Journals testing continues to be one of the areas where audit quality reviewers and regulators raise concerns over the audit work carried out by firms.
In my last article, I focused on the controls aspects of journals testing. In this article, the focus moves to substantive audit work and how we can efficiently and effectively meet the requirements of the International Standards on Auditing (ISAs), by looking at real-world experiences.
When should we test journals?
One of the most frequent questions asked on audit training courses, when journals are mentioned, is: “How many journals should I be looking at?” The easy answers of course are: “It depends on your audit methodology” or “It depends on your risk assessment.”
Both answers may be true. Neither is overly helpful if you are a hard-pressed audit senior, on a Friday afternoon, trying to get the file completed and ready for manager review.
But maybe therein lies the problem. Should journals testing be one of those areas left until the end? I would argue not. Journals are the heartbeat of the financial reporting process for many entities. They are where the senior finance people make all the adjustments and craft the final look of the financial statements. So why leave looking at them until late in the day?
The old joke is that we do bank and cash on a Monday morning “because it gives a good overview of the whole process” (not just because it is an easy place to start). If this is the case, then I would argue that hot on the heels of bank and cash should come journals, as they also give a great insight into where adjustments are being made and where other audit work may need to be focused.
Often you will see a comment on the audit file that journals have been reviewed as part of another audit section, but I would suggest it makes more sense to start with the journals to drive focus towards other sections.
What testing should we be doing?
ISA 240, both in the UK and internationally, is extremely clear that journals testing is mandatory irrespective of the risks of management override of controls.
Specifically, the auditor is required to:
- make inquiries about inappropriate or unusual activity relating to processing of journal entries;
- select journals made at the end of a reporting period; and
- consider the need to test journal entries throughout the period.
The ISA requirements manage to be both prescriptive and vague, with the use of “unusual” and “consider” giving lots of scope, but a very specific mandate to look at cut-off journals.
As with all risk-based audit work, it is important to document why you do not do something, as well as documenting what you actually do. If you decide that there are no risks driving you to make inquiries or perform other testing, it should be noted on the audit file how you arrived at that conclusion.
How many items should we test?
The Financial Reporting Council’s (FRC’s) report into the audits of Patisserie Valerie gives a great example of the problem here. The auditor is criticised for testing insufficient cut-off journals, but also for testing an “excessively large” sample of other journals that were not tested effectively. Clearly, getting journal samples right is not a simple task.
The auditors did, however, break journals down into disaggregated groups for testing. Key groups would include:
- cut-off journals and their reversals (month-end and year-end);
- large journals (over and above a set level);
- unusual journals (with entries to unexpected nominal codes);
- journals posted by senior management (when this is out of the ordinary); and
- journals posted at unexpected times (evenings, weekends, bank holidays, and so on).
Clearly some of these categories may overlap, but the above categories should still be considered in selecting the journals for testing. If a journal is picked up twice under two different headings, of course it need only actually be tested once.
The key is focus. There is little to be gained from randomly picking journals in the hope of happening upon something. Use your understanding of the entity, the personnel, the systems and controls to select the risky journals and test them. If there are fewer risky journals, so be it.
Journals is not an area where being wedded to a set sample size is going to be helpful. Use your audit judgement and scepticism and pick a sample appropriately. As the FRC report demonstrates, too many with a loss of focus is as bad as too few.
What about the role of software?
These sample selections can be facilitated by using automated software tools such as Inflo, MindBridge, CaseWare IDEA, TeamMate Analytics or other proprietary software. But if you are using these tools, there are two key questions you must consider:
- Has all the raw data been included? Most packages will run data integrity checks such as rebuilding a trial balance to ensure that you are selecting from a full data set; and
- What are the selection criteria in the software? The audit team must understand how the software is selecting the journals to test. It will not be sufficient to record: “We tested what the software told us to.” There should be a report on the audit file explaining the selection criteria used and the risk scoring applied to the population.
An often-heard comment is that Microsoft Excel could be used to perform such analysis and selection of journals for testing, through sorting and filtering functionality. While this is true, the larger the data set and more complex the business, the more difficult it will be to use a simple spreadsheet solution. For small simple data sets, however, the spreadsheet can be an effective option.
What supporting evidence should we obtain?
Having set our selection criteria and generated our sample to test, what evidence should we obtain to support the journals which have been posted?
The answer will, of course, depend on the journal being posted. As we discussed in my earlier article on controls, there should be procedures to approve journals and – as a minimum – you should be looking for evidence of review of the journals posted.
For the month-end or year-end accruals, prepayment and depreciation journals, suitable supporting working papers should be available, or a proof in total analytical procedure might be appropriate.
For the more complex journals, vouching back to the detailed supporting calculations for an impairment provision or bonus is a must. But this then brings me back to my earlier point – journals are never posted in isolation. They will be posted to increase or decrease numbers across the financial statements so, to be efficient, combine the review of the journals with the testing in that audit area, to give holistic evidence rather than piecemeal testing in several sections of the file, which could mean you risk missing the big picture.
What about the big picture?
This is where the revised ISA 315 stand-back procedures come into play. Make sure someone is taking that step back and looking at the interactions of journals across the whole audit file. As we saw with the Patisserie Valerie case, it is too easy to get lost and not see the wood for the trees.
About the author
Andrew Paul, Audit Software and Technical Manager, Baker Tilly International
Audit & Beyond
This article was first featured in the October 2022 edition of Audit & Beyond.