CPA Practice Aids, LLC Small Audits Made Easy & Profitable Learning Objectives After completing this section of the course, you will be able to: 1. Describe the philosophies underlying cost-beneficial audit approaches 2. Discuss the framework for approaching small audits to achieve high-quality, efficiently 3. Understand the relationship of risk assessment, audit strategies and audit responses on smaller audits Definitions of a Small Business Quality definitions of a small business will focus on the characteristics of an entity, rather than on the volume of its sales or assets. From an auditing perspective, the same is true. The amount of audit hours invested in a small business entity will vary from a small amount to several hundred. For application of the concepts and practice aids in this course, a small business will include the following characteristics: One or a few individuals perform entity level controls or key operational controls. Limited segregation of accounting duties due to a small number of employees. Informal or not formally documented policies and procedures. Basic and/or out-of-the-box accounting software. Limited accounting knowledge by management personnel. Higher risk of management overriding internals controls. Limited accounting training and/or business experience of accounting personnel and governing persons. Assets are easily accessible to employees. Overview of a Simplified Small Audit Approach Operating Philosophies Underpinning the audit strategies for small business engagements, Statement on Quality Control Standards No. 8, A Firm’s System of Quality Control (Redrafted), ensures that an audit engagement is conducted in accordance with existing professional standards. While compliance with quality control standards doesn’t provide direct evidence to support audit conclusions, it does enhance the quality of the evidence gathered by auditors. The quality control standards included in SQCS No. 8 should become a CPA firm’s operating philosophies. Common operating philosophies for small audits are: Involving leadership throughout engagements to establish communication from the top. Meeting personal and firm ethical requirements. Accepting and serving high-quality clients. Hiring outstanding staff persons. Maximizing the benefits of CPE and on-the-job training for staff personnel. Assigning the appropriate staff personnel to engagements. Providing the appropriate level of supervision for engagement personnel. 1 CPA Practice Aids, LLC Planning, assessing risk, and performing engagement procedures to produce the optimum mix of quality and profitability. Monitoring quality control policies and procedures for engagements and for firm administration. Audit Strategies An audit strategy for small audits that includes compliance with applicable generally accepted auditing standards and, at the same time, maximizes engagement profitability will include the following components: Creating and responding to client acceptance and retention evaluations. Completing only core planning practice aids. Examining the general ledger account activity to provide low-cost substantive evidence and risk-assessment procedures. Preparing internal control flowcharts and memos that can be carried forward. Performing systems walk-procedures to reduce the assessed level of risk of material misstatement. Performing maximum analytical procedures during planning, engagement performance and engagement review to reduce detailed tests of balances. Performing only necessary tests of controls and tests of balances procedures. Determining tolerable misstatement by financial statement classification to minimize auditing procedures. Making decisions to not sample to save time. Completing a planning document to facilitate planning meetings and the engagement leader’s involvement. This audit strategy, and other engagement performance and documentation procedures, will be discussed throughout the remainder of these text materials. Some Specific Topics Achieving Small Audit Efficiency Using the word “efficiency” in the same sentence as the word “audit” may seem like an oxymoron, particularly for small audits. Given the explosion of new professional standards in recent years, it’s not surprising that many smaller CPA firms have given up their audit practices. However, small audits can still be profitable. The key is to maximize efficiency. Every planning and performance decision must emphasize both quality and efficiency. I call this the “TenMinute Rule.” By taking advantage of every opportunity to save 5 or 10 minutes, huge overall engagement time savings can be achieved. The Root of Audit Requirements and Documentation For over two decades, publishers of auditing practice aids have supplied forms, checklists and programs to comply with existing professional standards. These practice aids have provided good engagement performance quality control systems, particularly for smaller CPA firms. On the downside however, the volumes of accounting and auditing pronouncements have increased 2 CPA Practice Aids, LLC exponentially causing huge stacks of paper or long lists of electronic forms for even the smallest audits. The length and number of audit practice aids from publishers increased substantially when the audit risk assessment standards were revised in 2006. The Auditing Standards Board subsequently released the Clarified Audit Standards that became effective for periods ending after December 15, 2012. Because it is often very difficult to determine which documentation is required to comply with the currently effective standards, auditors tend to error on the side of conservatism, using and completing all the practice aids purchased from a publisher. While this approach may result in a high-quality audit, it is likely to generate large budget overruns. A foundational principle of audit efficiency is to remember that the root of audit requirements is not the practice aids purchased from a provider. Audit requirements for non-public and nonprofit entities are rooted in the Statements on Auditing Standards (SASs) published by the Auditing Standards Board of the AICPA. Audit efficiency begins with choosing procedures and documentation that, first, satisfies the applicable requirements in SASs and, second, are the most efficient considering engagement risk circumstances. Small Audit Documentation that Supports SAS Compliance Documentation must evidence compliance with the requirements of applicable SASs. Because SASs are written to be applicable to audit engagements of all sizes, compliance for a small audit will differ from a large audit and thus audit documentation of compliance will also differ. Below is a list of annual “key” documentation that will support small audit strategies. Engagement letter. Client acceptance and retention evaluations. General ledger analysis worksheet. Small audit internal control questionnaire, flowcharts and/or memos by financial statement classification. Systems walk-through memo or other documentation. Analytical procedures worksheets for engagement planning and review. Risk of material misstatements evaluation by financial statements classifications. Linking working paper to guide the selection of tests of controls and tests of balances procedures based on risk. Tolerable misstatements calculation by financial statements classifications. Sampling and non-sampling decisions worksheet. Audit planning document summarizing audit strategies and other planning information. Small audit program tailored for audit responses to assessed risks. Representation letter. The Foundation for Audit Documentation Underpinning small audit documentation, a CPA firm’s operating philosophies contribute significantly to engagement efficiency. Involvement of leadership on audit engagements for some CPA firm partners or sole proprietors is often limited to a brief meeting with staff personnel before the engagement begins and a review of the working papers and report after the 3 CPA Practice Aids, LLC engagement is finished. While this may limit the executive’s time charges on an audit, it also limits the opportunities to train personnel, to set the tone at the top, to ensure audit quality and to deal with engagement problems throughout the job. Limited executive participation results in increased time charges during the wrap-up phase to clean up review points and resolve problems after the fieldwork is finished. Auditing standards now require participation of CPA firm leadership in planning meetings on all audit engagements. Many leaders also require in-charge accountants to communicate the status and problems of engagements throughout the performance phase. Some leaders perform their engagement reviews in stages to avoid last minute problems. The result of all these practices is that engagement problems are dealt with early and engagement procedures are done correctly the first time. Wasted time is eliminated and higher profitability is achieved when engagement leaders are involved in all phases of engagements. Developing Cost-Beneficial Audit Strategies on Small Audits Increasing Profits by Evaluating Risk at the Financial Statement Level SQCS No. 8, effective January 1, 2012, requires that a firm establish and document policies and procedures for the acceptance and continuance of clients and engagements. QC Section 10:27-30 reads: .27 The firm should establish policies and procedures for the acceptance and continuance of client relationships and specific engagements, designed to provide the firm with reasonable assurance that it will undertake or continue relationships and engagements only when the firm a. is competent to perform the engagement and has the capabilities, including time and resources, to do so; (Ref: par. .A11) b. can comply with legal and relevant ethical requirements; and c. has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks integrity. (Ref: par. .A12–.A13) .28 Such policies and procedures should a. require the firm to obtain such information as it considers necessary in the circumstances before accepting an engagement with a new client, when deciding whether to continue an existing engagement, and when considering acceptance of a new engagement with an existing client. (Ref: par. .A14) b. require the firm to determine whether it is appropriate to accept the engagement if a potential conflict of interest is identified in accepting an engagement from a new or an existing client. c. if issues have been identified and the firm decides to accept or continue the client relationship or a specific engagement, require the firm to i. consider whether ethical requirements that exist under Interpretation No. 102-2, "Conflicts of Interest," under Rule 102, Integrity and Objectivity (ET sec. 102 par. .03), apply, 4 CPA Practice Aids, LLC such as disclosure of the relationship to the client and other appropriate parties, and ii. document how the issues were resolved. .29 To minimize the risk of misunderstandings regarding the nature, scope, and limitations of the services to be performed, the firm should establish policies and procedures that provide for obtaining an understanding with the client regarding those services. (Ref: par. .A15) .30 The firm should establish policies and procedures on continuing an engagement and the client relationship that address the circumstances when the firm obtains information that would have caused it to decline the engagement had that information been available earlier. Such policies and procedures should include consideration of the following: a. The professional and legal responsibilities that apply to the circumstances, including whether there is a requirement for the firm to report to regulatory authorities b. The possibility of withdrawing from the engagement or from both the engagement and the client relationship (Ref: par. .A16) Client acceptance and continuance procedures are the foundation of the risk assessment process. As discussed in SAS No. 8, management’s integrity is one of the elements of risk at the financial statement level. High risk at the financial statement level requires more evidence to mitigate the risk. Low risk requires less evidence. The impact of risk at the financial statement level on engagement procedures will be discussed in other sections of these materials. Risk at the Financial Statement Level SAS No. 107 (AU-C 320) defines audit risk as the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. Audit risk is subjective in nature and represents the likelihood misstatement will remain in the financial statements after the auditing procedures are complete. SAS No. 107 (AU-C 320) discusses risk at both the financial statement level and the assertion level. Engagement risk, or overall engagement risk as it sometimes called, is audit risk at the financial statement level and is primarily affected by the factors discussed below. From a client acceptance and/or continuance form, and the related client investigation procedures, we can evaluate: 1. Integrity of management. 2. Use of financial statements. 3. Potential for going-concern problems. Integrity of Management Questions concerning the integrity of management and the use of financial statements should be documented in a client acceptance and/or continuance form. Management’s character and compliance with a company’s internal control policies and procedures sets the standard for 5 CPA Practice Aids, LLC behavior of other employees. The “tone at the top” becomes the control environment that underpins all other elements of internal control and the auditor’s risk assessment process. Use of Financial Statements The use of audited financial statements may create a higher risk at the financial statement level. For example, the user may place greater reliance on the audited financial statements when they are submitted to a lender in connection with an application for credit, to a bonding underwriter to obtain a performance bond for a construction contract, or to an attorney for litigation support. The use of financial statements for high risk purposes increases the likelihood of being sued by users. Such likelihood requires more reliable and more extensive evidence to mitigate this risk. Potential for Going-Concern Problems SAS No 126 (AU-C 570)—Going Concern, formerly SAS No. 59, requires an evaluation of the going concern assumption during planning. While management may have plans to mitigate information contrary to the going-concern assumption, the presence of such information and the potential for it materially affecting the financial statements under examination should be considered when planning the desired level of evidence for the engagement. The auditor should evaluate whether there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, at least one year. If substantial doubt exists, the auditor should evaluate management’s plans to mitigate the contrary information and plan to subjectively increase the overall level of evidence on the engagement. The Impact of Risk at the Financial Statement Level The subjective level of risk at the financial statement level, best described as high or low, can significantly affect the audit strategy, including the nature, extent and timing of procedures, and the staffing and supervision of the engagement. Procedures: High risk at the financial statement level calls for more reliable procedures, increased sample sizes or greater audit coverage of the dollar amount of account balances and performing procedures as of the client’s fiscal year-end. Low risk will permit less reliable procedures, smaller sample sizes or lesser audit coverage of account balances and performing procedures before year-end. In the discussions of materiality concepts and sampling decisions later in these materials, the procedural impact of high and low risk at the financial statement level will be considered. Staffing and supervision: Responses to high risk at the financial statement level will include assigning more experienced engagement personnel to the engagement and/or increased executive supervision. Low risk will permit less experienced personnel and/or less leader supervision. Because assigning personnel to engagements is one of the elements of quality control in SQCS No. 8, firm administrative or engagement files should contain documentation of these decisions during planning. 6 CPA Practice Aids, LLC While the specific risk factors and their planned affects on the audit are considered during the various aspects of the risk assessment process, they are best summarized and documented in a Planning Document. Specific details are discussed later. Increased engagement profits result when both high and low risk factors are linked to specific auditing procedures during planning. CPAs in general are good at increasing procedures when risk is high, but not very good at decreasing procedures when risks are low. The risk assessment standards applicable to all auditing engagements emphasize the importance of modifying procedures for both high and low risks. Using risk-based auditing requires an auditor to respond to risks that come to his or her attention during risk assessment procedures. In areas where no significant risks are discovered, the auditor can and should reduce the nature and extent of tests of balances procedures. Remember, low engagement risk should always result in less audit work and increased profits. How to Perform and Document Risk Assessment Procedures at the Assertion Levels Risk of Material Misstatement In SAS No. 107 (AU-C 320), audit risk at the account balance or transaction class level has three components. Inherent risk. The susceptibility of a financial statement assertion to a material misstatement assuming there are no related internal controls. Control risk. The risk that a material misstatement, which could occur in a financial statement assertion, will not be prevented or detected on a timely basis by the entity’s internal controls. Detection risk. The risk that the auditor will not detect a material misstatement that exists in an assertion. The combination of inherent and control risk comprises the risk of material misstatement. As discussed above, risk of material misstatement is assessed at both the financial statement and assertions levels. The risk of misstatement must be assessed for relevant assertions and is usually done by financial statement classification. In our practices, we ordinarily would not make a complex analysis that would consider inherent and control risk by financial statement assertion. We consider certain relevant assertions as we plan auditing procedures for financial statement classifications. For example, existence and valuation are most important when auditing accounts receivable; completeness is most important for accounts payable. We’ll discuss financial statement assertions and their relationship to audit objectives and types of tests in another section of these materials. Understanding the Entity and Its Environment SAS No. 109 (AU-C 315), Understanding the Entity, Its Environment and Assessing the Risks of Material Misstatement, states: 7 CPA Practice Aids, LLC The purpose of obtaining an understanding of the entity and its environment, including its internal control, is to identify and assess risks of material misstatement and to design and perform procedures that respond to such risks. Risk assessment procedures include inquiries of management and client personnel, observation and inspection procedures and various analytical procedures. The auditor is required to obtain a sufficient understanding of the five elements of internal control to evaluate their design and operation. Substantive procedures must be performed for significant risks. Tests of controls are required only when substantive procedures alone are not sufficient to test financial statement assertions, such as the completeness assertion for revenues. Internal Controls An evaluation of a client’s internal controls will be relative to the nature, size and complexity of an entity. In a recent COSO report on internal control for smaller public entities, the authors indicated that smaller public entities may have more informal internal controls and that key controls would ordinarily be carried out by one or a few individuals. The same is true for smaller non-public and non-profit entities. As SAS No. 107 (AU-C 320) indicates, an entity’s key controls are the primary concern for management, and for auditors. Key controls are those performed at the entity level which can prevent deficiencies in other related control activities from causing material misstatements. A small entity, for example, could have both a good accounting system and good internal controls because an owner or manager with high integrity diligently performs key controls such as signing checks and reviewing vendor invoices, examining bank statements before and after reconciliation, viewing mail opening prelists and bank deposit details, reviewing customer statements and/or aged trial balances of accounts receivable, and so forth. Underpinning the accounting system and the internal control activities is the control environment. The control environment includes management’s attitudes and other factors such as integrity and ethical values, commitment to competence, board of directors and audit committee participation, management’s philosophy and operating style, organizational structure, assignment of authority, and responsibility and human resource policies and practices. All other elements of internal control are established and depend on the control environment. Cost-benefit considerations play a primary role in selecting the audit strategy and begin with internal control evaluation decisions. Since an audit strategy can no longer contain a default of control risk to maximum, material risks of misstatements must be identified to ensure auditing procedures are sufficient to mitigate such risks. 8 CPA Practice Aids, LLC Risk Assessment Procedures Risk assessment procedures include all engagement activities from the planning phase up to the development of the audit plan (detailed audit program). Below is an outline and brief discussion of common risk assessment procedures and related documentation: 1. Making and documenting client acceptance or continuance decisions. 2. Reviewing prior year working papers, considering findings and conclusions, adjusting journal entries, uncorrected audit differences and assessing their impact on the current year’s risk assessment. 3. Reading the current year’s general ledger activity and preparing a memo documenting parameters and findings. 4. Performing and documenting other preliminary analytical procedures (at least comparing the current year’s unadjusted account balances with prior year adjusted balances). 5. Preparing flowcharts or memos documenting the client’s accounting and internal control stems and the performance of systems walk-through procedures for major transactions cycles. 6. Calculating tolerable misstatement by financial statement classification based on risk. 7. Completing applicable practice aids and other documentation from the firm’s accounting and auditing manuals. 8. Preparing a linking working paper combining risk of misstatements due to error and fraud to determine the level of risk of material misstatement and audit responses for relevant assertions in material financial statement classifications. 9. Designing a detailed audit plan (program) that links significant risks with appropriate procedures (tests of control, analytical procedures and/or detailed tests of balances). The risk assessment standards make clear that all risk assessment procedures become substantive evidence that contributes toward accomplishing audit objectives. When considering the evidence necessary to decrease detection risk to an acceptably low level, the performance of risk assessment procedures will reduce the evidence required from other auditing procedures. This is a basic principle underpinning increased efficiency on all audits. Reducing or Eliminating Procedures The key is to look for strengths in a client’s system of internal controls first. Strengths are key controls designed and in operation to prevent material misstatements from occurring and going undetected. Identifying strengths first will enable the auditor to determine when specific control deficiencies are offset and when tests of balances procedures can be reduced or eliminated. SAS No. 109 (AU-C 315) permits a CPA to consider prior years’ control risk assessment for the client while evaluating current year control risk. Lower assessed levels of control risk, and risk of material misstatement, from the prior years’ engagements creates opportunities for reducing or eliminating procedures in the current year. Audit Planning for Profits in Tough Times 9 CPA Practice Aids, LLC Do We Really Have to Plan Small Audits? In earlier years, auditors didn’t do much planning because audit procedures were designed on the fly. The joke was that many did their audit planning in the back seat of the car on the way to the client’s office! This was sometimes true then, and it may be today! Auditors often obtain an understanding of a client’s business and industry, internal controls and operations and target the areas where risks are high as they begin their fieldwork. All auditors complete audit programs, some after the audit is completed. While planning activities are required by the auditing standards, they are a key to completing high-quality audits in the most efficient manner. Identifying risks of material misstatement in the planning phase, for example, will enable an auditor to make inquiries, inspections and observations regarding the risk circumstances to determine if additional substantive procedures are necessary. On the other hand, when few or no risks of material misstatement are identified, fewer tests of balances auditing procedures may be necessary. Proper planning benefits the quality and profitability of both large and small audits. Internal Control, Risk Assessment and Audit Strategies Understanding Internal Control Professional standards require an auditor to obtain an understanding of a client’s business and industry, including its internal control. Unable to default to high control risk and perform only analytical and tests of balances procedures, an auditor is required to obtain the understanding, identify and evaluate risks of material misstatement due to error and fraud, and link the risks to appropriate substantive procedures to prevent financial statements from being materially misstated. Known as audit strategy, the understanding and documenting of internal controls is integral to this process. SAS No. 109 Definition of Internal Control Paragraph 41 of SAS No. 109 defines internal control this way: Internal control is a process—effected by those charged with governance, management, and other personnel—designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include control relating to financial reporting and operations objectives. Internal Control and Audit Strategies At the heart of each engagement’s audit strategy is the entity’s system of internal control. Assessing risks of material misstatement (RMM) for each financial statement classification requires an understanding of key controls at the entity and activity levels. The emphasis for assessing RMM is on the design and operation of key controls, primarily at the entity level for smaller entities. If key controls are designed and operating, formally or informally, it is unlikely material errors or fraud can occur and go undetected. If key controls are not designed, or are designed and not operating, control deficiencies are likely. Depending on the likelihood and 10 CPA Practice Aids, LLC magnitude of the deficiencies, there may be significant deficiencies or material weaknesses, both of which can be risks of material misstatements. A Historical Perspective of Internal Controls The Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting (Treadway Commission) issued its first report stressing the importance of internal control, the control environment, codes of conduct, audit committees, and internal audit functions. In 1992, a COSO task force issued a report entitled Internal Control—Integrated Framework, known as the COSO Report. Among other things, the COSO Report defines internal control and its components and provides criteria for evaluating internal control. The report presents these interrelated components of internal control: Control Environment—The core of any business is its people and the environment in which they operate. The environment is primarily set by management personnel. Risk Assessment—The entity must be aware of and deal with the risks it faces. Control Activities—Control policies and procedures must be established, formally or informally and applied to address risks to the achievement of the entity’s objectives. Information and Communication—These systems enable the entity’s people to obtain and use information necessary to conduct, manage and control operations. Monitoring—The internal control process must be monitored and changed as conditions necessitate. Internal controls over financial reporting include those that are designed to make sure financial data is recorded, processed, summarized and reported consistent with management’s representations (assertions) in financial statements. Management of an entity has the primary responsibility for establishing and maintaining a system of internal control. An auditor’s job is to assess whether the five components are designed and operating effectively given the nature, size and complexity of the entity. Key or Entity-Level Controls Illustrated in the Small Audits Internal Control Questionnaire (SAICQ) published by CPA Practice Aids, LLC, these small entity controls may be informal and ordinarily carried out by one or a few persons such as an owner/manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected. Successful operation of key controls, subjected to auditors’ tests of controls, may reduce control risk to a moderate or even low level. Systems walk-though procedures performed by an auditor, combined with substantive evidence from scanning the general ledger account activity, may result in a control risk assessment less than high, even moderate. An assessed level of control risk less than high can result in proportionate reductions of more expensive tests of balances evidence. Activity-Level Controls The COSO Report states that control activities are the policies and procedures established to help ensure that management directives are carried out. The key controls described above are primary 11 CPA Practice Aids, LLC to accomplishing this objective. Absent the design of key controls, or when key controls are designed but not operating properly, activity-level controls may be necessary to prevent misstatements from occurring and going undetected. These controls can be applied through features in an accounting software system, by personnel while performing accounting procedures or by the design of documents or data. The SAICQ mentioned above illustrates the activity-level controls for the financial statement classifications of a small entity. If key controls at the entity level are not designed or operating properly, certain activity-level controls may prevent errors from occurring and going undetected. Obtaining knowledge of these controls should be part of the auditor’s risk assessment procedures. The degree to which these controls may be regarded as substantive evidence by an auditor depends on the extent to which tests of controls or systems walk-through procedures may be performed. Can Owner/Manager Controls Be Audited? Many auditors believe that owner or manager controls are unauditable because their performance is usually not documented. Interestingly, audit risk assessment standards identify inquiries and observations as acceptable procedures for testing controls, both key and activity level controls. For example, obtaining a copy of a bank statement and asking a business owner how she approaches its preliminary review before reconciliation may provide evidence that the assessed level of risk of material misstatements for cash is less than high. This procedure will produce reliable substantive evidence when the integrity of management is high. An auditor’s evaluation of management’s integrity as high has at least two significant affects on small audits. First, high management integrity normally means a stronger control environment which reduces risk at the financial statement level. Lower risk mean less evidence is required to reach a conclusion on the financial statements as whole. Second, high management integrity means higher reliance can be placed on responses to inquiries in tests of key controls, thereby reducing the amount of other substantive evidence necessary at the assertion level. Tests of activity-level controls can also be performed by inquiries and observations of other employee’s activities if the auditor has assessed their competence and integrity. The answer to the headline question above is yes, owner/manager controls can be audited. Not only are they auditable, selecting and serving clients employing management and other personnel with good character and high integrity can increase both engagement and firm profits. Considering the Prior Period’s Control Risk Assessment The risk assessment standards of 2006 (and the Clarified Auditing Standards effective for periods ending after December 15, 2012) opened an unexpected door..Auditors were given permission, almost encouraged, to consider the affects of the prior period’s control risk assessment on the current period’s control risk assessment. Focusing on the performance of tests of controls, the standards indicated that if there was no significant change in policies, procedures or personnel, the prior year’s control risk assessment could be used in the current period. To reach such a conclusion, the auditor must at least make inquiries of client management personnel and perform a systems walk-through procedure for two to five transactions in each major transaction cyele. Common sense dictates that the best way to do this is by reviewing the 12 CPA Practice Aids, LLC prior year’s internal control documentation with client personnel. Once a flowchart, an ICQ or memo has been updated and the walk-through procedures documented with no significant change, the prior year’s control risk assessment can be used to develop cost-beneficial audit strategies and audit plans. If there are significant risks of material misstatement found in updating internal control documentation, the prior year’s assessment can not be used to mitigate such misstatements. In this case, further substantive tests would be necessary to mitigate such risks and the control risk assessment may be higher than the prior year. Understanding Assertions and Types of Tests The objective in this section is to lay a foundation for understanding financial statement assertions, audit objectives, and types of tests that enable auditors to efficiently gather evidence to reach conclusions on audits of financial statements. When the requirements of professional standards are understood by auditors, decisions to perform only the minimum amount of work in each engagement’s circumstances can be made. Previous sections have discussed the design of cost-beneficial audit strategies. This section will clarify, expand on and apply these concepts. Financial Statement Assertions (Overall Audit Objectives) Assertions are representations of management that are embodied in all financial statement classifications. Specific audit objectives are developed in each classification to enable the auditor to evaluate relevant financial statement assertions. Auditing procedures are then performed to accomplish the audit objectives and evaluate the financial statement assertions. Below is an easy way to remember these common, relevant assertions that originated in SAS No. 106 (AU-C 500): C ompleteness To determine that all transactions and accounts that should be presented have been included in the financial statements. O ccurrence and cutoff To determine that all transactions occurring during the period have been recorded in the financial statements in the proper period. V aluation and accuracy To determine that all asset, liability, revenue and expense components have been included in the financial statements at accurate amounts, classified properly. E xistence To determine that all recorded assets and liabilities exist at a given date. 13 CPA Practice Aids, LLC R ights To determine that the entity has rights to all assets recorded at a given date. O bligations To determine that all liabilities are obligations of the entity at a given date. D isclosure and Presentation To determine that all components of the financial statements and other transactions and events are accurately classified, clearly described and disclosed. Audit programs used by most CPA firms are designed in a standard, all-inclusive format that includes the most conceivable auditing procedures. To ensure sufficient evidence is gathered to evaluate all applicable financial statement assertions, the auditor must consider relevant assertions during the risk assessment process and when designing and modifying audit programs. Failure to eliminate certain unnecessary procedures may result in over auditing. Eliminating other procedures without considering the relevant assertions applicable to each account balance could result in collecting insufficient evidence. Eliminating all tests of controls, for example, without adding other analytical or tests of balances procedures, may omit procedures for evaluating the completeness assertion for revenue. When deciding on appropriate auditing procedures, the auditor should select a test, or combination of tests, that will provide evidence sufficient to mitigate the risk of material misstatement. Considering the risks of misstatement in each material financial statement classification, the types of tests selected should be the most efficient in the circumstances. Basic Types of Tests To build the foundation for designing the most cost-beneficial audit strategies, a thorough knowledge of the basic types of tests is necessary. While the terms will be familiar to most readers, their consideration here will provide perspective for the discussions in the remainder of this section. Tests of Controls—Compliance Transactions Tests (author’s words) Compliance tests are designed as tests of internal control procedures or activities to determine: 1. 2. 3. 4. The frequency with which the control procedures are performed. The quality of the performance of the control procedures. The person performing the procedures. The design effectiveness of the procedures. Owners or managers for small entities may perform key controls that are not documented. In these circumstances, the auditor may assess compliance by making inquiries of an owner or manager, inspecting supporting information as considered necessary, evaluating their responses and documenting their compliance in a memo or on a working paper. 14 CPA Practice Aids, LLC Tests of Controls—Substantive Transactions Tests (author’s words) A substantive transactions test is an accounting system test designed to check for monetary errors. Determining that all entries recorded in the cash disbursements journal are valid by examining supporting documents, or that the extension of sales prices and units on sales invoices are correct, are examples of substantive transactions testing procedures. Tests of controls are often used as “dual-purpose” tests, i.e., both compliance and substantive tests of transactions are performed. While both may supply sufficient evidence to evaluate applicable financial statement assertions, it is more efficient to perform one or the other. Only a “handful” (10%-20%) of the transactions need be tested substantively after compliance tests are performed. If a client has limited internal controls, but has a good accounting system, a substantive transactions test can be performed or an assessment made of control risk using other procedures such as a systems walk-through procedure or tests of an owner/manager’s key controls by making inquiries and/or observations of procedures and inspection of documents. System’s Walk-Through Procedure The system’s walk-through procedure is often the most cost-efficient, annual risk assessment procedure auditors can use and is discussed for the first time in SAS No.109 (AU-C 315). It is performed by tracing documents and data through the accounting system from the inception of transaction cycles to their termination. Its primary purpose is to provide a good understanding of the accounting system and any control procedures or activities for risk assessment purposes. The walk-through procedure and scanning the general ledger account activity, coupled with good prior year audit experience with a client, may permit an assessment of control risk at slightly less than high to moderate. Lesser reliable procedures (nature) used for small details of an account balance, along with lesser audit coverage of an account balance (extent) and/or performing some procedures before year-end (timing) can result at lower assessed levels of risk. This procedure, considered along with other risk assessment procedures, can provide substantive evidence that may enable the auditor to reduce tests of balances, even on smaller audits. Analytical Procedures (Striking it rich!) Analytical procedures consist of absolute comparisons of dollar balances with prior years’ account balances, or with budgets, ratio comparisons and trend analysis, and computations based on financial or operational data designed to predict the balance in a general ledger account. Analytical procedures also extend beyond numerically-based procedures to become a part of an auditor’s thought process. Challenging financial information or the lack of such information that appears unusual, maintaining positive, healthy professional skepticism when considering client responses to inquiries and searching for the cause of a problem beyond its symptoms are examples of analytical thinking. The term “professional skepticism” is used in the literature to describe this kind of thinking. It is loosely defined as neither blindly trusting every client or, on the other hand, considering each client dishonest as substantive evidence is gathered. The most common analytical procedures are corroborative in the nature. Their primary purpose is to corroborate evidence gathered from other tests designed to evaluate financial statement assertions. 15 CPA Practice Aids, LLC When the results of analytical procedures contribute evidence to enable an auditor to evaluate financial statement assertions, related tests of balances can be reduced, at least to a limited extent. The extent of the reductions of tests of balances depends on the effectiveness of the analytical procedures. Determination of the effectiveness of a procedure must be based on the procedure’s contribution of evidence for evaluating the financial statement assertions. The most effective analytical procedures are computations designed to predict the balance in a general ledger account based on audited financial or operational data, e.g. quantity reconciliations and reasonableness tests. Corroborating procedures performed at lower levels of detail are more effective than corroborating procedures based on balances of financial statement classifications. Reading (Scanning) the General Ledger One of the most pervasive analytical procedures is reading, or scanning, the general ledger account activity. Whether done manually, or with the assistance of data extraction software, this analytical procedure is discussed in the auditing standards. Many auditors perform this procedure but fail to consider its affect on their audit strategy. After any errors that are discovered are corrected by proposed journal entries, the auditor has obtained significant, substantive evidence that relevant assertions for many account balances are reasonable. The evidence obtained from this and other risk assessment procedures should enable the auditor to reduce the assessed levels of risk of material misstatement in financial statement classifications and, therefore, the extent of evidence desired from detailed tests of balances. This procedure is usually performed by searching for unusual amounts or postings, transactions or general journal entries greater than the lower limit for individually significant items, checks or disbursements to be used in support tests, and other unusual matters. Documentation of the procedure should include the parameters of the test, the exceptions the test revealed and the resolution of the exceptions in a spreadsheet, memo or other working paper. Tests of Balances Substantive tests of the details of general ledger account balances include, among other evidence collection procedures, the following: Physical examination of assets. Confirmation of account balances. Inspection of support for transactions and balances. Observation of the work of client personnel. Inquiries of client personnel. Tests of the mechanical accuracy of balances. The substantive tests of balances often make substantial contributions to evaluation of the financial statement assertions. Compared to risk assessment and analytical procedures, tests of balances procedures are, however, usually the most time consuming to perform. Selecting the Strategy To select the proper strategy and prevent over auditing, the auditor must consider (1) the opportunity to assess risk of material misstatement at less than maximum; and (2) the relative 16 CPA Practice Aids, LLC efficiency with which substantive tests of balances procedures can be performed. When a client has good internal controls and/or a good accounting system, using tests of controls may be the most cost-efficient strategy. However, when other risk assessment procedures are performed, e.g., reading the general ledger and performing a systems walk-through procedure and slightly reduced substantive tests of balances to evaluate applicable financial statement assertions in minimum time, tests of controls would not ordinarily be necessary. Since the evaluation of the risk of material misstatement is made at both the financial statement and the assertion levels, and because tolerable misstatement must be determined for each material financial statement classification, the auditor will achieve efficiencies by planning unique audit strategies for each financial statement classification. Establishing and Using Materiality Levels Paraphrasing SAS No. 107, materiality judgments about financial statements are unique to each environment in which judgments are made. Risk always affects materiality. Materially misstated financial statements contain errors or irregularities that a reasonable person, considering the quantitative and qualitative facts in the circumstances, would consider important enough to cause an unfair presentation. Preliminary Estimate of Planning Materiality The preliminary estimate of planning materiality is the maximum amount by which the auditors believe the statements could be misstated, by known or unknown error or fraud, and still not affect the decisions of reasonable users. While professional literature does not require quantification of a materiality level, most firms make an estimate of a dollar amount to guide their judgments and procedures. Remember that this estimate is only a guide and is not a specific determination of what is, and is not, material in an audit. Usually, a single base such as the higher of total revenues or total assets is selected for the financial statements taken as a whole. Once determined, the dollar amount of planning materiality is multiplied by a factor to determine the portion available for known and unknown error and fraud in the financial statements taken as a whole. This is tolerable misstatement, the maximum amount of known error an auditor can accept in the financial statements without adjustment. A general range of 50% to 75% of planning materiality is used to calculate tolerable misstatement at the financial statement level. Extremely low risk could enable an auditor to calculate tolerable misstatement at an even higher level, say, 80% to 90%. When risk is higher at the financial statement level, a lower level of tolerable misstatement will result in a lower limit for individually significant items and more evidence from auditing smaller account balances, general journal entries, unusual transactions, etc. Lower risk at the financial statement level will result in fewer individually significant items. Calculating Tolerable Misstatement and Individually Significant Items by Financial Statement Classification The Tolerable Misstatements Computation Form published by CPA Practice Aids, LLC presents a general calculation of planning materiality for use as an overall guide for engagement planning. 17 CPA Practice Aids, LLC This form also includes a specific calculation of tolerable misstatement and the lower limit for individually significant items by financial statement classification, based on an assessed level of risk of material misstatement for each classification, which should be used in sampling and nonsampling decision making. The process of determining tolerable misstatement and lower limits for individually significant items at the financial statement level and the account classification level is discussed in a later course in this small audit series. Individually Significant Items for Financial Statements Taken as a Whole Tolerable misstatement is the base for determining the lower limit for individually significant items in the financial statements taken as a whole, generally from 1/6 to 1/3 of tolerable misstatement, depending high risk or low risk respectively. For engagements with higher risk of material misstatement at the financial statement level, individually significant items will generally be those account balances, transactions or general journal entries in excess of 1/6 of tolerable misstatement. When risk of material misstatement at the financial statement level is lower, a percentage of up to 1/3 is commonly used for determining individually significant items. When risk is very low at the financial statement level, some firms’ policies permit the lower limit to be set at 50% to 60% of tolerable misstatement. Time-Savings Opportunities The concepts of materiality included in SAS No. 107 (AU-C 320) provide a framework for audit quality. They also provide opportunities for saving time. Here are some of the time savings opportunities: Tolerable misstatement by financial statement classification will affect sample sizes determined statistically or non-statistically. Using a higher level of tolerable misstatement when risk at the assertion level is low or moderate results in fewer individually significant items, smaller sample sizes and less audit work to achieve the desired level of assurance. Using a higher factor of tolerable misstatement at the financial statement or assertion levels to determine the lower limit for individually significant items when risk is less than high to moderate reduces work by auditing fewer individually significant items. Account balances on the trial balance, individual accounts receivable balances and outstanding checks on bank reconciliations that are less than the respective lower limit are examples of details that can be excluded from testing. Potential adjustments less than the lower limit of individually significant items can be recorded on an Error Analysis Form (Audit Difference Evaluation Form) for error analysis by the in-charge accountant, thereby limiting the number of proposed adjustments to the trial balance. Paper-passed adjustments require no further consideration or documentation. Understanding Sampling and Non-Sampling Concepts When SAS No. 39 was issued, concepts of risk and materiality had not been adequately discussed in the professional literature. In fact, SAS No. 47, which contains risk and materiality concepts, was not issued until sometime later. Without it, most practitioners could not understand SAS No. 39 and its implementation took many years. A thorough understanding of the concepts 18 CPA Practice Aids, LLC of risk and materiality is needed in order to understand sampling. This section will build upon the previous discussions of these subjects. SAS No. 39 (amended by SAS No. 111—AU-C 530) defines audit sampling as the application of an audit procedure to less than 100% of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class. Tests of controls, accounts receivable confirmations, inventory observations, pricing and clerical tests, vouching fixed assets and expense account balances and tests of purchases and sales cutoffs are a few examples of procedures in which sampling applications may occur. Deciding to Sample or Not to Sample The sampling requirements in SAS No. 39 are applicable when sampling populations are material (greater than the lower limit for individually significant items at the account classification level) and other analytical and tests of balances procedures are not used to satisfy audit objectives. A sampling population is the recorded population (account balance, class of transaction, units, etc.) minus individually significant items. Individually Significant Items Selecting individually significant items is the process by which the sampling population is derived. Individually significant items, instructs SAS No. 39 amended by SAS No. 111 (AU-C 530), must be audited 100%. For accounts receivable, a 100% audit would mean sending a positive confirmation and/or performing alternative procedures such as examining subsequent collections and shipping documents for an account to evaluate the existence and valuation assertions. For inventories, a 100% audit includes observation of the physical inventory taking procedures, making sufficient test counts and performing price testing and clerical testing to evaluate the existence and valuation assertions. For tests of completeness of accounts payable, major suppliers’ transaction records for confirmation and/or support for all subsequent disbursements over a percentage of the applicable lower limit for individually significant items for several weeks or months can be selected. Deciding which items are individually significant requires reconsideration of the risk assessment procedures and any tests of controls, systems walk-through procedures or analytical procedures performed during planning that were considered in setting tolerable misstatement at the financial statement and assertion levels. Some of these factors and their affect on the determination of individually significant items (ISI) discussed above are: Risk of material misstatement at the financial statement level—high risk will lower tolerable misstatement and cause more items to be considered ISI. Low risk will result in fewer ISIs. Risk of material misstatement at the financial statement classification/assertion level— high risk in the financial statement classifications being examined will result in lower tolerable misstatement and more ISIs; low risk will produce the opposite. Tolerable misstatement levels—lower levels of tolerable misstatement for individual financial statement classifications will produce more ISIs, i.e., a greater percentage of a classification would be subjected to audit. Higher levels of tolerable misstatement will permit lesser coverage of account balance dollars. 19 CPA Practice Aids, LLC If the sampling population is less than the lower limit for individually significant items, SAS Nos. 39 and 111 (AU-C 530) will not apply unless the population has some unusual characteristics such as a separate class of transactions or related party transactions. If the sampling population is greater than the lower limit of ISIs, SAS Nos. 39 and 111 (AU-C 530) will apply unless performing other analytical or tests of balances procedures can be used to evaluate applicable assertions more efficiently. Efficiency Should Always Be the Guide The characteristics of a recorded population, and the relative ease of applying analytical and tests of balances procedures in an audit strategy, guide decisions to sample or not to sample. If, for example, the auditor can send 15 positive confirmations and cover 85% of the recorded population, absent unusual items or a separate class of transactions in the remaining population, a non-sampling approach would likely be most cost-efficient. On the other hand, auditing a population with 1,000 small accounts having an average balance of $500, with limited variations in the balances, would probably require a sampling application to be efficient. Statistical applications for sampling are seldom used by firms except for special procedures such as regression analysis to predict expectations in account balances for analytical procedures. Even the once popular PPS statistical sampling method no longer has much support in practice. The reason is sample sizes determined statistically, or by statistically-based non-statistical methods, generally are larger and require more time than using an approach that considers risk and is based on professional judgment. High quality in every engagement is a top priority. A profitable, high quality engagement can be produced when the design of the auditing procedures focuses on efficiency. Planning for Finishing Engagements Functions and Responsibilities Completing an engagement efficiently requires control and organizational skills. This section discusses some of the key functions and responsibilities for engagement completion. It will be covered in more detail in a later course in this small audit series. Complete Engagement Performance Review The in-charge is responsible for reviewing the work of all assistants and seeing that supervision checklists are completed. The in-charge review should be conducted as assistants complete each section of the engagement. Timely review and feedback can prevent assistants from making the same types of documentation or procedural errors in other sections of an engagement. Financial Statements, Footnotes, and Report Preparation The in-charge is responsible for preparing, or assisting in preparing the end products of most engagements. Planning for completing these documents, of course, must begin early in an engagement. Reviewing the prior year’s working papers should include the financial statements, footnotes and reports. Using disclosure checklists or pre-designed disclosure working papers to guide the work of assistants, disclosure information can be gathered efficiently as each section of an engagement is 20 CPA Practice Aids, LLC completed. The financial statements, footnotes and report should be finalized before leaving the field to prevent time-wasting return visits. Report Review Conference between the Engagement Leader and the In-Charge Accountant The report review conference should be the final technical function for the engagement. Accomplishment of the engagement objectives, conformance with firm policy, problem resolution, and the financial statements, footnotes and report form and content should be the primary subjects discussed. This conference, along with any independent report review function, is the final key point for engagement quality. Communication of Internal Control Deficiencies All significant deficiencies and material weaknesses relative to the nature, size and complexity of the reporting entity discovered during the risk assessment procedures and engagement performance must be communicated to management. Significant deficiencies and material weaknesses ordinarily result from omissions of key controls from the design of an entity’s internal control system or from the failure to perform informal or formal key controls. Since internal control is always relevant to the nature, size and complexity of an organization, smaller entities may have only informal key controls performed by an owner or manager. In the case of smaller entities, the internal control communication letter should communicate only those deficiencies that are relevant to the smaller entity. Suggestions that relate to operational issues, particularly those that save the client time or enable them to operate more profitably, are obviously the best received. Teaching staff personnel to document ideas for suggestions during the performance of the engagement facilitates preparation of this communication during the completion phase of the audit. Some firms are focusing on using these suggestions to sell additional services engagements, and in some cases, develop business-planning engagements for their clients. Administrative Wrap-up of Engagements The administrative wrap-up of engagements should include the following functions, as they are applicable for audits, reviews and full-disclosure engagements: Scheduling and Completing Reviews Timely completion of the review functions can make a major contribution to engagement profitability. All reviews, including the tax provision/accrual review, leadere engagement performance and report review, independent report review and engagement partner review, as applicable, should be planned and scheduled in advance by the in-charge accountant. The reviewers should be informed early if scheduled dates are changed. For maximum efficiency, review functions should be performed in the field whenever possible. In this way, the reviewer can avoid the usual telephone and office interruptions, can resolve problems while staff personnel are still working on the engagement, and can use the opportunity to visit and observe the client’s personnel and operations. 21 CPA Practice Aids, LLC Since auditors’ reports are dated when all significant engagement procedures are completed and the financial statements are available for issue, completing all levels of review in the field, and obtaining the client’s approval of the financial statements and footnotes before leaving the field, can eliminate extended subsequent events review periods. The in-charge should carefully plan and assign staff assistants’ work responsibilities to coordinate with the field reviews for timely and efficient completion of the engagement. Obtaining Signed Correspondence A correspondence control form should be maintained during the engagement by the in-charge accountant to monitor the receipt of required correspondence. The engagement leader and/or partner should determine that all correspondence has been received before signing and releasing the report. Furnishing Client with Proposed Adjustments The in-charge accountant is responsible for furnishing the client with copies of all proposed adjustments and reclassifications. All adjusting entries must be approved and posted to the client’s records as of the reporting date. It is not normally necessary for the client to post reclassification entries unless required by a CPA firm’s policies. Review and “To Do” Lists Lists of review and “to do” points are temporary records of possible additional work necessary to complete an engagement. The results of any additional procedures performed or additional information gathered in response to such points should be permanently documented in the working papers. Any review or “to do” points that pertain to future engagements should be summarized and included in a file bearing the next year’s reporting date. All lists of review and “to do” points should be destroyed after engagement completion. Using word processing software to type review notes and “to do” lists makes them easier to read and easier to delete. Time Savings for Next Year Suggestions for modifying procedures on next year’s engagement should also be stored in a file bearing next year’s reporting date. This information can be gathered throughout the engagement or at its conclusion during a post-engagement meeting with staff personnel. Collecting this information is most effective when memories of problems are fresh. Report and Tax Returns Issuance The in-charge accountant is primarily responsible for monitoring the engagement completion and communicating with the engagement leader. The leader should resolve typing and processing delays and communicate any changes of promised dates to the client promptly. Every effort should be made to deliver reports and tax returns to clients on a timely basis. Performance Appraisals Performance appraisals, when a part of a CPA firm’s quality control procedures, should be completed for staff personnel on engagements over a certain number of hours. To achieve maximum benefits from these feedback mechanisms, appraisal forms should be prepared and reviewed with staff peronnel immediately after the engagement’s completion. The forms 22 CPA Practice Aids, LLC should be prepared honestly in accordance with the firms standards of evaluation and with the purpose of building up and strengthening the firm’s staff resource base. Some firms will not release audit reports until all appraisal forms are complete. Time Budget and Control File The in-charge accountant is responsible for the final time summarization, its reconciliation to client time charges in the firm’s billing records, and its final comparison to budget. Reasons for budget overruns should be documented in the file. Suggestions for next year’s possible time savings should also be included. The file documents should be discussed with the engagement leader prior to preparing the final client billing. Finally, preparation of a tentative time budget for next year will facilitate future planning. Policing Engagement Quality Control While performing an inspection engagement for a CPA firm several years ago, I requested working paper files for several clients from the file room. The papers in the files for one client were literally covered with yellow sticky notes. Uncleared items, review notes, notes for next year, and even a missing attorney’s letter were identified on the sticky notes although the audit report had been issued nine months previously. While this is an extreme case, some firms have implemented special quality control procedures to prevent this from happening to them. Auditing standards require completion of an engagement within 60 days after the report release date. Develop checklists to finalize the working paper files prior to their file room storage and have this list monitored by an administrative employee. The checklists should be designed to prevent the pre-peer review, panic cleanup of files. The files should be reviewed for various quality control issues before being stored. Deficiencies or open items need to be communicated to the engagement in-charge accountant along with a deadline for clearance. Maintain a tickler file to control the location of the files and the date due for storage. Below are a few of the questions that could be included on such a checklist: Have all working papers been headed and initialed and dated by a preparer and reviewer? Are all working papers indexed and properly cross-referenced? Are all open items resolved? Are all tick marks adequately explained? Has all correspondence been received? Have all audit program steps been completed? Are all required forms and checklists included? Have performance appraisals been completed? Has a budget been prepared for the next year’s engagement? Has the internal control and/or management letter been issued? The Essence of Engagement Profitability—Efficient Wrap Up Efficient engagement completion is a product of effective engagement planning. Failure to plan properly throughout the engagement pushes problems into the completion phase of the job. Open items are usually more difficult to close during wrap up than during fieldwork. Adopting a do-itnow policy for disposing of loose ends, and teaching the staff to follow it, will relieve considerable pressure during the completion phase. Learning to anticipate common problems and 23 CPA Practice Aids, LLC to achieve their resolution early will expedite the wrap up process. Planning the finish will prevent a loss of control. Conclusion For small audits to be easy and profitable, all engagement personnel must know and comply with applicable quality control and auditing standards, plan and conduct engagements in a timely and orderly fashion, design unique audit strategies and plans for each engagement, and use common sense, practical approaches to documenting the evidence collected to support conclusions on the financial statements. Profitable engagements result from the consistent, on-going applications of standardized policies and procedures that are applied uniformly throughout a CPA firm, from the start of engagements to their completion. 24