#23 | Part 7 – Understanding Likely Sources of Misstatement in Demystifying SOX 404 – Auditing Standard 5
Welcome to part 7 of Auditing Standard Number 5. This segment is Understanding Likely Sources of Misstatement. Because AS5 has over a hundred pages of heavy reading, I made it easier by breaking it down into smaller parts, giving you the cliff notes version to:
- Understand flow of transactions
- Understand how IT affects flow of transactions
- Perform walkthroughs
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
This table of contents came directly out of Auditing Standard 5 from the PCAOB; I’ve just broken it into chunks so that it is easier to understand and follow.
This section is Understanding Likely Sources of Misstatement.
Understand Flow of Transactions
Paragraph 34 says you have to understand the sources of misstatements, and to understand the sources of misstatements, you have to understand the flow of transactions. This starts when the transaction gets initiated and continues through when it’s authorized, when it’s processed in a system of some sort and when it finally reaches the general ledger or the actual financial statements themselves. Those are the areas where you focus.
In order to do this, as the SOX auditor, we have to identify the points within the processes where a misstatement, including one due to fraud, could happen. Once you find where the misstatements could happen, you have to find the controls that address the potential misstatement. Then identify controls that management has put in place to prevent or detect unauthorized acquisition, use or disposal of company assets. Again, this goes back to the beginning when people were potentially stealing certain assets or writing up certain assets or selling off certain assets without approval and trying to hide it.
Understand How IT Affects Flow of Transactions
Paragraph 36 talks about understanding how IT affects the company’s flow of transactions. This paragraph is really important because over the 13 years that we have been doing SOX, the emphasis on IT has continued to grow because IT is so prevalent. You cannot do anything nowadays without IT. Maybe in the old days you could use only QuickBooks, but any company today has many more tools and applications. This paragraph says that you have to understand how IT impacts the flow of transactions, and it even refers you to Appendix B of Auditing Standard number 12, Identifying and Assessing Material Misstatement related to Information Technology.
This is really important because IT is not a separate evaluation. It’s an integral part of the top-down approach. This is why as a team, we put so much focus on not separating SOX auditors into the financial side versus the IT side. This is why we focus on integrating it so that we have people who understand manual controls on the finance side and also understand IT.
Maybe you are not the subject matter expert on IT systems. But you have to understand it because systems and processes are co-mingled now. Our advantage is that we are auditors and accountants who understand systems and processes. That’s what makes us unique and that’s why it is important for us to learn more about systems and how they impact the financial statements.
Performing Walkthroughs
Paragraph 37 talks about walkthroughs. The client can describe to us how a process works, but the best way to validate that we really understand the process is by doing a walkthrough. In doing the walkthrough, you have to follow a transaction from the beginning of the process, including the IT systems, until it gets to the end in the accounting records, using the same documents and information system that the client uses.
That is why when we do the walkthrough, we often sit by the desk of the person doing the work and ask them “Show me when we first get that PO, what do you do with it? What does that sheet of paper look like?” Maybe it’s an email, maybe it’s a notification, maybe it’s all in the system. We are putting ourselves in their shoes and walking through significant transactions from beginning to end.
The types of procedures we do in a walkthrough are going to be inquiring, observing, inspecting and re-performing. We ask someone and observe them. We look at the actual document, inspect it and look at the report, flip through the pages to see what they’re circling and what they’re looking at. Then we re-perform the control. It’s important to not just inquire or interview alone. It’s a combination of procedures that makes the walkthrough more effective. We can actually see the process through the control owner’s eyes. What is it that they are doing and why are they doing these steps?
When we’re doing the walkthrough, we want to ask the process owner about their understanding of what’s required in terms of who has to sign off on this? What happens if you look at this and it is not signed off? How does it get kicked back to the system to be reviewed or approved? Once it’s approved, how does it flow through? What documents are required? What support is required?
These types of questions are necessary. A walkthrough is not just that the client says “Here’s what I do” and you write it down. You want to ask them “Why do you do that? What could go wrong when we do this? What are the typical scenarios? What type of mistakes do you catch by doing this?” For us, the value added to our client oftentimes is a fresh set of eyes. Why do we do something that takes 10 steps? Maybe it can be done in 8 steps. Or, the reverse is sometimes that they are going through all of the procedures but maybe there is not a control. We can help them say “You know if you inserted in this particular procedure, this would make the process either go faster or be more accurate and help you in the future.”
That’s why walkthroughs and understanding likely sources of misstatement are required. That’s it for the walkthroughs.