Audit Planning Analytics for First-Year Businesses

How to create planning analytics when there is no prior year

How do you create audit planning analytics for first-year businesses? We commonly compare current year numbers to the prior period, but, in this case, there are no prior year numbers. What other options are available?

Audit Planning Analytics for First Year

Courtesy of iStockphoto.com

Planning Analytics for First-Year Businesses

Audit standards don’t require the use of any particular analytics, so let’s think outside the box (of comparing current and prior year numbers). There are at least four alternatives:

  1. Nonfinancial information
  2. Ratios compared to industry averages
  3. Intraperiod totals (e.g., monthly or quarterly)
  4. Budgetary comparisons

How can we use nonfinancial information?

AU-C 315, paragraph .A7 states:

Analytical procedures performed as risk assessment procedures may include both financial and nonfinancial information (for example, the relationship between sales and square footage of selling space or volume of goods sold).

First Option

So one option is to compute expected numbers using nonfinancial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.

Second Option

A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks. While industry analytics can be computed, I’m not sure how useful they are. An infant company often will not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver, just in case.

Third Option

A more useful option is the third–comparing intraperiod numbers. First, discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?

Fourth Option

The last option we’ve listed is a review of the budgetary comparisons. Some entities, such as governments, lend themselves to this alternative; others, not so–those that don’t adopt budgets.

Summary

So, yes, it is possible to create useful risk assessment analytics–even for the first year of operation.

Remember: planning analytics are for the purpose of detecting risk. If the numbers don’t line up as expected, then you have a risk indicator. It is here that you may need to respond with substantive procedures.

Other Ideas?

What planning analytics do you perform for first-year audit clients?

Stay in the Know with CPA Scribo

Stay up to date with CPA Scribo. It’s free and takes less than a minute. Then, about once per week, you will receive an email with my new blog posts.

The Balance Sheet Audit Approach: Slaying a Sacred Cow

Why the risk based audit approach is better

Sacred cows make great steaks. Richard Nicolosi.

Risk-based audit standards have existed for years, but I still see a resistance to risk assessment procedures. Why? A reliance on the traditional balance sheet audit approach. I think many auditors prefer to test a bank reconciliation (ticking off each cleared transaction) to interviewing the company’s CFO. They enjoy the certainty of vouching payables (yep, the invoice agrees with the payable detail) and disdain the difficulty of walking a transaction through the accounting system. Regardless, many CPA firms struggle to slay the sacred cow of balance sheet audits.

What is a Balance Sheet Audit?

So what is a balance sheet audit approach?

It’s the examination of period-end balance sheet totals (the results of accounting processes) rather than the accounting processes themselves. For example, the auditor might confirm receivables and not perform a walkthrough of billing and collections. The balance sheet audit approach lacks any significant focus on the income statement.

While it is true that nailing down (or “beating up”) the balance sheet provides helpful audit evidence, there are some downsides.

The Downside of Balance Sheet Audits

So what are the weaknesses of a balance sheet audit approach?

First, the balance sheet approach does not address the income statement. Consequently, income statement line items may be misclassified (e.g., expenses netted with revenues). If the balance sheet is correct, net income (the result of revenues and expenses) is correct. But revenues and expenses can still be misclassified. (I once saw grant revenue of $300,000 netted with related grant expenses resulting in a $0 impact to revenues and expenses.)

Secondly, and more importantly, the balance sheet audit method does not address the possibility of theft (and some forms of fraudulent reporting of revenues and expenses). Sure we can confirm cash and reconcile the balance to the general ledger. So what? If someone steals $1 million in cash receipts (or $10 million or whatever number you want to use), the balance sheet approach may not address the risk of theft.

The same is true if the CFO steals money by cutting checks to himself (or to fictitious vendors). The accounts payable balance can be reconciled to a detail, and a search for unrecorded liabilities can be performed–typical balance sheet audit steps–but these procedures don’t address theft.

Finally, audit standards require walkthroughs, fraud inquiries, planning analytics, and an understanding of the business. Without these steps, we cannot truly understand audit risks that lie hidden in accounting processes.

balance sheet audit

Picture from AdobeStock.com

The Upside of Risk-Based Audits

I still believe that auditors can save time using a risk-based audit approach.

Understanding the business and its processes requires time, but doing so can lead to a leaner audit. You can decrease some substantive procedures when you know where your risks are. We can also mitigate audit risk (because we know what the risks are).

And this is the beauty and logic of risk-based audits. We determine where the risks are, and then we perform procedures to address those risks. We cease to blindly focus on the balance sheet. 

Less time, less risk.

Sounds good to me–but slaying a sacred cow is necessary. I like my steaks medium rare. How about you?

Agree or disagree? Please let me know.

How to Identify and Manage Audit Stakeholders

Identifying your audit stakeholders can assist in identifying audit risks

This is a guest post by Harry Hall. He is a Project Management Professional (PMP) and a Risk Management Professional (PMI-RMP). He blogs at ProjectRiskCoach. You can also follow Harry on Twitter.

Some auditors perform the same procedures year after year. These individuals know the drill. Their thought is: been there; done that.

Imagine a partner or an in-charge (i.e., project manager) with this attitude. He does little analysis and makes some costly stakeholder mistakes. As the audit team starts the audit, they encounter surprises:

  • Changes in the client stakeholders – accounting personnel and management
  • Changes in accounting systems and reporting
  • Changes in business processes
  • Changes in third-party vendors
  • Changes in the client’s external stakeholders
Identifying audit stakeholders

Picture from AdobeStock.com

Furthermore, imagine the team returning to your office after the initial work is done. The team has every intention of continuing the audit; however, some members are being pulled for urgent work on a different audit.

These changes create audit risks–both the risk that the team will issue an unmodified opinion when it’s not merited and the risk that engagement profit will diminish. Given these unanticipated factors, the audit will likely take longer and cost more than planned. And here’s another potential wrinkle: Powerful, influential stakeholders may insist on new deliverables late in the project.

So how can you mitigate these risks early in your audit?

Perform a stakeholder analysis.

“Prior Proper Planning Prevents Poor Performance.” – Brian Tracy

How to Identify Risk of Material Misstatements with an Audit Walkthrough

Post 2 - Knowing what risk assessment procedures to use

While we know that an audit walkthrough is an excellent way to probe accounting systems for risk, many auditors aren’t sure how to use this procedure. I hear questions such as:

  • What is an audit walkthrough?
  • Will a walkthrough allow me to assess control risk at less than high?
  • What procedures should I perform?
  • How many procedures should I perform?
  • How can I document my walkthroughs?
  • Should I perform walkthroughs annually?
  • What transaction cycles merit walkthroughs?
Audit Walkthrough

Picture from AdobeStock.com

What is an Audit Walkthrough?

An audit walkthrough is the tracking of a transaction through an accounting system while examining related controls. The purpose of the audit walkthrough is to see if controls exist and are in use (or, as the audit standards say, “implemented”). The results of our risk assessment procedures will illuminate the weaknesses in the accounting system.  And we use this information about risk to create our audit plan.

So we do the following:

  1. Identify risk
  2. Assess risk
  3. Create an audit plan to address risk

Walkthroughs fall in the “identify risk” category, and, consequently, are done early in the audit process.

What is not a Walkthrough?

Following a transaction through the system–without reviewing controls–is not an audit walkthrough. We must examine controls to see if they exist and are implemented. 

Placing a copy of the operating and accounting system manual in the audit file is not a walkthrough. While such manuals may tell you what the client intends to do, they don’t say what is done. In other words, they don’t answer the implementation question.

Lastly, asking a client, “Is everything the same as last year?” is not a walkthrough. Auditors must do more than inquire.

Will Audit Walkthroughs Allow a Lower Control Risk Assessment?

Usually, audit walkthroughs are not sufficient as support for lower control risk assessments. If the auditor assesses control risk at less than high, she is required to test the effectiveness of the control. Since audit walkthroughs are usually a test of one transaction, they typically don’t validate operating effectiveness. Regarding computer controls, a walkthrough of one transaction might be sufficient to prove effectiveness if general computer controls are working—namely, change control for software. Why? Computer controls—usually—operate consistently.

The purpose of an audit walkthrough is to test for the existence and implementation of controls rather than operating effectiveness. Remember the following:

  • Focus on implementation of controls — During risk assessment
  • Focus on effectiveness of controls — When testing controls to support lower control risk

An auditor can determine implementation of controls with a test of one transaction. Effectiveness, on the other hand, usually requires sampling tests—e.g., test of 40 transactions for appropriate purchase orders.

What Procedures and How Many Should I Perform?

There are three key procedures that auditors use in performing walkthroughs:

  1. Inquiry
  2. Observation
  3. Inspection

Inquiry alone is never sufficient in performing risk assessments. So we must marry inquiry with observation and inspection. 

The use the three procedures listed above will depend on the transaction cycle you are examining.

Debt Cycle Example

For example, in reviewing the debt cycle, you will usually focus on inquiry and inspection. Why? Well, legal agreements and approvals of debt transactions are key. So I might inspect the following (for example):

  • Debt agreement
  • Minutes showing approval of the debt
  • Approvals of debt service payments

Disbursement Cycle Example

In examining the disbursement cycle, you will typically focus on inquiry, observation, and inspection. My questions might include:

  • How are purchase orders issued?
  • What persons issue purchase orders?
  • Who receives invoices?
  • What persons approve the payments?
  • Are checks signed physically or electronically and by whom?
  • Who reconciles the bank statements?
  • What persons monitor aged payables (and how)?

As I inquire about the disbursement cycle, I also observe and inspect. Here are some procedures I might perform:

  • Examine I.T. lists of who can add vendors to the system
  • Inspect a purchase order to see who approves it
  • Observe who issues the purchase order (multiple people might release P.O.s)
  • Inspect an invoice for initials of a department head as approval for payment
  • Observe who is receiving and approving the invoices
  • Watch the processing of a check batch (I want to know who can sign checks)
  • Inspect aged accounts payable detail and one bank reconciliation to determine who reconciles the payables total and bank account to the general ledger

Knowing Which Procedures to Use

You may wonder, “How do I know which procedures to perform?” Ah, that’s the $10,000 question. Always ask, “What can go wrong?” and determine if a control is in place to lessen that threat. That question will drive your risk assessment. The diversity of accounting systems makes it all but impossible to create a checklist that covers all possible issues. What does this mean? You must use your judgment.

Look Beyond the Normal Client Procedures

Always ask who performs the control procedures when key persons are out. Why? An unknown person might have the power to carry out the role. If someone else can—even though they don’t normallyperform a key control procedure, you need to know this. Why? Well, here’s an example of what can happen: If a third person usually does not issue checks but can and that person also reconciles the bank statement, he might issue fraudulent checks. Why? He knows his fraudulent checks will not be detected through the bank reconciliation control.

Always look beyond accounting policies and routine procedures to see what can happen. I often have clients say to me, “John is the only one who approves the purchase orders,” for example. But I know this is not true because purchases would cease to occur when John is out. So I ask, “Who issues purchase orders when John in on vacation?”

More Answers Next Week

We’ll continue our discussion about walkthroughs next week. I still need to answer the following questions:

  • How can I document my walkthroughs?
  • Should I perform walkthroughs annually?
  • What transaction cycles merit walkthroughs?

If you have any questions about walkthroughs, please post them here, and I will try to respond. Also, please post any comments you have.

If you missed last week’s post about walkthroughs (Why Should Auditors Perform Audit Walkthroughs), check it out here. Subscribe to my blog to receive weekly updates. 

Why Should Auditors Perform Audit Walkthroughs?

Post 1 - Why are walkthroughs important and are they required?

Do you ever struggle with audit walkthroughs? Maybe you’re not sure what areas to review or how extensive your documentation should be. Possibly you’re not even sure how walkthroughs are helpful.

Audit Walkthroughs

Picture is from AdobeStock.com

I hear some auditors protest that professional standards don’t require walkthroughs. Right, but we have an obligation to annually corroborate the existence and use of controls, and I know of no better way to achieve this goal than walkthroughs.

What are Walkthroughs?

Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding the genesis of the transaction and then each movement through the accounting system.

As we perform the walkthrough, we also:

  • Make inquiries
  • Inspect documents
  • Make observations

By asking questions, inspecting documents, making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors and fraud to occur. And audit standards do not permit the use of inquiries alone. Observations or inspections must occur.

Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. For more information, see my related post.

Why Audit Walkthroughs?

Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk—it’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated and too important. So there’s no getting around it. The walkthrough—or something like it—must be done, especially if you are mid- to upper-level auditors. Why? You’re developing your audit plan. Screw up the plan, and you screw up the audit.

What is the purpose of the walkthrough? Identification of risk. Once you know the risks, you know where to audit.

Too often auditors do the same as last year (SALY). And why do we do this?

First, it requires no thinking.

Second, out of fear. We think, “if the audit plan was appropriate last year, why would it not be this year?” In short, we believe it’s safe. After all, the engagement partner developed this approach seven years ago. But is it safe?

Why SALY is Dangerous

Suppose the accounts payable clerk realizes he can create fictitious vendors without notice, and his scheme allows him to steal over $10 million over a four-year period.

The audit firm has performed the engagement year after year using the same approach. On the planning side, the fraud inquiry and internal control documentation look the same. Walkthroughs have not been performed in the last five years.

On the substantive side, the auditor ties the payables detail to the trial balance. He conducts a search for unrecorded liabilities. He inquires about other potential liabilities. All, as he has done for years. Even so, in this year alone, the payables clerk walks away with $3 million—and the audit firm doesn’t know it.

Processes matter. And—for the auditor—understanding those processes is imperative.

Why Walkthroughs?

I will say it again: we are looking for risk. Our audit opinion says that we examine the company’s internal controls to plan the audit. The opinion goes on to say that this review of controls is not performed to opine on the accounting system. So we are not testing to render an opinion on controls, but we are probing the accounting processes to identify weaknesses. And once we know where risks lie, we can focus in those areas.

Check Your Work Papers for Audit Walkthroughs

Pick an audit file or two and review your internal control documentation. Have you corroborated your understanding of the controls by inquiring, inspecting, and observing the significant transaction cycles? Again walkthroughs are not technically required, but the corroboration of controls is. The walkthrough process is an  effective way to achieve this objective.

Fraud Risk Assessments: How to Perform

A new fraud brainstorming idea guaranteed to generate better results

Do your fraud brainstorming sessions lack vigor. In this video, I provide an idea that will liven up your discussions and result in better identification of potential thefts. I also discuss auditor’s responsibilities with regard to fraud and–as you perform risk assessments–ways to score points with your clients.

To see my previous (written) post about how to perform fraud risk assessments, click here.

Risk of Material Misstatement: How to Assess

Part 5: Appropriate risk assessments can put dollars in your pocket and result in higher quality audits

How do you assess the risk of material misstatement? How do you know when to assess inherent risk at high (or low)? Can you assess control risk at high for all assertions? What are significant risks? These are common questions about the risk assessment process.

Audit Risk Assessment

Picture is courtesy of DollarPhotoClub.com

Today we’ll discuss how auditors assess and document risk. We’ll cover:

  • Financial statement level risk
  • Transaction level risk
  • Risk of material misstatement
  • Inherent risk
  • Control risk

Understanding these concepts will put money in your pocket and will result in higher quality audits.

Financial Statement Level Risk

Before picking our audit team, we need a general understanding of the entity.

We must understand the business and its control environment to determine risks at the financial statement level (I think of this as the overall risk). The overall risk will dictate our broader responses such as who the audit team will be.

Consider whether the entity has:

  • Complex transactions
  • Related party transactions
  • New accounting pronouncements
  • Profit pressures
  • Problem vendor relationships
  • Going concern issues
  • Potential debt covenants violations
  • Cash flow problems

We also need to consider the risk of management override. This threat is always a possibility. If management is playing on the edges, consider how you will add muscle and insight to your audit team—or whether you should even perform the engagement.

Keep this thought in mind when considering financial statement level risk assessment: greater overall threats call for a stronger audit team.

Transaction Level Risks

In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries, and planning analytics. The information gained from those steps is the basis for assessing risk at the transaction level.

Should the transaction risk assessment be performed at the assertion level or for the transaction cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be documented.

If we assess our risk of material misstatement at high for payables (as a whole), what are we saying? That further audit procedures are necessary for all assertions. If we assess risk at high for all payable assertions, and we don’t perform audit procedures in response to the (high) risk assessment, we create an incongruity. We are saying that risk is high for all assertions, but our responses don’t agree.

Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically proposed significant journal entries to record additional payables, maybe the risk of material misstatement for the completeness assertion is high. Our audit procedures will include a search for unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit standards refer to as linkage). The remaining accounts payable assertions could possibly be assessed at low.

Risk of Material Misstatement

We can express the risk of material misstatement (RMM) as:

RMM = Inherent Risk X Control Risk 

While audit standards don’t require that we assess inherent risk and control risk separately, it’s helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.

Inherent Risk

So what is inherent risk? My simple definition is the risk that exists when no controls are present. (We are not saying controls don’t exist, just that we are disregarding them as we measure inherent risk.) 

Inherent risk can be a function of:

  • The complexity of the transaction (e.g., derivatives are harder to understand)
  • The nature of the financial statement item (e.g., cash is liquid and subject to theft)
  • The experience and knowledge of the client’s accounting personnel
  • Past audit issues in the area
  • The volume of transactions

As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur assuming there are no related controls?”

Some areas are so risky that the audit standards refer to them as significant risks. These areas require special audit consideration. Significant risks relate to transactions that are complex, nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to complexity—demands extra scrutiny. The inherent risk in such areas will always be high.

Now, let’s marry inherent risk with control risk so we can determine our risk of material misstatement.

Control Risk

For audits of smaller entities, control risk is often assessed at high—across the board. Why? To save time. While control risk can’t be assessed at high before performing our risk assessment procedures, we can do so afterward

Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures are still required.)

If control risk is assessed at less than high, the auditor is required to test controls to support the lower risk assessment. It may be more economical to perform substantive procedures rather than testing controls. We might, for example, be able to vouch all of the additions to property and equipment in less time than it takes to test the related controls. If this is true, we will opt to use a substantive approach (vouching all significant additions to invoices), and we will assess control risk at high.

Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is low—even if your control risk is high. How? Consider the following equation.

Risk of Material Misstatement Formula

IR (low) X CR (high) = RMM (low or moderate)

What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also, you may not need to perform any substantive procedures–depending on your final RMM for the area.

As an example of how this works, think about a low inherent risk assessment regarding plant, property, and equipment. 

  • What’s the inherent risk related to the existence of your client’s main office building? Low. 
  • If your client has no controls related to the existence of the building, would the lack of controls have any bearing on the overall RMM? No. 
  • Do you need to test any controls? No. 
  • Do you need to perform any substantive procedures? No.
  • Do you need any substantive audit steps (concerning the building) in your audit program? Probably not. The RMM is low, so you don’t need to do anything (other than document your risk assessment). 

Call to Action

Consider reviewing your risk assessments, and see if some of the inherent risk assessments will allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.

This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.

If you have suggestions for other posts, please leave a comment with your idea. Thanks.

How’s Your Brainstorming and Linkage?

Part 4: How can brainstorming result in better audits? How are we to link identified risks to our audit plans?

You’ve performed your risk assessment procedures, and now it’s time to consider the information you’ve obtained. What are your walkthroughs telling you? Are any variances in your planning analytics begging for attention? What about your fraud inquiries? Are they pointing you in a particular direction?

Now that you see the weaknesses in controls, and you know where your client is most likely to make mistakes, you can plan to address those areas where the risk of material misstatement is most likely to occur.

But before we plan, we need to brainstorm.

Picture is courtesy of DollarPhotoClub.com

Picture is courtesy of DollarPhotoClub.com

Brainstorming

Section 315 of the audit standards requires a discussion among the key engagement team members, including the engagement partner. This discussion is to include an exchange of ideas, often referred to as brainstorming, about where the financial statements might possess a risk of material misstatement due to fraud.

So when should the brainstorming session occur? Logically the “exchange of ideas” follows your risk assessment procedures.

The overall audit sequence is as follows:

  1. We gather information using risk assessment procedures
  2. We discuss the identified risk
  3. We plan our responses

In military battles, soldiers do this same thing. The army sends reconnaissance troops to check the lay of the land and to see where the enemy might lie. Why? To determine how the infantry can move forward most effectively and with the least risk. So soldiers gather information (risk assessment) prior to discussing how to respond (brainstorming). The discussion leads to a battle plan (in our world, the audit plan)

Can you imagine soldiers going into battle without surveying the land and discussing the plan of attack? Yet this what auditors do when we default to a standard audit program. Continuing with the battle analogy, does it make sense to use the same battle plan for every encounter? (We have met the enemy, and he is us.)

Once we discuss the entity’s risks, we know what our greatest threats are.

A Threat

In my last post, I provided an example internal control weakness identified in a walkthrough of accounts payable:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have checks sent to that vendor without anyone else’s involvement.

What’s the threat? Judy can create a fictitious vendor and send checks to herself or an accomplice.

The Response

And what can we do about the risk?

We can print a list of vendors added during the last year and have another person review the list for appropriateness. That other person might be the owner of a small business, a board member in a nonprofit, or the purchasing director in a government. We want a person in the know to review the list for improprieties. Alternatively, we can data mine the vendor addresses for a match with Judy’s home address. There are many ways to address this threat, but my point here is that we need to link our procedures with our identified risk. 

Think of the risk assessment process in the following manner:

  1. We perform risk assessment procedures
  2. We assess our risks
  3. We create responses to the identified risks

If we don’t perform risk assessment procedures such as walkthroughs, we may not be aware of risks. If we don’t assess our risks, we may not know what threats are most important. And if we don’t create responses (alter our standard audit plan), then what’s the point of risk assessment? (Surely not to please our peer reviewer.)

Auditing is a holistic art, not a science. Are there formulas? Yes, but if we audit in a formulaic manner (alone), we will miss critical pieces in developing our audit plan. Practice aids (forms) can’t think for us. So I encourage you to use your audit forms, but at some stage, it is good to push them aside and ask:

  • Am I connecting the dots (understanding the client and the risks inherent in their accounting system)?
  • Am I determining which risks are most threatening?
  • Am I creating responses that sufficiently reduce the risk of material misstatement?

My Next Post

Well, we’ve covered much of the risk assessment process, but I still want to take a deeper dive concerning assessing risk at the assertion level and the financial statement level. I’ll do that in my next post in this series.

What can you take away from the above post? Think about your last three audits. After you performed your risk assessment procedures, consider how you altered your audit plan. Do you feel like there is an appropriate linkage between your risk assessment procedures and your audit plan? Are there ways to improve the process?

How to Perform Fraud Risk Assessments

Part 3: An overview of the risk assessment process as it relates to fraud

No appreciable change has occurred in the detection of fraud since the issuance of SAS 99, Consideration of Fraud. Why? I fear the problem lies in how we as auditors use the risk assessment standards.

I still hear auditors say, “we are not responsible for fraud.” But are we not?

Without question, auditing standards require that we perform particular fraud risk assessment procedures. And we also know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option.

Picture is courtesy of DollarPhotoClub.com

Picture is courtesy of DollarPhotoClub.com

Why Auditors Don’t See Fraud Risk

Why do we not see fraud risks? Here are a few thoughts:

  • We don’t understand how fraud occurs, so we avoid it
  • We don’t know how to look for control weaknesses
  • We think our time is better spent in other areas (namely performing substantive procedures)
  • We still believe that a balance sheet approach to auditing is all we need

Signs of Weak Risk Assessments

So what are some signs of weak fraud risk assessments?

  • We ask just one or two questions about fraud
  • We limit our inquiries to as few people as possible (maybe even just one)
  • We discount the potential effects of fraud (even after a client tells us it has occurred)
  • We don’t perform walkthroughs
  • We don’t conduct brainstorming sessions
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files have vague responses to the brainstorming and risk assessment procedures (e.g., “no means for fraud to occur; see standard audit program”)

In effect, some auditors dismiss the fraud risk assessment process. And if we are not aware of fraud risks, we can’t adequately plan our responses. Put another way, if fraud risks are present, and we follow a standard audit program, are we responding to threats?

So how can we understand and respond to fraud risks? Here are a few thoughts.

Start with Potential Fraud Incentives

Fraud comes in two flavors:

  • Cooking the books (intentionally altering numbers)
  • Theft

Start your fraud risk assessment process by determining if there are any incentives to manipulate the financial statement numbers. Are there any bonuses or promotions based on profit or other metrics? Are there other potential motivations for playing with the numbers such as promotions? Cooking the books is more prominent in for-profit entities, but be aware that someone nonprofits also offer incentives based on financial statement targets.

Internal control weaknesses are the doorway to theft. Next we’ll see how to find those defects in accounting systems.

Look for Fraud Opportunities

My go-to procedure in looking for fraud opportunities is to perform walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle and start at the beginning and follow the transaction to the end. Note who does what. Inspect the related documents.

Think of the accounting system as a story. Our job is to understand the narrative. As we (attempt to) describe the accounting system, we may find missing pieces. Sometimes we’ll need to go back and ask more questions to make the story flow from beginning to end.

The purpose of writing the storyline is to identify any “big, bad wolves.” The threats in our childhood stories were easy to recognize. Not so in the walkthroughs. It is only in connecting all the dots that the wolves materialize.

Picture is courtesy of DollarPhotoClub.com

Picture is courtesy of DollarPhotoClub.com

Our documentation of the walkthrough should be scalable. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more detail.

In documenting workflows for complex businesses, the old saying “How do you eat an elephant?” comes to mind. Break complicated systems into pieces and you will understand them.

Observation of Control Weaknesses

The auditing standards require that we use the following:

  • Inquiry
  • Observation
  • Inspection

Audit standards state that inquiry alone is not sufficient for performing the risk assessment process. So we must marry inquiry with either observation or inspection or inquiry with both observation and inspection. May I suggest that you do the latter? Take pictures of your observations (use your smartphone) and make copies of documents you inspect. I like to write my narrative and then insert images into the “story.” (Tip: You can insert pictures in a Word document by clicking “Insert,” and “Object.” Then browse to the picture you desire to add.)

Our walkthroughs can include:

  1. Narrative
  2. Images
  3. Highlights of control strengths and weaknesses

I summarize the internal control strengths and weaknesses within the narrative and usually highlight the wording. For example:

Control weakness: The accounts payable clerk (Judy Ware) can add new vendors and can print checks with digital signatures. If effect, she can create a new vendor and have a check sent to that vendor without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then–when I am done–I can use the identified fraud opportunities to create audit procedures that are responsive.

Fraud-Related Inquiries

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

If management has no method of identifying fraud, might this be an indicator of a control weakness? Yes. It is management’s responsibility to develop control systems to lessen the risk of fraud. It is the auditor’s responsibility to review the accounting system to see if it is designed and operating appropriately.

Notice that in these inquiries, we are not only asking if fraud has occurred but does management have a prevention system in place? And does management communicate these processes to those charged with governance?

Planning Analytics

Another risk assessment procedure is the use of planning analytics. As we compare prior year numbers with current year numbers or as we compare budgeted numbers with current, we may see red flags. You can also use ratios in your hunt for potential risks.

As you review the preliminary numbers, ask, “do these numbers make sense in light of current operations?”

The audit standards state that there is a rebuttable presumption that revenues are overstated. Why? Because many past frauds were carried out by managers intentionally overstating income numbers. In some cases, management posted false journal entries at year-end to inflate income. Then in the following period the entries were reversed.

Brainstorming and Planning Your Responses – My Next Post

Once you perform your risk assessment procedures, you are ready to brainstorm about how fraud will occur and then plan your audit responses. That’s the topic of our next post—so stay tuned. Subscribe to my blog (it’s free) to ensure that you see the next post (see below).

Consider reading this post again and think about how you use your audit forms to perform risk assessments. Understanding the process is 90% of the battle.

If you missed my first two posts in this series, check them out here:

Part 1: How to Perform Audit Risk Assessments

Part 2: How to Understand the Risk Assessment Process