Category Archives for "Auditing"

Audit Planning Analytics
May 01

Audit Planning Analytics: What You Need to Know

By Charles Hall | Auditing

You can identify risks of material misstatement with audit planning analytics. 

Audit Planning Analytics

Audit Planning Analytics

The auditing standards provide four risk assessment procedures: 

  1. Inquiry
  2. Observation
  3. Inspection
  4. Analytical procedures

I previously provided you with information about the first three risk assessment procedures. Today, I provide you with the fourth, analytical procedures.

While analytical procedures should occur at the beginning and the end of an audit, this post focuses on planning analytics.

Below I provide the quickest and best way to develop audit planning analytics

What are Analytics?

If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the use of numbers to determine reasonableness. For example, if a company's cash balance at December 31, 2017, was $100 million, is it reasonable for the account to be $5 million at December 31, 2018? Comparisons such as this one assist auditors in their search for errors and fraud.

Overview of this Post

We'll cover the following:

  • The purpose of planning analytics
  • When to create planning analytics (at what stage of the audit)
  • Developing expectations 
  • The best types of planning analytics
  • How to document planning analytics
  • Developing conclusions 
  • Linkage to the audit plan

Purpose of Planning Analytics

The purpose of planning analytics is to identify risks of material misstatement. Your goal as an auditor is to render an opinion regarding the fairness of the financial statements. So, like a good sleuth, you are surveying the accounting landscape to see if material misstatements exist.

A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews, timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures. Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for material misstatements. 

The detective and the auditor are both looking for the same thing: evidence. And the deft use of tools can lead to success. A key instrument (procedure) available to auditors is planning analytics. 

When to Create Planning Analytics

Create your preliminary analytics after gaining an understanding of the entity. Why? Context determines reasonableness of numbers. And without context (your understanding of the entity), changes in numbers from one year to the next may not look like a red flag--though maybe they should.

Therefore, learn about the entity first. Are there competitive pressures?  What are the company's objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the organization have debt? Context creates meaning.

Additionally, create your comparisons of numbers prior to creating your risk assessments. After all, the purpose of the analytical comparisons is to identify risk.

But before creating your planning analytics, you first need to know what to expect.

Developing Expectations 

Knowing what to expect provides a basis for understanding the changes in numbers from year to year. 

Expectations can include:

  • Increases in numbers
  • Decrease in numbers
  • Stable numbers (no significant change)

In other words, you can have reasons to believe payroll (for example) will increase or decrease. Or you might anticipate that salaries will remain similar to last year.

Examples of Expectations Not Met

Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an increase of 15% is a flashing light.

Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be an indication of financial statement fraud.

But where does an auditor obtain expectations?

Sources of Expectations

Expectations of changes can come from (for example):

  • Past changes in numbers 
  • Discussions with management about current year operations
  • Reading the company minutes
  • Staffing reductions
  • Non-financial statistics (e.g., decrease the number of widgets sold)
  • A major construction project

While you'll seldom know about all potential changes (and that's not the goal), information--such as that above--will help you intuit whether change (or a lack of change) in an account balance is a risk indicator.

Now, let's discuss the best types of planning analytics. 

The Best Types of Planning Analytics

Auditing standards don't specify what types of planning analytics to use. But some, in my opinion, are better than others. Here's my suggested approach (for most engagements). 

Audit Planning Analytics

First, create your planning analytics at the financial statement reporting level. Why? Well, that's what the financial statement reader sees. So, why not use this level (if you can)? (There is one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)

The purpose of planning analytics is to ferret out unexpected change. Using more granular information (e.g., trial balance) muddies the water. Why? There's too much information. You might have three hundred accounts in the trial balance and only fifty at the financial statement level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I look at it.

Second, add any key industry ratios tracked by management and those charged with governance. Often, you include these numbers in your exit conference with the board (maybe in a slide presentation). If those ratios are important at the end of an audit, then they're probably important in the beginning.

Examples of key industry ratios include:

  • Inventory turnover
  • Return on equity
  • Days cash on hand
  • Gross profit 
  • Debt/Equity 

Okay, so we know what analytics to create, but how should we document them?

Analytics for Fraudulent Revenue Recognition

AU-C 240.22 says, "the auditor should evaluate whether unusual or unexpected relationships that have been identified indicate risks of material misstatement due to fraud. To the extent not already included, the analytical procedures, and evaluation thereof, should include procedures relating to revenue accounts." 

The auditing standards suggest a more detailed form of analytics for revenues. AU-C 240.A25 offers the following:

  • a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales.
  • a trend analysis of revenues by month and sales returns by month, during and shortly after the reporting period. This may indicate the existence of undisclosed side agreements with customers involving the return of goods, which, if known, would preclude revenue recognition.
  • a trend analysis of sales by month compared with units shipped. This may identify a material misstatement of recorded revenues.

In light of these suggested procedures, it may be prudent to create revenue analytics at a more granular level than that shown in the financial statements.

How to Document Planning Analytics

Here are my suggestions for documenting your planning analytics.

  1. Document overall expectations.
  2. Include comparisons of prior-year/current-year numbers at the financial statement level. (You might also include multiple prior year comparisons if you have that information.)
  3. Document key industry ratio comparisons.
  4. Summarize your conclusions. Are there indicators of increased risks of material misstatement? Is yes, say so. If no, say so.

Once you create your conclusions, place any identified risks on your summary risk assessment work paper (where you assess risk at the transaction level--e.g., inventory).

Use Filtered Analytical Reports with Caution (if at all)

Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with changes of greater than $30,000. There is a danger in using such thresholds. 

What if  you expect a change in sales of 20% (approximately $200,000) but your filters include:

  •  all accounts with changes greater than $50,000, and 
  • all accounts with changes of more than 15%

If sales remain constant, then this risk of material misstatement (you expected change of 20%, but it did not happen) fails to appear in the filtered report. The filters remove the sales account because the change was minimal. Now, the risk may go undetected.

Developing Conclusions

I am a believer in documenting conclusions on key work papers. So, how do I develop those conclusions? And what does a conclusion look like on a planning analytics work paper?

First, develop your conclusions. How? Scan the comparisons of prior year/current year numbers and ratios. We use our expectations to make judgments concerning the appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so, there's no formula for this. 

No Risk Identified

Now, you'll document your conclusions. But what if there are no unexpected changes? You expected the numbers to move in the manner they did. Then no identified risk is present. Your conclusion will read, (for example):

Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on the planning analytics, no risks of material misstatement were noted.

Risk Identified

Alternatively, you might see unexpected changes. You thought certain numbers would remain constant, but they moved significantly. Or you expected material changes to occur, but they did not. Again, document your conclusion. For example:

Conclusion: I expected payroll to remain constant since the company's workforce stayed at approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I am placing this risk of material misstatement on the summary risk assessment work paper at 0360 and will create audit steps to address the risk.

Now, it's time to place the identified risks (if there are any) on your summary risk assessment form.

Linkage to the Audit Plan

I summarize all risks of material misstatements on my summary risk assessment form. These risks might come from walkthroughs, planning analytics or other risk assessment procedures. Regardless, I want all of the identified risks--those discovered in the risk assessment process--in one place.

The final step in the audit risk assessment process is to link your identified risks to your audit program. 

Overview of Risk Assessment and Linkage

Now, I tailor my audit program to address the risks. Tailoring the audit program to respond to identified risks is known as linkage.

Audit standards call for the following risk assessment process:

  • Risk assessment procedures (e.g., planning analytics)
  • Identification of the risks of material misstatement
  • Creation of audit steps to respond to the identified risks (linkage)

Summary of Planning Analytics Considerations

So, now you know how to use planning analytics to search for risks of material misstatement--and how this powerful tool impacts your audit plan.

Let's summarize what we've covered:

  1. Planning analytics are created for the purpose of identifying risks of material misstatement
  2. Develop your expectations before creating your planning analytics (learn about the entity's operations and objectives; review past changes in numbers for context--assuming you've performed the audit in prior years)
  3. Create analytics at the financial statement level, if possible
  4. Use key industry ratios 
  5. Conclude about whether risks of material misstatement are present
  6. Link your identified risks of material misstatement to your audit program

If you have thoughts or questions about this post, please let me know below in the comments box. Thanks for reading.

First-Year Businesses and Planning Analytics

You may be wondering, "but what if I my client is new?" New entities don't have prior numbers. So, how can you create planning analytics? 

First Option

One option is to compute expected numbers using non-financial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.

Second Option

A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks.

While industry analytics can be computed, I’m not sure how useful they are for a new company. An infant company often does not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver--just in case.

Third Option

A more useful option is the third: comparing intraperiod numbers. 

Discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?

Fourth Option

The last option we’ve listed is a review of the budgetary comparisons. Some entities, such as governments, lend themselves to this alternative. Others, not so–those that don’t adopt budgets.

Summary

So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.

audit and work paper mistakes
Apr 23

Forty Audit and Work Paper Mistakes

By Charles Hall | Auditing

Today, I offer you a list of forty audit and work paper mistakes.

audit and work paper mistakes

The list is based on my observations from over over thirty years of audit reviews (and not on any type of formal study).

You will, however, shake your head in agreement as you read these. I know you’ve seen them as well. The list is not comprehensive. So, you can add others in the comments section of this post.

Here’s the list.

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing documents in the file with no purpose (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linking)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers
  35. Tickmarks are not defined (at all)
  36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done
  37. No group audit documentation though a subsidiary is included in the consolidated financial statements
  38. No elements of unpredictability were performed
  39. Not inquiring of those charged with governance about fraud
  40. Not locking the file down after 60 days 

That’s my list. What would you add?

supplementary information
Apr 11

Supplementary Information, Other Information and Required Supplementary Information

By Charles Hall | Auditing

What’s the difference in supplementary information, additional information, and required supplementary information? What language should be included in the audit opinion when such information is included in the financial statements?  What audit procedures must be performed? Below I provide the answers.

supplementary information

1. Supplementary Information

Supplementary information is defined as information presented outside the basic financial statements, excluding required supplementary information (see below), that is not considered necessary for financial statements to be fairly-presented in accordance with the applicable financial reporting framework (e.g. FASB).  (See AU-C 725 for more guidance about supplementary information.)

Supplementary information may include:

  • Accounting information and
  • Nonaccounting information

Supplementary information examples include:

  • Detail of “Other Income” as shown in the statement of operations*
  • Detail of “General and Administrative” expenses as shown in the statement of operations*
  • Number of employees in a given payroll period**

* Derived from financial statements

** Not derived from the financial statements

Procedures to Perform

Procedures to be performed include:

  • Determine whether the information is fairly stated, in all material respects, in relation to the financial statements as a whole

Sample Opinion Language

Example auditor’s report paragraph:

The [identify accompanying supplementary information] is presented for purposes of additional analysis and is not a required part of the financial statements. Such information is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the financial statements. The information has been subjected to the auditing procedures applied in the audit of the financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the financial statements or to the financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the information is fairly stated in all material respects in relation to the financial statements as a whole.

For examples of presenting the supplementary language (1) in the standard opinion or (2) separately, click here.

Notice that an opinion is rendered on supplementary information. No opinion is given in regard to other information.

2. Other Information

Other information is financial and nonfinancial information (other than the financial statements and the audit report) that is included in a document containing audited financial statements and the audit report (e.g., an annual report), excluding required supplementary information. An auditor can use this option when he or she is not engaged to render an opinion on such information. (See AU-C 720 for more guidance about other information.)

Other information examples include:

  • Financial summaries
  • Employment data
  • Planned capital expenditures
  • Names of officers and directors

Procedures to Perform

Procedure to be performed:

  • Reading the other information in order to identify any material inconsistencies with audited financial statements

Sample Opinion Language

The auditor can use an other-matter paragraph to disclaim an opinion regarding other information. Sample language follows:

Our audit was conducted for the purpose of forming an opinion on the basic financial statements as a whole. The [identify the other information] is presented for purposes of additional analysis and is not a required part of the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the basic financial statements, and accordingly, we do not express an opinion or provide any assurance on it.

3. Required Supplementary Information

Required supplementary information (RSI) is information that a designated accounting standard-setter (e.g., FASB, GASB) requires to accompany the basic financial statements. RSI is not part of the basic financial statements. However, the designated accounting standard-setter has determined that the information is an essential part of financial reporting. (See AU-C 730 for more guidance about required supplementary information.)

Required supplementary information examples include:

  • Management discussion and analysis (MD&A) for governments
  • Estimates of current or future costs of future major repairs and replacements for common interest realty associations

Procedures to Perform

Procedures to be performed include:

  • Inquiry of management about methods used to create information
  • Comparing the information for consistency with management responses and the financial statements
  • Obtaining written representations from management

Sample Opinion Language

Example auditor’s report paragraph:

Accounting principles generally accepted in the United States of America require that the [identify the required supplementary information] on page XX be presented to supplement the basic financial statements. Such information, although not a part of the basic financial statements, is required by the Financial Accounting Standards Board who considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Some governments exclude the MD&A. Here is sample opinion wording when the MD&A is omitted.

Supplementary Information in Compilations and Review Engagements

You can see information about supplementary information wording for compilation or review reports here. Also, see my post about presenting supplementary information in compilation and preparation engagements.

Hosting Services can impair your independence
Jan 09

Hosting Services Impair a CPA’s Independence

By Charles Hall | Auditing

Hosting services impair a CPA’s independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This article explains why your possession of client records, whether electronic or hard-copy, can affect your independence.

Hosting Services Impair a CPA’s Independence

Starting September 1, 2018, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on our server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)

The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.

Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.

In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.

To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not. 

Continue reading

Better client interviews
Dec 13

Four Keys to Better Client Interviews

By Charles Hall | Auditing

Many times I have interviewed accounting staff and walked away thinking, “I have no idea what they just said to me.” Do you ever have this problem? If yes, this article is for you. Below I provide four keys to better client interviews.

Better client interviews

In my early years–fresh out of college–I would think: “I must be stupid. It’s obvious, he understands what he just said, but I don’t.” Often my anxiety would increase when I realized the interviewee (e.g, accounts payable clerk) had no college degree (and me, a masters in accounting).

Reasons We Don’t Understand

After years of performing interviews, I realized that I wasn’t dense (at least, not as much as I thought), and that I was encountering what The Art of Explanation calls, the “curse of knowledge.”

What is the “curse of knowledge?” It’s when someone knows a subject very well, and, consequently, has a difficult time imagining what it is like to not know it. I was experiencing the “curse of knowledge.” Those I interviewed thought knew what they knew. As a result, they left out details.

Also, those I interviewed had years of experience doing the same job day after day. Of course they understood what they did. But I had less than an hour, in many cases, to grasp their duties.

Additionally, those I interviewed used a language unique to their office, and I, mistakenly, tried to use a different language—one I had learned in college. The result: we did not understand one another. So how can I communicate and comprehend better?

Four Keys to Interviewing

1. Pay attention to their language and use it.

If they call it a thingy, then I call it a thingy.

2. Seek understanding more than trying to impress.

I often want to impress more than I desire to understand. The remedy: Admit (maybe even out loud) I don’t know everything.

I tell the clerk, “Treat me like I don’t know anything. I’ve never been here, so I need your help in understanding what you do.”

To higher level personnel (e.g., CFO), I might say, “I have worked in this industry for fifteen years, but I need your help to understand how you guys operate.”

3. Repeat what is said to you.

For example, “May I repeat what you just said to make sure I understand? ‘The thingy is created once per week on Mondays to ensure that total receipts agree with deposits.’”

4. Use your cell phone to take pictures and to record parts of the interview.

Just last week, I reviewed a complex accounting system (for about three hours). As I did so, I used my cell phone Evernote app to take pictures of computer screens and printed reports. I also used the app to record parts of the conversation. Later, I summarized the conversation in memo form (complete with pictures).

Scanbot is another useful iPhone app if you take pictures of client information. By using your phone to take pictures, you can leave your physical scanner in your office.

Your Interviewing Ideas

Have I left out any key interviewing ideas? Please share your thoughts.

Check out my series of articles about auditing.

how to capture and communicate internal control deficiencies
Nov 29

How to Capture and Communicate Internal Control Deficiencies

By Charles Hall | Auditing

Too many times auditors fail to capture control deficiencies in the audit process. So, today I’ll show you how to capture and communicate internal control deficiencies.

A Common End-of-Audit Problem

We’re concluding another audit, and it’s time to consider whether we will issue a letter communicating internal control deficiencies. A month ago we noticed some control issues in accounts payable, but presently we’re not clear about how to describe them. We hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks we’re done, and quite frankly, they are tired of seeing us. We know that boiler-plate language will not clearly communicate the weakness or how to fix it. Now we’re kicking ourselves for not taking more time to document the control deficiencies.

Here’s a post to help capture and document internal control issues as we audit.

How to Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

  1. How to communicate them
  2. How to discover them
  3. How to capture them
how to capture and communicate internal control deficiencies

Picture is courtesy of AdobeStock.com

As we begin, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Categorizing a control weakness is not a science, but an art. With this thought in mind, let’s start our journey with how control weaknesses should be reported.

1. How to Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

2. How to Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

  1. Planning – Risk assessment and walkthroughs
  2. Fieldwork – Transaction-level work
  3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

  • Do the monthly financial statements ever contain errors?
  • Are invoices mistakenly omitted from the payable system?
  • Do employees forget to obtain purchase order numbers prior to buying goods?
  • Are new employees ever unintentionally left off the payroll?
  • Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

3. How to Capture Control Weaknesses

So, how do you capture the control weakness?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

  1. You may not be on the engagement when it concludes (because you are working elsewhere) or
  2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Internal Controls

Picture is courtesy of AdobeStock.com

Internal Control Capture Form

 What should be in the internal control form? At a minimum include the following:

  1.  Check-mark boxes for:
    • Significant deficiency
    • Material weakness
    • Other control deficiency
    • Other issues (e.g., violations of laws or regulations) 
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
    • If the probability of occurrence is at least reasonably possible and the magnitude of the potential misstatement is material, then the client has a material weakness
  3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person who identified the issue and the date when the issue was identified
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

Summary

The main points in capturing and communicating internal control deficiencies are:

  1. Capture control weaknesses as soon as you see them
  2. Develop a form to document the control weaknesses

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

understand and communicate material weaknesses and significant deficiencies
Nov 24

Understand and Communicate Material Weaknesses and Significant Deficiencies

By Charles Hall | Auditing

In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.

How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.

understand and communicate material weaknesses and significant deficiencies

And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.

Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.

Definitions of Control Weaknesses

A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.

  1. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  2. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  3. Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.

How to Categorize a Control Weaknesses

Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.

Material Weakness

First, ask these two questions:

  1. Is there a reasonable possibility that a misstatement could occur?
  2. Could the misstatement be material?

If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)

Significant Deficiency

If your answer to either of the questions is no, then ask the following:

Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.

If the answer is yes, then it is a significant deficiency.

If no, then it is not a significant deficiency or a material weakness.

How to Communicate Material Weaknesses and Significant Deficiencies

The following deficiencies must be communicated in writing to management and to those charged with governance:

  • Material weaknesses
  • Significant deficiencies

The written communication (according to AU-C section 265) must include:

  • the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
  • a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
  • sufficient information to enable those charged with governance and management to understand the context of the communication
  • the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
  • the fact that the auditor is not expressing an opinion on the effectiveness of internal control
  • that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
  • an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication

Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).

How to Communicate Other Deficiencies

Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.

photo

Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.

A Key Word of Warning

Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.

Additional Information

Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.

unnecessary work papers
Nov 19

Seven Excuses for Unnecessary Audit Work Papers

By Charles Hall | Auditing

Unnecessary audit work papers create clutter and can create legal problems.

I see two problems in most audit work paper files:

(1) Too much documentation, and
(2) Not enough documentation

I recently wrote a post tilted: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I have already covered the “not enough documentation” issue, today we’ll look at the other problem, too much documentation.

unnecessary audit work papers

Seven Excuses for Unnecessary Audit Work Papers

Over the last thirty years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are a few standard answers.

1. It was there last year.

But is it relevant this year? Resist the temptation just to copy or bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

For some reason, young auditors tend to put everything given to them in the file. I think they believe, “if the client gave it to me, it must be important.”

There is one reason to place documentation is the file: It provides audit evidence to support the opinion.

3. I may need it next year.

Then save it—somewhere other than the audit file—for next year. If the information does not provide current year engagement evidence, then it does not belong in the current year file.

Consider setting up a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: next year’s work papers; then move this section from the current year file as you wrap up the engagement.

4. I might need it this year.

Before going paperless (back in the days of moving work papers with a hand truck), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled “Recycle Bin” that sits at the bottom of my file. If I receive information that is not relevant to the current year work, I move it to the recycle bin, and while I am wrapping up the engagement, I dispose of the entire folder.

5. It’s an earlier version of an existing work paper.

Move earlier versions of work papers (e.g., initial financial statements) to your recycle bin.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attestation work – e.g., deferred taxes).

7. We missed a fraud ten years ago, so we always include these work papers.

Fraud procedures (and all procedures for that matter) should reflect the current year audit risk assessment and planning.

Closing Comments

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide an attorney ammunition. “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

Hear my podcast based on this post.

What are your thoughts about removing unnecessary audit work papers?

theft stings auditor
Nov 14

Fraud Stings Auditor: Another Reason Detection is Important

By Charles Hall | Auditing

Auditors think about how fraud affects audit clients, but could it be that fraud might affect auditors? After all, auditors do have responsibility for detecting fraud. In this article, I show how undetected theft can adversely affect audit firms.

theft stings auditor

The Phone Call

An audit client discovers, through an inside tip, an employee fraud and you, the audit engagement partner, receive the following phone call:

“George, we just found out our controller has stolen about $70,000 per year for the last three years. Since you guys have been doing our audit, I thought I’d call and discuss what we need to do.” The caller does not verbally say it, but he intimates, “where were you guys?” and “how are you going to resolve this?”

Your first thought is this amount is immaterial, and you begin to explain that audits are not designed to detect immaterial fraud–the first time your client has ever heard these words. It sounds technical, evasive, and hollow. Your client is thinking, “what did I pay you for?” as you are reading his mind and thinking, “not for this.”

The First Mistake

The first mistake is not clearly explaining to your client what an audit is, and, more importantly, what it is not.

The Association of Certified Fraud Examiners’ (ACFE) biennial fraud survey notes that most frauds have a life of about 18 months before they are detected, and less than 10% of frauds are detected by external audits. Even if the external auditor is performing the engagement in accordance with generally accepted auditing standards, the procedures are designed to detect material fraud, something your client needs to know before you start the audit.

Your client files a claim with his insurance company in order to recoup the stolen funds, and, at this point, the insurance company contacts you and asks, “may we have a copy of your internal control letter?” You’ve known all along that there were significant deficiencies in controls, but you’ve been afraid to communicate the weaknesses in writing, knowing that doing so might jeopardize your relationship with management (the guys and gals who hired you).

The Second Mistake

The second mistake is not communicating all significant weaknesses and material weaknesses in writing.

Now things go from bad to worse: the insurance company sues your firm and subpoenas your work papers as they prepare to take you to court. The insurance company’s attorney obtains copies of your fraud work for the last three years, and he notes that the three respective audit files have the same fraud inquiry form. All three annual fraud forms reflect your CPA firm interviewed the same two management personnel who noted, “the company has high ethical standards and there are no known ways to commit fraud.” No other fraud work exists in the files.

In the deposition, the insurance company’s attorney asks you four times, “did you perform any fraud tests other than inquiring of management?” Now you wish you had.

The Third Mistake

The third mistake is inquiring of the same personnel year after year and not performing an annual fraud test (at least one).

Lessons Learned

You now resolve to do the following on all future audits:

  1. Resolved – I will explain to my client that an audit does not address immaterial fraud.
  2. Resolved – I will communicate all significant control deficiencies and material weaknesses in writing.
  3. Resolved – I will perform at least one new fraud test each year (and those tests will relate to control weaknesses noted in planning walk-throughs and inquiries); additionally, I will perform fraud inquiries of different personnel each year.

More Fraud-Related Articles

For more information about fraud detection and prevention, check out my list of articles here.

If you are looking for examples of fraud tests (that you can use in your audits), check out:

Disbursement Fraud Audit Tests: Five Powerful But Simple Ideas

Three Receipt Fraud Tests

Comment from Stephen Pedneault

Stephen Pedneault, the principal of Forensic Accounting Services, made the following comment about the above article:

You truly have to live through one of these phone calls from a client to appreciate what happens when this occurs. I completely concur that better auditor communications up front during the planning phase, long before fieldwork starts, would decrease the risk a client’s expectations are beyond what an audit can accomplish (and detect). Documented for your files, the conversation you had with your client will help “remind” the client, who is now enraged and reacting emotionally versus rationally due to the discovered fraud, that you discussed the associated audit risks. The representation letter your client signed will augment your defense should your client commence litigation, which is becoming more and more commonplace. Your best defense – avoidance altogether. Perform fraud-related tests as part of your audit.

Stephen has written several fraud books that are available on Amazon. Check him out here.

1 2 3 6
>