This article originally appeared in the September 2017 issue of the Journal of Accountancy. Advice provided in this article has been reviewed and remains current.
What is the purpose of audit planning if the audit may not ultimately follow the carefully thought out plan? As may be inferred from Dwight D. Eisenhower's words—"Plans are worthless, but planning is everything"—the value of audit planning is not derived solely from the resulting audit plan. Often overlooked, the real benefit of audit planning is gained from the process itself. In painstakingly documenting endless client details, auditors achieve more than just compliance with professional standards—they also develop more efficient engagements and help reduce professional liability risk.
Consider the importance of planning in this claim scenario:
The senior on a CPA firm's largest audit engagement received a request from the client's CFO for a copy of "any communications the firm has sent relating to internal-control-related matters identified during the current- and prior-year audits and copies of internal control documentation completed by the firm." Operating under the assumption that the client was finally going to address its many pesky control deficiencies, the senior happily sent an email with the requested documents.
A short time later the firm received notification of a lawsuit from the client. The complaint asserted that the audit firm had failed to detect an embezzlement scheme perpetrated by the accounts payable clerk. It further indicated that the firm's failure to detect a breakdown in internal controls allowed for the payment of fictitious vendor invoices.
The firm's legal counsel hired an expert to review each year's engagement workpapers. One hopeful yet problematic issue arose: The firm had informed the client of a significant deficiency in internal controls in its prior-year management letter. Had the deficiency been corrected, the embezzlement scheme likely would have been discovered. The disturbing point—the significant deficiency was not mentioned in current-year engagement planning documentation, neither in risk assessment nor in the design of planned audit procedures. It appeared as though the prior-year documentation had simply been copied to the current-year file with updated completion dates. No additional audit procedures addressed the issue, and the scheme continued for an additional six months beyond issuance of the current-year audit report.
As exemplified above, use of the "same as last year" (SALY) mentality can be a major pitfall in audit planning. SALY disregards the advantages of the planning thought process, focusing instead on getting the job done quickly. Many planning pitfalls, including relying too heavily on checklists or compartmentalizing each step of the audit, result from trying to save time in the present without consideration of the rest of the engagement. Conversely, an engagement that is effectively planned could eliminate over- or under-testing, lead to more relevant documentation, and help reduce the likelihood of audit failure or a potential professional liability claim, saving time in the long run.
Audit Planning Standards and Risk Management
Audit planning is not a simple process. It involves consideration of client industry and regulatory factors, client operations and administration, availability and assignment of firm resources, engagement timing, and much more. Fortunately, the hard work of proper planning may not only enable more efficient audit execution, but it also provides auditors with important risk management techniques. Complying with all applicable professional standards when delivering services helps reduce professional liability risk. Consider the professional liability lessons that can be gleaned from these particular sections of the AICPA Statements on Auditing Standards:
- Timing (AU-C §§300.02 and 300.A2): Planning can easily be misconstrued as a discrete phase of an audit, taking place only when scheduled. Instead, it should be viewed as a continuous process that begins upon completion of the prior audit and ends with completion of the current engagement. The information learned during planning should be applied throughout the engagement to achieve appropriate conclusions. In our scenario, planning for the current engagement should have started with the control deficiency identified in the prior audit and addressed the issue throughout the audit process.
- Risk assessment (AU-C §315): Gaining an understanding of the client and its environment presents an opportunity for the auditor to view the client's business and the engagement from a perspective other than the debits and credits underlying the financial statements. A holistic view of the various industry, regulatory, internal, and external factors may allow for linkages that might otherwise be lost in the minutiae of performing the engagement. Identifying areas of greatest risk early in an audit can allow for additional testing or analysis, reducing the likelihood of error that may result in a professional liability claim. As exemplified in the claim scenario, accounts affected by the internal control deficiency should have been deemed high-risk, and testing should have been tailored to address the concern.
- Team composition (AU-C §300.05): Assignment of the engagement team and scheduling of resources may seem like simple logistical issues. Nevertheless, the level of experience on the team, use of experts, and scheduling of who will review and when are all variables that can significantly alter the engagement approach and affect its success. Assigning complex or difficult areas of an audit to the appropriate level of expertise, depth of experience, or extent of review is an important step in reducing the likelihood of an error.
Further, the resources should not be limited solely to the engagement team. Colleagues, peers, professional associations, technical standards, prior-year audits, and other engagements can all provide valuable insight. Utilizing all resources available to the engagement team may develop a more informed audit approach. For example, in the scenario above, the current-year testing of accounts affected by the significant deficiency could have been assigned to a more experienced team member or subjected to additional review.
Additional Planning Considerations
In addition to the professional liability risk management considerations that can be gleaned from the professional standards, two additional suggestions should be kept in mind.
For more information about this article, contact firstname.lastname@example.org.
- Invest the time: Proper planning is an investment in time that is intended to pay dividends in later phases of the engagement. Identifying a potential issue or complex audit area at the start of the planning process could save time later in the audit. That additional effort, while it may seem difficult in the moment, could save time as deadlines approach. Errors are more likely to occur when timing is compressed, causing work to be rushed. If planning can alleviate even a portion of the demand for time during the busiest periods of the year, exponential gains in efficiency and reduction of professional liability risk can be realized.
- Be flexible: Planning is a guide for work to be performed, not a step-by-step instruction manual. Flexibility creates a positive tone that can be established in planning and carried through to issuance. The audit plan and strategy developed at the start of the engagement should be updated and adjusted based upon information gathered throughout the engagement. Maintain a focus on achieving the correct end result, rather than simply finishing the audit. Flexibility also allows the audit plan to be quickly modified when unexpected risks arise, thus reducing professional liability exposure that would exist if adjustments were not made.
This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.
Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities.
Copyright © 2021 CNA. All rights reserved