Three Audit Readiness Hot Topics to Address Now
As the end of the financial reporting year approaches, external auditors are finalizing their risk assessments and determining which financial statement accounts and processes will garner the most attention. In turn, companies are preparing to respond to numerous requests to facilitate the timely completion of a successful audit.
“When CFOs and Controllers are asked about expectations for a successful audit, the most frequent response is ‘limit surprises’,” says one assurance senior manager at a Big Four audit firm. Frequently, the best path to achieving an efficient audit is to proactively evaluate and address potential audit issues before they become issues at all.
Below, Riveron explores some of the most significant emerging audit issues that represent time-saving opportunities if addressed prior to the year-end reporting period.
#1: Critical Accounting Estimates and Judgments
Auditors always assess critical accounting estimates and judgments as an area of “higher risk.” Specifically, auditors will focus on evaluating the significant assumptions used in developing such estimates. Examples of critical accounting estimates range from straightforward items, such as the allowance for doubtful accounts, to more complex items, such as the valuation of assets and liabilities as a result of business combinations, estimates used within goodwill impairment analyses, and deferred tax asset valuation allowances.
To adequately prepare, companies should compile an inventory of significant estimates incorporated into the financial statements. When creating this list, the following are some important reminders:
- The fact that an estimate appears to be immaterial does not mean that it will be out of scope for the audit; there is always the possibility of understatement.
- Estimates are not limited to financial statement line items themselves but can also be inputs into accounting calculations.
- Do not assume the list of significant estimates is consistent with prior periods.
- The most complex estimates tend to be those that result from new transactions or business combinations, those that are particularly sensitive to changes in an input, and those where management’s historical estimations have varied from actual results.
Once management has compiled all of the significant estimates, the key inputs and assumptions made for each should be identified. Ensure that the rationale for each assumption is clearly documented, including identifying any support used, such as publicly available competitor or industry data, third-party studies, or audited historical financial results.
#2: Accuracy and Completeness of Data
Reliance on sophisticated enterprise resource planning (ERP) software to automate and inform the finance and accounting processes continues to increase. Additional dependence on ERP functionality means additional scrutiny by external auditors around the accuracy and completeness of this data.
Compiling a listing of key reports that impact the financial statements is a critical step in preparing. “Oftentimes, the biggest hurdle is simply identifying a full list of reports that are relied on,” notes a Big Four senior manager. “A key report is one that the company uses to execute relevant controls or one that we use in our substantive testing procedures.”
The level of reliance that management can place on each report varies depending on the controls in place, the source of the data, and the report type. In other words, just because a report is system generated does not necessarily mean that no further steps are needed to validate the data. Consider the following:
- If reports are customized (i.e., not “canned” or “standard” reports), change management controls should be in place to validate that the report structure has not been altered.
- If proper change management controls are in place, but users need to input report parameters (e.g., date ranges, account numbers) to generate the appropriate system output, these parameters should be reviewed every time the report is extracted and relied upon.
- If the report is editable (e.g., an Excel document), controls should be in place to ensure the completeness and accuracy of the data in the spreadsheet, such as secondary review or agreement of the amounts to the system.
Finally, remember that even in more manual environments, controls should be in place to review spreadsheets to ensure the completeness and accuracy of the data inputs, the formulas, and any assumptions built into the calculations.
#3: Reliance on Third-Party Service Providers
Increasingly, companies are engaging third-party service providers to perform tasks that directly impact the financial statements, including processing transactions, storing and managing customer information, and providing software as a service. Management is responsible for ensuring that the service provider is dependable and that its systems have appropriate controls and safeguards in place.
To assist management in gaining comfort over the controls of the service provider, many service providers will provide a Service Organization Control (SOC) report, which is based on compliance standards set by the AICPA. However, the company’s responsibility does not end with obtaining such a report. External auditors will want to understand the following:
- What data was provided to the service provider and how did management verify the accuracy and completeness of this data?
- Did management review the SOC report and address any identified control deficiencies?
- Did management address the items that the SOC report highlights as the company’s responsibility (typically referred to as “user controls”)?
- Did management address any areas that were explicitly excluded from the scope of the SOC report?
- If management did not receive a SOC report, did they perform procedures to independently validate the service provider’s output and results?
In addition to proactively addressing auditor requests, constructing a clear profile of all third-party partners and the potential risks they pose provides a secondary benefit of risk management. As these providers often have access to a company’s data and internal systems, establishing effective governance and review structures will allow a company to manage fraud and cybersecurity risks that could impact a company’s reputation.
Companies that proactively focus on these areas will experience increased audit efficiency, improved quality of financial information and clarity into the financial reporting processes. Additionally, public companies will find that they are better prepared for the audit report of the future, which will require a discussion of critical audit matters in either 2019 or 2020, depending on their filer status. Finally, companies should consider addressing these topics with the audit committee, specifically highlighting the most judgmental and data-driven estimates, as they are often the most impactful to an evolving financial reporting oversight process.