Tips for auditing with changed controls during the pandemic

The coronavirus pandemic has raised a number of questions about how to properly audit financial statements when internal controls have changed due to dramatic changes in an entity’s business volume and activities.

The auditing standards (GAAS) require the auditor to obtain an understanding of controls that are relevant to the audit and assess whether they are designed effectively to prevent or at least detect and correct material misstatements that might be made in the financial statements. Then the auditor is required to determine whether they’ve been implemented. Please note that this article addresses audits performed under generally accepted auditing standards (GAAS) and not audits under PCAOB standards.

GAAS requires auditors to identify where and how the financial statements may possibly carry a higher risk of being materially misstated. The auditor uses that understanding to help design what further audit procedures might be effective in detecting any material misstatement that may exist.

Those further audit procedures can either be tests of controls or substantive audit procedures. I’ll come back to tests of controls later, but it’s important in this environment for auditors to be creative and innovative in their audit approaches. That may involve performing procedures remotely, and it is predicated on understanding how the client is processing and controlling its financial accounting processes and working transactions through the financial statements.

The auditor needs to understand the entity’s internal control before determining whether procedures that might be performed remotely would truly be effective.

A new environment

In the current environment, most businesses — except for essential business — are pretty much shuttered. Or at least their business is being conducted by a workforce that’s at home working remotely.

It is very likely that for many audit engagements this year, the way that a business is processing its financial transactions impacting the financial statements is different from what the auditor understood it to be prior to the pandemic. That’s just out of necessity for businesses to be able to continue operations.

With that as a backdrop, the auditor needs to be thinking through a couple of issues that are going to be encountered. The first one is that it’s likely that if you’re looking at annual financial statements, there are going to be different systems of internal control, perhaps entirely different or at least partially different systems that have been in effect and operating throughout that 12-month period.

Auditors need to think about that. What did we know from last year? What did we understand? And how long did that continue this year before some of these changes were made? It’s fairly obvious that if we’re looking at March 31 or June 30 and ensuing year-ends this year, certainly we’re going to be in that situation. But I’d also like to throw out a quick alert. Even when doing audits of Dec. 31 or calendar-year 2019 financial statements, auditors need to remember that part of the client’s system of internal control is closing its books, preparing journal entries, preparing financial statements, and pulling everything together. Even though the fiscal year ended Dec. 31, some of the controls that are relevant to those financial statements may still have been operating for periods past that fiscal year end of Dec. 31. Don’t forget about that.

In some cases, this is like having a new client. The auditor needs to obtain an understanding of what controls are now in place. How did they process transactions and what controls were in place at whichever point in time that transition occurred? The auditor needs to maintain an appropriate perspective on this matter. The length of time that new controls may have been in place, and the level of business activity while that system was in place, will drive the importance of gaining that understanding of the new controls and determining the controls relevant to the audit. To illustrate, many businesses in the hospitality industry — the restaurants, bars, hotels, and some of those types of businesses — were closed down by state requirements and restrictions. Some of these businesses have not been operating for the entire fiscal year. It stands to reason that if there is not significant business activity running through the business during a period in which they had a different system of controls in place, it may not be as important to understand all the controls that we would normally encounter if the business was up and running as normal and changes in internal control took place.

Assessing the control environment

The AICPA’s Enhancing Audit Quality initiative places emphasis on the importance of tone at the top and control environment matters generally. It’s always important to carefully assess the client’s control environment, and common questions received involve whether the auditor can do this when they are not on-site at the client location.

I understand the question, but I think that using remote audit procedures might provide the auditor with good insight regarding the control environment.

Something that auditors should be keying in on, and something that will be very informative to them in these periods when the processing of transactions has changed, is: What was the message from the company? What was the message from the CEO, the CFO, the controller, the head bookkeeper, whoever it is, to their accounting people about how they’re going to handle this?

Were they well informed? Was there training on remote working? The auditor can assess all this with inquiry of the accounting personnel and, in some cases, inspecting training material or training records or new operating procedure documents, manuals, instructions, and so on. It’s critical to focus on this right now. What was the environment? How well did company management prepare the accounting staff to be able to operate in this new environment? That will be key in risk assessment to understanding where the holes may be to aid in the auditor’s risk assessment process.

In circumstances where the entity has been essentially inactive for the latter part of the fiscal year, it would be important for auditors to focus on the financial statement close process and the journal entries — those types of activities that would still need to be implemented and performed without respect to the level of business activity. But certainly if you’ve got a business where the transactions are few and far between, from a financial statement materiality perspective, the processing of those few transactions may not be extremely critical to the year in total.

Internal control: Design and implementation

Questions have come to the AICPA recently asking about how auditors can assess the design effectiveness of controls and determine their implementation in a remote environment. Certainly, auditors can gain an understanding of controls that have purportedly been placed in operation during this period. A common procedure for auditors to use is inquiry to obtain that understanding, and that’s certainly available in this environment. The challenge we may encounter is that in normal times an audit team may go to a client location, sit down, and gain that understanding of internal control all at once by talking through how things work with several people together in a conference room. But clearly with remote work taking place, drawing everybody together and having a discussion may be more difficult. But again, thinking innovatively, there’s no reason that can’t be accomplished using videoconferencing technology. You could still essentially have a virtual meeting to gain that understanding and make those inquiries.

A more difficult aspect of what’s required under GAAS is, once we obtain that understanding of the controls that are designed to operate in this environment, how does the auditor determine whether or not they’ve actually been implemented? Again, in a normal environment, you would be able to utilize some of our traditional procedures like inspecting documents to determine whether an approval had been indicated on an invoice or something of that nature. With social distancing in place, some of those traditional procedures ordinarily conducted at a client site may not be feasible, or at least may be more difficult to perform.

That’s not to say that auditors can’t think creatively about how to determine whether controls have been placed in operation. Utilizing technology such as video, similar to what we might use to observe inventory, certainly may work for observing certain controls. For example, an auditor can ask a client employee to enter some passwords to access the accounting system. Using a video feed, the auditor can observe whether those passwords were successful or locked the employee out.

Another aspect is that the controls that may be in place at a client location with a remote workforce are going to be operated largely in the accounting staff’s homes. The auditor is not going to encounter a department sitting in one location going through their processes and daily functions, going to the file cabinets or that sort of thing, so the opportunities for the auditor to observe the general operations of an accounting department are going to be more limited.

Just thinking creatively about how we determine that controls have been placed in operation will be key. Our audit standards are very clear that a single inquiry or inquiry alone is not sufficient and does not constitute sufficient appropriate audit evidence for the auditor’s intended purposes.

Inspection of documents

Inspection is another commonly used tool for either determining that control had been implemented or testing controls. Inspection usually involves looking at an original or source document where the execution or performance of control is evidenced by something you can see.

In the current environment, an auditor might either “look” at an original document via a video feed originating from the client location or “look” at scanned images of original documents. When looking at scanned images of original documents, the auditor needs to be able to document how they were able to get comfortable that the scanned image was a true replication of the original document.

For example, if a client goes to their office at the auditor’s request to scan original invoices or documents, the auditor can use video transmission technology to enable the auditor to observe the client employee scanning those documents to send them to the auditor and to make sure the documents were not altered before being sent through those electronic means. If the client is sending the auditor documents electronically for auditor inspection, a healthy dose of professional skepticism is required.

This environment may give rise to challenges, and it may result in new risks of material misstatement being identified when we’re looking at controls. The environment may create a different nature of risks of which we need to be aware. As a result, understanding the controls that the client has put in place to mitigate those risks is important in designing further audit procedures.

Lastly, don’t forget about our responsibility as auditors to communicate significant deficiencies or material weaknesses in internal control to management and those charged with governance.

For resources on audit and accounting during the pandemic, visit the AICPA’s Coronavirus (COVID-19) Audit and Accounting Resources page.

For more news and reporting on the coronavirus and how CPAs can handle challenges related to the pandemic, visit the JofA’s coronavirus resources page.

— Bob Dohrer, CPA, CGMA, is the AICPA’s chief auditor. Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.