Monthly Archives: February 2017

solve accounting problems
Feb 28

Solve Accounting Problems Quickly: The Crystal Ball

By Charles Hall | Accounting

Do you ever need to solve accounting problems quickly?

I often hear the words, “Hey Charles, I’ve got a quick question,” and they launch into their issue, hopeful I can look into my crystal ball and give them an answer. As it turns out, I do have one. I keep it on my desktop. You probably have one too.

Most CPAs, when confronted with an accounting Gordian Knot, begin their quest to cut through the problem with their mighty sword–the GAAP Guide. Ah, an excellent choice for sure, but is it the best place to start? Or how about the granddaddy of them all? The FASB Codification. Another fine choice, but it’s an 800-pound gorilla. So where’s the best place to start? The crystal ball.

solve accounting problems

And what is the crystal ball? It’s your disclosure checklist.

You say, “but it’s just a laundry list of accounting requirements.” Yes, but it’s a great pointer (to answers).

To solve accounting problems quickly, do a word search in your disclosure checklist. My checklist is in Word, so I use the find feature (click control, find) to locate a keyword. Try to use a unique word where possible–such as noninterest or contingent. You may have to click next a few times to locate the relevant text. Once you find the relevant text, the pathway to your solution lies before you: the checklist provides you with the applicable FASB Codification ASC section (e.g., 850-10-50-5). You can key the number in the FASB Codification or your research library to find your answer.

Now you can provide a quick answer to that difficult question (and look like a genius). When your peers ask, “How did you find the answer so quickly?” Tell them, “My crystal ball.”

White Collar Crime
Feb 27

White Collar Crime is Knocking at Your Door: Are You Prepared?

By Charles Hall | Fraud

If your business has money and employees, then you’re a candidate for white collar crime.

White Collar Crime

White Collar Crime Happens!

For most organizations, it’s not a matter of if fraud will occur, it’s a question of how much will be stolen. The Association of Certified Fraud Examiners’ biennial survey shows that the average business loses 5% of its revenues to fraud. Imagine adding that amount to your bottom line, because when theft occurs, your net income is reduced by the amount stolen.

Learn About Fraud Prevention

Subscribe to get our latest weekly newsletter by email.

Powered by ConvertKit

As a Certified Fraud Examiner, I have taught thousands of people how to reduce the threat of white collar crime. My teaching–for the most part–has been through the Carl Vinson Institute of Government, a division of the University of Georgia. While I love teaching in a classroom, sharing fraud prevention through CPA-Scribo is loads of fun as well!

No One Steals from My Business

Most business owners, board members, governments, and nonprofits think “fraud may happen in other organizations, but not in our place. Our people are honest.” Well, let me say I’ve seen plenty of “honest” people steal.

In almost every fraud I’ve seen, the business owners and fellow employees are dumbfounded by the occurrence of theft–usually by a trusted employee. People steal because they can. You may be thinking, “What?” Let me repeat, the reason people take is because they can. In fraud prevention parlance, we call this “opportunity.”

White Collar Crime Knocking at Your Door

Picture from

So, am I saying that all people with opportunity steal? No, but individuals who steal have an open door to do so. It’s our job to remove the ability to steal without detection–and to eliminate the temptation.

And why do employees have the opportunity? Because we trust them. Trustworthy people move up the organization chart. And the further up the org chart they advance, the greater the opportunity.

Fraud Cycle

And, how do trusted employees move into positions of authority?

A strange cycle happens in white collar crime:

  • We hire a likable, trustworthy person
  • The employee serves the organization well, proving his merit
  • As he moves to higher positions, he greater ability to steal
  • No one monitors the employee because he is (seen as) honest
  • The employee realizes he can take without detection
  • Small amounts of money are taken to test the water
  • Later, the stealing of larger amounts occurs

So, the employee goes from trusted employee to fraudster. The transformation occurs gradually. Often the fraudster rationalizes his theft by saying to himself, “I’m borrowing this money. I will put it back.” Then when the discovery of fraud occurs, everyone is shocked.

Examples of People Who Steal

And what kinds of trusted people steal?

I have seen the following individuals take money:

  • Chief executive officer
  • Board member
  • Pastor
  • Church secretary
  • Healthcare executive
  • A lady who was dying
  • Doctor
  • College president
  • Swim club volunteer
  • Seminary Foundation employee
  • School principal

I could go on, but you get my point. People who we think would never steal, do.

So, how can we prevent–or at least lessen–the threat of fraud? Transparency is a key.

Transparency Lessens Fraud

If transparency is important, why don’t businesses have it?

Small businesses often lack the ability to segregate accounting duties, and this lack of segregation creates opportunities for theft. Why? One employee controls several critical accounting processes, resulting in the ability to steal without being seen.

To lessen the possibility of fraud, we must create transparency in accounting processes. Employees are less likely to take when their actions are visible to others. That’s why segregation of duties is necessary–more eyes are on accounting transactions, making it more difficult for theft to occur without someone noticing. Even if an organization has few employees, it’s possible to create transparency. Many of the blog posts in CPA Scribo are about creating this transparency.

How CPA Scribo Helps

CPA Scribo is designed to provide you with fraud prevention information.

I can’t visit everyone that needs fraud prevention assistance, but I can provide (free) information about how theft occurs and how you can lead the way–in your organization–in preventing fraud.

Here are some of my fraud prevention posts:

Finally, I hope you’ll join us here at CPA Scribo for more information about fraud prevention, accounting, and auditing. See the subscription box below.

Account for cash overdrafts
Feb 21

How to Account for Cash Overdrafts

By Charles Hall | Accounting

How should you account for cash overdrafts (also called negative cash balances) on a balance sheet and in a cash flow statement?

It is year-end and your audit client has three bank accounts at the same bank. Two of the accounts have positive balances (the first with $50,000 and the second with $200,000). The third account has a negative cash balance of $400,000. Since a net overdraft of $150,000 exists, how should we present cash in the financial statements?

Cash overdrafts

Picture Courtesy of

Balance Sheet

In the balance sheet, show the negative cash balance as Cash Overdraft in the current liabilities. Or you can also include the amount in accounts payable.

If you are netting the three bank accounts, consider using the Cash Overdraft option. If you bury the overdraft in accounts payable, the financial statement reader may think, “there is a mistake, where is cash?” Using Cash Overdraft communicates more clearly. (The right of offset must exist in order to net bank accounts. The right of offset commonly exists for multiple bank accounts with one bank.)

Some companies have multiple bank accounts with multiple banking institutions. In such cases, the net balance of one bank might be positive and the net balance of the second bank might be negative. Then the company would reflect the positive balance as cash and the negative cash balance (of the second bank) as an overdraft.  

Suppose a company has bank accounts with two different banks and the net balance of the first bank is $1,350,000 and the net balance of the second bank is an overdraft of $5,000. Then show cash as one amount on the balance sheet ($1,345,000). The $5,000 overdraft is not material.

Cash Flow Statement

Some companies do not include cash overdrafts in the definition of cash; instead, they include the overdraft in accounts payable. Consequently, the company treats the overdraft as an operating activity (change in accounts payable). So, the company includes the overdraft as a change in a liability in the operating section of the cash flow statement. (Some accountants treat overdrafts as a financing activity, but overdrafts clear quickly. Therefore, an operating activity classification is more appropriate.)

Alternatively, include the overdraft in the definition of cash (rather than in accounts payable). In doing so, you combine the cash overdraft with other cash (that with positive balances) in the cash flow statement. The beginning and ending cash–in the cash flow statement–should include cash overdrafts.

FASB ASC 230-10-45-4 requires that the total amounts of cash and cash equivalents in the cash flow statement agree with similarly titled line items or subtotals in the balance sheet. If a cash overdraft is included in the definition of cash, the cash captions in the statement of cash flows should be revised accordingly (e.g., Cash (Cash Overdraft) at end of year).

If the balance sheet contains a positive cash balance in assets and a cash overdraft in liabilities, provide a reconciliation at the bottom of the cash flow statement (or in a disclosure). In the reconciliation, show the composition of cash (cash overdraft)–one line titled Cash, one line titled Cash Overdraft, and a total line titled Total Cash (Cash Overdraft)

One Other Consideration

If checks are created but not released by year-end, reverse the payment. Merely printing checks does not relieve payables. Payables are relieved when payment is made (checks are printed and mailed, or electronic payments are processed).

Restricted Cash

FASB recently issued a new standard dealing with how restricted cash is to be reported in the cash flow statement. Click here for more information.

Efficient Way to Issue Financial Statements
Feb 16

The Most Efficient Way to Issue Financial Statements

By Charles Hall | SSARS

What is the most efficient way to issue financial statements?

Tax basis financial statements without disclosure, using the Preparation of Financial Statements option (Section 70 of SSARS 21).

efficient way to issue financial statements

This answer assumes you are preparing financial statements in conjunction with a tax return and that those financial statements are issued separately—apart from the tax return—to your client.

Continue reading

Auditing receivables and sales
Feb 15

Auditing Receivables and Sales: The Why and How Guide

By Charles Hall | Auditing

In this post, we look at how to audit accounts receivable and sales. We’ll answer questions such as, “should I confirm receivables or examine subsequent receipts?” and “why assume an overstatement of revenues?”

Auditing receivables and sales

Picture from

Auditing Receivable and Sales — An Overview

In this post, we will cover the following:

  1. Primary accounts receivable and sales assertions
  2. Accounts receivable and sales walkthrough
  3. Directional risk for accounts receivable and sales
  4. Primary risks for accounts receivable and sales
  5. Common accounts receivable and sales control deficiencies
  6. Risk of material misstatement for accounts receivable and sales
  7. Substantive procedures for accounts receivable and sales
  8. Common accounts receivable and sales work papers

1. Primary Accounts Receivable and Sales Assertions

First, let’s look at assertions. The primary relevant accounts receivable and sales assertions are:

  • Existence and occurrence
  • Completeness
  • Classification
  • Accuracy
  • Valuation
  • Cutoff

Of these assertions, I believe—in general—existence and occurrence and valuation are most important. So, the client is asserting that the accounts receivable exist and sales balances occurred and that they are valued properly.

Accuracy comes into play if the customer has complex receivable transactions.  Additionally, the cutoff assertion is often seen as relevant, especially if the client has increased incentives to inflate the receivables balance (e.g., bonuses triggered by certain income levels).

2. Accounts Receivable and Sales Walkthrough

Second, think about performing your risk assessment work in lights of the relevant assertions.

As we perform walkthroughs of accounts receivable and sales, we are looking for ways that accounts receivable and sales are overstated (though they can also be understated as well). We are asking, “What can go wrong—whether intentionally or by mistake?” 

In performing accounts receivable and sales walkthroughs, ask questions such as:

  • Are receivables subsidiary ledgers reconciled to the general ledger?
  • Is a consistent allowance methodology used?
  • What method is used to compute the allowance and is it reasonable?
  • Who records and approves the allowance?
  • Who reviews aged receivables?
  • What controls ensure sales are recorded in the right period?
  • Is there adequate segregation of duties between persons recording, billing, and collecting payments?
  • What software is used to track billings and collections?
  • Are there any decentralized collection locations?
  • When are sales recognized and is the recognition in accordance with the reporting framework?
  • What receivables and sales reports are provided to the owners or governing body?

As we ask questions, we also inspect documents (e.g., aged receivable reports) and make observations (who is doing what?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see inconsistent allowance methods, we will perform more substantive work to prove the allowance balances.

3. Directional Risk for Accounts Receivable and Sales

Third, consider the directional risk of accounts receivable and sales.

The directional risk for accounts receivable and sales is an overstatement. So, in performing your audit procedures, perform procedures to ensure that accounts receivables and sales are not overstated. For example, review the cutoff procedures at period-end. Be sure that no subsequent period sales are recorded in the current fiscal year.

Audit standards require that auditors review estimates for management bias. So, consider the current year allowance and bad debt write-offs in light of the prior year allowance. This retrospective review allows the auditor to see if the current estimate is fair. The threat is that management might reduce allowances to inflate earnings.

Moreover, the audit standards state there is a presumption (unless rebutted) that revenues are overstated. Again, the threat is an overstatement of income.

4. Primary Risks for Accounts Receivable and Sales

Fourth, think about the risks related to receivables and sales.

The main risks are:

  1. The company overstates accounts receivable and sales  
  2. Company employees steal collections  
  3. Without proper cutoff, an overstatement of accounts receivables and sales occurs  
  4. Allowances are understated

Look for risks specific to the entity you are auditing. Risk vary from company to company.

auditing receivables and sales

Picture is from

5. Common Accounts Receivable and Sales Control Deficiencies

Fifth, think about the control deficiencies noted during your walkthroughs and other risk assessment work.

In smaller entities, the following control deficiencies are common:

  • One person performs one or more of the following: 
    • billing customers, 
    • receipts monies, 
    • makes deposits, 
    • records those payments in the general ledger 
    • reconciles the related bank account
  • The person computing allowances doesn’t possess sufficient knowledge to do so correctly
  • No surprise audits of receivables and sales 
  • Multiple people work from one cash drawer
  • Receipts are not appropriately issued
  • Receipts are not reconciled to daily collections
  • Daily receipts are not reviewed by a second person
  • No one reconciles subsidiary receivable ledgers to the general ledger
  • Individuals with the ability to adjust customer receivable accounts also collect cash (with no second-person approval or review of the adjustments)
  • Inconsistent bad debt recognition with no approval process
  • The revenue recognition policy is not clear and may not be in accordance with the reporting framework

6. Risk of Material Misstatement for Accounts Receivable and Sales

Sixth, now it’s time to assess your risks.

In smaller engagements, I usually assess control risk at high for each assertion. Controls must be tested to support the lower control risk assessments. Assessing risks at high is often more efficient than testing controls. 

When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (controls risk X inherent risk = risk of material misstatement). The assertions that concern me the most are existence, occurrence, and valuation. So my RMM for these assertions is usually moderate to high. 

My response to higher risk assessments is to perform certain substantive procedures: namely, receivable confirmations and tests of subsequent collections. As RMM increases I send more confirmations and examine more subsequent collections. 

Additionally, I thoroughly test management’s allowance computation. I pay particular attention to uncollected amounts beyond 90 days. Uncollected amounts beyond 90 days should usually be heavily reserved. And amounts beyond 120 days should–generally–be fully reserved.  

7. Substantive Procedures for Accounts Receivable and Sales

And finally, it’s time to determine your substantive procedures in light of your identified risks.

My customary audit procedures are as follows:

  1. Confirm accounts receivable balances (especially larger amounts)
  2. Vouch subsequent period collections, making sure the subsequent collections relate to the period-end balances (sampling can be used)
  3. Thoroughly review allowance computations to see if they are consistent with prior years, agree to supporting documentation, and are appropriately computed
  4. Create comparative summaries of all significant revenue accounts, comparing the current year amounts with at least three years of historical data
  5. Create summaries of average customer income and compare with prior years 
  6. Compute average profit margins by sales categories and compare with previous years

8. Common Accounts Receivable and Sales Work Papers

My accounts receivable and sales work papers frequently include the following:

  • An understanding of accounts receivable and sales-related internal controls 
  • Risk assessment of accounts receivable and sales at the assertion level
  • Documentation of any control deficiencies
  • Accounts receivable and sales audit program
  • A detail of receivables comprising amounts on the general ledger 
  • Copies of confirmations sent
  • A summary of confirmations received
  • Subsequent collections work papers 
  • Allowance work paper

In Summary

In conclusion, today we looked at how to perform accounts receivable and sales risk assessment procedures, the relevant accounts receivable and sales assertions, the accounts receivable and sales risk assessments, and substantive accounts receivable and sales procedures. 

If you audit accounts receivable and sales differently, please share your ideas below. 

Continuing Audit Series

This post is a part of my series titled the Why and How of Auditing. If you’ve missed the previous series articles, click here

Next week, we’ll look at how to audit plant, property, and equipment.

Feb 14

Look for Management Bias with Retrospective Reviews

By Charles Hall | Auditing

Auditing standards require a retrospective review of estimates. Why? Because management can manipulate estimates to inflate earnings and assets.

Suppose a company has an established policy of reserving 90% of receivables that are 90 days or older. If in the current year, the greater-than-90-days-bucket contains $1 million, then management can increase earnings $400,000 by decreasing the reserve percentage to 50%.

Manipulating estimates is easy. Complex estimates (such as the allowance for loan losses in a bank) are even easier to change. Why? Because complex estimates are harder to understand, making it easier to explain away variations.

Retrospective Review in Financial Statement Audits

AU-C 240, Consideration of Fraud in a Financial Statement Audit, says (in paragraph .32) the auditor should do the following:

review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud. In performing this review, the auditor should

    1. evaluate whether the judgments and decisions made by management in making the accounting estimates included in the financial statements, even if they are individually reasonable, indicate a possible bias on the part of the entity’s management that may represent a risk of material misstatement due to fraud. If so, the auditor should reevaluate the accounting estimates taken as a whole, and
    2. perform a retrospective review of management judgments and assumptions related to significant accounting estimates reflected in the financial statements of the prior year. Estimates selected for review should include those that are based on highly sensitive assumptions or are otherwise significantly affected by judgments made by management.

The retrospective review is–like the tests of journal entries required in all audits–a response to potential management override of controls.

Does Bias Exist?

Financial statement fraud occurs when a business willfully manipulates numbers. Why would management intentionally alter profits? There are many potential reasons including profit-based bonuses and the need to meet debt covenant requirements. Regardless of the reason, auditors are to perform a retrospective review of judgments and assumptions used in computing the estimate. Are the judgments and assumptions the same? If they changed, why?

A retrospective review means the auditor places the current year judgments and assumptions next to those of the prior year. Why? To gain perspective. Consider doing so for at least two years. Then see if there is a trend that favors the company.

Document Your Retrospective Review

You should reference your audit program to the work paper containing the retrospective review documentation.

Consider heading up the work paper as “Retrospective Review.” Or on the work paper, use a label (Retrospective Review) to show the purpose of the trend information. Also, consider adding a purpose and conclusion statements such as:

  • Purpose of work paper: To perform a retrospective review of the judgments and assumptions used in computing the estimate.
  • Conclusion: While the allowance estimate is higher in the current year, the judgments and assumptions are the same. It does not appear that management bias is present.

Other examples of conclusions are as follows:

  • Conclusion: Based on our review of the economic lives of assets in the depreciation schedule, no management bias was noted.
  • Conclusion: We reviewed specific bad debt write-offs in the current year and compared them to the estimate for bad debts in the prior year. No management bias was noted.
elements of unpredictability
Feb 13

Elements of Unpredictability in Financial Statement Audits

By Charles Hall | Auditing

The audit standards require elements of unpredictability. Why? So clients can’t guess what the auditor is going to do. Clients naturally observe and learn what auditors normally do. The client’s knowledge of what is audited (and what is not) makes it easier to steal–simply take from unaudited places. This knowledge also enables the company to manipulate numbers–do so in unaudited balances.

The purpose of the unpredictable element is to create uncertainty–in the client’s mind–about what we will audit.

elements of unpredictability

Picture from

Elements of Unpredictability – The Audit Standards

AU-C 240.29 states the following:

In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor should…incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.

AU-C 240.A42 states:

Incorporating an element of unpredictability in the selection of the nature, timing, and extent of audit procedures to be performed is important because individuals within the entity who are familiar with the audit procedures normally performed on engagements may be better able to conceal fraudulent financial reporting. This can be achieved by, for example,

  • performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk.
  • adjusting the timing of audit procedures from that otherwise expected.
  • using different sampling methods.
  • performing audit procedures at different locations or at locations on an unannounced basis.

Examples of Unpredictable Audit Procedures

To introduce elements of unpredictability, perform procedures such as these:

  • Examine payments less than your normal threshold in your search for unrecorded liabilities (e.g., in the last three years your threshold was $7,000; this year, it’s $3,000)
  • Perform a surprise unannounced review of teller cash (for a bank client)
  • Make a physical visit to the inventory location one month after the end of the year and review inventory records (assuming you don’t normally do so)
  • Review payroll salary authorization sheets for ten employees and agree to amounts in the payroll master table (in the payroll software)
  • Test a bank reconciliation for the seventh month in the year being audited (in addition to the year-end bank reconciliation)
  • Confirm an immaterial bank account that you haven’t confirmed in the past
  • Pick ten vendors at random and perform procedures to verify their existence (as a test for fictitious vendors)

Document Your Unpredictable Test

Since unpredictable tests are required in every audit, document where you performed this procedure. Reference your audit program step for unpredictable tests to the work performed. Title your work paper, “Unpredictable Test,” and then add a purpose statement such as, “Purpose: To confirm the immaterial bank account with ABC Bank as an unpredictable test.” Doing so will eliminate the potential for a peer reviewer to say, “that’s a normal procedure.” You are overtly stating the purpose of the test is to satisfy the unpredictable test requirement.

Change Your Unpredictable Tests Annually

Change your unpredictable tests annually. Otherwise, they will–over time–become predictable.

Searching your Evernote account
Feb 10

Tips on Searching Your Evernote Account

By Charles Hall | Technology

Are you looking for tips on searching your Evernote account?

Today I was working on a fair value note disclosure and needed to find information about the reconciliation required for level 3 changes. I knew I had, several weeks ago, fed my Evernote account with an example fair value disclosure. So I typed “fair value” “level 3” in my Evernote search box. Presto, there it was, and it took me about ten seconds.

Once you add hundreds and, yes, thousands of notes to your Evernote account, you need to know how to find the needle in the haystack.

Searching your Evernote account

Searching Your Evernote Account

Back in the 60s, when I was a mere child, I could call the operator if I needed help locating someone. While you can’t call Evernote operators, they are just as helpful in finding, not people, but information.


You can use operators in an Evernote search box to locate particular information. Some of the more commonly used operators are:

1. And
2. Any
3. Tag
4. Notebook
5. Intitle
6. Created

And – Normally you will not type the word “and” as an operator; it’s implied. So if you type: comprehensive income in the search box, Evernote will locate all notes with the words comprehensive and income. If you want to see all notes with the phrase “comprehensive income,” then type: “comprehensive income”–using quotation marks.

Any – Typing the words “any: compilation review” will provide all notes with either the word “compilation” or the word “review.” If a note has the word “compilation” (and not “review”), then it will appear in your search list. If a note has the word “review” (and not “compilation”), then it will also appear in the list.

Tag – By typing “tag:Bank” into the search box, you’re telling Evernote that you want to see all notes tagged “Bank.” (You can tag each note regardless of which notebook it is in; for example, you might have four different notes in four different notebooks, but each tagged “Bank.”)

Notebook – Let’s say you have a notebook titled: Auditing (along with 70 other notebooks). You can type: “notebook:Auditing” in the search box and Evernote will locate your auditing notebook.

Intitle – Typing “intitle:derivative” will yield all notes with the word “derivative” in the title. So if you have one note titled “Mitigating Risk with Derivatives” and another note titled “Derivative Disclosures,” both notes will appear in your search list.

Created – “created:day-1” will provide you with a list of all notes created yesterday and today. You can substitute “day” with “week,” “month,” or “year”. If you want to see all the notes created in the last two weeks, issue a search with “created:week-1.”

Combining Operators

Searching becomes even more powerful when you combine operators.

For example, typing:

Intitle:derivative swap “cash flow hedge”

will provide you with all notes that have the word “derivative” in the title and the words (1) “swap” and (2) “cash flow hedge” as a phrase.

Another example, typing:

Notebook:Accounting any:swap “cash flow hedge”

will provide you with a list of all notes from your accounting notebook that have either the word “swap” or the words “cash flow hedge” as a phrase.

Finally, typing:

Notebook:Bank tag:Deposits FDIC “Due to Due from”

will provide you with notes from your Bank notebook that have a “Deposits” tag and that contain the words FDIC and “Due to Due from” as a phrase.

Give It a Try

Go ahead, try some of these tips with your Evernote account. You’ll soon be sifting through your notes with ease.

Evernote offers a free version, so if you haven’t tried it, give it a test drive.

You’ll find more information about Evernote in the following posts:

Feb 08

Confirmation of Receivables: Is It Required?

By Charles Hall | Auditing

When is the confirmation of receivables required?

confirmation of receivables

accounts receivable

Confirmation of Receivables is Usually Required

AU-C 330 paragraph 20 states the following:

The auditor should use external confirmation procedures for accounts receivable, except when one or more of the following is applicable:

  1. The overall account balance is immaterial.
  2. External confirmation procedures for accounts receivable would be ineffective.
  3. The auditor’s assessed level of risk of material misstatement at the relevant assertion level is low, and the other planned substantive procedures address the assessed risk. In many situations, the use of external confirmation procedures for accounts receivable and the performance of other substantive procedures are necessary to reduce the assessed risk of material misstatement to an acceptably low level.

If receivables are material and confirmation procedures will be effective, then confirmations must be sent. (Normally, the existence assertion related to receivables is moderate to high. So, 3. above is not in play.)

When are Confirmations Ineffective?

AU-C 330.A56 states:

External confirmation procedures may be ineffective when based on prior years’ audit experience or experience with similar entities:

  • response rates to properly designed confirmation requests will be inadequate; or
  • responses are known or expected to be unreliable.

If the auditor has experienced poor response rates to properly designed confirmation requests in prior audits, the auditor may instead consider changing the manner in which the confirmation process is performed, with the objective of increasing the response rates or may consider obtaining audit evidence from other sources.

Alternative Procedures When Confirmations are not Sent

What audit procedure should be performed if confirmations are not sent? Usually, the auditor will examine cash collections after the period-end. Care must be taken to ensure that the subsequent collections examined relate to receivables that existed at period-end and not to sales occurring after period-end.

Required Documentation When Confirmations are not Sent

AU-C 330.31 states that “the auditor should include in the audit documentation the basis for any determination not to use external confirmation procedures for accounts receivable when the account balance is material.” So, it is not sufficient to simply state that the use of confirmations is ineffective. We should state that we tried to confirm receivables in a prior year without effective results or that we tried to confirm receivables for clients in a similar industry, but without effective results.

The auditor should include a memo to the file or add comments on the receivables work paper explaining why confirmations were not sent.

when are SOC reports needed
Feb 06

When are SOC Reports Needed by an External Auditor?

By Charles Hall | Auditing

Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, when are SOC reports needed? 

when are SOC reports needed

When are SOC Reports Needed?

SOC reports are needed when:

  • The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
  • The SOC report provides information concerning a significant transactions cycle

Many organizations outsource portions of their accounting to service organizations. Think ADP–a service organization that provides payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.

All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.

A financial statement auditor is concerned with material misstatements, regardless of how or where they occur–and regardless of who allows the misstatement. Therefore, auditors look for internal controls weaknesses in both the entity being audited and outsourced service organizations.

As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.

Definitions Related to Service Organizations

Before delving into the details of service organization controls, let’s define a few key words. These definitions come from AU-C 402.

Complementary user entity controls. Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.

Service auditor. A practitioner who reports on controls at a service organization.

Service organization. An organization or segment of an organization that provides services to user entities that are relevant to those user entities’ internal control over financial reporting.

User auditor. An auditor who audits and reports on the financial statements of a user entity.

User entity. An entity that uses a service organization and whose financial statements are being audited.

Audit Standard for Service Organizations

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organization are likely to relate to financial reporting, other controls also may be relevant to the audit, such as controls over the safeguarding of assets. A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:

  1. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements;
  2. The procedures within both IT and manual systems by which the user entity’s transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements;
  3. The related accounting records, supporting information, and specific accounts in the user entity’s financial statements that are used to initiate, authorize, record, process, and report the user entity’s transactions. This includes the correction of incorrect information and how information is transferred to the general ledger; the records may be in either manual or electronic form;
  4. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements;
  5. The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and
  6. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.

If a service organization’s work affects any of the items listed in a. through f., those services are a part of the audited entity’s information system.

When is a SOC report not needed?

When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:
This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).
Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.

Complementary User Entity Controls

The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as “complementary user entity controls.” If the complementary controls operate effectively, the user auditor–an auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.

Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions, then the user auditor may need SOC reports or other service organization information.

Is the Placement of a SOC Report in the Audit File Sufficient?

Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.

A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.

Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.

If controls weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).

Type 1 or Type 2 SOC Reports?

Service organization auditors can issue type 1 or type 2 reports.

A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.

A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

The type 1 report provides information about the service organization’s system and related controls. The type 2 report provides an opinion on the system description and the design and effectiveness of the controls. A type 1 or a type 2 report can be used to gain an understanding of the controls.

Should the Auditor Visit the Service Organization?

Usually, the auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.