Three Minutes to Better Client Interviews

Keys to understanding your clients

Many times have I interviewed accounting personnel and walked away thinking, “I have no idea what they just said to me.”

In my early years–fresh out of college–I had the same thoughts but with additional commentary: “I must be dense. It’s obvious, he understands what he just told me, but I don’t.” Often my anxiety would increase when I realized the interviewee (e.g., accounts payable clerk) had much less education than me.

Reasons We Don’t Understand

After years of performing interviews, I realized that I wasn’t dense (at least not as much as I thought), and that I was encountering what The Art of Explanation calls the “curse of knowledge.”

What is the “curse of knowledge”? It’s when someone knows a subject very well, and, consequently, has a difficult time imagining what it is like to not know it. I was experiencing the “curse of knowledge” – those I interviewed believed I already knew what they knew. As a result, they unintentionally left out details.

Also, those I interviewed often had years of experience doing the same job day after day. Of course they understood what they did. But I had less than an hour, in many cases, to grasp all the nuances of what they had learned over many years.

Additionally, those I interviewed used a language unique to their office, and I, mistakenly, tried to use a different language – one I had learned in college. The result: the yin and the yang did not jibe. So how can I right the cosmos?

Four Keys to Interviewing

1. Pay attention to their language and use it.

If they call it a thingy, then I call it a thingy.

2. Seek understanding more than trying to impress.

I often want to impress more than I desire to understand. The remedy: Admit (maybe even out loud) I don’t know everything.

I tell the clerk, “Treat me like I don’t know anything. I’ve never been here, so I need your help in understanding how you do your job.”

To higher level personnel (e.g., CFO), I might say, “I have worked in this industry for fifteen years, but I need your help to understand how you guys operate.”

3. Repeat what is said to you.

For example, “May I repeat what you just said to make sure I understand? ‘The thingy is created once per week on Mondays to ensure that total receipts agree with deposits.’”

4. Use your cell phone to take pictures and to record parts of the interview.

Just last week, I reviewed a complex accounting system (for about three hours). As I did so, I used my cell phone Evernote app to take pictures of computer screens and printed reports and to record parts of the conversation. Later I summarized the conversation in memo form (complete with pictures).

The use of electronic devices (e.g., camera or recording device) is a judgment call. Yes, you do want to understand, but some clients may find electronic devices intrusive.

Your Interviewing Ideas

Have I left out any key ideas about interviewing? Please share your thoughts.

Three Receipt-Fraud Tests

Tests you can use in your audits

Today I provide three receipt-fraud tests to perform in audits.

After my last fraud post regarding disbursement fraud tests, my LinkedIn friends asked two questions:

1. Shouldn’t auditors design fraud tests based on their risk assessment work?

2. Why focus just on disbursements?

In response to 1.: Absolutely. Fraud tests should not be picked willy-nilly. They should be designed in response to control weaknesses identified in your risk assessment work (e.g., transaction walk-throughs) and in prior audits.

In response to 2.: The first post was just a beginning. This post will focus on receipts (and billings). The fraud tests I’m providing are designed to stimulate thought and are not, by any means, comprehensive (there are hundreds of potential fraud tests).

So let’s jump in. Here are three receipt-fraud tests.

Receipt-fraud tests

1. Test adjustments made to receivables.

Why test?

Theft of cash is commonly achieved by persons writing off (or writing down) receivables and then taking the related payment. Receivables are adjusted to ensure that the customer will not receive a bill that reflects an unpaid balance.

How to test?

Obtain a download of receivable adjustments for a period of time (e.g., two weeks) and see if they were properly authorized. Review the activity with someone outside of the receivables area (e.g., CFO) who is familiar with procedures but who has no access to cash collections.

If there are multiple persons with the ability to adjust receivable accounts (quite common in hospitals), compare weekly or monthly adjustments by person.

Agree receipts created with the bank deposits.

2. Confirm rebate (or similar type) checks.

Why test?

When checks are not received at a central collection area (e.g., rebate checks sent to purchasing agent), there is an increased risk that the checks will be stolen.

How to test?

Determine who provides rebates (or similar non-receivable) type checks. Send a confirmation of payments to the paying company and compare the confirmed amounts with activity in the general ledger.

This type of theft is more prone to occur in larger organizations where checks are sometimes received by executives (e.g., hospitals). The executive receives the check in the mail, keeps it for a while (in his desk drawer – in case someone asks for it), sees that no one is paying attention, and then steals and converts the check.

3. Search for off-the-book theft of receipts.

Why test?

The fraudster may bill for services through the company accounting system or an alternative set of accounting records and personally collect the payments.

How to test?

Compare revenues with prior years and investigate significant variances. Alternatively start with original source documents and walk a sample of transactions to revenue recognition, billing, and collection.

Here are a few examples of actual off-the-book receipt thefts:

An auditor detected a decrease in police fine revenue in a small city while performing audit planning analytics. Upon digging deeper, he discovered the police chief had two receipt books, one for checks that were appropriately deposited and a second for cash going into his pocket.

A hospital CFO, while performing reorganization procedures, set up a new bank account specifically for deposit of electronic Medicaid remittances. He established himself as the sole authorized bank account check-signer. Strangely, the bank account was never set up in the general ledger. As the Medicaid money was electronically deposited, the CFO transferred the funds out to build a nice home on Mobile Bay, purchase new cars, and pay for gambling trips.
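The first receipt-fraud test (authorization of receivable adjustments and comparison by person) can be run over the download with a short script. This is an added example, not part of the original post; the column names, the sample rows and the three-times-median cutoff are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample export of receivable adjustments (not real data).
SAMPLE = """adj_id,date,customer,amount,entered_by,approved_by
A1,2024-03-04,C100,-120.00,jdoe,mlee
A2,2024-03-05,C101,-80.00,asmith,mlee
A3,2024-03-06,C102,-950.00,jdoe,
A4,2024-03-07,C103,-1400.00,jdoe,jdoe
A5,2024-03-08,C104,-60.00,bkim,mlee
A6,2024-03-11,C105,-75.00,asmith,mlee
"""

def load(text):
    """Parse the adjustment download into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def unauthorized(rows):
    """Adjustments with no approver, or approved by the person who entered them."""
    return [r["adj_id"] for r in rows
            if not r["approved_by"].strip() or r["approved_by"] == r["entered_by"]]

def totals_by_person(rows):
    """Total absolute dollar value of adjustments entered by each person."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["entered_by"]] += abs(float(r["amount"]))
    return dict(totals)

def outliers(totals, factor=3.0):
    """People whose total exceeds `factor` times the median total (assumed cutoff)."""
    m = median(totals.values())
    return sorted(p for p, t in totals.items() if t > factor * m)

if __name__ == "__main__":
    rows = load(SAMPLE)
    print("Review authorization:", unauthorized(rows))
    print("Totals by person:", totals_by_person(rows))
    print("Compare with peers:", outliers(totals_by_person(rows)))
```

The flagged items are leads to review with someone outside the receivables area, not findings in themselves.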

Risk Assessment for Fraud

Before performing fraud tests, auditors should perform risk assessment procedures. For information about doing so, click here.

 

Being In The Know with Minimal Effort

Are you looking for a way to stay in the know with minimal effort?

Here’s a tip: See your accounting and auditing publisher’s list of substantive changes.

For example, I print the List of Substantive Changes and Additions from PPC’s Guide to Audits of Nonprofit Organizations, then review the printed copy with yellow highlighter in hand. This one document fully encapsulates all significant changes, regardless of the source.

When I’m done, I look up the highlighted areas as needed (PPC’s List of Substantive Changes and Additions provides references to related information in the publication).

The Clarity Project – Compliance with Laws and Regulations

This is just a reminder that the Clarity Auditing Standards introduced new procedures with regard to your client’s compliance with laws and regulations. Specifically, the standards require the following:

  1. The auditor must inspect correspondence, if any, with relevant licensing or regulatory authorities.
  2. While implied in prior audit standards, the new standards require the following:
    1. Obtain an understanding of the legal and regulatory framework.
    2. Obtain an understanding of how the entity is complying with that framework.
    3. Determine whether the auditor has a responsibility to report suspected noncompliance to outside parties.
    4. Document identified or suspected noncompliance.

As you perform your fraud inquiries, also ask about compliance with laws and regulations. See if the client has received any adverse correspondence from regulators or licensing bodies, and consider adding the response to your management representation letter.

Also document your understanding of the regulatory framework in your understanding of the entity and its environment.

Finally, consider that regulated entities (e.g., telecommunications) should have internal controls in place to ensure that legal and regulatory compliance is monitored and communicated.

Five Disbursement-Fraud Tests

You are leading the audit team discussion concerning disbursements, and a staff member asks, “why don’t we ever perform fraud tests?”

Your rejoinder, somewhat lacking, but said with authority, is, “We are only required to perform such tests in certain circumstances. What do you suggest?”

“I don’t know,” the staff member sheepishly responds. “What are some possibilities?”

You pause to consider the question, and you remember a recent blog post addressing how fraud can sting auditors. You begin to think, “what can we do?”

Five Disbursement Fraud Tests

1. Test for duplicate payments.

Why test?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer commonly does not examine supporting documentation and the payee name.

How to test?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).

2. Review the accounts payable vendor file for similar names.

Why test?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes may be used).

The check-signer will not recognize the payee name as fictitious.

How to test?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors.

Why test?

The accounts payable clerk may add a fictitious vendor (one for which no similar real vendor name exists, in contrast to the preceding example).

The fictitious vendor address? You guessed it: the clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How to test?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the businesses to check for validity; if necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

4. Compare vendor and payroll addresses.

Why test?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How to test?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.

5. Scan all checks for proper signatures and payees.

Why test?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How to test?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also consider scanning endorsements.
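Tests 1, 2 and 4 above rely on sorting in Excel and comparing by eye; the same comparisons can be scripted so that punctuation and abbreviations do not hide a match. This is an added example, not part of the original post; the sample records, the abbreviation table and the 0.85 similarity cutoff are assumptions made for illustration.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample downloads (not real data).
CHECKS = [  # (check number, vendor name, amount)
    (1001, "Gulf Paving Inc", 31250.00), (1002, "ABC Company", 4800.00),
    (1017, "Gulf Paving Inc", 31250.00), (1020, "ABC Co.", 4800.00),
]
VENDORS = {"ABC Company": "100 Main Street, Suite 4", "ABC Co.": "12 Oak Ave.",
           "Gulf Paving Inc": "PO Box 77", "Delta Consulting": "9 Pine Rd"}
PAYROLL = {"J. Clerk": "12 Oak Avenue", "M. Lee": "400 Elm St"}

# Assumed abbreviation table; extend it for the client's own data.
ABBREV = {"company": "co", "incorporated": "inc", "street": "st",
          "avenue": "ave", "road": "rd", "suite": "ste"}

def norm(text):
    """Lower-case, drop punctuation, collapse common abbreviations."""
    words = re.sub(r"[^a-z0-9 ]", "", text.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def duplicate_payments(checks, threshold=25000):
    """Test 1: same vendor and same amount, above the dollar threshold."""
    groups = defaultdict(list)
    for number, vendor, amount in checks:
        if amount > threshold:
            groups[(norm(vendor), amount)].append(number)
    return [numbers for numbers in groups.values() if len(numbers) > 1]

def similar_vendors(names, cutoff=0.85):
    """Test 2: pairs of vendor names that nearly match after normalizing."""
    return [(a, b) for a, b in combinations(sorted(names), 2)
            if SequenceMatcher(None, norm(a), norm(b)).ratio() >= cutoff]

def address_matches(vendors, payroll):
    """Test 4: vendors whose address equals an employee's payroll address."""
    by_addr = {norm(addr): emp for emp, addr in payroll.items()}
    return [(v, by_addr[norm(a)]) for v, a in vendors.items() if norm(a) in by_addr]

if __name__ == "__main__":
    print("Duplicate payments:", duplicate_payments(CHECKS))
    print("Similar vendor names:", similar_vendors(VENDORS))
    print("Vendor/payroll address matches:", address_matches(VENDORS, PAYROLL))
```

As the post notes for test 4, a match can be legitimate, so each hit is a lead to investigate rather than a conclusion.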

Your Ideas

These are a few of my ideas. How about yours?

If you like this post, you will enjoy: The Little Book of Local Government Fraud Prevention.

My next fraud post will address the theft of cash collections.

New Illustrative Yellow Book and Single Audit Reports

The AICPA Governmental Audit Quality Center has issued new illustrative reports for the following types of engagements:

  • Yellow Book
  • Single Audit

The reports incorporate the Clarity Auditing Standards opinion language; the illustrative reports include, in addition to GAO reports, two financial statement audit reports – one for a government and one for a nonprofit. The GAO reports are in conformity with the 2011 Government Auditing Standards.

The reports have been reviewed by:

  • The AICPA Auditing Standards Board
  • The Government Accountability Office, and
  • Various federal agency representatives

Click here to see the new reports.

Fraud Stings Auditor

An audit client discovers, through an inside tip, an employee fraud and you, the audit engagement partner, receive the following phone call:

“George, we just found out our controller has stolen about $70,000 per year for the last three years. Since you guys have been doing our audit, I thought I’d call and discuss what we need to do.” The caller does not verbally say it, but he intimates, “where were you guys?” and “how are you going to resolve this?”

Your first thought is this amount is immaterial, and you begin to explain that audits are not designed to detect immaterial fraud – the first time your client has ever heard these words. It sounds technical, evasive, and hollow. Your client is thinking, “what did I pay you for?” as you are reading his mind and thinking, “not for this.”

The first mistake: Not clearly explaining to your client what an audit is, and, more importantly, what it is not.

The Association of Certified Fraud Examiners’ (ACFE) biennial fraud survey notes that most frauds have a life of about 18 months before they are detected, and less than 10% of frauds are detected by external audits. Even if the external auditor is performing the engagement in accordance with generally accepted auditing standards, the procedures are designed to detect material fraud, something your client needs to know before you start the audit.

Your client files a claim with his insurance company in order to recoup the stolen funds, and, at this point, the insurance company contacts you and asks, “may we have a copy of your internal control letter?” You’ve known all along that there were significant deficiencies in controls, but you’ve been afraid to communicate the weaknesses in writing, knowing that doing so might jeopardize your relationship with management (the guys and gals who hired you).

The second mistake: Not communicating all significant weaknesses and material weaknesses in writing.

Now things go from bad to worse: the insurance company sues your firm and subpoenas your work papers as they prepare to take you to court. The insurance company’s attorney obtains copies of your fraud work for the last three years, and he notes that the three respective audit files have the same fraud inquiry form. All three annual fraud forms reflect your CPA firm interviewed the same two management personnel who noted, “the company has high ethical standards and there are no known ways to commit fraud.” No other fraud work exists in the files.

In the deposition, the insurance company’s attorney asks you four times, “did you perform any fraud tests other than inquiring of management?” Now you wish you had.

The third mistake: Inquiring of the same personnel year after year and not performing an annual fraud test (at least one).

Lessons Learned

You now resolve to do the following on all future audits:

  1. Resolved – I will explain to my client that an audit does not address immaterial fraud.
  2. Resolved – I will communicate all significant control deficiencies and material weaknesses in writing.
  3. Resolved – I will perform at least one new fraud test each year (and those tests will relate to control weaknesses noted in planning walk-throughs and inquiries); additionally, I will perform fraud inquiries of different personnel each year.

Fraud-Test Ideas

If you need fraud-test ideas, I will offer some detailed suggestions in my next blog post.