30 May 2023

So we have a typical small not for profit: poor division of duties, no real controls apart from two signatories for payments, a review of financial results at irregular board meetings, and the annual Performance Report prepared by external accountants.

We know we are not relying on controls for our audit work, but that pesky ISA 315 tells us that we still have to document controls, such as they are. We must – according to paragraph 25 – obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial statements, including:

  • how information flows through the entity’s information system, including how transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated in the general ledger and reported in the financial statements;
  • how information about events and conditions, other than transactions, is captured, processed and disclosed in the financial statements; and
  • how the entity communicates significant matters that support the preparation of the financial statements and related reporting responsibilities in the information system and other components of the system of internal control,

so that we may evaluate whether the entity’s information system and communication appropriately support the preparation of the entity’s financial statements.

How do we obtain this information? Para A136 tells us we can do so in various ways, which may include:

  • enquiries of relevant personnel about the procedures used to initiate, record, process and report transactions or about the entity’s financial reporting process;
  • inspection of policy or process manuals or other documentation of the entity’s information system;
  • observation of the performance of the policies or procedures by the entity’s personnel; or
  • selecting transactions and tracing them through the applicable process in the information system (i.e., performing a walk-through).

Optional or required?

So does this mean that walk-through tests are one option among many? Yes and no. We are required to document the identified controls that are relevant to inherent risks that we have identified. Paragraph A125 states that we must “evaluate the design and determine whether the controls have been implemented.” Here is the catch. How can we assess whether the controls have been implemented unless we perform some sort of walk-through test?

The client may complete our internal controls checklist, send us their procedures manual, and tell us sweet stories, but as we all know, what they say they do or think they do may not be what they actually do. These procedures may have existed at some point in the past, but internal controls, like most systems, are subject to entropy over time.

Part of our work is therefore to look for changes. Paragraph A41 states that we are required to determine whether information obtained from our previous experience with the entity and from audit procedures performed in previous audits remains relevant and reliable. If circumstances have changed, information from prior periods may no longer be relevant or reliable. The standard suggests that enquiries and other appropriate audit procedures, such as walk-throughs of relevant systems, should be carried out.

What form can a walk-through take?

We document the system at a level appropriate to the entity, especially noting the controls. Then we check to see if the system as described is actually what they do. For instance, journals must always be given close attention. How are they initiated? Who can create journals? Who approves them? What reviews are carried out? What other means are there of making adjustments to the ledger – editing transactions, say?

In this case, we would document the process, then follow one journal through from initiation to ledger, ensuring that all levels of approval and checking have in fact been followed and there is evidence of this.

This is different to a test of controls, which would be spread across the period. The walk-through does not give us reliance that the controls are effective, just that we have documented them correctly. In a simple small entity, we could add this walk-through test as a narrative comment. In a more complex entity, it would make sense to create a diagram and then perhaps a spreadsheet following the transaction through the key steps and controls.

You may wish to carry out the walk-through while someone explains the system and you document it. For instance, you are visiting the client (a sports club, say) and you ask them: show me the process for recording a bar sale. Using your phone camera, you could record how a sale is initiated, how it is recorded and batched, banked, and reconciled back to the bank details in their software, and the checks and approvals required at each step. Then you could use the photos to build a visual record of how the revenue system works, with suitable narration and assessment, and attach that to your systems documentation page.

As part of going through the system with a staff member, remember to be curious and ask things like: What if the bar staff are away? Who does this approval when the manager is on holiday? Do those security cameras actually work? Why is the till left open? What is done when a transaction includes more than one revenue type?

Conclusion

ISA 315 (revised 2019) focuses first on inherent risk. However, control risk is also important, especially when it relates to journals and IT systems. These must be documented at an appropriate level for the entity whether we intend to rely on the controls or not. And describing controls is not enough – we must have confidence that we are describing what actually happens. In my view, walk-through tests are the only real way to achieve this, and many audit files are lacking this important element.