Get more from the walkthrough process. Training providers share their top recommendations with Helen Pierpoint.
A well-performed walkthrough can cement the risk-based foundations of a high-quality audit – but what is a walkthrough, and what does a good one look like?
Even the most basic walkthrough, effectively performed, can deliver benefits and this article shares practical tips from training providers to assist auditors to maximise the value and effectiveness of their walkthroughs.
What do the ISAs say?
Given the wide variation in control environments across audited entities, confusion regarding walkthroughs is hardly surprising. ISAs and, in particular, the risk assessment standard ISA 315, refer to walkthroughs in the context of:
- changes to the system from previous years (ISA 315, A41);
- understanding the information system (ISA 315, A136); and
- understanding management’s process for developing an estimate (ISA 540, A20).
Most practitioners also understand a walkthrough to mean a technique enabling them to fulfil the requirement to evaluate the design and implementation (D&I) of relevant controls in the control activities component (ISA 315 para 26).
Many practitioners have concerns about this, because they believe that this walkthrough work is of questionable value where controls are weak and cannot be tested.
This is an ongoing debate. An International Auditing and Assurance Standards Board (IAASB) project to update ISA 330 (The Auditor’s Responses to Assessed Risks) is looking at internal controls and there will be an opportunity to comment on this issue – again – when amendments are exposed.
Understanding controls
For now, the requirement to evaluate D&I remains. How this work can be best performed to provide some value to the audit – even where a largely substantive audit approach is taken – is a consideration for many auditors.
In an audit of a smaller and less complex entity, auditors may not plan to rely on the operating effectiveness of controls. Para 26 of ISA 315 requires auditors to perform D&I work on:
- controls addressing any significant risks;
- controls to be tested;
- controls over journal entries; and
- ‘other’ controls to address risk at the assertion level, based on judgement.
If auditors do not identify any significant risks, do not intend to test controls, and there are no ‘other’ controls, the only area where D&I work is always needed is controls over journal entries. In practice, there are almost always significant risks, such as the presumed risk of material misstatement in revenue recognition – unless the presumption has been rebutted.
If auditors do not plan to test the operating effectiveness of controls, the control risk assessment – which must be performed under ISA 330 – is such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk (ISA 315 para 34).
What does an effective walkthrough look like?
We spoke to training providers, who offered their tips on how to maximise the value of your walkthrough.
1. Perform walkthroughs before period-end and not just in the first days of fieldwork
If you defer walkthroughs to the fieldwork stage, you are not evaluating controls as they operate during the period under audit and you will have left it too late to understand the entity and design better, more tailored responses to assessed risk.
2. Speak to and observe your client
Emailing a generic checklist may not get results, and inquiry alone cannot provide sufficient evidence on the D&I of controls (ISA 315, A177). Conversations while observing live processes can provide specific and up-to-date information and get you thinking about more probing questions regarding ‘what’, ‘when’, ‘how’ and ‘what could go wrong’. Doing this face to face where possible offers additional insight into organisational culture and can be a solid indicator of the strength of the control environment.
3. Do not underestimate the power of a flowchart or map
A well-documented process flowchart enlivened by annotated screenshots can often provide a clearer depiction of the information journey than reams of hard-to-follow system notes.
4. Don’t rely on last year’s notes
A lot can change in a year including technologies, staff members, and even controls themselves. Your walkthrough documentation should reflect how controls operate during the period you are auditing. Approach each audit with a fresh perspective. It is important to bear in mind that management and staff may not always remember that controls have changed.
5. Focus your walkthroughs on controls relevant to financial reporting
Too much work is often performed on operational controls that have little to do with financial reporting. The only controls you need to cover are those designed to prevent, detect and correct material misstatements.
6. Think like a fraudster
Ask yourself: how would I commit a fraud at this company? This can get you thinking about the potential system gaps that bad actors could exploit. This can then be flipped into a question for the client which gets to the bottom of the controls that are there to fill those gaps. Also remember to consider journals posted throughout the year and not just at the period-end. If you had malicious intent, which period would be most and least likely to attract auditor attention?
Once you’ve documented your system notes, don’t be afraid to send them to the audited entity to confirm your understanding.
What are the benefits of a walkthrough?
Remember that walkthroughs are not merely an exercise in ISA compliance. Nor are they ‘tests’. Even at its most basic, an effectively performed walkthrough can deliver benefits:
- It provides valuable insights into an entity’s processes and data flows, even if auditors do not plan to test the operating effectiveness of controls. This allows for a much more tailored audit response and can even identify areas where testing can be more efficient.
- It establishes strong foundations for the testing strategy, providing greater confidence in sample sizes, approach to substantive analytical procedures and the evaluation of misstatements.
- It enhances audited entity engagement. An auditor who can demonstrate a deep understanding of a business is more likely to foster a more constructive working relationship (ISA 260, para 4) with the audited entity.
They also have benefits beyond the insights they provide into how an entity’s systems and controls operate. They may pave the way for potential testing of operating effectiveness of controls and therefore reduced substantive testing if it can be justified – via an evidenced walkthrough – that the relevant controls are designed and implemented appropriately. They may lead to more streamlined group audit procedures where a walkthrough performed at each entity provides evidence that the group has a common system of control.
Walkthroughs are a valuable tool that can provide insights into an entity’s processes, establish strong foundations for testing strategies, and enhance audited entity engagement.
Helen Pierpoint, Technical Manager, Audit and Assurance Faculty, ICAEW.
With thanks to Peter Herbert, Rhodri Whitlock and Stephanie Henshaw for their insights.