My firm uses third-party audit software. About 18 months ago, we found that the sample size calculator started producing very large sample sizes, particularly for testing revenue. The providers of the software told us this is necessary because the FRC required much larger sample sizes. Is that correct?
This sort of question has been very common over the past six months and there is a lot for me to unpack as I try to answer it.
First, it is true that the Financial Reporting Council (FRC) has made it known, during inspections, that sample sizes should not be subject to a nominal cap. Some service providers, supplying audit methodologies, have responded to this, which has led to changes in certain proprietary sampling methodologies.
However, this does not necessarily result in the very significant increases in sample sizes that are being reported by some auditors.
When I first came across this issue, I immediately noticed that it was revenue testing where the sample sizes were being identified as being ‘too large’ by auditors. On closer inspection, it seems that auditors were often determining inherent risk in revenue as very high and this determination was driving up the sample size.
When I asked these auditors what the actual inherent risks were, many simply responded that it was the ISA 240 presumption of a significant risk of fraud in revenue and nothing more specific than that. When I asked why the presumption was not rebutted, their responses led on to the following question.
Based on all of this, it seems to me that although there have been changes in audit methodologies, these are not necessarily always responsible for driving up sample sizes. But these changes to audit methodologies are shining a spotlight on some incorrect assessments of inherent risk.
I understood that the presumption of fraud in revenue could only be rebutted in exceptional circumstances and that the risk of fraud in revenue is always a significant risk. Is this correct?
Quite simply, no. This is a surprisingly misunderstood area. In part, this misunderstanding is driven by the (as good as) universal recognition that it is remarkably common for fraudsters to manipulate revenue to produce misleading financial statements. Redcentric and Patisserie Valerie are two notable recent examples of this, but there are many, many more.
The intention of the standard setters, when producing ISA 240’s rebuttable presumption of a significant risk of fraud in revenue, was to ensure that auditors adequately focused on what is a high-risk area.
This is not to say that the risk of fraud in revenue exists in every audit, but that it must be specifically considered in every audit. In particular, there is a requirement to document why the auditor considers that the presumption should be rebutted. In other words, the fraud risk in revenue is a risk that must be documented, even in its absence.
More crucially, auditors need to consider the nature of the fraud risk, so that the audit work can be properly targeted. It is most common for the fraud risk to exist in year-end cut-off and not elsewhere. This means that the auditors’ revenue transaction testing might be responding to fairly low risk and consequently a smaller sample size might be adequate, whereas the audit work on cut-off will often need to be more robust to address the greater risk.
Nonetheless, it’s important to recognise that fraud risk might also exist as a consequence of inappropriate journals posted to revenue (not necessarily just posted at the year-end), and therefore auditors need to consider whether their work on journals testing adequately addresses the risk.
If the most common area of fraud risk in revenue is the year-end cut-off, how should auditors be addressing this risk?
When auditing revenue cut-off, increasing sample sizes to address a significant risk of fraud is rarely the complete response to the issue.
Obviously, testing the last five sales of the year, and the first sales of the next year, will often be inadequate. Remember that the auditor is trying to detect fraud and only a remarkably uninformed fraudster would not design their fraud well enough to avoid such an unsophisticated testing approach.
To detect fraud, the auditor needs to think like a fraudster and consider, for example, how cut-off might be manipulated. This could involve:
- looking at transactions from weeks and months both before and after the year-end;
- being appropriately sceptical and challenging of explanations and documents inspected; and
- seeking third-party confirmations, where necessary.
Another point to consider is whether the auditor has concluded that the risk of fraud relates to potential overstatement or understatement of revenue, based on management’s incentive. If it is the former, then there needs to be more of a focus on revenue transactions before the year-end to establish that they are valid (and credit notes applied after the year-end). If it is the latter, there needs to be greater focus on revenue transactions after the year-end to establish whether they should have been recorded pre-year-end.
Also, auditors need to introduce some unpredictability into their testing – a requirement under ISA 240 – so that individuals within the audit entity who are familiar with previous audit engagements are less able to conceal fraudulent financial reporting.
This unpredictability could be achieved by, for example:
- talking to a range of people in finance and operations at the audit entity, not the same people each year;
- varying the questions and the people asking them;
- performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk;
- adjusting the timing of audit procedures from that otherwise expected;
- using different sampling methods;
- performing audit procedures at different locations or at locations on an unannounced basis.
If auditors always use the same approach, fraudsters can learn to work round that.
Improving audit of revenue
The audit of revenue is often mentioned by the Financial Reporting Council and by ICAEW’s Quality Assurance Department as an area where improvements are needed, based on their audit quality review findings. So, auditors may be able to improve their audit of revenue by considering some of the most common shortcomings in this key area.
Examples of opportunities for improvement include:
- Not always testing all material income streams. There are various possible reasons for this. The audit team may not have identified a new income stream at the planning stage and so planned to carry out the same tests as the previous year. Or, they may have tested the most significant income streams, leaving a smaller but nevertheless material one untested.
- Shortcomings when using substantive analytical procedures. They can provide very persuasive evidence if done well, but firms do not always apply sufficient rigour or work through all the required steps. Sometimes expectations are set that are not precise enough in light of the materiality level and sometimes reviewers find flaws in the logic applied in setting expectations.
- Not always testing the completeness assertion when appropriate. This may be because a firm did not carry out a planned test in the way it was designed or because the design was flawed, for example because it tested back from the accounting records rather than forwards from outside the accounting system.
There is a faculty webinar on auditing revenue that firms may find helpful. It covers:
- the ‘rebuttable presumption’ and what it means in practice;
- which revenue streams to look at and how much evidence to gather;
- directional testing – common tips and traps;
- how effective analytical review and controls work reduces legwork on substantive testing;
- the role of professional scepticism in the audit of revenue; and
- effective documentation – what to put on and leave off the audit file.
Questions asked by auditors during this webinar are answered in an Audit & Beyond article.
About the author
John Selwood, freelance lecturer and writer
Audit & Beyond
This article was first featured in the December 2022/January 2023 edition of Audit & Beyond.