because you’ve identified a fraud risk that deserves attention. 

Complex estimates are easier to manipulate without detection than simple ones. Why? Because intricate estimates are harder to understand, and complexity creates a smokescreen, making bias more difficult to spot. As an example, consider pension plan assumptions and estimates. Very complex. And changes in the assumptions can dramatically affect the balance sheet and net income. 

Now, let's look at how to document your retrospective review. 

Documenting Your Retrospective Review

Document your retrospective review. How? List the current and prior year estimates and explain the basis for each. Also, examine the results of the prior year estimates. For example, compare the current year bad debts with the prior year uncollectible allowance. Additionally, consider including incentives for manipulating profits such as bonuses. 

Label the workpaper Retrospective Review of Estimates to communicate its purpose. Also, consider adding purpose and conclusion statements such as:

  • Purpose of workpaper: To perform a retrospective review of estimates to see if bias is present.
  • Conclusion: While the allowance estimate is higher in the current year, the judgments and assumptions are the same. It does not appear that bias is present. All other prior year estimates appear reasonable. 

Other conclusion examples follow:

  • Conclusion: The rate of return used in computing the pension liability increased by 1%. The increase does not appear to be warranted given the mix of investments and past history. Bias appears to be present and is noted in the risk assessment summary form (in the payroll and benefits section).
  • Conclusion: Based on our review of the economic lives of assets in the prior year depreciation schedule, no bias is noted.
  • Conclusion: We reviewed bad debt write-offs in the current year and compared them to the uncollectible allowance in the prior year. No management bias is noted.

Is there another way that management might override controls? Yes, sometimes management requires accounting personnel to transfer company cash to personal bank accounts. 

4. Transferring Company Cash to Personal Accounts

Years ago I audited a hospital in Alabama. The C.E.O. would sometimes go to Panama City Beach, and while there, direct his accounting staff to wire funds to his personal account—and they did. Why? The threat of losing their jobs. Some management personnel, especially those with muscle, can intimidate the accounting employees into doing the unbelievable. I’ve seen this happen and once the C.E.O. is called out, he pretends to know nothing about the prior conversations with accounting.  

Management Override of Internal Controls

In your future audits, consider that management override of internal controls is always a possibility.

So don't allow yourself to believe that management is too honest to commit fraud. (A personal friend of mine just went to jail for stealing $3.5 million; he was part of the company's management team. I've known him for twenty years, so I was stunned to hear this.) Conduct your audits to detect material misstatements, including fraud--even if you've known the management team for many years. 

audit walkthrough
Oct 25

Audit Walkthroughs: The Why and How

By Charles Hall | Accounting and Auditing , Risk Assessment

What is the purpose of audit walkthroughs? How do you document walkthroughs? Is it better to use checklists, flowcharts or summarize narratively? How often should walkthroughs be performed? Are they required? Will a walkthrough allow me to assess control risk at less than high?

In this post, I answer these questions about one of the most important risk assessment procedures: walkthroughs. I share techniques I’ve used for over five years. They work for me, and they will work for you.

Let’s dive right in.

audit walkthrough

What are Audit Walkthroughs?

Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of how a transaction makes its way through the accounting system and about related internal controls.

As we perform a walkthrough, we:

  • Make inquiries
  • Inspect documents
  • Make observations

By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors or fraud to occur. Audit standards do not permit the use of inquiries alone. Observations and inspections must also occur.

Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. In other words, the auditor can’t default to high. Risk assessment procedures are required.

What is not an Audit Walkthrough?

Following a transaction through the accounting system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they have been implemented and to see if they are properly designed. 

Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While manuals tell you what the client intends to do, they don’t tell you what is occurring. In other words, they don’t answer the implementation question.

Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire. 

Internal Controls Documented in Prior Audits

In some situations, AU-C section 315 allows the auditor to rely on audit evidence obtained in prior periods. In those situations, the auditor is required to perform audit procedures to establish the continued relevance of the audit evidence obtained in prior periods (for example, by performing a walkthrough). 

Here’s what AU-C 315.A20 says about prior year audit information used in the current year:

Paragraph .10 requires the auditor to determine whether information obtained in prior periods remains relevant if the auditor intends to use that information for the purposes of the current audit. For example, changes in the control environment may affect the relevance of information obtained in the prior year. To determine whether changes have occurred that may affect the relevance of such information, the auditor may make inquiries and perform other appropriate audit procedures, such as walk-throughs of relevant systems.

Why Audit Walkthroughs?

Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk. It’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated–and too important. So there’s no getting around it. The walkthrough—or something like it—must be done. Why? We’re gaining an understanding of risks and responding to them. We’re developing our audit plan. Screw up the plan, and we screw up the audit.

What is the purpose of the walkthrough? Identification of risk—specifically, the risk of material misstatement. Once we know the risks, we know where to audit.

Walkthroughs and Lower Control Risk Assessment

Usually, audit walkthroughs are not sufficient to support lower control risk assessments (those less than high). If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t prove operating effectiveness.

Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control. Why? Computer controls are usually consistent. 

An auditor can determine whether a control has been implemented with a test of one transaction. Effectiveness, on the other hand, normally requires a test of transactions. For example, a test of 40 transactions for appropriate purchase orders.

YouTube player

Audit Walkthrough Documentation

While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my favorite is a narrative mixed with screenshots.

So how do I do this?

I interview personnel. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes may require several interviews. 

Early on, I may not know how each person’s work fits into the whole. It’s like gathering puzzle pieces. The interviews and information may feel random, even confusing. But, later, when you put the parts together, the picture speaks more clearly. Then, you’ll understand the accounting system and control environment.

My Audit Walkthrough Tools

I document the conversations using:

  • A Livescribe pen
  • My iPhone camera

Taking Notes

Using a Livescribe pen, I write notes and record the conversations.

I begin the interview by saying, “Tell me what you do and how you do it. Treat me as if I know nothing. I want to hear all the details.” (For sample transaction-level walkthrough questions, see my audit series titled The Why and How of Auditing.)

As I listen, I write notes. At the same time, my Livescribe pen records the audio. Later the conversation can be played from the pen. (For more information about Livescribe, see my article: Livescribe, Note Taking Magic (for CPAs). )

Click the pen below to see Livescribe on Amazon.

I find that most interviewees talk too fast—at least faster than I can write. As I’m writing about the last thing they’ve said, they are moving to the next, and I fall behind. So I write simple phrases in my Livescribe notebook such as:

  • Add vendor
  • Charlie opens mail
  • P.O. issued by Purchasing
  • Checks signed by the computer

Later, as I’m typing the walkthrough narrative, I touch the letter “A” in “Add vendor” with the tip of my pen (I’m doing so in my Livescribe notes). This action causes the pen to play the audio for that part of the conversation. Likewise, touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play that part of the discussion. Since the audio syncs with my notes, I can hear any part of the discussion by touching a letter with my pen.  

Taking Pictures

In addition to writing notes in my Livescribe notebook, I take pictures with my iPhone. Of what? Here are examples (from a payables interview):

  • Invoice with approver’s initials  
  • Screenshot of an invoice entry  
  • If several people are processing invoices, I take a group picture of them at their desks
  • A signed check 
  • The bank reconciliation 

So my inputs into the walkthrough document are as follows:

  • Livescribe notes and audio
  • Photos of documents and persons 

 Audit Walkthrough Summary

I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:

  • Narrative
  • Pictures
  • Control identification
  • Control weakness identification

Why identify control deficiencies in the walkthrough? So I can link them to my risk assessment summary. The system’s weaknesses tell me where risks exist.

Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So, at the top of the transaction cycle description, I name the persons I interviewed and the date of the conversation. For example:

Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2019. 

Look Beyond the Normal Client Procedures

It’s easy for clients to tell you about normal procedures, but they may not think about unusual situations such as the absence of an employee or how errors are corrected.

Always ask who performs control procedures when a key person is out. Why? If someone can—even though they don’t normallyperform key controls, you need to know. Why? Such a situation can lead to fraud. For example, if a person does not normally issue checks but can, and that person also reconciles the bank statement, he might issue fraudulent checks. He knows the theft will not be detected through normal controls–in this case, the bank reconciliation.

Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John is on vacation?”

Additionally, ask how errors are corrected. When things go wrong (and they sometimes do), you want to know how they are made right.

Identification of Controls and Control Weaknesses

As you write your narrative of the accounting system and controls, highlight both controls and control weaknesses.

I note appropriate controls as follows: 

Control: Additions of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.

I note control weaknesses as follows:

Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account. 

Response to Risk of Material Misstatement

The control weakness created by Johnny Mann’s duties increases the risk of theft. My response? I establish audit procedures in my audit program to address the risk such as:

  • Review one month’s cleared checks for appropriate payees. 

How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate.

Communication of Internal Control Weaknesses

Though this article focuses on planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.

The words Control Weakness (as shown above) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies so I can track the disposition of each one. Each weakness is a:

  1. Material weakness
  2. Significant deficiency, or
  3. Other weakness 

I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers). 

See my article about classifying control weaknesses.

Audit Walkthrough Frequency

How often are walkthroughs required?

Answer: Once per year, if this is how you corroborate your understanding of the cycle. While walkthroughs are not specifically required in the audit standards, you do need to verify your understanding of the accounting system and related controls. And I know of no better way.

audit walkthrough

AICPA Guidance on Walkthrough Frequency

TIS Section 8200.12, as issued by the AICPA, states the following:

Inquiry—AU section 314 (now AU-C 315) requires the auditor to obtain an understanding of internal control. An auditor might perform walkthroughs to confirm his or her understanding of internal control. If the auditor decides to use walkthroughs to confirm his or her understanding of internal control, how often do walkthroughs need to occur?

Reply—In accordance with AU Section 314 (now AU-C 315), the auditor is required to obtain an understanding of internal control to evaluate the design of controls and to determine whether they have been implemented. To do that, performing a walkthrough would be a good practice. Accordingly, auditors might perform a walkthrough of significant accounting cycles every year [emphasis added].

If we’ve documented walkthroughs in prior years, then we need to do so again in the current year to prove the continuing relevance of the audit documentation. 

The Value of Walkthroughs

Walkthroughs tell us where risks are so we can plan our engagements to detect material misstatements.

Additionally, they allow us to add value to our audits. Clients want more than just an opinion. They desire to keep assets safe and to maintain accurate records. Well written management letters that highlight control weaknesses allow you to do just that. Time to start walking.

For additional information about risk assessment, see my article Audit Risk Assessment: The Why and How.

Also, see my new book: Audit Risk Assessment Made Easy. Click the book below to see it on Amazon:

 

internal controls
Sep 26

Internal Controls: How to Understand and Develop

By Charles Hall | Accounting and Auditing , Risk Assessment

Many CPAs don't understand internal controls. Sure, we know that segregation of duties is a positive, but we are sometimes unaware of internal control weaknesses though they lie right before us. Why is this? Well, there are about a million ways that an accounting system can be designed, and no two businesses are the same. So seeing control weaknesses can be challenging. 

internal controls

If you work for a business, you need to understand controls so you can build a safer accounting system.

If you are an auditor, you need to understand controls so you can appropriately design your audit. 

Today, I show you how to design an accounting system with sound internal controls. And if you are an auditor, you'll better understand how to see control weaknesses. We'll start with the COSO framework and later we'll examine the importance of separation of duties.

The focus of this article is building an internal control structure that ensures financial statement accuracy and prevents fraud.

COSO Internal Control Framework

COSO provides a framework for developing internal controls. Think of this framework as your ecosystem to ensure a healthy internal control system. The five elements of the framework are:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Monitoring 
  5. Communication and information

Though accountants and auditors tend to focus on the third element, control activities, all five are important in the development of a sound internal control system. 

1. Control Environment

Control environment is often referred to as tone at the top. It's the leadership part of the organization, and it's here that internal controls live or die. 

If you are a board member, demand internal control reports from management. Those reports should explain the organization's processes and controls as well as monitoring activities. In other words, management should demonstrate not only that controls exist, but that they are working.

My experience with boards is they often don't think about internal controls until it's too late. When fraud happens, then the board wants to know how it happened and why. Boards need to know what is happening and why, before theft occurs. Then they can devote enough resources---hire the right people with the right experience--to ensure system development and monitoring. 

Developing a strong internal control system is an ongoing process. Companies need to constantly evaluate their accounting system and its operation. How? First, by performing risk assessments. 

2. Risk Assessment

An organization should determine if its accounting system allows misstatements. How? By examining the various transaction cycles such as billing and receipting; payables and disbursements; and payroll. As you examine each transaction cycle, ask what can go wrong?  Then create controls to address accounting system weaknesses.

Are daily receipts being reconciled to the general ledger? If not, then develop a control requiring that this be done. Are new vendors vetted for appropriateness? If not, require procedures to ensure the propriety of new vendors. (My book, The Why and How of Auditing, provides lists of questions to ask by transaction cycle. You'll find it on Amazon.)

The risk assessment process naturally leads to the develop of appropriate controls. Once you know what can go wrong, you fix it by developing a control. This is the third element of COSO: control activities. 

3. Control Activities

Control activities is the core component of internal controls. This is where the action is, where you develop your controls. The other four components of COSO (control environment, risk assessment, monitoring, and communication) support this central core. Examples of control activities include:

  • Bank reconciliations
  • Purchase orders
  • Signatures on checks by authorized personnel
  • Review of cash receipting activity by the receipts supervisor (after cash drawers are balanced at the end of a shift)
  • Periodic physical inventories of plant, property, and equipment 
  • Reconciliation of debt in the general ledger to amortization schedules

In risk assessment, we determine what could go wrong? Now we create a control to lessen the risk that the event could occur. For instance, with regard to cash, we might think, "cash balances could be incorrectly stated." Therefore, we implement a control--bank reconciliations--to ensure correctness. 

Separation of accounting duties is important in regard to control development. We'll discuss that area in more detail below.

4. Monitoring

Once controls are in place, you want to monitor them to ensure their use. What good is a control if it is not performed? An example of monitoring is having a supervisor inspect bank reconciliations to ensure that they were created (and that they are correct). 

So, the idea here is you develop internal controls and then monitor them. Why? To ensure the control is in use and that it is performed correctly.

Next, document the accounting system and controls to make them understandable. 

5. Communication and Information

In the fifth COSO element, we are documenting the internal control system. You can document the controls in several different ways including:

  • Memos
  • Flowcharts
  • Formal manuals
  • In Excel workbooks
  • Mindmaps

Which is best? That depends on the complexity of your system. Small organizations can use simple memos. Large entities should create formal manuals. 

What is the goal? To make sure everyone understands how controls work and the reason for their existence.

In many organizations (especially smaller ones), controls are never written down. They are passed down. What do I mean? When a new accountant is hired, he or she is told what to do. Often there is no manual explaining procedures and controls. These oral instructions may not explain why internal controls are performed or how they interact with other parts of the accounting system. Consequently, new employees blindly follow oral instructions without understanding their importance. Worse yet, some don't perform the controls at all. 

An added benefit of documenting controls is it makes system weaknessses more transparent. For instance, if you are documenting your accounts payable system, you might realize that an inappropriate person can add vendors. Or you might see that the payables process lacks segregation of duties. 

Now let's take a look at a key feature of developing an internal control system: separation of accounting duties. 

Separation of Accounting Duties

In the third COSO element above (control activities), we mentioned separation of accounting duties (also known as segregation of duties). What is this? It's dividing accounting responsibilities among multiple people in order to enhance safety. More eyes equals greater safety. Why? Well, if a mistake or theft occurs, it is more likely to be seen. 

separation of accounting duties

There are four actions that are performed in most accounting transaction cycles. They are:

  1. Authorization
  2. Bookkeeping
  3. Custody
  4. Reconciliation

A potential fraud danger exists when one person performs two or more of the above. For example, if Mark enters payments in the accounting system (bookkeeping) and signs checks (authorization), there is a threat that Mark will write checks to myself--especially if he knows that no one compares cleared checks to the general ledger.

The determination of whether danger exists is dependent on the full picture. If Mark knows that Joan--the person reconciling the bank statement--compares cleared checks to the general ledger and that she reviews the payee's on each check, then the danger of theft goes down. If Joan just compares the amount on the bank statement to the general ledger (and does not review the payee on the cleared check), the danger increases.

If all four of the above actions are performed by one person, then a significant control weakness exists. Auditors call this a material weakness. In such situations, it's advisable to include additional personnel in the accounting system. Why? So duties can be separated among various people. 

Some companies are unable create separation of duties. Why? There may not be enough people to do so (it's hard to segregate duties with only one person in accounting) and it costs money to hire additional personnel. Without a sufficient number of people, it is difficult to design a safe environment. Even so, there are still ways to make your accounting system safer

Financial Statement Misstatements

There are two ways that financial statements can be misstated: one is by mistake, and the second is intentionally. The first is just part of being human, the second is fraud. We need a system that reduces both threats. 

Misstatements Due to Mistakes

We all make mistakes. Entries are coded to the wrong chart of accounts line. We forget to enter an invoice in payables. We fail to reconcile our bank accounts. We use inappropropriate revenue recognition methods. 

How do we become aware of our mistakes? By review. These reviews are performed by the person that does the initial accounting work and by others--a supervisor, for example. The supervisor's review is an internal control. 

Some accounting systems point out our errors in real time. For example, if I try to enter the same invoice twice, the system will tell me. The accounting system notice is an internal control. 

So, internal controls can involve both humans (the review) and computers (input notices). The purpose of each is to ensure the correction of errors. 

Misstatements that are Intentional

Sometimes companies intentionally misstate their numbers. Why? Usually to make themselves look better than they are. If profits are declining, the CEO or CFO might pressure the staff to create fictitious entries. Consider that an organization can make one journal entry on the last day of a year to inflate it's profits such as:

                                            Dr.                                  Cr.

Receivables                    10,000,000

Revenue                                                    10,000,000

This is an example of financial statement fraud. Know that there are hundreds of ways that financial statement fraud can occur. Also understand that when assets are stolen from a business, fraudsters often hide theft with false accounting entries. 

In developing internal controls, you want to create a system that prevents these types of intentional misstatements. Even when a good accounting system exists, management override is always a concern. Consider the WorldCom fraud. What is management override? It's when management forces staff members to ignore internal controls and perform inappropriate procedures. 

Closing Comments

Now you have a better understanding of internal controls.

If you work for a business, nonprofit, or government, make your system better by applying these ideas.

If you're auditor, use the above to assist you in your risk assessments and walkthroughs. (See my article about documenting your walkthroughs.)

>