Category Archives for "Accounting and Auditing"

understand and communicate material weaknesses and significant deficiencies
Nov 24

Understand and Communicate Material Weaknesses and Significant Deficiencies

By Charles Hall | Auditing

In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.

How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.

understand and communicate material weaknesses and significant deficiencies

And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.

Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.

Definitions of Control Weaknesses

A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.

  1. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  2. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  3. Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.

How to Categorize a Control Weaknesses

Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.

Material Weakness

First, ask these two questions:

  1. Is there a reasonable possibility that a misstatement could occur?
  2. Could the misstatement be material?

If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)

Significant Deficiency

If your answer to either of the questions is no, then ask the following:

Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.

If the answer is yes, then it is a significant deficiency.

If no, then it is not a significant deficiency or a material weakness.

How to Communicate Material Weaknesses and Significant Deficiencies

The following deficiencies must be communicated in writing to management and to those charged with governance:

  • Material weaknesses
  • Significant deficiencies

The written communication (according to AU-C section 265) must include:

  • the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
  • a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
  • sufficient information to enable those charged with governance and management to understand the context of the communication
  • the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
  • the fact that the auditor is not expressing an opinion on the effectiveness of internal control
  • that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
  • an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication

Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).

How to Communicate Other Deficiencies

Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.

photo

Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.

A Key Word of Warning

Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.

Additional Information

Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.

unnecessary work papers
Nov 19

Seven Excuses for Unnecessary Audit Work Papers

By Charles Hall | Auditing

Unnecessary audit work papers create clutter and can create legal problems.

I see two problems in most audit work paper files:

(1) Too much documentation, and
(2) Not enough documentation

I recently wrote a post tilted: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I have already covered the “not enough documentation” issue, today we’ll look at the other problem, too much documentation.

unnecessary audit work papers

Seven Excuses for Unnecessary Audit Work Papers

Over the last thirty years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are a few standard answers.

1. It was there last year.

But is it relevant this year? Resist the temptation just to copy or bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

For some reason, young auditors tend to put everything given to them in the file. I think they believe, “if the client gave it to me, it must be important.”

There is one reason to place documentation is the file: It provides audit evidence to support the opinion.

3. I may need it next year.

Then save it—somewhere other than the audit file—for next year. If the information does not provide current year engagement evidence, then it does not belong in the current year file.

Consider setting up a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: next year’s work papers; then move this section from the current year file as you wrap up the engagement.

4. I might need it this year.

Before going paperless (back in the days of moving work papers with a hand truck), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled “Recycle Bin” that sits at the bottom of my file. If I receive information that is not relevant to the current year work, I move it to the recycle bin, and while I am wrapping up the engagement, I dispose of the entire folder.

5. It’s an earlier version of an existing work paper.

Move earlier versions of work papers (e.g., initial financial statements) to your recycle bin.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attestation work – e.g., deferred taxes).

7. We missed a fraud ten years ago, so we always include these work papers.

Fraud procedures (and all procedures for that matter) should reflect the current year audit risk assessment and planning.

Closing Comments

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide an attorney ammunition. “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

Hear my podcast based on this post.

What are your thoughts about removing unnecessary audit work papers?

theft stings auditor
Nov 14

Fraud Stings Auditor: Another Reason Detection is Important

By Charles Hall | Auditing

Auditors think about how fraud affects audit clients, but could it be that fraud might affect auditors? After all, auditors do have responsibility for detecting fraud. In this article, I show how undetected theft can adversely affect audit firms.

theft stings auditor

The Phone Call

An audit client discovers, through an inside tip, an employee fraud and you, the audit engagement partner, receive the following phone call:

“George, we just found out our controller has stolen about $70,000 per year for the last three years. Since you guys have been doing our audit, I thought I’d call and discuss what we need to do.” The caller does not verbally say it, but he intimates, “where were you guys?” and “how are you going to resolve this?”

Your first thought is this amount is immaterial, and you begin to explain that audits are not designed to detect immaterial fraud–the first time your client has ever heard these words. It sounds technical, evasive, and hollow. Your client is thinking, “what did I pay you for?” as you are reading his mind and thinking, “not for this.”

The First Mistake

The first mistake is not clearly explaining to your client what an audit is, and, more importantly, what it is not.

The Association of Certified Fraud Examiners’ (ACFE) biennial fraud survey notes that most frauds have a life of about 18 months before they are detected, and less than 10% of frauds are detected by external audits. Even if the external auditor is performing the engagement in accordance with generally accepted auditing standards, the procedures are designed to detect material fraud, something your client needs to know before you start the audit.

Your client files a claim with his insurance company in order to recoup the stolen funds, and, at this point, the insurance company contacts you and asks, “may we have a copy of your internal control letter?” You’ve known all along that there were significant deficiencies in controls, but you’ve been afraid to communicate the weaknesses in writing, knowing that doing so might jeopardize your relationship with management (the guys and gals who hired you).

The Second Mistake

The second mistake is not communicating all significant weaknesses and material weaknesses in writing.

Now things go from bad to worse: the insurance company sues your firm and subpoenas your work papers as they prepare to take you to court. The insurance company’s attorney obtains copies of your fraud work for the last three years, and he notes that the three respective audit files have the same fraud inquiry form. All three annual fraud forms reflect your CPA firm interviewed the same two management personnel who noted, “the company has high ethical standards and there are no known ways to commit fraud.” No other fraud work exists in the files.

In the deposition, the insurance company’s attorney asks you four times, “did you perform any fraud tests other than inquiring of management?” Now you wish you had.

The Third Mistake

The third mistake is inquiring of the same personnel year after year and not performing an annual fraud test (at least one).

Lessons Learned

You now resolve to do the following on all future audits:

  1. Resolved – I will explain to my client that an audit does not address immaterial fraud.
  2. Resolved – I will communicate all significant control deficiencies and material weaknesses in writing.
  3. Resolved – I will perform at least one new fraud test each year (and those tests will relate to control weaknesses noted in planning walk-throughs and inquiries); additionally, I will perform fraud inquiries of different personnel each year.

More Fraud-Related Articles

For more information about fraud detection and prevention, check out my list of articles here.

If you are looking for examples of fraud tests (that you can use in your audits), check out:

Disbursement Fraud Audit Tests: Five Powerful But Simple Ideas

Three Receipt Fraud Tests

Comment from Stephen Pedneault

Stephen Pedneault, the principal of Forensic Accounting Services, made the following comment about the above article:

You truly have to live through one of these phone calls from a client to appreciate what happens when this occurs. I completely concur that better auditor communications up front during the planning phase, long before fieldwork starts, would decrease the risk a client’s expectations are beyond what an audit can accomplish (and detect). Documented for your files, the conversation you had with your client will help “remind” the client, who is now enraged and reacting emotionally versus rationally due to the discovered fraud, that you discussed the associated audit risks. The representation letter your client signed will augment your defense should your client commence litigation, which is becoming more and more commonplace. Your best defense – avoidance altogether. Perform fraud-related tests as part of your audit.

Stephen has written several fraud books that are available on Amazon. Check him out here.

Uncollected prior year fees affect your independence
Nov 06

Uncollected Prior Year Fees: Can They Impair Your Independence?

By Charles Hall | Auditing

Can uncollected prior year fees impair your independence?

Answer: It depends. If a covered member has unpaid fees from an attest client for any previously rendered professional service provided more than one year before the date of the current-year report, he is not independent.

Section 1.230.010 (Unpaid Fees) of the Code of Professional Code states:

Threats to the covered member’s compliance with the “Independence Rule” would not be at an acceptable level and could not be reduced to an acceptable level by the application of safeguards if a covered member has unpaid fees from an attest client for any previously rendered professional service provided more than one year prior to the date of the current-year report (my bold). Accordingly, independence would be impaired. Unpaid fees include fees that are unbilled or a note receivable arising from such fees.

uncollected prior year fees

The picture is courtesy of DollarPhotoClub.com.

Applies to All Fees

Note that the rule states that independence is impaired if a covered member has unpaid fees from an attest client for any previously rendered professional service. Impairment exists when any prior year fee has not been paid, including tax or consulting work.

Billed or Unbilled Services

Also, the CPA should look back one year from the report date to see if billed or unbilled amounts exist. Here’s an example:

  1. The CPA provided tax services to ABC Company on April 25, 2015.
  2. The CPA billed for the tax services on June 1, 2015.
  3. ABC Company needs an audit report with a May 15, 2016, date.
  4. ABC Company has not paid the June 1, 2015, bill.

Is the CPA independent? If the audit report is dated May 15, 2016, the CPA is not independent.

Why? If we look back one year from the report date of May 15, 2016, we see that the April 25, 2015 work has not been paid. So an unpaid service for more than one year before the report date exists. If the CPA issues the May 15, 2016 report, he is in violation of the Code of Conduct.

How do you cure the independence impairment? ABC Company has to pay for the April 25, 2015 service.

An Odd Collection Procedure

Oddly, the potential impairment of independence may assist you in collecting past-due accounts. If the client needs the current year audit report, and the CPA can’t provide it to him without payment for the prior-year work, then the client may be willing to come up with the money.

Oct 30

Fake Bank Confirmation Responses: How One Man Defrauded Investors of $6 Million

By Charles Hall | Auditing

The Western District of North Carolina U.S. Attorney’s Office issued a press release on June 17, 2013, detailing how James Shepherd, an investment company owner, defrauded over 100 investors of approximately $6 million. How? By misusing funds and tricking his company’s external auditors with fake bank confirmation responses.

fake bank confirmation responses

Hiding Theft with Fake Bank Confirmation Responses

The press release states, “Documents indicate that Shepherd built a $2 million residence in Vass, North Carolina, and used investor money to make mortgage payments on the residence.” The U.S. Attorney’s Office said, “For seven years Shepherd used his investment fund as his personal piggy bank and repeatedly lied to his investors who trusted him with their savings.” The release goes on to say the fraud was concealed as “Shepherd sent to investors certified financial statements…accompanied by an Independent Auditor’s Report.” The fraudulent December 31, 2012, financial statement reflected a $6,041,850 cash balance when in reality the fund had less than $100,000. So, how was Shepherd able to get an independent auditor’s report based on fraudulent numbers?

The auditor sent bank confirmations to a P.O. Box address provided by Shepherd. Additionally, the confirmations were sent to the attention of a “Charles Fisher”–a fictitious bank employee.

And who controlled the P.O. Box? Mr. Shepherd.

According to the U.S. Attorney’s Office, Shepherd would receive the bank confirmations, “forge the name Fisher on a fake bank letter” and “send forged bank statements with fake balances” to the auditor. The responses came in the form of both letters and faxes.

So, how were the forged bank statements created? The press release stated that “Shepherd generated the fraudulent bank statements using a version of Adobe Acrobat that enabled him to type false numbers over true bank statements.”

Given the false bank confirmations, how was Mr. Shepherd ever caught? In March 2013 the auditors “insisted on verifying the cash balance of funds’ bank account electronically through the audit confirmation website www.confirmation.com.” Shepherd then refused to give the accountant authority to utilize the site to verify the cash balance. After that, the auditor notified the National Futures Association that his audit opinion could no longer be relied upon.

Given this cautionary tale, how can auditors combat the threat of false bank contact information?

Designing Confirmations 

A while back, my friend James Ulvog brought to my attention the following clarified auditing section about confirmations.

AU-C Section 505.A7 states:

Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by e-mail, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management.

Auditors confirm bank accounts using:

  1. Letters
  2. Faxes
  3. Emails

Regardless of how an account is confirmed, auditors need to verify the contact information provided by the auditee–at least for some of the confirmations.

Bottom line

Audit standards require that steps be taken to ensure that confirmations are sent to the appropriate persons.

Using Confirmation.com reduces risk related to faulty confirmations. If you don’t use Confirmation.com, then consider checking street addresses by Googling them, or you might call the confirming party–especially for high-risk accounts.

The procedures used to verify mailing addresses, fax numbers, and email addresses should be documented in the auditor’s work papers.

Postscript

On February 11, 2015, Mr. Shepherd was sentenced to 84 months in prison and three years of supervised release. Shepherd pleaded guilty to one count of securities fraud in June 2013.

modified audit opinions
Oct 18

Modified Audit Opinions: Determining Which is Appropriate

By Charles Hall | Auditing

You are performing an audit that has a material misstatement, and the client is unwilling to post the proposed audit adjustment. So, you are wondering, “how do I modify the opinion?”

First, let’s take a look at a summary of opinion options, and then we will review sample opinion language.

modified audit opinions

 

Opinion Modification Options

Opinion TypeCircumstance
QualifiedMaterial misstatement is not pervasive
AdverseMaterial misstatements are pervasive
DisclaimerSufficient audit evidence not available; potential material misstatements are pervasive
QualifiedSufficient audit evidence not available; potential material misstatement is not pervasive

Definitions

Before we explore potential opinions, let’s review relevant definitions included in AU-C 705:

Modified opinion. A qualified opinion, an adverse opinion, or a disclaimer of opinion

Pervasive. A term used in the context of misstatements to describe the effects on the financial statements of misstatements or the possible effects on the financial statements of misstatements, if any, that are undetected due to an inability to obtain sufficient appropriate audit evidence [my italics]. Pervasive effects on the financial statements are those that, in the auditor’s professional judgment:

  • are not confined to specific elements, accounts, or items of the financial statements;
  • if so confined, represent or could represent a substantial proportion of the financial statements; or
  • with regard to disclosures, are fundamental to users’ understanding of the financial statements.

Sample Modified Audit Opinions 

1. Qualified Opinion

Suppose your audit reveals inventories are materially misstated, the client will not record your proposed audit adjustment, and there are no other material misstatements. If this is your situation (a material misstatement exists that is not pervasive), then audit standards allow for the issuance of a qualified opinion.

The sample opinion language provided by AU-C 705 is as follows:

Basis for Qualified Opinion

The Company has stated inventories at cost in the accompanying balance sheets. Accounting principles generally accepted in the United States of America require inventories to be stated at the lower of cost or market. If the Company stated inventories at the lower of cost or market, a write-down of $XXX and $XXX would have been required as of December 31, 20X1 and 20X0, respectively. Accordingly, cost of sales would have been increased by $XXX and $XXX, and net income, income taxes, and stockholders’ equity would have been reduced by $XXX, $XXX, and $XXX, and $XXX, $XXX, and $XXX, as of and for the years ended December 31, 20X1 and 20X0, respectively.

Qualified Opinion

In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion paragraph, the financial statements referred to above present fairly, in all material respects, the financial position of ABC Company …

2. Adverse Opinion

Now let’s suppose that you are auditing a consolidated entity, and your client is not willing to include a material subsidiary and which, if included, would have a pervasive impact on the statements.

The sample opinion language provided by AU-C 705 is as follows:

Basis for Adverse Opinion

As described in Note X, the Company has not consolidated the financial statements of subsidiary XYZ Company that it acquired during 20X1 because it has not yet been able to ascertain the fair values of certain of the subsidiary’s material assets and liabilities at the acquisition date. This investment is therefore accounted for on a cost basis by the Company. Under accounting principles generally accepted in the United States of America, the subsidiary should have been consolidated because it is controlled by the Company. Had XYZ Company been consolidated, many elements in the accompanying consolidated financial statements would have been materially affected. The effects on the consolidated financial statements of the failure to consolidate have not been determined.

Adverse Opinion

In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion paragraph, the consolidated financial statements referred to above do not present fairly the financial position of ABC Company and its subsidiaries as of …

3. Disclaimer of Opinion

Finally, let’s suppose you are performing an audit in which insufficient audit information is provided with regard to receivables and inventories (both of which are material) and that the misstatements have a pervasive impact on the financial statements as a whole.

The sample opinion language provided by AU-C 705 is as follows:

Basis for Disclaimer of Opinion

We were not engaged as auditors of the Company until after December 31, 20X1, and, therefore, did not observe the counting of physical inventories at the beginning or end of the year. We were unable to satisfy ourselves by other auditing procedures concerning the inventory held at December 31, 20X1, which is stated in the balance sheet at $XXX. In addition, the introduction of a new computerized accounts receivable system in September 20X1 resulted in numerous misstatements in accounts receivable. As of the date of our audit report, management was still in the process of rectifying the system deficiencies and correcting the misstatements. We were unable to confirm or verify by alternative means accounts receivable included in the balance sheet at a total amount of $XXX at December 31, 20X1. As a result of these matters, we were unable to determine whether any adjustments might have been found necessary in respect of recorded or unrecorded inventories and accounts receivable, and the elements making up the statements of income, changes in stockholders’ equity, and cash flows.

Disclaimer of Opinion

Because of the significance of the matters described in the Basis for Disclaimer of Opinion paragraph, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on these financial statements.

Resolving Conflict with Clients

If, as described above, you have a client that is unwilling to post a material audit adjustment, consider creating a draft of the opinion and providing it to them. This is not a threat, just a clear way to communicate the effect of not posting the adjustment. 

Before doing anything, allow the client to fully explain their position. There is no profit in upsetting a client with needless talk about a modified opinion, if they are correct (and I am wrong). But after the discussion, if the auditor is still convinced there is a material misstatement, a modified opinion may be necessary.

Research

Deciding on the opinion is often the most important decision you will make in an audit. So, do your research, and, if needed, consult with others to gain assurance about your decisions. 

Using Project Management in Audits
Oct 17

Using Project Management in Audits: The How and the Why

By Charles Hall | Auditing

On the first day of your audit, you’re confident you’ll deliver your report on time. You have visions of a happy client and happy firm partners. But, somewhere along the way, things break down. Your best auditor transfers to another job. You learn–as the audit progresses–that your junior staff member lacks sufficient training. Your client is not providing information as requested. And, additionally, your audit team has unearthed a fraud.

How can you lessen or respond to these problems? Project management. In this post, I’ll tell you what it is and how you can start using project management in audits, including software selection and practical implementation steps.

Using Project Management in Audits

 

Using Project Management in Audits

Auditors need to be effective (by complying with professional standards), but we also need to be efficient (if we want to make money). And project management creates efficiency.

Managing resources, identifying impediments to audit processes, responding to scope creep–these are just a few of the issues that we encounter. And these challenges can increase engagement time and decrease profits. Worse yet, that promise regarding timely completion can go unmet. 

Either we will manage our audits, or they will manage us. 

So, what are the keys to using project management in audits?

  • Audit team members
  • Project management software
  • Create a project management plan
  • Be aware
  • Be vigilant

Audit Team Members

The number one ingredient to a successful audit is your team members. Even more important is the person managing the engagement.

Have you noticed that some people–regardless of the obstacles–just get things done? If possible, get and keep people like this on your audit teams. You may be thinking–at this moment–“but our firm has a difficult time hiring and retaining great employees.” Then revisit your hiring and retention practices.

Having great team members is essential, but they need to work together. So, how do we get them to play their roles at the right time? A project management plan defined in project management software.

Project Management Software

There are plenty of useful project management software packages. They include:

Pricing varies. Some are free while others are expensive. So, you’ll need to do your research to determine which solution is best for you. Personally, I use Basecamp at $50 per month. If you want to start with a free application, try Trello or Asana. Another option is Smartsheet (an Excel-spreadsheet-based product) at $25 per month. Larger firms may desire to take a look at XCMWorkflow.

Regardless, get your feet wet. If you’ve never used a project management package, it’s hard to understand the beauty of doing so.

Basecamp

Here’s how I got my own feet wet.

Four years ago I started using Basecamp. And why did I pick this software? Mainly, because of ease of use. I can create cloud-based to-do lists for my audit teams and my clients. Also, Basecamp allows me to hide my audit team’s to-do list from my client. So, my audit team can see the client’s to-do list, but the client can’t see my audit team’s list.

Additionally, I can assign each to-do item to an audit team member or client personnel. And even better, I can assign a due date. When the to-do item is due, the designated person receives a reminder email. (As you can see, I no longer need to send a client assistance checklist to my clients. Those tasks that once resided in a Word doc now live in Basecamp.)

Basecamp provides iPad and iPhone apps so that I can see my projects on those devices. Additionally, I access my projects on my Windows desktop using the Internet. So, Basecamp is accessible from anywhere.

Here’s a video overview of Basecamp:

Once you’ve picked your project management software, you need to create a project management plan.

Create a Project Management Plan

What is a project management plan? It’s deciding what, when, and who. These three factors are dependent upon the deliverables, and in our case, the deliverable is the audit report.

Who

First, let’s start with who will perform the actions.

A partner, an in-charge, and one or two staff members often comprise an audit team. Regardless of the team size, your first decision is “who is going to work on the engagement?” and as we said above, this is the most crucial element in getting your audit done. But notice that an audit involves not only your team members but client personnel. You can’t audit unless they provide information, answer questions, and allow you to inspect documents. You might also work with specialists or attorneys

Add all persons to your project management software, including audit team members, client staff, and others. (In Basecamp, I add persons to the project by sending an invitation email from within the software.) But how do we know who we will work with? That depends on what we plan to do.

What

Second, determine what needs to be done. But how do we do this? The development of our audit plan.

The audit plan is our response to risk assessment which is performed early in the engagement. Once we perform walkthroughs, make inquiries, inspect documents, and make observations, we become aware of risks. And in response, we create an audit plan to address those risks. Now we know what needs to be done. The audit plan feeds the project management plan.

Notice the risk assessment process and audit plan informs the project management plan. Notice also that the project management plan is not the same as the audit plan; they are distinctly different. One addresses risk and the other addresses the how, when, and who of getting things done. For me, my audit plan lives in the audit programs (inside my audit software), and my project management plan lives in Basecamp in the cloud. 

Here’s an example of how the risk assessment process feeds my project management plan. As I perform my risk assessment procedures, I see that one person makes disbursements, records the payment, and reconciles the bank statement. Now I know the client lacks segregation of duties in the payables area and has a fraud risk. I will respond to those risks by performing procedures such testing disbursements. Now I know what I am to do. In my project management plan, I need to marry this audit procedure (the testing of disbursements) to a team member. So, I add the task to my project management plan and assign it to one of my people. I also specify a performance date.

Some audit tasks are performed in every audit, regardless of the audit risks, such as obtaining a signed representation letter.  These tasks can be set up in a project management template which can be used to create your initial project management plan. Then you can add the client-specific tasks as needed.

When

Thirdly, we need to specify a date for each action.

Project management software allows you to specify when an action is to occur. Once I know who is on the audit team and what is to be done, my remaining duty is to specify a date for the action. You may wonder, “how do I know when each action will occur?” You may not know precisely, but you have an idea. So, go ahead and specify a date. If later you need to change that date, you can. There is no sin in amending the plan. 

Now that I have a project management plan, I need to be aware and vigilant to keep the plan on track.

Be Aware

The purpose of project management is to enable you to control your audit. But many times the original scope and particulars of our audits change. And if our project management plan doesn’t change concurrently, we lose control.

using project management in audits

For example, if your audit team discovers a fictitious vendor fraud, then your time budget may need to expand. Let’s say we believe the audit will now take an additional 80 hours, and that we need to bring in a fraud specialist. At this point, if we don’t amend the engagement letter, we’ll eat this additional cost. So, it’s time to ask the client for an additional fee. The fraud was not anticipated in the original contract. Now, you need to amend the contract to cover the additional work. (Construction contractors do this all the time with change orders. But auditors are often hesitant to do so.)

As you perform your audit, be aware of scope creep. If your client asks you to perform additional services, then amend your contract. Otherwise, your profit realization will diminish quickly. This is especially true for bid audits such as governmental engagements.

More times than not, changes will occur during the engagement. And regardless of the cause, we must amend our plan. For me, I’m going back into Basecamp and adding additional steps.

In addition to being aware of potential changes, we need to be vigilant.

Be Vigilant

We know from experience that it is natural for the audit process to fall apart. It’s like most things in our universe. Entropy happens.

When it does, you must fight to restore order. Why is this so hard to do? Because you have so much going on. You aren’t working on one audit. You’re working on two–or three. You have office meetings, client meetings, tax deadlines. You are busy! Therefore, if you don’t have a way to maintain control, you will feel desperate.

But that’s the beauty of project management. With it, you can maintain control.

Think of your project management plans as dashboards that flash green or red lights. And those indicators allow you to see how things are progressing–or not. Moreover, this knowledge allows you to react in real time–and to stay vigilant. As you monitor your audits, you can take corrective actions to keep your projects on track.

Summary of Using Project Management in Audits

Project management is simple in concept. You plan tasks, you assign them, and you specify due dates. Then you need project management software to track the actions, assignments and due dates. Once the system is in place, you can monitor your projects and manage change.

So why do most auditors not use project management? Because many think they can do so in their heads–and I know many who feel this way. Sorry, but I have to disagree. If you’re like me (and I bet you are), you have a million things going on. So without project management, you’ll do your work by the seat of your pants. The result? Missed deadlines. Frustrated clients and disappointed partners. Not what you desire.

So, give it try. You will find yourself delivering audits on time and on budget.

Auditing Blog Series

This post is a part of my auditing series. In it, I take you from the start to the end of the audit process. Click here if you’ve missed my prior posts.

Oct 03

Wrapping Up Audits: The How and The Why

By Charles Hall | Auditing

Sometimes we think we are almost done with an audit, but then–days later–we realize we were nowhere near the finish line. Very frustrating! For our clients and us. Why does this happen? That’s the question I’ll answer in this post. Wrapping up audits is not always easy, but–in this article–you’ll learn how to finish them efficiently and effectively.

wrapping up audits

Wrapping Up Audits: An Overview

In the final stages of an audit, we are (among other things):

  • Reviewing the file
  • Updating subsequent events
  • Obtaining a management representation letter
  • Summarizing passed journal entries
  • Considering going concern
  • Creating final analytics
  • Creating management letters
  • Communicating control deficiencies

Reviewing the File

If we review our audit work as we perform the engagement, then the review process (at the end) will not be difficult. The thorns and snares come when we allow a junior staff person to work without supervision and without a timely review process. Then, when the manager or partner begins to review the file (at the end of the engagement), it’s a disaster.

The review problem starts at the beginning of the audit, namely in the scheduling of the engagement. Too many times, audit firms send an untrained person out–just to get a warm body on the job. Sure, someone is onsite with the client, but does he know what he’s doing? I said this “warm body” effort could be the result of scheduling, but look even deeper. The root problems could be poor hiring or retention practices or insufficient training. If audit firms are to properly schedule work, they must first hire, retain, and train. Only then will sufficient staff be available.

Once a firm has sufficient personnel, then it needs discipline. Review files daily (or at least weekly)–not at the end of the engagement. Why are timely reviews more efficient and effective? Because the work is still fresh in the staff member’s mind. As he receives review comments, he is better able to respond. Also, timely reviews enable junior staff members to learn as they go, and the reviews provide them with confidence as they work. But in terms of wrap-up, you are much closer to your goal of completing the engagement.

In short, review work and provide feedback as soon as possible, at least weekly.

Updating Subsequent Events

The financial statements should disclose material subsequent events such as legal settlements, the issuance of new debt, the adoption of a new benefit plan, or the sale of stock. And while disclosure is important, subsequent events–such as legal settlements–can have a bearing upon the recognition of amounts in the financial statements.

Here are common subsequent event procedures:

  • Inquire of management about subsequent events
  • Review subsequent receipts and payments
  • Consider attorneys’ responses to request for litigation information
  • Read subsequent minutes
  • Review subsequent interim financial statements
  • Obtain an understanding of management’s methods for accumulating subsequent event information

Perform these procedures so that audit evidence is obtained through the audit report date. Auditors often need to update attorney’s response to coincide with the audit report date. You want the attorney’s letter to be as close as to the audit report date as possible. How close? Usually within two weeks of the audit report date. If there are significant issues, you may want to bring the written response even closer.

Obtaining a Management Representation Letter

Another part of wrapping up in obtaining a written representation letter. The letter should address issues such as:

  • Management’s responsibility for the financial statements
  • Management’s responsibility for internal controls
  • Assurances that all transactions have been recorded
  • Whether known fraud has occurred
  • Whether known non-compliance with laws or regulations
  • The effects of uncorrected misstatements
  • Litigation
  • The assumptions used in computing estimates
  • Related party transactions
  • Subsequent events
  • Supplementary information
  • Responsibility for nonattest services

The date of the representation letter should be the same as the date of the audit report. Also, the representation letter should be for all financial statements and periods referred to in the auditor’s report. If management refuses to provide the management letter, then consider the effect upon the audit report. Such a refusal constitutes a limitation on the scope of the audit and will usually preclude the issuance of an unmodified opinion.

If your audit firm creates the financial statements, then provide them to management in a timely manner. Management needs to review the financial statements prior to signing the representation letter.

Summarizing Passed Journal Entries

Prior to creating the representation letter, the auditor needs to summarize passed journal entries. Why? You need to attach the passed entries to the representation letter. Audit standards require management to provide a written assertion regarding whether the uncorrected misstatements are material. That wording could, for example, read “the effects of uncorrected misstatements are immaterial.”

Once you summarize the uncorrected misstatements, you as the auditor should consider whether they are material. Review your audit materiality and performance materiality documentation and consider if the passed adjustments are acceptable. If the uncorrected misstatements are material, then an unmodified opinion is not appropriate.

Considering Going Concern

Even in the planning stage, auditors need to think about going concern, especially if financial weaknesses are present. But as you approach the end of the audit, the going concern evaluation should crystallize. Now you have your audit evidence, and it’s time to determine if a going concern opinion is in play. Also, consider whether the going concern disclosures are sufficient. If substantial doubt is present, then the entity should include going concern disclosures (whether doubt is alleviated by management’s plans or not).

Substantial Doubt

And what is substantial doubt? The Financial Accounting Standards Board defines it this way:

Substantial doubt about the entity’s ability to continue as a going concern is considered to exist when aggregate conditions and events indicate that it is probable that the entity will be unable to meet obligations when due within one year of the date that the financial statements are issued or are available to be issued.

So for nongovernmental entities, ask “Is it probable that the company will meet its obligations for one year from the opinion date?” If it is likely that the entity will meet its obligations, then substantial doubt does not exist. If it is not probable that the entity will meet its obligations, then substantial doubt exists.

Evaluation Period

And what is the period to be considered when assessing going concern? One year from the audit report date unless the entity is a government. If the entity is a government, then the evaluation period is one year from the financial statement date (though this period can be lengthened in certain circumstances).

Who Makes the Evaluations?

The going concern evaluation is one that management makes as it considers whether disclosures are necessary.

Then the auditor considers going concern from an audit perspective. Based on the audit evidence, the auditor could possibly issue a going concern opinion or qualify the opinion if required going concern disclosures are not included in the financial statements.

Creating Final Analytics

Another part of wrapping up is the creation and review of final analytics.

Auditors create planning analytics as a risk assessment procedure. Why? We are looking for risk. So, what is the purpose of final analytics? We are performing analytical procedures, near the end of the audit, to assist in forming an overall conclusion about whether the financial statements are consistent with our understanding of the entity.

What type of analytics should be used? Audit standards don’t specify the particular analytics. Those standards say that a wide variety of procedures can be used, including reading the financial statements. An auditor can also use analytics similar to those used in the planning stage of the engagement. Regardless of the procedures used, they should be documented. So, if you read the financial statements as an analytical procedure, you should say so in a work paper.

I commonly use the same analytics in the close of the audit that I used in the beginning. I want to know that the questions raised in the beginning have been answered by the end of the engagement.

Creating Management Letters

At the conclusion of an audit, you can provide a written management letter.

wrappping up audits

What should be included in such a letter? It’s up to the auditor, but here are some examples:

  • Communication of control weaknesses that are not significant or material
  • Recommendations concerning the implementation of new accounting standards
  • Efficiency recommendations such as how to process cash receipts
  • Warnings regarding cyber attacks and suggestions for preventing them
  • Suggestions that may expedite next year’s audit
  • Recommendations regarding procurement
  • Suggestion for the creation of a code of conduct
  • Recommendation that an accounting manual be created
  • Suggestion to use excess cash to pay off high-interest rate leases
  • Suggestion to create a more robust IT change management process

Significant internal control deficiencies and material weaknesses must be reported in writing. Other control weaknesses (those not significant or material) can be communicated in writing or orally. If such weaknesses are orally communicated, then they must be documented in some manner such as in a work paper. Alternatively, the control weaknesses can be included in a management letter.

If a management letter is provided, consider providing a draft to the client prior to issuance. Doing so will allow you to avoid the embarrassment of making inaccurate or inappropriate suggestions. Also, the auditor, if desired, can include client responses (e.g., the status of implementation) in the management letter.

Communicating Control Deficiencies

Audit standards require that significant control deficiencies and material weaknesses be reported in writing to management and to those charged with governance. As we saw in the previous section, control weaknesses that are not significant or material are normally communicated in the management letter. Significant deficiencies and material weaknesses are defined as follows:

  1. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  2. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Control deficiencies are often noted during the risk assessment procedures, particularly when walkthroughs are performed. They may also be noted as audit journal entries are created, especially when material adjustments are made. It is best to capture control weaknesses as they are noted. Otherwise, you may forget your notice of them. Also, if control weaknesses are material, you may desire to communicate them to management as they are discovered.

As recommended for the management letter, a draft of this internal control report should be provided to management prior to final issuance to avoid potential misunderstandings. Management can better assess the correctness of a control weakness communication once they see it in black and white. If there’s a disagreement between management and the auditor, it’s best to clear the issue prior to final issuance of the internal control weaknesses letter.

Wrapping Up Audits

Now you have an overview of how to wrap up your audits. You may have thought while reading the above, “How does an auditor make all of this happen at the appropriate time?” Sound project management.

While this article covers wrapping up audits from a professional standards perspective, you’ll find additional insights into managing your engagements by reading my Basecamp post. What is Basecamp? It’s a cloud-based project management application. As you can see in the above wrap-up article, there are a lot of moving parts. So, use of sound project management software and procedures can significantly increase your efficiency.

You’ll also find my twin brother’s article How to Identify and Manage Audit Stakeholders helpful.

Continuing Audit Series

This post is a part of my continuing audit series titled The Why and How of Auditing: A Blog Series About Basics. I have covered the planning and substantive parts of audits in earlier posts. To see an overview of the blog series, click here.

audit pricing risk-adjusted
Oct 02

Why Higher Risks Should Result in Higher Priced Audits

By Charles Hall | Auditing

Audit risk increases uncertainty–and price. At least, it should.

audit pricing risk-adjusted

Picture is courtesy of AdobeStock

Factors that Increase Audit Risk

Factors that increase audit risk include:

  • Entity (audit client) that is about to be sold
  • Records not reconciled on a timely basis (including bank accounts, inventory, accounts receivable, and accounts payable)
  • Business with a high debt load and covenant violations
  • Known existence of fraud
  • Inexperienced management in a complicated business
  • Known legal proceedings against the company
  • Unusual estimates (e.g., environmental liabilities)
  • Complex transaction cycles with varied accounting systems (systems differ at each location)
  • Group audit situations with subsidiaries audited by other audit firms (especially if the components are foreign entities)
  • Entities with severe cash flow deficiencies

A Risk Perspective

Pretend, for a moment, that you are a representative of a professional liability insurance carrier, and you’ve been assigned the duty of reviewing an audit firm’s book of business. How would you rate–from an insurance perspective–audits of the following entities?

  1. The City of Perfect has a CPA as its finance director. For the last twenty years, they have received the financial reporting Government Finance Officer’s Certificate of Achievement. They have never had a significant fraud. The city’s net position is strong, and it has no debt.
  2. Shazaam, Incorporated, is a high-tech company funded with venture capital. Operations began two years ago. Shazaam has weak cash flow, but the company has successfully created one new whiz-bang product, making it a highly desirable acquisition target. Potential suitors have already made visits to the company’s headquarters inquiring about a purchase.
  3. Sterling Parts, Incorporated, sells auto parts mainly in the United States, but it also has manufacturing operations in Germany. The company has eight subsidiaries, one of which is the German production component. This entity has been cited for contaminating the Rhine river. The cost of cleanup and damages are not known. The foreign entity uses an accounting system that is entirely different from the other companies. A German accounting firm audits the manufacturing component.

Would you price the insurance for all three engagements the same? Certainly not. The City of Perfect is…well perfect. The second and third audits have risk elements.

So if we–as auditors–examine prospective audit clients purely with an eye on risk, there should be a premium (higher fee) for those with increased risk. Why? There is a higher probability that the audit firm will suffer loss. The inherent risks in examples 2 and 3 increase the chance of faulty financial reporting, which increases the possibility a suit against the audit firm.

From a project management perspective, will all three engagements take the same amount of time? Obviously no. The higher risk engagements will require more resources, effort, and time.

Risks Require More Time

You might think of the additional time element in this way:

Risk = Additional Time = Higher Price

Too often, CPA firms fish for audits without giving appropriate consideration to risk. Then, the flat fee creates pressure to ignore risks, because, after all, the audit firm wants to make a profit. It is critical that auditors incorporate a pricing premium for identified risks.

Unidentified Risks

But what about unknown risks (those that exist before starting the engagement)?

Well, that’s another story. Discovering fraud, for example, may require an expansion of the engagement scope. As with any project, when the scope increases, price increases. But the price increase is dependent upon the size and complexity of the theft. If the fraud is nominal and requires little additional time, then no price increase is necessary. But if the theft is broad and complex, a contract amendment may be needed.

Client Acceptance And Continuance

Does your firm use any type of risk score in your new client acceptance or in your annual continuance decision? If yes, how do you do this?

how to audit equity
Sep 18

Auditing Equity: The Why and How Guide

By Charles Hall | Auditing

What are the keys to auditing equity correctly? In this post, we’ll answer this question, showing you how to focus on the important equity accounting issues.

how to audit equity

Auditing Equity — An Overview

In this post, we will cover the following:

  • Primary equity assertions
  • Equity walkthroughs
  • Directional risk for equity
  • Primary risks for equity
  • Common equity control deficiencies
  • Risk of material misstatement for equity
  • Substantive procedures for equity
  • Common equity work papers

Primary Equity Assertions

Before we look at assertions, consider various potential equity accounts such as:

  • Common stock
  • Paid in capital
  • Preferred stock
  • Treasury stock
  • Accumulated other comprehensive income
  • Noncontrolling interests
  • Members’ equity (for an LLC)
  • Net assets (for a nonprofit)
  • Net position (for a government)

Certain types of equity accounts are used for certain types of entities. For example, you’ll find common stock in an incorporated business, net assets in nonprofits, and members’ equity in a limited liability corporation. 

Then, the equity accounts used will depend upon what the entity does. Examples include:

  • Has the company purchased treasury stock?
  • Does a commercial entity have unrealized gains or losses on available-for-sale securities?
  • Does a nonprofit organization have restricted contributions?
  • Does a government have restricted net position?

So, it’s a must–before you determine the relevant assertions–that you understand the accounting for (1) the type of entity and (2) the particular equity-related transactions.

The primary relevant equity assertions (often) are:

  • Existence and occurrence
  • Rights and obligations
  • Classification

When a company reflects equity on its balance sheet, it is asserting that the balance exists and that the equity transactions occurred. For example, if common stock is sold, the balance of the account is based upon the actual sale of stock and the monies received. The balance is not fictitiously or erroneously stated. 

Equity instruments also have certain rights and obligations. For example, common stock provides rights to retained earnings. Also, some classes of stock provide voting privileges. Others do not.

Additionally, the classification of equity balances is important. Determining how to present equity is usually easy, but classification issues arise when an entity has equity instruments such as convertible stock. Classification is also relevant when there is a noncontrolling interest

Keep these assertions in mind as you perform your transaction cycle walkthroughs.

Equity Walkthroughs

Early in your audit, perform a walkthrough of equity to see if there are any control weaknesses. As you perform this risk assessment procedure, what questions should you ask? What should you observe? What documents should you inspect? Here are a few suggestions.

Walkthrough Questions and Actions

As you perform your equity walkthrough ask or perform the following:

  • What types of equity does the entity have?
  • How many shares are authorized? How many shares have been issued?
  • Does the company have any convertible debt?
  • Has the company declared and paid dividends?
  • Are there any state laws restricting distributions?
  • Does the company have accumulated other comprehensive income?
  • Inspect ownership documents such as stock certificates.
  • Read the minutes to determine if any new equity has been issued.
  • Does the company have classes of stock? What are the rights of each?
  • Is the entity attempting to raise additional capital?
  • Has the company sold any additional equity ownership?
  • Is there a noncontrolling interest in the company?
  • Does the company have stock compensation plan?
  • For a nonprofit, are there any restricted donations?
  • For a government, is the net position restricted?
  • For a limited liability corporation, are there differing classes of ownership? 

As you perform your walkthroughs, also consider if there are risks of material misstatement due to fraud or error.

Equity-Related Fraud and Errors

Theft seldom occurs in the sale of stock. If fraud occurs, it’s usually an intentional false equity presentation. Inflating an entity’s equity can make the organization appear healthier than it really is. 

Additionally, mistakes can lead to errors in accounting for equity. Such mistakes may occur if the entity sells complex equity instruments. Understanding the rights and obligations of ownership interests is a key to proper accounting.

Directional Risk for Equity

The directional risk for equity is that it is overstated (companies desire strong equity positions). So, audit for existence. 

Primary Risks for Equity

The primary risks for equity are:

  1. Equity is intentionally overstated
  2. Misclassified equity 

As you think about these risks, consider the control deficiencies that allow equity misstatements.

Common Equity Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following: 
    • Approves the sale of equity interests,
    • Enters the new equity in the accounting system, 
    • Deposits funds from the sale of the equity instruments
  • Accounting personnel lack knowledge regarding equity transactions

Another key to auditing equity is understanding the risks of material misstatement.

Risk of Material Misstatement for Equity

In auditing equity, the assertions that concern me the most are existence, classification, and rights. So my risk of material misstatement for these assertions is usually moderate to high. 

My response to the higher risk assessments is to perform certain substantive procedures: namely, a review of equity transactions. Why?

A company may desire to overstate its equity. Also, misclassifications occur due to misunderstandings about equity accounting.

Once your risk assessment is complete, you’ll decide what substantive procedures to perform.

Substantive Procedures for Equity

My normal substantive tests for auditing equity include:

  1. Summarizing and reviewing all equity transactions
  2. Reviewing all equity accounts for proper classification
  3. Agreeing all beginning of period balances to the prior period’s ending balances
  4. Reviewing equity disclosures for compliance with the requirements of the reporting framework (e.g., GAAP)

In light of my risk assessment and substantive procedures, what equity work papers do I normally include in my audit files?

Common Equity Work Papers

My equity work papers normally include the following:

  • An understanding of equity-related internal controls 
  • Documentation of any equity internal control deficiencies
  • Risk assessment of equity at the assertion level
  • Equity audit program
  • A copy of (sample) equity instruments 
  • Minutes reflecting the approval of new equity
  • A summary of equity activity (beginning balances plus new equity less equity distributions and ending balance)

In Summary

In summary, today we reviewed the keys to auditing equity. Those keys include risk assessment procedures, determining relevant assertions, performing risk assessments, and developing substantive procedures. The most important issues to address are usually (1) equity accounting (especially when there are more complex types of equity transactions) and (2) the classification of equity.

Look for my next post in The Why and How of Auditing

If you’ve missed my prior posts in this audit series, click here.

>