Editor’s Note: This month marks the introduction of a new column, Auditing, that will feature column editor Howard B. Levy’s incisive take on selected issues in auditing practice and procedure. Levy has decades of auditing experience, formerly serving on the AICPA’s Auditing Standards Board and its Accounting Standards Executive Committee, and currently on its Center for Audit Quality’s Smaller Firms Task Force. Already a member of The CPA Journal Editorial Board and frequent contributor on auditing theory and history, his introductory column concerns a seldom-considered auditing risk: revenue understatement.
Although the professional literature is full of guidance about the risk of inappropriate revenue recognition, most of it concerns the risk of fraudulent overstatement resulting in improper acceleration. In contrast, little authoritative or semi-authoritative guidance is available to help auditors identify the risks of and select appropriate audit procedures to address the potential for material understatements.
Revenue understatements commonly arise from fraudulent behavior by management or against the company, such as from employee theft or by outsiders who control and have an incentive to underreport the transactions or activities that generate revenues based on contractual arrangements. In the absence of reliable records maintained independently by the company, confirmations from counterparties have little value as audit evidence in such circumstances. Auditors are cautioned not to fall into the common trap of concluding that a clean opinion is warranted because they did all the auditing they could under the circumstances. The inability to apply necessary auditing procedures must be reported as a scope limitation [Auditing Standard (AS) 3101.22–.27, AU-C 705.08b or .11–.13].
Completeness of recorded revenue is a particularly significant concern for businesses like retailers and casinos, where because of the intrinsic property of cash to disappear when no one is looking, cash transactions must be subject to surveillance and other controls designed to afford reasonable assurance that they are recorded. These controls must be tested; however, there can be no effective, substantive tests for the completeness of recorded cash transactions because there is no alternative population where the unrecorded cash revenue likely to reside. Accordingly, auditors must rely on analytical procedures to supplement control tests when auditing the completeness of recorded revenue. It is important to remember, however, that analytical tests consisting merely of comparing the reported revenue of one period to that of another, or one contract to another (commonly called “flux” tests), are typically unreliable as primary substantive tests, since there is no reason to believe that the base period or contract represents an appropriate expectation.
Revenue Underreporting by Contract Counterparties
Many forms of revenue are contractually linked to variables stipulated in related lease, revenue-sharing, royalty, or licensing arrangements; these include usage, sales volume, or production, the measurement of which is outside of the reporting entity’s control. The related revenues may take the form of contingent rentals, management fees, royalties, or other license fees.
Some auditors mistakenly underestimate or overlook the risk of understatement of these revenues by reasoning that the client’s recorded revenue rightfully should be limited to what is reported to it by and received from contract counterparties. This kind of understatement may be inadvertent as a result of poor controls by the counterparty, undiscovered fraud by the counterparty, or accurate but late reporting resulting in a revenue recognition delay to the subsequent accounting period. Understatement of recorded revenues also reflects itself in understated assets in these cases, most likely in the form of receivables from counterparties. Because these risks relate to understatement, the size and materiality of the potential error is often difficult to assess, but to be reasonably assured of fair presentation, auditors must adequately evaluate and address such risks to determine whether the potential for understatement is significant.
When reported revenue from a particular arrangement or group of similar arrangements is relatively small, it is easy but erroneous to conclude that the risk of underreporting is not material. In reality, small amounts often have the greatest potential for under-statement. Accordingly, an auditor must determine some evidentially supportable limiting factor, such as space or production capacity, that can help to estimate both a probable maximum revenue that might possibly be derived from the arrangement and the understatement thereof. If the estimated understatement can be reliably judged to be immaterial based on objective evidence, no further work is necessary.
If an auditor cannot identify and verify any such limiting factors (such as space or production capacity) that would enable reasonable estimation of probable maximum revenue under-statement, it is ordinarily necessary to view the inherent risk as significant and subject to mitigation only in the presence of suitably designed controls that have been adequately tested and found to be operating effectively. Such inherent risk of under-reporting, when significant, is frequently controlled by reporting entities by providing for audit rights in the related contractual arrangements. But the effectiveness of such controls may depend upon the frequency with which such rights are actually exercised. Any perceived deterrent effect of merely providing for such rights naturally diminishes with time if not exercised.
Industries in which royalty income is substantial, such as publishing, music, and film and television, commonly engage royalty auditors who periodically audit the sales of royalty-generating customers. When these royalty audits are conducted less than annually, these independent auditors must obtain sufficient comfort as to revenue completeness by relying on audits of management’s estimates (typically based on the client’s historical experience with royalty audit adjustments).
In other industries, audit rights in connection with these arrangements generally consist either of permitting the client’s auditor direct access to the underlying records of the counter-party or of requiring the counterparty to engage independent auditors to provide periodic special reports, such as illustrated in AS 3305.18 and AU-C section 805.A28. Auditors may also consider evidence from Statement on Standards for Attestation Engagements (SSAE) 16 (formerly Statement on Auditing Standards 70) or other reports on internal controls at the counterparty level. Only when these reports are based on appropriate tests of controls can the auditors provide satisfactory evidence of their operating effectiveness.
When there are no audit rights associated with a contract that bears significant inherent risk of underreporting revenues by counterparties, auditors must exercise considerable judgment to determine the scope of audit work necessary to reduce the risk of failing to detect revenue understatement to an acceptably low level. Since the only substantive tools available are analytical procedures, auditors must recognize that under AS 2305.09 and AU-C 330.22, they may not rely solely on substantive analytical procedures, whether applied by the auditor or the client, with regard to a significant risk of material misstatement. Rather, they must supplement these procedures with internal control tests sufficient in scope to support (at a minimum) a moderate control risk assessment. A lack of effective controls—other than to assure that whatever is reported by the counterparty is recorded—could potentially constitute a scope restriction that must be addressed appropriately.
To Be Continued
This discussion will continue next month with 1) special risks associated with the use of managing agents who are entrusted with, among other functions, the collection of and accountability for revenues, and 2) risks associated with fraudulent behavior by management or against the company, such as from employee theft.
