Audit Journal testing has become a consistent theme year after year within the FRC inspection reports. And 2022 was no different. But this time around only 2 of the 7 firms were found wanting in this area.
The findings from these firms covered the end-to-end audit approach expected to test journal entries. So, what can smaller firms learn?
The use of data analytics and technology to support journal entry testing is now incredibly common. In truth, it would be incredibly challenging to perform compliant journal entry testing without these advanced techniques. But these automated tools and techniques are only as good as the data auditors are using.
First and foremost, to perform effective testing for management override of control you need a complete list of all transactions. Not just the “manual journals”, but every transaction within the general ledger system. And you need to ensure the listing is complete. This is usually performed through a trial balance reconstruction – i.e. taking the opening trial balance, adding all the transactions in the population to it, and comparing this to the closing trial balance. Ensure you are performing critical completeness testing before you do anything with the data.
An often-overlooked element of data integrity is the risk surrounding information produced by the entity. This includes the risk of tampering, for example a client deleting or modifying data before sharing it with the auditor. Clients are getting more familiar with the kind of data analytics routines auditors perform, so auditors must give this risk greater focus – particularly when data is being extracted through system reports into .csv or Excel formats.
There are many ways to address this risk, from the more primitive approach of watching the client run system reports and email them unmodified, to performing attribute tests from the system to the listing. But this is where investing in data extraction technologies can really help, as such technologies can often eliminate the risks associated with information prepared by the entity completely without the need for manual testing. Don’t forget to consider information produced by the entity and how to address the risk of manipulation.
Most commonly, auditors apply risk criteria of some description to the journals population to identify the transactions to be tested. Ensuring the risk criteria applied is well considered and documented is a key part of writing up the journals testing performed.
The first step in testing unusual journal entries is often discussion with management. Explanations given need to be corroborated, and tested to supporting documentation. Having a discussion and concluding journals pose no risk is not an adequate response to the risks in this area.
Where journals demonstrate the defined risk criteria but are not tested, this requires auditors to document robust justification. Focus on closing out your journal entry testing with clear testing and justification, don’t flag a list of risky transactions and fail to adequately address them.
There are some clear takeaways for audit journal testing from the FRC’s latest audit inspection results. This is an area where the benefits of technology are clear. All firms should be improving methodologies and investing in more advanced automated tools and techniques to address the risk of fraud and management override of control.
To support improving journals testing across your firm, or on your next audit, you can download our free 2022 FRC audit inspection results guide. The guide includes handy quick reference cheat-sheets, such as the 6 journal testing tips below, extracted from the FRC’s latest inspection reports.