Internal Control Audit and Compliance. Graham Lynford
1 Total = $10,000,000
The amounts or the risks associated with a component of the financial statements will cause you to include those streams within your project scope. Based just on revenues, you might be able to cover 85% of the revenues by evaluating the controls related to the two main streams of revenue. But the next question is whether you have covered your identified risks with this scope. Because fees and fines are more volatile from year to year, are more difficult to predict and verify, and involve more human interaction, judgment, and fraud risk than the other areas, they probably still require controls attention.
For example, if the receipt and recording of the revenue-sharing portion were easy to track because these revenues are allocated in a scheduled or known way from a larger pool of county revenues and transferred to you in an easy-to-audit transaction, the area may be considered a low risk and require only limited evidence to conclude the controls are effective. However, if the process over fees and their collection and recording is not as well controlled, and there is some risk of completeness (e.g., skimming, a type of fraud) and some risk of inaccurate processing when collecting these fees, then more effort may be placed on controls over these transactions than their sheer size might suggest.
You might take similar key measures of other financial statement accounts and, in profit-oriented entities, consider the contribution to profit. Thus, you may find a profile of revenues, expenses, and locations or segments emerging from your analysis that really define the core of your entity. That core can be a starting point to determine the main focus of your controls assessment project.
You may need some talking points to address the peripheral and trivial areas you do not identify as your core based on volume or risk. Auditors cannot reliably use size as a risk indicator when understatement is a risk. For example, a completeness risk could be that all the activity of a remote location might not be reported. Skimming is a fraudulent withholding of some of the revenue stream such that some revenues never get recorded.
One approach followed by some entities is to make a list of the main controls and procedures that are in place regarding those amounts that might be candidates for exclusion from the analysis. For example, numerous smaller entities may be part of the consolidated entity but individually and in the aggregate still make up only a small portion of the overall entity. If these entities adhere to a common accounting manual of procedures, use the approved company software, and perform monthly bank reconciliations, and management or internal audit visits these locations periodically to audit the details, then monitoring the key statistics and cash flows from these locations may be sufficient for management to detect a significant departure from expectations.
As a general guide, you might start with all the financial statement accounts and elements in your initial scope of documentation and assessment of controls. Often the financial statement caption items are larger than materiality or are separately presented for some reason. Your documentation and design assessments can be broader (and should be, for your own protection) than any testing plans need to be. In my view, too many entities and their auditors are too quick in using risk assessment judgments to exclude amounts completely from the scope of the examination. There will come a day of reckoning for those who incorrectly assess risk, as there was with those who thought there was little or no risk in auditing Enron, WorldCom, and Parmalat. Smaller entities suffer similar fates based on bad guesses regarding risk; you just do not hear about them. They just become empty storefronts at the local strip mall.
One quip attributed to Yogi Berra, the oft-quoted Hall of Fame catcher for the New York Yankees, applies here: “It's amazing what you see when you look.” I am sure many misstatements and frauds are overlooked because of faulty risk assessments that do not indicate an observable risk. All the more reason not to shortcut the process of gathering evidence to support low-risk assessments and periodically reexamining decisions about risks. For example, in 2004 and 2005, few companies or auditors included the stock option granting process in their controls assessments. In the past it was not on the radar screen for substantive audit testing, either since it seemed to be a rather low-risk area or was subject to written corporate policies and clear accounting rules and was not generally noted as a risk area. There was no explicit exclusion of this process in the Sarbanes-Oxley (SOX) Act or any other guidance. Well, what followed was a discovery by an outsider academic (Dr. Eric Lie) of a widespread “fudging” of the stock option dating process to favor the executives receiving the options. Companies and their auditors were embarrassed by the discovery. For sure, this is not a forgotten process these days.
As you perform this analysis, you may wish to review your conclusions with your independent (external) auditor to see if your reasoning is on target with his or her expectations. Having to expand a project late in the year can be both annoying and expensive. In one case I can recall, a reluctant client with an attitude started with a proposed scope of coverage that was far less than any reasonable estimate of the required scope under the standards and kept coming back time and time again with proposed incremental increases, becoming angrier and angrier that the scope had to increase and never understanding that the better answer was to start at the other end and exclude trivial and low-risk aspects of the entity. In the end, the same result would have been achieved by starting with a broad scope, with the side benefit of decreased blood pressure for all involved.
After the Initial Year
It does not hurt to think longer term. The first year of documentation requires a significant commitment of time and effort. You may prioritize the core that needs to be included in year 1. However, in subsequent years, you should consider whether to expand the documentation process into a few other less significant areas. Additionally, you should consider whether your experience has offered a better way to document the core areas for more efficient update and assessment in the future. Once you have the internal experience in doing the documentation and assessment, you will find these procedures do not take long to perform, and you may conclude that unexpected benefits and efficiencies can be gained from digging into the business at this level. Many entities are today following the same documentation paths in some core areas that were established early on when first documenting processes and controls.
A frequent opportunity that is missed to reduce costs and attain some benefits of the controls focus is to adopt an attitude of “continuous improvement” in the process and testing. Taking good ideas back from conferences or even examining best practices from within the organization can result in significant benefits. Auditors sometimes fall into the trap called SALY (same as last year), which creates a false sense of efficiency when changes occur in the business.
Also frequently encountered and a contributor to higher-than-necessary costs is the lack of training and learning on the part of today's assessment teams. It might be shocking, but many new college accounting major graduates have not had significant exposure to COSO or any of the issues discussed in this book. In the early days of increased attention to internal controls, one could understand this. Today, more than a decade later, not all of the professors and the texts they use have caught up with this important and durable topic. Some professors claim there is no room for the subject in their curriculum. Also shocking are the number of company employees who are expected to learn on the job by following their predecessors' practices. Without some global understanding of this whole COSO process, how could one expect to figure it out from just following specific procedures? Since the approach is conceptual and not prescriptive, some level of conceptual understanding is essential to effective implementation. We are all familiar with the parlor game where a thought is shared around the room and morphs in meaning as the message is passed. Such is the nature of some on-the-job training unless supplemented by consistent, effective structured training.
Mapping the Entity to the Financial Statements: Ins and Outs
In the last section, we illustrated a technique for using revenues to identify the core of the