Volatility and Control Testing In Risk Focused Examinations: What Should An Examiner Look For In CPA Workpapers?

By Lewis D. Bivona, Jr., CPA, AFE, Partner, Practice Leader

For examiners who are new to risk-based examinations, the volatility of transactions for each line item of the annual report blank can be viewed from the perspective of overall inherent risk, rated from 1 to 4 (1 is low risk, 4 is high risk).

HERE ARE SOME GUIDELINES WE USE IN MAKING THAT ASSESSMENT

  • Volatility refers to periodic fluctuations in transaction volume of a particular account. As an example, a period in which transaction volume is unusually high might present a greater risk of misstatement for that given period. Accounts with unusual spikes should be assessed at a higher risk for this area.
  • Volatility also refers to instances where there would be large deviations in the amount of various transactions. As an example, where the relative dollar amounts of individual transactions vary significantly from transaction to transaction, a misstatement related to a particular transaction might be harder to identify, because it wouldn’t necessarily stand out from other transactions as a possible error.
  • A specific example might include a series of relatively consistent dollar amounts of cash disbursement transactions, along with numerous cash disbursement transactions that are much larger dollar amounts. This would create a larger inherent risk for volatility than a payroll account where the amounts are consistent within a relative range.

HOW SHOULD WE BE DEALING WITH THIS ISSUE?

Examiners should:

  • Carefully consider inherent risk related to volatility for each account in the summary of the risk assessment matrix.
  • If the external auditors have not addressed volatility, use ACL to determine dollar ranges in accounts and consider stratification of data to determine where base controls were applied and enhanced controls might be warranted.
  • For account areas such as cash, investments, premiums receivable, premiums, claims paid, etc., where there are large volumes of transactions and the nature of the transactions varies significantly in terms of dollar amount, it may be appropriate to rank such accounts as “4-high” as it relates to volatility.

Once you have an understanding of volatility in an account, you can then make a determination as to the quality and effectiveness of controls. Remember, controls are not a one-size-fits-all environment; materiality and application of controls vary based on the potential impact to the organization. Examiners have come to rely on the external auditors’ workpapers to leverage their use and assess lower risk during risk focused exams, but have they considered these factors in either discussions with the auditors or review of their workpapers:

  • Did the planning documentation stress the necessity of maintaining professional skepticism?
  • Does the planning documentation discuss risks considered, including changes within and outside of the company (industry risks)? How do these risks align with those noted in the prior examination report and the risks identified in the current financial analyst reports?
  • Does the staff assigned to the insurance audit have experience with insurance companies? If not, is there evidence of increased supervision of staff by managers and partners on key accounts?
  • Do the prior year audit workpapers look just like this year’s when it comes to testing of controls and substantive procedures? If so, the company may have figured out how to “fool” the auditors. Make sure that there is evidence that the auditors are adding unpredictability to their testing methodology.
  • Do control tests reflect any changes within the company? If a new system or interface is deployed, is control testing SALY (same as last year) or has it been modified to address potential risks? This is particularly important in insurance companies since there typically is not a “paper trail” for a given transaction; control tests should be performed because substantive testing cannot necessarily be sufficient to reduce risk to an acceptable level. Also, remember that sometimes control testing is comingled with detailed testing (known as a dual purpose test). For example, an auditor may test to see whether a claim is approved and the insured’s coverage is confirmed (the insured is on the policy master file) before it is paid (control tests), and also test for appropriateness by observing that the invoice exists (detail/substantive test).

Examiners need to remember that auditors should have designed and performed their procedures to address the risks defined at the assertion level. Control testing should include sufficient sample sizes to determine the risk being assessed, whether they are cyclical or transactional; any questions that an examiner may have about the appropriateness of sample size can be quickly put to rest by accessing the sampling guidance in the FCEH. Remember that good controls can reduce risks but they cannot eliminate risk; control testing is not a substitute for substantive testing, especially in material accounts. It is important to note that not all auditors follow FCEH guidance during audit testing; instead, they follow AICPA sampling guidelines, under which sample sizes may be slightly smaller. In these instances, the examiner may rely on the external audit testing but choose to perform additional tests to satisfy these requirements. It is even more useful if examination staff can meet with the auditors prior to their initiation of fieldwork to develop an understanding of each other’s perspectives and needs.

External auditors and examiners cannot rely on inquiry alone to determine the effectiveness of controls. Inquiry should be backed up by procedural testing to assure that controls were applied to the entire period on a consistent basis and that the person(s) responsible for applying those controls had the appropriate authority and competence. To back up the representations obtained from inquiry, the external auditor workpapers should document review and recalculation of documentation and/or reperformance of automated controls to verify accuracy and reliability of the controls. Remember, the auditor is required to obtain evidence that controls that existed in the prior audit continue to be effective, particularly in key transactional cycles. At minimum, control tests should be performed at least once in every three year cycle, even if there were no changes, and there should be evidence that some controls are retested every year irrespective of lack of change in controls. If some controls were not sufficient in the prior audit, or if there are personnel changes, a high reliance on manual controls, or inappropriate monitoring of controls, then the auditor should perform more frequent control testing.

Examiners should also be wary that the auditor’s substantive tests may highlight misstatements that would indicate that controls may not be operating as effectively as expected based on their earlier tests of controls; if this happens, there should be an assessment as to whether this constitutes a material weakness and, if it does, whether it was reported to those in charge of governance.

The guidance we have provided you related to volatility, materiality, control and substantive testing within the auditor’s workpapers highlights the perspective value of using them within the confines of a risk focused examination. Also remember that a clean audit opinion means that the insurance company is viewed to be a going concern at least through the next audit period, while examiners are concerned about prospective risks that reach out for years!
