Category Archives for "Risk Assessment"

Documentation of Walkthroughs
Oct 25

How to Document Audit Walkthroughs

By Charles Hall | Accounting and Auditing, Risk Assessment

How do you document your audit walkthroughs? Is it better to use checklists, flowcharts or summarize narratively?

Audit Walkthrough Documentation

While you can use checklists, flowcharts, narratives, or any other method that enables you to gain your understanding of controls, my personal favorite is narrative mixed with screen shots. So how do I do this?

I determine the people involved in a transaction flow and schedule interviews with them. Usually, one or two people can explain a particular transaction flow (e.g., disbursement cycle), but some complicated processes require several interviews. 

Sometimes I don’t know how each person’s work fits into the whole, so it’s like gathering puzzle pieces—at this stage, I am reaching for bits of the picture. The interviews and information may feel random, even confusing. But when you put the pieces together, you will see the picture—and that’s what we’re after, understanding the accounting system and control environment.

The Interview

I document the conversations using:

  • A Livescribe pen
  • My iPhone camera

Taking Notes

Using a Livescribe pen, I write notes and record the conversations.

I begin the interview by saying, “Tell me what you do and how you do it. Treat me like I know nothing. I want to hear all the particulars.” 

As I listen, I write general notes. The Livescribe pen records the audio which syncs with my written notes. Later the conversation can be played from the pen—more in a moment about how I use this tool. 

I find that most interviewees talk too fast—at least faster than I can write. And as I’m writing their last comment, they are moving to the next (and I fall behind). So I write simple words in my Livescribe notebook such as:

  • Add vendor
  • Charlie opens mail
  • P.O. issued by Purchasing
  • Checks signed by the computer

Later as I’m typing the narrative into Word, I touch the letter “A” in “Add vendor” with the tip of my pen. The touching of the letter “A” causes the pen to play the audio for that part of the conversation. Likewise touching “C” with the tip of my pen–in “Checks signed by the computer”–causes the pen to play the discussion at that point. Since the audio syncs with my written notes, I can hear any part of the discussion by touching a letter with my pen.  

And since Livescribe captures the audio, I jot down words—such as “Add vendor”—so I can later retrieve particular parts of the interview.  These short phrases are markers for the audio and an outline of the conversation.

Taking Pictures

In addition to writing notes in my Livescribe notebook, I also take pictures with my iPhone. What am I taking snapshots of? Here are examples (from a payables interview):

  • Invoice with approver’s initials  
  • Screenshot of an invoice entry  
  • If several people are processing invoices, I take a group picture of them at their desks
  • A signed check 
  • The bank reconciliation 

So my inputs into the walkthrough document are as follows:

  • Livescribe notes and audio
  • Photos of documents and persons 

I write my narratives in Word and embed pictures as needed. The walkthrough documentation takes this shape:

  • Narrative
  • Pictures
  • Control identification
  • Control weakness identification

Why identify control deficiencies in the walkthrough? So I can link them to the audit procedures to be performed—what audit standards refer to as “further audit procedures.” The weaknesses tell me where to conduct substantive procedures.

Another key feature of the walkthrough documentation is the identification of who I spoke with and when. So at the top of the transaction cycle description, I name the persons I interview and the date of the conversation. For example:

Charles Hall interviewed Johnny Mann, Hector Nunez, and Suzanne Milton on October 25, 2016. 

Identification of Controls and Control Weaknesses

I note appropriate controls as follows: 

Control: The addition of new vendors is limited to three persons in the accounts payable department. Each time a new vendor is added, the computer system automatically sends an email to the CFO notifying her of the addition. Persons adding new vendors cannot process signed checks.

I note control weaknesses as follows:

Control Weakness: Only one signature is required on check disbursements. Johnny Mann signs checks, has possession of check stock, keys invoices into the payables system, and reconciles the related bank account. 

Response to Risks

The control weaknesses created by Johnny Mann’s performance of critical disbursement procedures increase the risk of theft. My response? I establish audit procedures in my audit program to address the risk, such as:

  • Review one month’s cleared checks for propriety, examining the check signature and payee. 

How do you know what audit procedures to perform in response to the risk? Ask, “What can go wrong?” and design a test for that potential. Johnny can write checks to himself. My response? Scan cleared checks to see if the payees are appropriate, particularly on those checks with Johnny’s signature.  

Communication of Control Weaknesses

Though this article focuses upon planning and risk assessment, the identification of control weaknesses will impact our end-of-audit communications.

The bolded text (Control Weakness) makes it easy to locate control weaknesses. Upon completion of the walkthrough, I summarize all control deficiencies in separate memos so I can track the disposition of each one. Ultimately each weakness is deemed a:

  1. Material weakness
  2. Significant deficiency, or
  3. Other weakness 

I report material weaknesses and significant deficiencies in writing to management and those charged with governance. I communicate other deficiencies in a management letter (or verbally and document the discussion in my work papers). 

For more information about how to categorize control weaknesses, click here.

If you missed my first two walkthrough posts, see them here:

Why Should Auditors Perform Audit Walkthroughs?

How to Identify Risk of Material Misstatements with Walkthroughs

Audit Walkthroughs
Oct 10

Why Should Auditors Perform Audit Walkthroughs?

By Charles Hall | Accounting and Auditing, Risk Assessment

Do you ever struggle with audit walkthroughs? Maybe you’re not sure what areas to review or how extensive your documentation should be.  Or possibly, you’re not even convinced of their usefulness.

I hear some auditors protest that professional standards don’t require walkthroughs. Right, but we have an obligation to annually corroborate the existence and use of controls, and I know of no better way to achieve this goal than walkthroughs.

Today, I provide an overview of why walkthroughs are not just advantageous, but foundational to the audit process.

What are Walkthroughs?

Walkthroughs are cradle-to-grave reviews of transaction cycles. You start at the beginning of a transaction cycle (usually a source document) and walk the transaction to the end (usually posting to the general ledger). The auditor is gaining an understanding of how a transaction makes its way through the accounting system.

As we perform the walkthrough, we:

  • Make inquiries
  • Inspect documents
  • Make observations

By asking questions, inspecting documents, and making observations, we are evaluating internal controls to see if there are weaknesses that would allow errors and fraud to occur. And audit standards do not permit the use of inquiries alone. Observations or inspections must occur.

Some auditors believe that audit walkthroughs (or documentation of controls for significant transaction cycles) are not necessary if the auditor is assessing control risk at high. This is not true. While the auditor can assess control risk at high, she must first gain an understanding of the cycle and the related controls. 

Why Audit Walkthroughs?

Accountants are often more comfortable with numbers than processes. We like things that “tie,” “foot,” or “balance.” We may not enjoy probing accounting systems for risk—it’s too touchy-feely. Even so, passing this responsibility off to lower staff is not a good choice. It’s too complicated–and too important. So there’s no getting around it. The walkthrough—or something like it—must be done. Why? You’re gaining your understanding of risks and responding to them. You’re developing your audit plan. Screw up the plan, and you screw up the audit.

What is the purpose of the walkthrough? Identification of risk. Once you know the risks, you know where to audit.

Too often auditors do the same as last year (SALY). And why do we do this?

First, it requires no thinking.

Second, out of fear. We think, “if the audit plan was appropriate last year, why would it not be this year?” In short, we believe it’s safe. After all, the engagement partner developed this approach seven years ago. But is it still safe?

Why SALY is Dangerous

Suppose the accounts payable clerk realizes he can create fictitious vendors without notice, and his scheme allows him to steal over $10 million over a four-year period.

The audit firm has performed the engagement year after year using the same approach. On the planning side, the fraud inquiry and internal control documentation look the same. Walkthroughs have not been performed in the last five years.

On the substantive side, the auditor ties the payables detail to the trial balance. He conducts a search for unrecorded liabilities. He inquires about other potential liabilities. All, as he has done for years. Even so, in the current year, the payables clerk walks away with $3 million—and the audit firm doesn’t know it.

Processes matter. And—for the auditor—understanding those processes is imperative.

Why Walkthroughs?

I will say it again: we are looking for risk. Our audit opinion says that we examine the company’s internal controls to plan the audit. The opinion goes on to say that this review of controls is not performed to opine on the accounting system. So, we are not testing to render an opinion on controls, but we are probing the accounting processes to identify weaknesses. And once we know where risks are, we know where to audit.

Check Your Work Papers for Audit Walkthroughs

Pick an audit file or two and review your internal control documentation. Have you corroborated your understanding of the controls by inquiring, inspecting, and observing the significant transaction cycles? Again, walkthroughs are not technically required, but the corroboration of controls is. The walkthrough process is an effective way to achieve this objective.

Audit Risk Assessment
Nov 18

Risk of Material Misstatement: How to Assess

By Charles Hall | Accounting and Auditing, Risk Assessment

How do you assess the risk of material misstatement? How do you know when to assess inherent risk at high (or low)? Can you assess control risk at high for all assertions? What are significant risks? These are common questions about the risk assessment process.

Today we’ll discuss how auditors assess and document risk. We’ll cover:

  • Financial statement level risk
  • Transaction level risk
  • Risk of material misstatement
  • Inherent risk
  • Control risk

Understanding these concepts will put money in your pocket and will result in higher quality audits.

Financial Statement Level Risk

Before picking our audit team, we need a general understanding of the entity.

We must understand the business and its control environment to determine risks at the financial statement level (I think of this as the overall risk). The overall risk will dictate our broader responses such as who the audit team will be.

Consider whether the entity has:

  • Complex transactions
  • Related party transactions
  • New accounting pronouncements
  • Profit pressures
  • Problem vendor relationships
  • Going concern issues
  • Potential debt covenant violations
  • Cash flow problems

We also need to consider the risk of management override. This threat is always a possibility. If management is playing on the edges, consider how you will add muscle and insight to your audit team—or whether you should even perform the engagement.

Keep this thought in mind when considering financial statement level risk assessment: greater overall threats call for a stronger audit team.

Transaction Level Risks

In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries, and planning analytics. The information gained from those steps is the basis for assessing risk at the transaction level.

Should the transaction risk assessment be performed at the assertion level or for the transaction cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be documented.

If we assess our risk of material misstatement at high for payables (as a whole), what are we saying? That further audit procedures are necessary for all assertions. If we assess risk at high for all payable assertions, and we don’t perform audit procedures in response to the (high) risk assessment, we create an incongruity. We are saying that risk is high for all assertions, but our responses don’t agree.

Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically proposed significant journal entries to record additional payables, maybe the risk of material misstatement for the completeness assertion is high. Our audit procedures will include a search for unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit standards refer to as linkage). The remaining accounts payable assertions could possibly be assessed at low.

Risk of Material Misstatement

We can express the risk of material misstatement (RMM) as:

RMM = Inherent Risk X Control Risk 

While audit standards don’t require that we assess inherent risk and control risk separately, it’s helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.

Inherent Risk

So what is inherent risk? My simple definition is the risk that exists when no controls are present. (We are not saying controls don’t exist, just that we are disregarding them as we measure inherent risk.) 

Inherent risk can be a function of:

  • The complexity of the transaction (e.g., derivatives are harder to understand)
  • The nature of the financial statement item (e.g., cash is liquid and subject to theft)
  • The experience and knowledge of the client’s accounting personnel
  • Past audit issues in the area
  • The volume of transactions

As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur assuming there are no related controls?”

Some areas are so risky that the audit standards refer to them as significant risks. These areas require special audit consideration. Significant risks relate to transactions that are complex, nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to complexity—demands extra scrutiny. The inherent risk in such areas will always be high.

Now, let’s marry inherent risk with control risk so we can determine our risk of material misstatement.

Control Risk

For audits of smaller entities, control risk is often assessed at high—across the board. Why? To save time. While control risk can’t be assessed at high before performing our risk assessment procedures, we can do so afterward.

Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures are still required.)

If control risk is assessed at less than high, the auditor is required to test controls to support the lower risk assessment. It may be more economical to perform substantive procedures rather than testing controls. We might, for example, be able to vouch all of the additions to property and equipment in less time than it takes to test the related controls. If this is true, we will opt to use a substantive approach (vouching all significant additions to invoices), and we will assess control risk at high.

Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is low—even if your control risk is high. How? Consider the following equation.

Risk of Material Misstatement Formula

IR (low) X CR (high) = RMM (low or moderate)

What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also, you may not need to perform much in the way of substantive procedures–depending on your final RMM for the area.

Plant, Property and Equipment Example

As an example of how this works, think about a low inherent risk assessment regarding plant, property, and equipment. 

  • What’s the inherent risk related to the existence of your client’s main office building? Low. 
  • If your client has no controls related to the existence of the building, would the lack of controls have any bearing on the overall RMM? No. 
  • Do you need to test any controls? No. 
  • Do you need to perform any substantive procedures? Yes, if plant, property and equipment is material. Why? ASC 330.18 says “Irrespective of the assessed risks of material misstatement, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure.”
  • Do you need any substantive audit steps (concerning the building) in your audit program? Yes, but it could be as simple as seeing the building (to address the existence assertion).

Call to Action

Consider reviewing your risk assessments, and see if some of the inherent risk assessments will allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.

This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.

If you have suggestions for other posts, please leave a comment with your idea. Thanks.

Aug 07

How to Perform Audit Risk Assessments

By Charles Hall | Accounting and Auditing, Risk Assessment

Do you know someone who suffers from risk assessment averseness? Patients with this illness possess an extreme dislike for thinking before acting. They live in the land of the objective–bank confirmations, vouching, and searching for unrecorded liabilities. They disdain the subjective–inquiring about processes, observing segregation of duties, thinking about inherent risk. To them, auditing is science, not art. It’s concrete. You hear them say “that front-of-file stuff is just to make peer reviewers happy.” After all, “there’s work to do.” And they know what to do. It’s all there in the prior year file.

There is only one cure for this thought-borne disease. It’s understanding the advantages of risk assessment and planning.

Audit Risk Model

Let’s start with the audit risk model. How is it defined?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

This is the framework for gaining an understanding of:

  • The entity
  • Transaction cycles and account balances

Do I Need to Understand the Entity?

The audit standards require that we understand the entity and its environment. I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk. I want to know what they think and feel. The visceral is a flashing light saying, “Important!” And believe me, every business owner or manager worries about something. Your clients understand their businesses. This is where they live. The wise auditor taps into that knowledge.

Risks can be thought of as threats to objectives. Your client’s fears tell you what the objectives are.

Other questions that can be entertained include:

  • How is the industry faring?
  • Are there any new competitive pressures?
  • Are there any new opportunities?
  • Are there any changes in key vendor relationships? Can the company still obtain necessary products?
  • Are there pricing pressures?

Now let’s delve into accounting controls.

Do I Have to Understand Controls?

In every audit, we must understand the client’s internal controls. “But my client has no controls.” Really? It is doubtful that a client has no controls. They may have few, but almost every entity has some controls. Here are a few questions to consider:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives bank statements? Who opens them? Who has online access? Does anyone review cleared checks for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports? Who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

These are examples of what we need to understand before we plan the audit. Why? Because risk is a function of processes. Understanding informs us. It directs us.

Remember this: Numbers are the narrative.

And this: To change the story, change the figures.

And for auditors: See if the story is true–or if it changed (whether by accident or intentionally).

How do we do this?

We look for indicators of false numbers (false stories). Do the accounting processes allow for false numbers?

As a kid, I once stole five dollars from my father. His internal control of laying his billfold down on his dresser every night did not work well. When he asked who took the money, I changed the story from one of fact to fiction (also known as a white lie). I tried to change the narrative.

My father inquired, but he also observed, and my reaction gave me away.

Auditors are to use the following in performing risk assessments:

1. Inquiry

2. Observation

3. Inspection

Inquiry alone is never sufficient. Combine observation and inspection with inquiries.

And what is the purpose? To know where risks lie.

Your Thoughts?

We’ll pick up here in my next post about risk assessment. Feel free to share this article with those you know who suffer from audit risk assessment averseness. Friends don’t let friends audit without thinking.

What unique risk assessment procedures do you use? Since this is an art, there are myriad ways to gain an understanding of clients and their processes–and I’m always looking to learn more.