Improving Your Audit Process, Part 10: Planning the Deliverablesby
Auditors basically are concerned about two deliverables rooted in the Clarified Auditing Standards: Forming an Opinion and Reporting on Financial Statements (AU-C Section 700) and Communicating Internal Control Related Matters Identified in an Audit (AU-C Section 265).
This brief article is not intended to reiterate the contents of these standards (which one can download free from the AICPA) but to discuss some of the ways auditors can improve the process of completing these deliverables. Basic requirements of the standards will be presented below along with tips to improve the culmination of the audit process with the issuance of the audit report and internal control communication letter.
AU-C Section 700: Objectives of the Auditor
The auditor’s objective is to gather sufficient evidence to form an opinion on the financial statements and to express clearly an opinion on the financial statements through a written audit report.
An unmodified opinion is expressed when the auditor concludes that the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework.
A modified opinion is expressed when in the auditor’s report, in accordance with the clarified standard, Modifications to the Opinion in the Independent Auditor’s Report, he or she concludes that the evidence indicates the financial statements as a whole are materially misstated or when the auditor is unable to obtain appropriate audit evidence to conclude that the financial statements as a whole are free from material misstatement.
Tips for Improving the Reporting Process
1. At the risk of being corny, improving the reporting process requires us to go “back to the future.” Accepting an audit engagement requires, first, a thorough investigation of a prospective client and its management personnel. Determining that the client management meets a CPA firm’s standards of integrity is a preliminary indicator of a quality engagement.
As many auditors (including myself!) have learned, the desire to increase cash flow should not override good judgment about the integrity of management personnel of a prospective client. Sooner or later, client management personnel without strong character and integrity will become a liability for a CPA firm! Audit reports for these clients will likely contain more costly, modified opinions with increased exposure to lawsuits.
2. During the presentation of the engagement letter by an engagement leader, answers to questions about economic conditions affecting the entity; its past, current, and future operations; operating profitability; and its reporting requirements will offer more information regarding the quality of a prospective client and the engagement. This information will also assist in effective engagement planning.
Unfortunately, we too often discover going-concern problems during the performance and/or completion phases of an engagement. This has been one of the pathways to budget overrun! Effective planning for economic circumstances affecting a reporting entity can improve the reporting process and increase engagement profitability.
3. Performing a thorough risk evaluation as a basis for the design of a cost-beneficial audit strategy enables an auditor to use the substantive evidence from risk assessment procedures in the evaluation of relevant financial statement assertions. Acceptable results from client acceptance and continuance decision-making, tests of controls, systems walk-through procedures, scanning the general ledger account activity, and other planning activities may permit assessments of risk of material misstatement levels for some financial statement assertions at levels less than high.
Focusing on any potential risks of misstatement due to error or fraud discovered during the planning phase enables management and auditors to take corrective action early in an engagement that will support an unqualified opinion. When this occurs, the nature, extent, and timing of the more costly tests of balances procedures also may be modified to reduce time charges and increase engagement profitability.
AU-C Section 265: Determining Reportable Control Deficiencies
According to AU-C Section 265, only significant deficiencies and material weaknesses are required to be included in the internal control communication letter. Significant deficiencies and material weaknesses arise from risks of material misstatements. For small audits, risks of material misstatements are primarily the absence of key controls at the entity level, either in the design or in the operation of an entity’s internal controls.
For larger entities with more accounting personnel, key controls will exist at both the entity and activity levels. An identified risk of material misstatement may be mitigated or offset by certain key controls and would not ordinarily affect the assessed level of risk in a financial statement classification. If, however, such risks are significant deficiencies or material weaknesses, they should be reported to management in the internal control letter, even though the deficiency may have been corrected.
Tips for Improving the Process for Preparing Internal Control Letters
1. Among the few absolutes in the audit process is this: Internal control is always relevant to the nature, size, and complexity of a reporting entity. Therefore, so should be the contents of the internal control communication letter. Smaller entities will ordinarily have more informal control activities performed by one or a few individuals. For smaller entities, key controls performed at the entity level will ordinarily have the most pervasive effects for preventing errors or fraud from occurring and going undetected.
For larger entities, key controls at both the entity and activity levels will have similar results. The results of testing and/or evaluating key controls generally will identify significant deficiencies or material weaknesses in the design and/or operation of an entity’s internal controls for inclusion in the communication letter.
2. To facilitate the risk assessment process and the ultimate reporting of significant deficiencies and material weaknesses, it is beneficial for key controls to be identified and evaluated during the planning and risk assessment phases of an audit. Based on internal control documentation, identified risks will form the basis for audit responses in the audit plan (program), as well as the matters for inclusion in the internal control communication letter.
By using identified control deficiencies for both risk assessment procedures and the preparation of the internal control communication letter, the contents of the letter can be assembled efficiently and include only those significant deficiencies and material weaknesses relative to the nature, size, and complexity of a reporting entity.
The End of it All!
I remember an audit of a chain of banks I supervised years ago. The time budget was severely limited because of a low fee bid by the manager to whom I reported. The manager also set the report delivery date without considering the actual time necessary to complete the audit.
Long days, and sometimes nights, were necessary to complete the audit at which time my manager was available to perform his review. On a Friday afternoon, with the audit report and internal control communication letter due the following Monday, we realized we had failed to centrally document the significant deficiencies and material weaknesses in internal controls of the banks for inclusion in the communication letter.
As my manager left for a weekend of sun and fun, he cheerfully exclaimed, “No problem, you’ve got the entire weekend!” Perhaps we’ve all been there: when we experienced the “light bulb” moment and realized we should have planned for the deliverables!