What is the purpose of audit planning if the audit may not ultimately follow the carefully thought out plan? As may be inferred from Dwight D. Eisenhowers words—"Plans are worthless, but planning is everything"—the value of audit planning is not derived solely from the resulting audit plan. Often overlooked, the real benefit of audit planning is gained from the process itself. In painstakingly documenting endless client details, auditors achieve more than just compliance with professional standards—they also develop more efficient engagements and help reduce professional liability risk.
Consider the importance of planning in this claim scenario:
The senior on a CPA firms largest audit engagement received a request from the clients CFO for a copy of "any communications the firm has sent relating to internal-control-related matters identified during the current- and prior-year audits and copies of internal control documentation completed by the firm." Operating under the assumption that the client was finally going to address its many pesky control deficiencies, the senior happily sent an email with the requested documents.
A short time later the firm received notification of a lawsuit from the client. The complaint asserted that the audit firm had failed to detect an embezzlement scheme perpetrated by the accounts payable clerk. It further indicated that the firms failure to detect a breakdown in internal controls allowed for the payment of fictitious vendor invoices.
The firms legal counsel hired an expert to review each years engagement workpapers. One hopeful yet disturbing issue arose: The firm had informed the client of a significant deficiency in internal controls in its prior-year management letter. Had the deficiency been corrected, the embezzlement scheme likely would have been discovered. The disturbing point—the significant deficiency was not mentioned in current-year engagement planning documentation, neither in risk assessment nor in the design of planned audit procedures. It appeared as though the prior-year documentation had simply been copied to the current-year file with updated completion dates. No additional audit procedures addressed the issue, and the scheme continued for an additional six months beyond issuance of the current-year audit report.
As exemplified above, use of the "same as last year" (SALY) mentality can be a major pitfall in audit planning. SALY disregards the advantages of the planning thought process, focusing instead on getting the job done quickly. Many planning pitfalls, including relying too heavily on checklists or compartmentalizing each step of the audit, result from trying to save time in the present without consideration of the rest of the engagement. Conversely, an engagement that is effectively planned could eliminate over- or under-testing, lead to more relevant documentation, and help reduce the likelihood of audit failure or a potential professional liability claim, saving time in the long run.
AUDIT PLANNING STANDARDS AND RISK MANAGEMENT
Audit planning is not a simple process. It involves consideration of client industry and regulatory factors, client operations and administration, availability and assignment of firm resources, engagement timing, and much more. Fortunately, the hard work of proper planning may not only enable more efficient audit execution, but it also provides auditors with important risk management techniques. Complying with all applicable professional standards when delivering services helps reduce professional liability risk. Consider the professional liability lessons that can be gleaned from these particular sections of the AICPA Statements on Auditing Standards:
- Timing (AU-C §§300.02 and 300.A2): Planning can easily be misconstrued as a discrete phase of an audit, taking place only when scheduled. Instead, it should be viewed as a continuous process that begins upon completion of the prior audit and ends with completion of the current engagement. The information learned during planning should be applied throughout the engagement to achieve appropriate conclusions. In our scenario, planning for the current engagement should have started with the control deficiency identified in the prior audit and addressed the issue throughout the audit process.
- Risk assessment (AU-C §315): Gaining an understanding of the client and its environment presents an opportunity for the auditor to view the clients business and the engagement from a perspective other than the debits and credits underlying the financial statements. A holistic view of the various industry, regulatory, internal, and external factors may allow for linkages that might otherwise be lost in the minutiae of performing the engagement. Identifying areas of greatest risk early in an audit can allow for additional testing or analysis, reducing the likelihood of error that may result in a professional liability claim. As exemplified in the claim scenario, accounts affected by the internal control deficiency should have been deemed high-risk, and testing should have been tailored to address the concern.
- Team composition (AU-C §300.05): Assignment of the engagement team and scheduling of resources may seem like simple logistical issues. Nevertheless, the level of experience on the team, use of experts, and scheduling of who will review and when are all variables that can significantly alter the engagement approach and affect its success. Assigning complex or difficult areas of an audit to the appropriate level of expertise, depth of experience, or extent of review is an important step in reducing the likelihood of an error.
Further, the resources should not be limited solely to the engagement team. Colleagues, peers, professional associations, technical standards, prior-year audits, and other engagements can all provide valuable insight. Utilizing all resources available to the engagement team may develop a more informed audit approach. For example, in the scenario above, the current-year testing of accounts affected by the significant deficiency could have been assigned to a more experienced team member or subjected to additional review.
ADDITIONAL PLANNING CONSIDERATIONS
In addition to the professional liability risk management considerations that can be gleaned from the professional standards, two additional suggestions should be kept in mind.
- Invest the time: Proper planning is an investment in time that is intended to pay dividends in later phases of the engagement. Identifying a potential issue or complex audit area at the start of the planning process could save time later in the audit. That additional effort, while it may seem difficult in the moment, could save time as deadlines approach. Errors are more likely to occur when timing is compressed, causing work to be rushed. If planning can alleviate even a portion of the demand for time during the busiest periods of the year, exponential gains in efficiency and reduction of professional liability risk can be realized.
- Be flexible: Planning is a guide for work to be performed, not a step-by-step instruction manual. Flexibility creates a positive tone that can be established in planning and carried through to issuance. The audit plan and strategy developed at the start of the engagement should be updated and adjusted based upon information gathered throughout the engagement. Maintain a focus on achieving the correct end result, rather than simply finishing the audit. Flexibility also allows the audit plan to be quickly modified when unexpected risks arise, thus reducing professional liability exposure that would exist if adjustments were not made.
Daniel Gartland (email@example.com) is a risk control consultant at CNA.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the authors knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.