How to Identify Risk of Material Misstatements with an Audit Walkthrough

Post 2 - Knowing what risk assessment procedures to use

While we know that an audit walkthrough is an excellent way to probe accounting systems for risk, many auditors aren’t sure how to use this procedure. I hear questions such as:

  • What is an audit walkthrough?
  • Will a walkthrough allow me to assess control risk at less than high?
  • What procedures should I perform?
  • How many procedures should I perform?
  • How can I document my walkthroughs?
  • Should I perform walkthroughs annually?
  • What transaction cycles merit walkthroughs?
Audit Walkthrough

Picture from AdobeStock.com

What is an Audit Walkthrough?

An audit walkthrough is the tracking of a transaction through an accounting system while examining related controls. The purpose of the audit walkthrough is to see if controls exist and are in use (or, as the audit standards say, “implemented”). The results of our risk assessment procedures will illuminate the weaknesses in the accounting system.  And we use this information about risk to create our audit plan.

So we do the following:

  1. Identify risk
  2. Assess risk
  3. Create an audit plan to address risk

Walkthroughs fall in the “identify risk” category, and, consequently, are done early in the audit process.

What is not a Walkthrough?

Following a transaction through the system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they exist and are implemented. 

Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While such manuals may tell you what the client intends to do, they don’t say what is done. In other words, they don’t answer the implementation question.

Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire.

Will Audit Walkthroughs Allow a Lower Control Risk Assessment?

Usually, audit walkthroughs are not sufficient as support for lower control risk assessments. If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t validate operating effectiveness. Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control for software. Why? Computer controls—usually—operate consistently.

The purpose of an audit walkthrough is to test for the existence and implementation of controls rather than operating effectiveness. Remember the following:

  • Focus on implementation of controls — During risk assessment
  • Focus on effectiveness of controls — When testing controls to support lower control risk

An auditor can determine implementation of controls with a test of one transaction. Effectiveness, on the other hand, usually requires sampling tests—e.g., test of 40 transactions for appropriate purchase orders.

What Procedures and How Many Should I Perform?

There are three key procedures that auditors use in performing walkthroughs:

  1. Inquiry
  2. Observation
  3. Inspection

Inquiry alone is never sufficient in performing risk assessments. So we must marry inquiry with observation and inspection. 

The use the three procedures listed above will depend on the transaction cycle you are examining.

Debt Cycle Example

For example, in reviewing the debt cycle, you will usually focus on inquiry and inspection. Why? Well, legal agreements and approvals of debt transactions are key. So I might inspect the following (for example):

  • Debt agreement
  • Minutes showing approval of the debt
  • Approvals of debt service payments

Disbursement Cycle Example

In examining the disbursement cycle, you will typically focus on inquiry, observation, and inspection. My questions might include:

  • How are purchase orders issued?
  • What persons issue purchase orders?
  • Who receives invoices?
  • What persons approve the payments?
  • Are checks signed physically or electronically and by whom?
  • Who reconciles the bank statements?
  • What persons monitor aged payables (and how)?

As I inquire about the disbursement cycle, I also observe and inspect. Here are some procedures I might perform:

  • Examine I.T. lists of who can add vendors to the system
  • Inspect a purchase order to see who approves it
  • Observe who issues the purchase order (multiple people might release P.O.s)
  • Inspect an invoice for initials of a department head as approval for payment
  • Observe who is receiving and approving the invoices
  • Watch the processing of a check batch (I want to know who can sign checks)
  • Inspect aged accounts payable detail and one bank reconciliation to determine who reconciles the payables total and bank account to the general ledger

Knowing Which Procedures to Use

You may wonder, “How do I know which procedures to perform?” Ah, that’s the $10,000 question. Always ask, “What can go wrong?” and determine if a control is in place to lessen that threat. That question will drive your risk assessment. The diversity of accounting systems makes it all but impossible to create a checklist that covers all possible issues. What does this mean? You must use your judgment.

Look Beyond the Normal Client Procedures

Always ask who performs the control procedures when key persons are out. Why? An unknown person might have the power to carry out the role. If someone else can—even though they don’t normallyperform a key control procedure, you need to know this. Why? Well, here’s an example of what can happen: If a third person usually does not issue checks but can and that person also reconciles the bank statement, he might issue fraudulent checks. Why? He knows his fraudulent checks will not be detected through the bank reconciliation control.

Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John in on vacation?”

More Answers Next Week

We’ll continue our discussion about walkthroughs next week. I still need to answer the following questions:

  • How can I document my walkthroughs?
  • Should I perform walkthroughs annually?
  • What transaction cycles merit walkthroughs?

If you have any questions about walkthroughs, please post them here, and I will try to respond. Also, please post any comments you have.

If you missed last week’s post about walkthroughs (Why Should Auditors Perform Audit Walkthroughs), check it out here. Subscribe to my blog to receive weekly updates. 

Learn from the CPA Scribo newsletter!

Get my free weekly accounting and auditing digest with the latest content.

Powered by ConvertKit

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

4 thoughts on “How to Identify Risk of Material Misstatements with an Audit Walkthrough