Audit is shaped by the International Standards on Auditing (ISAs). We all know that risk assessment is a fundamental part of an ISA-driven audit approach. When that thorny audit issue of journals testing comes around, however, often risk assessment takes second place to the ‘this is how we always test journals’ approach.
Perhaps you always test the 10 largest journals, those around the year end, and those posted by the Finance Director (FD) on a Saturday. Perhaps there are times when this may be appropriate, but it definitely isn’t always the appropriate thing to do.
This is the first of two articles on journals testing. In it, we will look at the part controls testing plays in journal testing, as we try to navigate a pathway to a more efficient, ISA-compliant approach.
Understanding the entity
Journal entries get more than 40 mentions in the auditing standard on identifying and assessing the risks of material misstatement (ISA 315), with the main emphasis on understanding the controls in place over journal entries. As we know, journals are mainly used for recording non-recurring, unusual transactions or adjustments.
It’s a good idea to try and segregate the journals into these categories if possible.
Reviewing the audit trail for ‘routine’ transactions being posted as journals is a good starting point. For example, if a business is not using the sales ledger module in its accounting system, but instead is posting all its sales via journals, this should be flagged as a risk in the sales audit work and focus applied there, but then those journals could be excluded from any other generic journals testing. What may be unusual for one business is not necessarily unusual for another.
Of course, in this scenario you should also be reviewing the systems notes and the system design and implementation to ensure the business is following the processes you have recorded.
Non-recurring entries will be those one-offs that the accounting system just does not have a routine for. A new operating lease agreement, share capital issue and fixed asset revaluation are all items where a journal will most likely be deployed. Again, these types of transaction will hopefully have already been flagged as part of the risk assessment elsewhere and so these journals will be subject to scrutiny in other audit sections.
The adjustments are, in the main, going to be corrections to the month-end and year-end adjustments. There may well be some automation involved and this may bring along its own set of risk considerations.
Having understood why journals are being posted, we must then move on to understand the controls in place over those journal entries. In most journal systems, there are two main elements to understand: who can post journals and who reviews and/or authorises them. The controls around these elements should be strong and eminently testable.
There is also the issue of whether the journals can be changed once they are posted. I recall a conversation with a client who had changed accounting systems and was bemoaning the fact that he could no longer “just go in and change the figures in a journal entry”. He may not have been happy about this, but I was very relieved.
So, what sort of tests of the operating effectiveness of controls could we undertake? Some examples of reasonably straightforward tests which could give good-quality evidence include:
- testing logins to see who has the journal entry screen available;
- testing the ability to change journals;
- testing that journals have been approved/reviewed in a timely manner and by the appropriate person;
- testing that all journals are accompanied by reasonable and appropriate supporting commentary and/or documentation; and
- testing that automated/recurring journals have been reviewed prior to deployment.
As always, these points all need to be considered in the context of the entity you are auditing. The better you know your client, the more able you will be to apply judgement and scepticism to identify unusual journals.
For less complex entities, there may be no controls over the segregation of duties and so a more substantive approach might be needed (and we will explore this route in the next article on journals testing). Where there is some oversight by the board, however, there may still be a control that can be tested and relied upon by the auditor.
Management override of controls
Journals are possibly the most vulnerable area for management override of controls. It may be quite difficult to change the pricing in the sales module or bypass the inventory controls in the warehouse, but having the authority to post a journal and manipulate the financial statements is potentially much easier.
This is why the fraud standard ISA 240 mandates procedures in this area. The specific requirements in paragraph 33 include the following
- making inquiries of individuals about inappropriate or unusual activity relating to processing journals (ISA (UK) 240 notes that these should be individuals with different levels of responsibility);
- selecting journal entries made at the end of the reporting period (and ISA (UK) 240 goes further by including post-closing entries); and
- considering the need to test journal entries throughout the period.
Let’s look at these individually...
- Making inquiries could be seen as part of the ‘understanding the entity’ requirement, but this would be incorrect. The inquiries must not just be high-level ‘in principle’ discussions with management, but practical inquiries of all the key people involved in the process. What actually happens? Does the FD ask the finance assistant to let them post a quick entry using their login? Does the financial controller just sign off any journals in a hurry without really checking? This needs to be a robust discussion with everyone involved to see what happens in real life – and then the risk is assessed, based on the findings.
- Selecting the cut-off journals for testing is of course something where we all know there could be issues, but it is astonishing how often auditors miss this. We must ensure that year-end adjustments are appropriate. The additional requirement in ISA (UK) 240 to look at post-closing entries is also very sensible, as history has shown a number of fraudulent entries that have been reversed in the post-closure period. Auditors must be sure to look for unusual entries in the post-balance sheet period as well.
- The final point is the vaguest, with the word ‘consider’ implying there is a choice of whether to do this testing or not. While grammatically that is correct, in reality an audit file with only cut-off journals being tested is unlikely to pass a quality review, unless there is some solid explanation as to why no entries were tested.
The amount you do, of course, comes back to risk assessment and too much can be as bad as too little, so we’ll consider this further in the second article in this series.
Again, if you are auditing a less complex entity you might feel that there is less risk and therefore less testing required. While this scalability is certainly true of the testing throughout the period, the inquiries and cut-off work will always be required regardless of size.
Is controls testing an option?
Overall, for all audits there is clearly the potential for controls testing in the area of journals. As well as giving audit assurance (or raising concerns) it can provide valuable feedback to those charged with governance and might even have the added advantage of reducing your substantive sample sizes depending on your audit methodology. It is certainly worth thinking about.
About the author
Andrew Paul, Audit Software and Technical Manager, Baker Tilly International
Audit & Beyond
This article was first featured in the September 2022 edition of Audit & Beyond.