Do I Have to Do a Walkthrough Every Year?
No.
Okay, a cheeky response, but I couldn’t resist. Now let’s get down to business.
As it turns out, the question about walkthroughs is one of the most frequently asked questions about the risk assessment standards. Just the other day, I got this email from my friend Russ Madray, who does a lot of instructing.
You’ve probably received this question a thousand times, but I thought I
would go to “the source” and get your thoughts. Here it is: Do you have to
perform walkthroughs on every audit as part of your risk assessment
procedures related to internal control? If the answer is “no” (which I
think it is), what alternative procedures would be “acceptable,” since
inquiry alone would not be sufficient.
I know this is a simple question, but I get it a lot. How do you answer it?
Russ is right. There’s nothing in the standards that requires auditors to perform walkthroughs, either in the first year of implementation or in subsequent years. That’s the easy part. His follow-up, “what procedures would be appropriate?”, takes a bit more thought.
To answer that question, you need to put it in the proper context, and you do that by working through a sequential process. The two keys are:
It’s a sequential process, and you need to build from step to step.
You can’t assume that the controls continue to be implemented the same as in the prior year.
Make your determination about the procedures you want to perform on an assertion-by-assertion basis. For some assertions you may want to do walkthroughs of related controls; for other assertions, you may determine that other procedures achieve the same audit objective. The key is that if you decide to do walkthroughs, you don’t have to do them for everything.
Here’s the process that I work through.
1. Identify changes in the entity and its environment (not including internal control).
2. Evaluate those changes and assess inherent risk.
3. Do changes in inherent risk require modifications in internal control design? That is, would last year’s internal controls be insufficient to meet inherent risks in the current year?
3a. If the answer to #3 is that the client should have new controls to meet new inherent risks, then you’re basically where you were in the initial year of implementation. You need to determine the design and implementation of controls and assess design effectiveness.
3b. If the answer to #3 is that the controls implemented last year would be effective in addressing the current year’s risk, then you need to determine that the implementation of the controls has not changed.
It’s at this point that the walkthrough question comes into play. The objective of performing a walkthrough would be to determine whether, and if so how, the implementation of the controls has changed since the prior year.
As my friend Hiram Hasty points out, the key is to ask the right question. Ask not, “do I have to perform a walkthrough?” The question that leads to a better answer is “how can I best achieve my audit objective of determining whether and how the implementation of controls has changed?”
I can see some situations where you could obtain persuasive audit evidence about control implementation based solely on the work you performed in the prior year and procedures other than walkthroughs. For example, you might have a situation where the transactions and the processing of those transactions are relatively constant year after year, and the controls are largely automated. In that case, maybe you could achieve your audit objective through inquiry and looking at IT general controls.
For more guidance on factors to consider when determining whether to perform a walkthrough, take a look at paragraph 42 of SAS No. 110. That paragraph relates to testing operating effectiveness, but some of the ideas transfer nicely to the issue of identifying changes to control design and implementation.