Time to Change Your Single Audit Engagement Letters

Single Audits for years ending December 31, 2015, are subject to the Uniform Guidance. So related engagement letters need to state that the engagement will be performed using the Uniform Guidance rather than A-133.

See my prior post here for more information about the Uniform Guidance.

How to Perform Fraud Risk Assessments

Part 3: An overview of the risk assessment process as it relates to fraud

No appreciable change has occurred in the detection of fraud since the issuance of SAS 99, Consideration of Fraud. Why? I fear the problem lies in how we as auditors use the risk assessment standards.

I still hear auditors say, “we are not responsible for fraud.” But are we not?

Without question, auditing standards require that we perform particular fraud risk assessment procedures. And we also know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option.

Why Auditors Don’t See Fraud Risk

Why do we not see fraud risks? Here are a few thoughts:

  • We don’t understand how fraud occurs, so we avoid it
  • We don’t know how to look for control weaknesses
  • We think our time is better spent in other areas (namely performing substantive procedures)
  • We still believe that a balance sheet approach to auditing is all we need

Signs of Weak Risk Assessments

So what are some signs of weak fraud risk assessments?

  • We ask just one or two questions about fraud
  • We limit our inquiries to as few people as possible (maybe even just one)
  • We discount the potential effects of fraud (even after a client tells us it has occurred)
  • We don’t perform walkthroughs
  • We don’t conduct brainstorming sessions
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files have vague responses to the brainstorming and risk assessment procedures (e.g., “no means for fraud to occur; see standard audit program”)

In effect, some auditors dismiss the fraud risk assessment process. And if we are not aware of fraud risks, we can’t adequately plan our responses. Put another way, if fraud risks are present, and we follow a standard audit program, are we responding to threats?

So how can we understand and respond to fraud risks? Here are a few thoughts.

Start with Potential Fraud Incentives

Fraud comes in two flavors:

  • Cooking the books (intentionally altering numbers)
  • Theft

Start your fraud risk assessment process by determining if there are any incentives to manipulate the financial statement numbers. Are there any bonuses or promotions based on profit or other metrics? Are there other potential motivations for playing with the numbers? Cooking the books is more prominent in for-profit entities, but be aware that some nonprofits also offer incentives based on financial statement targets.

Internal control weaknesses are the doorway to theft. Next, we’ll see how to find those defects in accounting systems.

Look for Fraud Opportunities

My go-to procedure in looking for fraud opportunities is to perform walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle and start at the beginning and follow the transaction to the end. Note who does what. Inspect the related documents.

Think of the accounting system as a story. Our job is to understand the narrative. As we (attempt to) describe the accounting system, we may find missing pieces. Sometimes we’ll need to go back and ask more questions to make the story flow from beginning to end.

The purpose of writing the storyline is to identify any “big, bad wolves.” The threats in our childhood stories were easy to recognize. Not so in the walkthroughs. It is only in connecting all the dots that the wolves materialize.

Our documentation of the walkthrough should be scalable. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more detail.

In documenting workflows for complex businesses, the old saying “How do you eat an elephant?” comes to mind. Break complicated systems into pieces, and you will understand them.

Observation of Control Weaknesses

The auditing standards require that we use the following:

  • Inquiry
  • Observation
  • Inspection

Audit standards state that inquiry alone is not sufficient for performing the risk assessment process. So we must marry inquiry with either observation or inspection or inquiry with both observation and inspection. May I suggest that you do the latter? Take pictures of your observations (use your smartphone) and make copies of documents you inspect. I like to write my narrative and then insert images into the “story.” (Tip: You can insert pictures in a Word document by clicking “Insert,” and “Object.” Then browse to the picture you desire to add.)

Our walkthroughs can include:

  1. Narrative
  2. Images
  3. Highlights of control strengths and weaknesses

I summarize the internal control strengths and weaknesses within the narrative and usually highlight the wording. For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that vendor without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then–when I am done–I can use the identified fraud opportunities to create audit procedures that are responsive.

Fraud-Related Inquiries

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

If management has no method of identifying fraud, might this be an indicator of a control weakness? Yes. It is management’s responsibility to develop control systems to lessen the risk of fraud. It is the auditor’s responsibility to review the accounting system to see if it is designed and operating appropriately.

Notice that in these inquiries, we are asking not only whether fraud has occurred but also whether management has a prevention system in place. And does management communicate these processes to those charged with governance?

Planning Analytics

Another risk assessment procedure is the use of planning analytics. As we compare prior year numbers with current year numbers or as we compare budgeted numbers with current, we may see red flags. You can also use ratios in your hunt for potential risks.

As you review the preliminary numbers, ask, “do these numbers make sense in light of current operations?”

The audit standards state that there is a rebuttable presumption that revenues are overstated. Why? Because many past frauds were carried out by managers intentionally overstating income numbers. In some cases, management posted false journal entries at year-end to inflate income. Then in the following period, the entries were reversed.

Brainstorming and Planning Your Responses – My Next Post

Once you perform your risk assessment procedures, you are ready to brainstorm about how fraud will occur and then plan your audit responses. That’s the topic of our next post—so stay tuned. Subscribe to my blog (it’s free) to ensure that you see the next post (see below).

Consider reading this post again and think about how you use your audit forms to perform risk assessments. Understanding the process is 90% of the battle.

If you missed my first two posts in this series, check them out here:

Part 1: How to Perform Audit Risk Assessments

Part 2: How to Understand the Risk Assessment Process

A CPA’s Office Setup: Ways to Enhance Productivity

A peek into my office

Is a CPA’s office setup important? You bet.

Like you, I am constantly looking for ways to be more productive. I buy books, watch videos, and take note of how others work.

I like to see the offices of other CPAs. Here’s mine.

Multiple Monitors

Docking Station – I use a docking station that allows me to push one button to disconnect and place my laptop into a bag for travel. The docking station provides connectivity inputs behind my computer. Rather than disconnecting several wires to “set my computer free,” I push one button.

50″ Monitor (on a swivel hinge) – This monitor is about two feet behind my desk. I dock Outlook on the screen; this allows me to see incoming email at any moment. I also use this screen as a fourth working monitor. For example, when I am reviewing financial statements, I sometimes place the balance sheet on the 50″ screen and a second copy of the financial statements on my lower center monitor. Then as I review the remainder of the statements (e.g., notes), I can glance at the balance sheet.

The 50″ monitor hangs from a swivel hinge. The swivel hinge allows me to tilt the screen in other directions when I am sharing information from my laptop with others in my office. I am using this far more than I thought I would.

Todoist Checklist – I place all my outstanding to-do items in Todoist. Since Todoist integrates with Outlook, I usually have Outlook docked on the 50″ monitor. With just a glance, I can quickly see what I need to complete. With one click, I can add a new to-do item. And the to-do items I add on my laptop show up on my iPad and iPhone Todoist apps (and vice versa)–this integration is why I started using Todoist.

Logitech Camera – I often have online meetings and share information from my computer screen with those I am speaking with (I use Zoom). This Logitech camera creates an excellent picture and sound so those I’m sharing with can see and hear me. Logitech C930e 960-000971 USB 2.0 1920 x 1080 Video Webcam

Bose Bluetooth Speaker – Music can make us more productive. And why not have quality sound? You spend so much of your waking day in your office. Bose SoundLink Mini Bluetooth Speaker II (Carbon)

iPhone on a Stand – Do you ever lay your phone down and later you can’t find it? (We used to lose just our keys; now it’s the phone and the keys.) This stand provides me with a consistent place for my phone. elago M2 Stand for all iphones, Galaxy and Smartphones (Angled Support for FaceTime), Black

Fujitsu ScanSnap iX500 Scanner – When I receive physical paper documents, my usual first step is to scan the paper and place it (the paper) in my shred box. I use this scanner several times a day. I like the scanner (but I have had problems with paper jams). Fujitsu ScanSnap iX500 Scanner for PC and Mac (PA03656-B005)

Deluxe Shred Box – My deluxe shred box is a box top. I know, sophisticated, huh?

Landline Phone – I keep my phone over on my side table to keep it off my main desktop.

HP Printer – Many CPAs use a central printer for several people but think about the cumulative time you waste walking to the printer. HP LaserJet P2035 Monochrome Printer (CE461A#ABA)

iPad – This is my favorite device. I use it mainly outside the office, but I place it on the corner of my desk so I can quickly pick it up as I go out.

The Physical Library – I order most publications electronically, but for my physical books, I keep them handy here.

Adjustable Standup Desk – In my attempt to be a (little) more healthy, I bought this standup desk about three years ago. About once a day, I will print and stand while I review a set of financial statements–mainly to get my rear out of the chair. There has been a great deal of press lately about professionals (slowly) killing themselves by sitting too much. This desk does adjust down to the level of my main desktop, and it is mobile, so I use it–when I’m tired of standing–as an extension of my main desktop.

Paper-in Tray – I use a three-level tray for my incoming paper. The top shelf is for newly arrived paper information.

Corner Meeting Spot – I use this corner area as a place to meet with partners and staff, especially if they bring paper copies in to discuss.

Coffee Maker – This is probably the most important appliance in my office. No coffee, no Charles.

Whiteboard – If someone needs to draw an idea out, here’s the place. I sometimes take iPhone pictures of the information drawn on the board and then store it in Evernote.

Watercooler – Drinking plenty of water each day will enhance your stamina. As you can tell, I like convenience.

Your Ideas

How would you change my office? What additional ideas would you add to these?

New SSARS 21 Book

My new SSARS 21 book titled Preparation of Financial Statements and Compilation Engagements is now available on Amazon.com. The book provides information about the new preparation of financial statements standard and compilation engagements. The book includes sample engagement letters and financial statements using the preparation and compilation guidance.

Using Post-it Note Stickies While Reviewing Financial Statements

Most of the time I review financial statements from my computer screen, but sometimes (true confession time) I print them and make review notes with a pen.

In doing so, I used to have a problem with my Post-it notes (until I started using the tip below).

If you print your financial statements and then review them, you might do the following:

  • Pencil in changes
  • Attach yellow Post-it note stickies to pages with changes (so you will know what pages need changing)
  • Remove the pages with the yellow Post-it note stickies
  • Scan the pages with changes so they can be emailed to staff (for changes to be made)

Scan Tip

Tip: When you attach a Post-it note sticky to a page, place the Post-it note sticky at the bottom of the page so it is pointed vertically; then you can scan the pages with the stickies still attached. Don’t point the Post-it notes out horizontally, or your scanner will jam. Now you won’t need to remove the Post-it notes in order to scan (and if you place these pages back into the original printed financial statements, you will know what pages need changes).

Where to Find Sample GASB 68 Notes and Required Supplementary Schedules

GASB 68, Accounting and Financial Reporting for Pensions, is effective for fiscal years beginning after June 15, 2014. So governments with June 30, 2015, fiscal year-end financial statements should follow this standard.

You may be asking, “where can I find example notes and required supplementary information?” Good news. GASB provides an implementation guide titled Guide to Implementation of GASB Statement 68 on Accounting and Financial Reporting for Pensions. You can find it here. The sample notes and required supplementary information start on page 117 of the guide. See illustration 2 for a county government example.

 

How to Apply SSARS 21 to Prescribed Forms

CPAs have two options in applying SSARS 21 to prescribed forms.

My new SSARS 21 book, Preparation of Financial Statements and Compilation Engagements, will soon be available on Amazon.com.
