Marci Thomas, MHA, CPA, CGMA, licensed as a CPA in Georgia and North Carolina, is an author and nationally recognized speaker on various accounting and auditing topics to companies, nonprofits, CPA firms, and state societies of CPAs around the country. A frequent speaker at local, regional, and national conferences, she also writes and teaches courses in governance, financial management, grants accounting, strategy, and various operational topics. Marci is a clinical assistant professor in the School of Public Health at the University of North Carolina at Chapel Hill. She works with numerous accounting firms, performing quality control and efficiency reviews and with boards on strategic planning, internal control, and governance issues. Marci serves on the Not-for-profit Committee for the North Carolina Association of CPAs.
Marci has written and co-written several books, including Essentials of Physician Practice Management, published by Jossey Bass in 2004. Her book Best of Boards: Sound Governance and Leadership for Nonprofit Organizations was published by the AICPA and Wiley Publishing in 2018 and is on its second printing. Her book on health care financial management was published by Wiley Publishing in 2014, with a new edition expected in 2020.
Marci received her Bachelor in Business Administration with a concentration in accounting from Georgia State University and her Masters in Health Administration from the University of North Carolina at Chapel Hill.
• Many times when discussing accounting, tax and financial policy issues, it can be difficult to divorce the politics from the policy
• Today, when discussing the various issues we will encounter over the next several hours, let’s agree to keep our own view of politics out of the application of the policy and focus on doing the very best we can for all our clients
• The peer reviewer’s objective is to determine whether the system is designed to ensure conformity with professional standards and whether the firm is complying with its system
• Guidance in SQCS 8
• The System review also includes evaluation of a sample of the firm’s engagements, including:
D. AICPA focus areas and peer review issues identified
Question for Discussion
The AICPA has been issuing Audit Risk Alerts for over 30 years. Among other things, they focus on deficiencies that have come to light in audits. Why do you believe that audit quality continues to be a problem?
• SAS 136 addresses the auditor’s responsibility to form an opinion and report on financial statements of employee benefit plans subject to ERISA. It also adds new requirements for:
– Engagement acceptance;
– Audit risk assessment and response;
– Communications with those charged with governance;
– Procedures for an ERISA §103(a)(3)(C) audit; and
• SAS 137 addresses the Auditor’s Responsibilities Relating to Other Information included in Annual Reports. This standard supersedes SAS No. 118, Other Information in Documents Containing Audited Financial Statements (AU-C 720)
• SAS 138 changes the definition of materiality
• SAS 139 and 140 primarily make conforming changes to the reports for special purpose frameworks and reports on supplementary information
• SASs 134-140 were deferred one year by SAS 141 and are now effective for audits of financial statements for periods ending on or after December 15, 2021. Early implementation is permitted
• SAS 143 was issued in July 2020
• Makes revisions to the existing standard on Auditing Accounting Estimates:
– Discusses the concept of estimation uncertainty;
– Requires a separate evaluation for inherent risk and control risk for estimates;
– Proposes additional risk assessment procedures for estimates including assessment of management bias;
– Emphasizes that internal controls over the development of accounting estimates are important; and
– Makes clear that lack of internal controls over significant estimates with high estimation risk could be a material weakness or significant deficiency
• AU-C 230 states: “The auditor should prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit to understand:
– The nature, timing and extent of the audit procedures performed to comply with GAAS and applicable legal and regulatory requirements;
– The results of the audit procedures performed, and the audit evidence obtained; and
– Significant findings or issues arising during the audit, the conclusion reached, and significant professional judgments made in reaching the conclusions”
– Professional standards require that accounts receivable be confirmed. The audit partner on the engagement knew that, in situations involving nursing home patients, the chances of confirmations being returned were very low. Therefore, he directed the staff to test subsequent payments instead. The workpaper contained a list of the patients selected for testing along with a record of payments vouched and a summary at the bottom showing the extent of the testing performed and the results.
Was this documentation sufficient to meet professional standards?
• In 2018, peer review issues related to poor quality control included:
– Use of templates from practice aids and other vendors without tailoring them to the unique qualities and risks of the firm; and
– Some firms were not performing key quality control functions such as consultations with others on engagement issues and engagement quality control reviews
• Peer reviewers have noted that firms are not always:
– Documenting acceptance and continuance procedures;
– Obtaining the proper licensure in the states where engagements were accepted; and
– Evaluating the risk of performing an engagement in a specialized industry or obtaining the necessary knowledge of current standards in specialized areas prior to performance of the audit
– Risk that the practitioner is not independent (independence in mind); and
– Risk that the practitioner is perceived as not being independent (independence in appearance)
• Practitioners should use a conceptual framework which involves:
– Identifying threats to independence
– Evaluating the threat that the AICPA member would not be independent or would be perceived by a reasonable and informed third party as not being independent
– Threats must be eliminated or reduced to an acceptable level to be independent
Is the nonattest service(s) specifically mentioned in ET Sec. 1.295?
Evaluate the nonattest service using the conceptual framework at ET Sec. 1.210.010.
No
Does the nonattest service(s) specifically impair independence?
Service may not be performed for attest client.
Are there threats that would need supplemental safeguards to bring them to an acceptable level?
Yes
Evaluate firm safeguards and apply them. Document the safeguards and how they were applied.
Firm is independent if management is willing and able to provide a person with suitable skill, knowledge and experience to review and take responsibility for the service. Ensure that this documentation is thorough and that the important engagement letter and rep letter provisions are included.
• Risk assessment procedures help to focus an auditor’s attention on the account balances and classes of transactions that are most likely to have material misstatement and identify errors and irregularities
• The procedures also help to uncover deficiencies in internal control so that improvements can be made to prevent and detect their occurrence in the future
• Overall objectives when conducting risk-based audits of financial statements are to:
– Obtain reasonable assurance about whether the financial statements, as a whole, are free from material misstatement, whether due to error or fraud; and
II. Performing a conforming risk assessment
A. Summary of the risk assessment process
• Step 1: Make inquiries of management and other members of the client to develop an understanding of the entity, its environment, and internal control relevant to the audit
– Assess prior experience with the entity as well as results of audit procedures performed in prior audits. The assessment of prior experience is documented, in part in the client continuance form. This was discussed earlier
• Step 2: Perform preliminary analytical procedures on financial and nonfinancial information
• Step 3: Make inquiries of management, those charged with governance and others to assist in identifying the risk of material misstatement due to fraud
– Perform procedures to understand the risk of fraud such as inspection of journal entries, evaluation of significant estimates and the rationale for unusual business transactions
– Conclude on the risk of fraud related to revenue recognition and management override of controls
• Step 4: Identify the entity’s significant accounting processes including the financial reporting process and those that are outsourced and identify the key controls within those processes. Identify the key entity level controls
• Step 5: Conduct observations and inspections of those entity level controls and accounting processes with purpose of understanding the design of the key internal controls and whether they have been implemented
• Step 6: Accumulate the data points on risk identified
– Conduct discussions with the engagement team, brainstorming where the entity’s financial statements are susceptible to material misstatement due to fraud or error. Identify significant and fraud risks so they can be specifically documented
– Conclusions will be summarized in the risk assessment summary form
• Step 7: Assess inherent risk at the account balance/class of transaction and assertion level
– Be sure to document elements used to assess inherent risk
• Step 8: Assess the risk of material misstatement at the account balance and assertion level as high, moderate or low
– Ensure that significant and fraud risks are identified. Assess the risk of material misstatement at the overall financial statement level, that is, those risks that cannot be identified as specific to an account balance and assertion
• Step 9: Develop tailored audit procedures to be responsive to the risks of material misstatement and link them to the overall risks of material misstatement, the significant risks and the level of risk in the other account balances and classes of transactions at the assertion level
• Step 10: Document the results of the risk assessment process, including:
– Significant decisions reached in engagement team discussions, as well as timing of those discussions, and audit team members who participated in those discussions;
– Key elements associated with obtaining an understanding of the audit client, its environment, internal control components as well as the sources from which the understanding was obtained, and the risk assessment procedures performed; and
– Risk of material misstatement assessed at both the financial statement and relevant assertions level including the controls related to those risks that require special audit consideration (i.e., fraud risk, risks associated with significant related party transactions, economic and accounting matters, etc.).
A. Peer Review Issue #1 – failure to communicate or document the communication between the auditor and those charged with governance
• NEW!! AU-C 260 has been amended by SAS 135:
– Additional communications about the auditor’s views relating to the entity’s significant unusual transactions
• Communication of significant unusual transactions may include the auditor’s views on the policies and practices management used to account for significant unusual transactions as well as
• The auditor’s understanding of the business purpose for significant unusual transactions
– Communications about the potential effects of uncorrected misstatements on future-period financial statements are required
– When management communicates some or all of the information to governance
B. Peer Review Issue #2 – failure to properly perform/document preliminary analytical procedures
• Purpose of performing/documenting preliminary analytical procedures is to:
– Identify areas that might indicate the presence of risk whether due to error or fraud; and
– Investigate the unusual relationships between what he/she expected to occur based on inquiries with the client, board, and understanding of the industry
• Preliminary analytical procedures are performed at a high level with aggregated data
• The auditor has discretion in how he/she performs the procedures
Case Study 1: Peer review issue identified -- Preliminary analytical procedures
An auditor of a small entity with a lack of segregation of duties prepared a fluctuation to serve as preliminary analytical procedures to meet professional standards. The expectation stated on the workpaper was that “all significant account balances and classes of transactions would remain constant since there was very little change in operations during the year and no significant transactions occurred.” The auditor identified several fluctuations greater than the scope set but, instead of concluding as to the risk that might be present, she cross-referenced the line item with the significant fluctuation to a workpaper representing substantive testing.
Subsequent to the issuance of the report, the audit firm learned there had been a fraud at this company. The trusted bookkeeper created a fictitious company and over a seven-year period had embezzled $1.8 million. The fraudulent expenses were concentrated in one general ledger account. The bookkeeper held the amount of the balance constant so that it would not be questioned by the board or by the auditor.
If you were the manager on the account, what review comments might you have written to the auditor who prepared the analysis?
Exercise 1: Peer Review Issue Identified -- Documentation of the risk of fraud, journal entries
An auditor was performing a review of journal entries to comply with AU-C 240. The objective of the review of the journal entries is to address, in part, the risk of management override of controls. The auditor is testing journal entries and other adjustments for indications of possible material misstatements due to fraud. The audit program required the auditor to perform the following steps:
Step 1: Consider the risks of material misstatement due to fraud identified in planning the engagement and their effect on the nature and extent of journal entry testing. This may require journal entries to be tested throughout the period, at closing points during the period when financial statements are issued, and at the end of the period.
Step 2: Obtain an understanding of the entity’s financial reporting processes and the internal controls over journal entries and other adjustments. Make inquiries of personnel who process journal entries about inappropriate activity that may have taken place.
Step 3: Perform audit procedures to determine the completeness of the population of journal entries and other
B. Peer Review Issue #2 – failure to properly perform/document preliminary analytical procedures – Example
Expectation: Based on discussions with management, review of the board minutes for the year and review of trends in the industry, we have the following expectations. Based on discussions with management and review of sales reports provided by operations personnel, we noted that sales of product were flat and services decreased. We learned that there was some increased competition in the area from a larger company that sold at lower prices. We were able to corroborate this from external sources. Based on the review of the minutes, we noted that the company replaced a piece of equipment that was old for $6,500. In addition, we know from discussions with management that there were significant issues with their billing system and, as such, bills for the last few months did not go out as scheduled. We corroborated this by review of the AR run that took place shortly before year end. This accounts for the significant difference in accounts receivable. Accounts payable and cash typically fluctuate due to timing, and so we do not expect that any fluctuations +/- $25,000 would be unusual. In 20X8 the company wrote off a significant amount of inventory due to some damage sustained to the warehouse. Margin appears consistent and inventory did not decrease from 20X8 to 20X9. We will follow up on this issue as it appears to be a risk. The only fluctuation, aside from inventory, that is unexplained is other assets. The amount is not significant, and so although we will follow up on this during our substantive testing, it does not appear to be a significant risk or risk of fraud. We will carry forward the risk associated with inventory to be considered in the team discussion.
C. Peer Review Issue #3 – failure to discuss the risk of fraud with governance
• AU-C 315 states that the auditor should make inquiries of management, those charged with governance and others to assist in identifying the risk of material misstatement due to fraud
– Peer review comments primarily note the failure to hold discussions with members of governance about their perceptions of the risk of fraud and whether they have knowledge of any actual, suspected or alleged fraud
E. Peer Review Issue #5 – auditors are failing to assess the risk of material misstatement at both the financial statement level and relevant assertion level
• AU-C 315.26 states that the auditor is required to assess risk for account balances and classes of transactions at the assertion level
• Peer reviewers have noted that some auditors are making a blanket assessment assuming that all assertions are the same
F. Peer Review Issue #6 – auditors are assessing the risk of material misstatement as a whole, not considering inherent and control risk separately
• Peer reviewers noted that auditors were assessing the risk of material misstatement (RMM) with one value representing their combined assessment of inherent and control risk
• This would be deemed an inadequate risk assessment. Inherent and control risk are two very separate evaluations
IR X CR
DR = Detection Risk
AR = Audit Risk
IR = Inherent Risk
CR = Control Risk

Using the Audit Risk Model to Determine the Audit Evidence Required

Inherent Risk   | Control Risk | RMM
High            | High         | High
High            | Moderate     | High
High            | Low          | Moderate
Moderate        | High         | Moderate
Low             | High         | Moderate
Moderate or Low | Moderate     | Low/Moderate
Moderate or Low | Low          | Low
2. Auditors should document the basis for their risk assessment only if either control risk or inherent risk is set below high. Otherwise they can carry forward the assessment from the prior year.
• Internal control is defined as a process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives
• Objective of AU-C 315 is also to ensure that the entity has a process that is adequate for identifying business risks relevant to financial reporting objectives, estimating the significance of the risks, assessing the likelihood of their occurrence, and deciding about actions to address those risks
• Objective of AU-C 315 is that the entity should have a mix of preventive and detective controls designed to prevent, detect and enable management to correct misstatements on a timely basis. Types of controls are:
• Objective of AU-C 315 is that the information systems must be adequate to properly reflect transactions in the financial statements
• Communication system is to adequately communicate financial reporting roles including communications with those charged with governance and external communications such as with regulatory authorities
• A good communication system is one that securely and efficiently:
• Objective of AU-C 315 is to allow management and the board to perform activities monitoring internal control over financial reporting, including those related to those control activities relevant to the audit, and enable the entity to initiate remedial actions to deficiencies in its controls
• A good system of monitoring of controls both:
– Conducts ongoing and/or separate evaluations; and
• An auditor identified the following controls as key controls for the entity’s control environment. She prepared a workpaper identifying the key controls.
– Management sets the appropriate tone from the top
– Those charged with governance meet regularly. They review the internal financial statements at each meeting and ask questions about significant fluctuations
– The entity has a code of conduct and all employees are required to acknowledge that they have read it
– Management conducts performance evaluations of staff members
• The auditor concluded that management had implemented these controls
• If you were reviewing this workpaper what review comments would you have for the auditor? Assume that you are only reviewing the work on the control environment controls.
C. Peer Review Issue #1 – auditors are not performing the appropriate level of procedures on internal control related to financial reporting
• Auditors are omitting critical required audit procedures related to gaining an understanding of the client’s internal control over the financial reporting process. Obtaining this understanding is an important part of the risk assessment process. Specifically, auditors are not:
– Considering what could go wrong as the client personnel prepare financial statements;
– Identifying controls intended to mitigate financial reporting risks; and
– Evaluating the likelihood that the client’s controls are adequate to prevent and/or detect material misstatements in the financial statements
• Financial reporting process includes the closing process, combining or consolidating entries, evaluating significant accounting estimates and disclosures. Understand the controls over the:
– Inputs (automated or by JE), procedures performed (testing for completeness, accuracy, presentation and disclosure) and outputs of the process
– Information technology involved
– Types of JEs used in the process
– Nature and extent of oversight by management, board of directors, and audit committee
• Auditors should evaluate the design of the controls and whether they have been implemented
• Auditors do not always conclude on deficiencies noted
E. Peer Review Issue #3 – auditors fail to understand which controls are relevant to an audit
• Peer review findings indicate that auditors do not always obtain an understanding of which controls are relevant to an audit
• They evaluate the controls relevant to the “big three” significant systems; cash receipts, cash disbursements, and payroll and obtain an understanding of the controls over those systems
• There may be more significant systems including ad hoc spreadsheets
• Relevant controls also include those that:
– Address significant risks;
– Address risks where the auditor believes that substantive testing alone will not provide sufficient appropriate evidence (those would be tested);
F. Peer Review Issue #4 – auditors have misconceptions about key controls, walkthroughs, and the level of testing necessary for control reliance
• Auditors are reducing control risk due to the results of the tests performed on entity level controls
• Auditors are reducing control risk due to the test results of attribute tests conducted on 40 cash disbursements for goods/services and payroll disbursements
• Often the only internal control tested is an approval
• Other attributes may consist of tracing information from a source document to the general ledger
Example –
An auditor was performing a test of controls over cash disbursements so he could rely on controls and reduce the level of substantive testing. He obtained a narrative that explained the process used for cash disbursements. The process is the journey that a transaction takes from initiation to authorization to processing and recording. The narrative helped him to understand the flow of the process. However, he realized that this narrative did not provide enough documentation for a complete understanding of controls.
The auditor went through the narrative and identified control activities that were designed to prevent, detect and correct misstatement on a timely basis. To ensure that his understanding was complete he identified activities performed by the client to support the appropriate authorization, safeguarding of assets and reconciliations. He also evaluated the segregation of duties.
He then selected key controls to support the assertions that were relevant to the account balance/class of transactions. The auditor’s objective was to evaluate the controls in place to ensure that purchases were approved, the goods or services represented bona fide obligations of the entity (i.e. that they were ordered), that the purchases were supported by source documentation evidencing receipt and the amounts were recorded accurately. He identified controls relevant to the assertions as follows:
Expense/Accounts Payable
Occurrence/Existence -- the purchase requisition is attached to the receiving document and the invoice before the expense is recorded in the general ledger. The accountant reviews the documents to ensure that they match and then signs the documentation.
Completeness -- pre-numbered purchase orders are used. Open purchase orders are investigated at the end of the month to determine if they were void or just failed to be recorded. Management reviews checks written toward the end of the period to ensure the underlying transactions were posted in the appropriate period. This review is documented in an excel checklist that is completed at the end of each month for these activities.
Rights and Obligations -- purchases are approved before they are ordered to ensure they are bona fide purchases of the company. Purchases at a certain level must be approved by a member of senior management. This is evidenced by a signature (initials).
Accuracy/Valuation -- invoices are checked against receiving documentation and the purchase requisition to ensure that amounts recorded in expenses and accounts payable are accurate. This is evidenced by a stamp on the documentation.
G. Peer Review Issue #5 – auditors are failing to conclude on the design of controls
• The understanding of internal controls includes both evaluating the design of controls as well as whether they have been implemented
• Control design -- consider whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements
Exercise 2: Peer Review Issue Identified -- Walkthrough of Control Activities
An auditor identified the two signatures required on checks as a key internal control. The control activity was supposed to cover the occurrence/existence assertion, ensuring that the supporting documentation matched the amount of the check, that the name on the check was the proper payee and that receiving documents, if any, were attached confirming quantities and other information. The control additionally was important because although the purchases were approved in an earlier step it was possible that the check preparer could prepare an unauthorized check. Without the appropriate documentation the check signer was supposed to question the check thereby preventing fraudulent disbursements.
The auditor obtained an understanding from reviewing the prior year process chart and asked the client for a specific transaction to determine if the two signatures were present on the check. He documented the information from the transaction selected noting that two signatures were on the check.
If you were the auditor what other steps, if any would you have performed and documented in your evaluation of the design and walkthrough to see if the control had been implemented?
H. Peer Review Issue #6 – auditors are not linking control risks to further substantive procedures
• Peer review data indicates that some auditors are identifying control weaknesses but failing to link those risks to the right level of substantive procedures
• Auditors do not always go back to the team discussion documentation and risk assessment summary to document that a risk has emerged during testing along with the further audit procedures to be performed to lower detection risk
Exercise 3: Peer Review Issue Identified -- Ramifications of Control Weaknesses
An auditor was gaining an understanding of internal control over a significant accrual for an entity that raises livestock for milk production. In reviewing the process, she noticed that the CFO prepared the unborn livestock accrual (a significant asset) and gave the staff accountant an entry to post to the general ledger. In past years the controller would prepare the estimate and journal entry with the CFO reviewing it. However, the entity went through a cost cutting initiative after losing a major contract during the year to improve its financial performance. The controller position was eliminated. When asked, the CFO indicated that there was no review of the journal entry. He did not feel it was necessary. The auditor concluded that this estimate had many sensitive and subjective components and therefore was subject to a high degree of estimation uncertainty. She believed that it was a significant deficiency because of the risk of management bias. Due to the loss of the contract the company had been close to violating two of its debt covenants in the second and third quarter. The auditor was aware that the CEO and the board reviewed the financial statements each month, but the auditor was concerned that they were not likely to question an estimate such as this.
In the prior year when controls were functioning, and the company was profitable the auditor performed the following procedures.
• Determine whether the assumptions used in forming the estimate are reasonable. This involves challenging management’s assumptions and evaluating the quality of the data.
• Evaluate the internal controls. This includes the review of estimates by management. Understand the data and reliability of the sources used to develop the estimate and recalculate.
In light of the situation in the current year, how might the auditor link this control deficiency to further audit procedures?
I. Peer Review Issue #7 – auditors are not evaluating control weaknesses
• Auditors are failing to identify weaknesses in internal controls and classify them as control deficiencies, significant deficiencies, or material weaknesses
• Several ways that control deficiencies come to light:
– Lack of segregation of duties
– Weaknesses identified during understanding the design of controls and whether they have been implemented
– The auditor may identify a misstatement in the financial statements. He/she will want to identify the significance of the misstatement and its root cause when documenting the control deficiency
• AU-C 265 identifies the following as indicators of material weaknesses:
– Identification of fraud, even if not material, on the part of senior management
– Restatement of previously issued financial statements to reflect the correction of a material misstatement due to fraud or error
– Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected and corrected by the entity’s internal control
– Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance
I. Peer Review Issue #7 – auditors are not evaluating control weaknesses – Example
An audit firm was hired by a midsized not-for-profit entity to audit the financial statements. In the first meeting with the board of directors the board chair mentioned that she would like to see the material weakness in the AU-C 265 report be removed. She was concerned with the perception donors would have of the organization. The auditor agreed subject to one of the board members also reviewing the checks and supporting documentation before they were released. The lack of segregation of duties was related to cash disbursements. There was one bookkeeper who initiated, authorized, processed and recorded the transactions. She also prepared the bank reconciliation and the analytical comparisons that were reviewed monthly by the CFO and the board.
The material weakness was removed. Two years later it came to light that the bookkeeper was embezzling from the company. As is often the case with fraud, she authorized disbursements to a company she created. This was discovered by a regulator and it made headlines. The auditor’s work and ethics were called into question. The firm’s workpapers did not contain documentation of why the auditor believed that adding a board member’s review of checks could mitigate a lack of segregation of duties as significant as this.
• Upon reviewing this chapter, the reader will be able to:
– Understand the professional standards related to designing audit procedures in response to assessed risk and where peer reviewers are noting deficiencies;
– Identify and implement best practice techniques and documentation for linkage from the risk assessment to further audit procedures; and
– Prepare appropriate documentation for sampling applications
During the risk assessment process an auditor was concerned that management could override controls due to their need to meet earnings expectations. The entity had 2 complex and significant estimates, the CFO prepared most of the journal entries himself and numerous nonroutine journal entries were made during the year. Since there was no formal oversight mechanism the audit partner concluded that the risk was pervasive. The engagement team spent time in their meeting discussing professional skepticism. The partner highlighted that this is an area where the ASB is refining audit standards. More experienced personnel were assigned the responsibility for auditing the significant estimates. In addition, the audit plan called for additional testing of journal entries for a bona fide business purpose and the risk of fraud than was typical in engagements with less risk. This risk response was documented in the team discussion memo, on the risk assessment summary form and cross-referenced to the workpaper where the audit work was performed. The results of the additional procedures were documented on the workpapers where the work occurred. Had there been any findings that led to expansion of testing this would have been documented in the risk assessment documentation and further modifications made to the audit plan.
The auditor of a health insurer was auditing a significant accrual for the claims that had been incurred but not reported to the insurer (IBNR). The estimate was based off historical estimates of the length of time it takes for claims to become substantially complete along with the lag time from the service to the receipt by the insurer. The estimate was also adjusted for claims incurred that were outliers. Due to the complexity and inherent risk of the estimate the auditor concluded that controls would need to be tested because substantive tests would not provide sufficient evidence. The risk assessment documentation reflected this decision. Since the area was identified as a significant risk, the special audit consideration was documented along with the workpaper where the testing occurred. Had there been any issues identified that would have caused a reassessment of the audit plan, the auditor would have returned to the risk assessment documentation and made those changes.
After performing their risk assessment, the engagement team considered the special audit consideration needed to address the risks of material misstatement. The team identified revenue recognition, which included the deferred revenue account, as significant risks for the occurrence and cutoff assertions. They also identified accounts receivable as a significant risk related to the valuation and cutoff assertions.
Significant risk: Accounts Receivable
Assertions: Cutoff and Valuation
What could go wrong? Accounts are frequently 120+ days old. Management makes special deals with certain customers extending the payment period, but those decisions are frequently undocumented. In addition, the economy in the area has been poor heightening the team’s assessment of risk. The receivables are a very large asset balance and the allowance is material to the financial statements.
Special audit consideration: The team decided to alter the nature and extent of testing. All testing is performed at year end. They discussed the following additional procedures.
• Perform a hindsight review of prior year receivables collected to determine if management’s estimates were accurate. This supports management’s ability to forecast collectability.
• In addition to balances that would normally be part of a sample, confirm receivables more than 90 days old on accounts larger than $20,000. This may result in additional selections.
• On all confirmations, ask if any fees are disputed.
• In addition to the evaluation of the aging that is normally performed, for any receivables over $100,000 and 120 days old, perform procedures to evaluate whether the customer can pay, including:
– Examining financial statements, where available.
– Examining correspondence with the entity, where available.
– Performing internet searches to see if delinquent customers have been in the news – be alert to events that might affect their ability to pay.
• Examine the correspondence logs that collections personnel are required to maintain.
Linkage in a Financial Statement Audit
Risk Assessment Components
Understand the entity and its environment
• Relevant industry, regulatory, and other external factors
• Financial reporting framework
• Nature of the entity, including its operations, ownership and governance structures
• Investments that the entity is making and plans to make
• Way that the entity is structured and how it is financed
• Entity's selection and application of accounting policies, including changes
• Entity's objectives and strategies and related business risks
• Measurement/review of the entity's financial performance
Understand the entity’s internal control and perform tests if necessary or desired
Client acceptance/continuance procedures
Perform preliminary analytical procedures
Develop the audit strategy
Develop the audit plan
Make fraud inquiries and perform procedures such as journal entry testing to understand risk
Supports the determination of inherent risk
Supports the determination of control risk
Audit team discussion (brainstorm): risk of fraud, significant risks
Document: risk assessment summary and conclusions
An audit is an iterative process. It’s not over until it’s over!
Link to workpapers
Read the Minutes of the Governing Board
B. Peer Review Issue #2 – auditors are failing to link elements of the risk assessment to the team discussion and other testing
C. Peer Review Issue #3 – auditors are not using appropriate sampling strategies to test internal control
• Inquiry alone is not sufficient to test operating effectiveness of controls
• Peer reviewers have noted that auditors sometimes believe that if written documentation is absent, that inquiry is sufficient testing
• Common misunderstanding -- If the auditor observes a process, this is a test of controls. In the context of internal controls, observation is only relevant at the time it is performed
• Auditor may use evidence relative to tests performed in prior periods after determining if changes have been made by corroborative inquiry, review of document, observation and inspection
• Prior year tests are most effective to use for automated controls but be sure to test general computer controls
• Tests must be performed every three years and some controls tested each year
2. Exercise 1: Peer Review Issue Identified -- Testing Internal Control and Sample Size Calculation
An auditor decided to test controls over the authorization of disbursements prior to mailing. The entity processed over 500 payments a year. Based on experience gained in prior audits, the auditor determined that controls were generally effective but was not confident that the client personnel would be completely consistent in signing off even though she believed the control was being performed. The auditor planned to perform other tests of controls (corroborative inquiry, review of documents, observation) so she only needed moderate assurance from this one control.
What sample size do you think she should choose to meet this objective?
C. Peer Review Issue #3 – auditors are not using appropriate sampling strategies to test internal control
• Documentation (from AU-C 230) states that an experienced auditor, having no previous connection with the audit, should be able to understand (from the documentation):
– Extent of the audit procedures performed (sample size and how it was derived);
– The results of the audit procedures performed, and the audit evidence obtained;
– Significant findings and conclusions reached; and
– Significant professional judgments made in reaching those conclusions
• Sampling with replacement
• Auditors frequently want to use sample selections to test for accumulation of information and perform substantive testing
– If a dual-purpose sample is constructed the auditor should evaluate if the sample size is large enough to meet both needs (a sample size of 40 may not be large enough to be of much value for substantive testing)
– The population for the test should be complete for the purpose for which each test was designed
– The sample should be evaluated by considering each purpose of the test separately
D. Peer Review Issue #4 – auditors are not using appropriate sampling strategies to perform substantive tests
• The AICPA Audit Sampling Guide defines variables sampling as “classical statistical sampling method that reaches a conclusion on the monetary amounts of a population”
• This type of sampling is used to test account balances and classes of transactions to determine if items are recorded appropriately
• Distinction between testing 100% of a population or a portion of a population and sampling
• Auditor is likely to remove the significant items from a population before the remaining population will yield a smaller number of test selections
Dollar value of the population being tested: $1,200,000
Tolerable misstatement: $75,000
Risk of material misstatement: Moderate
Reliance on detailed test: Moderate
Auditor decided to stratify the sample.
Significant items to be tested 100% ($500,000 represents 5 items)
Sample Size = (Amount of Population × Risk Factor) / Tolerable Misstatement
Sample Size = ($700,000 × 1.6) / $75,000 ≈ 15, and 15 + 5 significant items = 20
If RMM is assessed as low because controls were tested and found to be reliable and the reliance on the test was moderate, then the sample size would be:
A. Peer Review Issue #1 – disclosures related to special purpose frameworks
• Fair presentation
• Consider overall presentation, structure and content of the financial statements and whether the financial statements, including the related notes, represent the underlying transactions and events in a manner that achieves fair presentation
• When statements prepared on the cash basis or modified cash basis contain items that are the same as, or similar to, those in financial statements prepared in accordance with GAAP, informative disclosures similar to those required by GAAP are necessary
B. Peer Review Issue #2 – frequently missed GAAP disclosures
• Peer reviewers and regulatory reviewers have noted that firms may not be using disclosure checklists or may not understand the requirements in disclosure checklists
• Recently they identified the following deficiencies:
1. Failure to disclose the date through which subsequent events were evaluated. This is a FASB disclosure requirement as well as an important audit step. Nonpublic entities are required to provide information about management’s evaluation of subsequent events
2. Failure to correctly classify long-term debt, cash flows, and presenting gross amounts instead of net
– ASC 230 requires separate presentation of gross cash inflows and outflows no matter the method (direct or indirect) the cash flow statement is presented. There are some exceptions:
• Cash and cash equivalents (transfers between categories); and
• Financial instruments that are short-term in nature and have a quick turnover, for example, draws and payments on lines of credit
• Long-term debt appears to be a challenge as follows:
– Classification of due-on-demand debt should be current
– Long-term debt callable by the creditor because of covenant violations would be current unless the creditor has provided a waiver or lost the right to demand the payment
• ASC 470 states that long-term debt should be classified as noncurrent unless both of the following exist:
– There is a loan violation at the balance sheet date or a violation would have occurred if the loan was not modified; and
– It is probable that the default would not be cured or covenant would not be complied with at the measurement date within the next 12 months (or operating cycle)
• Long-term debt callable by the creditor is a violation if not cured within a grace period. If it is probable that the violation would be cured, it could be classified as noncurrent. But if it is not, the debt would be classified as current
Heads Up!
• The FASB is currently working on an exposure draft that will modify the way debt is classified
• The new guidance would be principles-based and applied based on the facts and circumstances that exist at the balance sheet date
• It would include an exception related to waivers of debt covenant violations obtained after the balance sheet date but before the financial statements are issued
• The new guidance would require noncurrent classification of debt if one of the following criteria is met: (1) Debt must be settled 12 months or more after the balance sheet date; (2) The entity has a contractual right to defer settlement of the debt for at least 12 months after the balance sheet date
B. Peer Review Issue #2 – frequently missed GAAP disclosures
5. Failure to appropriately disclose fair value hierarchy of investments, description of the levels. In addition, there was failure to perform procedures or document procedures on the assurance of fair value measurements
Update to professional literature – ASU 2018-13, Changes to Fair Value Disclosure
Heads Up!
• Effective for fiscal years and periods within those years beginning after December 15, 2019 the disclosure requirements have been modified as follows:
Disclosure Requirements Removed from ASC 820:
• The amount of and reasons for transfers between Level 1 and Level 2 of the fair value hierarchy;
• The policy for timing of transfers between levels;
• The valuation processes for Level 3 fair value measurements; and
• For nonpublic entities, the changes in unrealized gains and losses for the period included in earnings for recurring Level 3 fair value measurements held at the end of the reporting period
Disclosure requirements were modified in ASC 820:
• In lieu of a roll forward for Level 3 fair value measurements, a nonpublic entity is required to disclose transfers into and out of Level 3 of the fair value hierarchy and purchases and issues of Level 3 assets and liabilities
• For investments in certain entities that calculate net asset value, an entity is required to disclose (1) the timing of liquidation of an investee’s assets, and (2) the date when restrictions from redemption might lapse only if the investee has communicated the timing to the entity or announced the timing publicly
• The ASU clarifies that the measurement uncertainty disclosure is to communicate information about the uncertainty in measurement as of the reporting date. Public entities provide this information
• Disclosure requirements were added to ASC 820 (nonpublic entities are exempt):
• The changes in unrealized gains and losses for the period included in other comprehensive income for recurring Level 3 fair value measurements held at the end of the reporting period
• The range and weighted average of significant unobservable inputs used to develop Level 3 fair value measurements. For certain unobservable inputs, an entity may disclose other quantitative information (such as the median or arithmetic average) in lieu of the weighted average if the entity determines that other quantitative information would be a more reasonable and rational method to reflect the distribution of unobservable inputs used to develop Level 3 fair value measurements