Hosting Services Impair a CPA’s Independence

Hosting services impair a CPA’s independence, so says the AICPA. And most firms are providing hosting services (though they may not know it). This article explains why your possession of client records, whether electronic or hard-copy, can affect your independence.

Hosting Services Impair a CPA’s Independence

Starting September 1, 2018, your possession of client documents (e.g., tax records) or information (e.g., the housing of QuickBooks files on our server) can, in some instances, create an independence impairment. (If you temporarily possess original documents (e.g., tax records) but return them to the client in a short period, then the possession of the original documents does not impair your independence.)

The AICPA recently adopted a new interpretation, “Hosting Services,” which appears in the Code of Conduct under nonattest services. See 1.295.143 of the Code.

Why would possessing documents or information potentially impair independence? Because you accepted the responsibility for designing, implementing or maintaining internal controls for the records in your possession. And this is considered a management function.

In effect, the AICPA is saying there is an implicit understanding that you (the CPA) will safeguard the client’s records. And to safeguard the information, you agree to create controls to ensure the safety of the information in your possession.

To understand the actions that would impair your independence, see Catherine Allen’s article in the Journal of Accountancy. Specifically, look at her examples of where independence is impaired and where it is not. 

Four Keys to Better Client Interviews

You can understand your clients

Many times I have interviewed accounting staff and walked away thinking, “I have no idea what they just said to me.” Do you ever have this problem? If yes, this article is for you. Below I provide four keys to better client interviews.

Better client interviews

In my early years–fresh out of college–I would think: “I must be stupid. It’s obvious, he understands what he just said, but I don’t.” Often my anxiety would increase when I realized the interviewee (e.g, accounts payable clerk) had no college degree (and me, a masters in accounting).

Reasons We Don’t Understand

After years of performing interviews, I realized that I wasn’t dense (at least, not as much as I thought), and that I was encountering what The Art of Explanation calls, the “curse of knowledge.”

What is the “curse of knowledge?” It’s when someone knows a subject very well, and, consequently, has a difficult time imagining what it is like to not know it. I was experiencing the “curse of knowledge.” Those I interviewed thought knew what they knew. As a result, they left out details.

Also, those I interviewed had years of experience doing the same job day after day. Of course they understood what they did. But I had less than an hour, in many cases, to grasp their duties.

Additionally, those I interviewed used a language unique to their office, and I, mistakenly, tried to use a different language—one I had learned in college. The result: we did not understand one another. So how can I communicate and comprehend better?

Four Keys to Interviewing

1. Pay attention to their language and use it.

If they call it a thingy, then I call it a thingy.

2. Seek understanding more than trying to impress.

I often want to impress more than I desire to understand. The remedy: Admit (maybe even out loud) I don’t know everything.

I tell the clerk, “Treat me like I don’t know anything. I’ve never been here, so I need your help in understanding what you do.”

To higher level personnel (e.g., CFO), I might say, “I have worked in this industry for fifteen years, but I need your help to understand how you guys operate.”

3. Repeat what is said to you.

For example, “May I repeat what you just said to make sure I understand? ‘The thingy is created once per week on Mondays to ensure that total receipts agree with deposits.’”

4. Use your cell phone to take pictures and to record parts of the interview.

Just last week, I reviewed a complex accounting system (for about three hours). As I did so, I used my cell phone Evernote app to take pictures of computer screens and printed reports. I also used the app to record parts of the conversation. Later, I summarized the conversation in memo form (complete with pictures).

Scanbot is another useful iPhone app if you take pictures of client information. By using your phone to take pictures, you can leave your physical scanner in your office.

Your Interviewing Ideas

Have I left out any key interviewing ideas? Please share your thoughts.

Check out my series of articles about auditing.

How to Capture and Communicate Internal Control Deficiencies

Capturing and reporting internal control weaknesses

Too many times auditors fail to capture control deficiencies in the audit process. So, today I’ll show you how to capture and communicate internal control deficiencies.

A Common End-of-Audit Problem

We’re concluding another audit, and it’s time to consider whether we will issue a letter communicating internal control deficiencies. A month ago we noticed some control issues in accounts payable, but presently we’re not clear about how to describe them. We hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks we’re done, and quite frankly, they are tired of seeing us. We know that boiler-plate language will not clearly communicate the weakness or how to fix it. Now we’re kicking ourselves for not taking more time to document the control deficiencies.

Here’s a post to help capture and document internal control issues as we audit.

How to Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

  1. How to communicate them
  2. How to discover them
  3. How to capture them
how to capture and communicate internal control deficiencies

Picture is courtesy of AdobeStock.com

As we begin, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Categorizing a control weakness is not a science, but an art. With this thought in mind, let’s start our journey with how control weaknesses should be reported.

1. How to Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

2. How to Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

  1. Planning – Risk assessment and walkthroughs
  2. Fieldwork – Transaction-level work
  3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

  • Do the monthly financial statements ever contain errors?
  • Are invoices mistakenly omitted from the payable system?
  • Do employees forget to obtain purchase order numbers prior to buying goods?
  • Are new employees ever unintentionally left off the payroll?
  • Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

3. How to Capture Control Weaknesses

So, how do you capture the control weakness?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

  1. You may not be on the engagement when it concludes (because you are working elsewhere) or
  2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Internal Controls

Picture is courtesy of AdobeStock.com

Internal Control Capture Form

 What should be in the internal control form? At a minimum include the following:

  1.  Check-mark boxes for:
    • Significant deficiency
    • Material weakness
    • Other control deficiency
    • Other issues (e.g., violations of laws or regulations) 
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
    • If the probability of occurrence is at least reasonably possible and the magnitude of the potential misstatement is material, then the client has a material weakness
  3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person who identified the issue and the date when the issue was identified
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

Summary

The main points in capturing and communicating internal control deficiencies are:

  1. Capture control weaknesses as soon as you see them
  2. Develop a form to document the control weaknesses

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

Understand and Communicate Material Weaknesses and Significant Deficiencies

This post provides guidance on distinguishing material weaknesses from significant deficiencies

In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.

How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.

understand and communicate material weaknesses and significant deficiencies

And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.

Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.

Definitions of Control Weaknesses

A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.

  1. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  2. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  3. Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.

How to Categorize a Control Weaknesses

Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.

Material Weakness

First, ask these two questions:

  1. Is there a reasonable possibility that a misstatement could occur?
  2. Could the misstatement be material?

If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)

Significant Deficiency

If your answer to either of the questions is no, then ask the following:

Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.

If the answer is yes, then it is a significant deficiency.

If no, then it is not a significant deficiency or a material weakness.

How to Communicate Material Weaknesses and Significant Deficiencies

The following deficiencies must be communicated in writing to management and to those charged with governance:

  • Material weaknesses
  • Significant deficiencies

The written communication (according to AU-C section 265) must include:

  • the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
  • a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
  • sufficient information to enable those charged with governance and management to understand the context of the communication
  • the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
  • the fact that the auditor is not expressing an opinion on the effectiveness of internal control
  • that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
  • an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication

Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).

How to Communicate Other Deficiencies

Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.

photo

Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.

A Key Word of Warning

Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.

Additional Information

Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.

Seven Excuses for Unnecessary Audit Work Papers

Most audit files contain unnecessary work papers

Unnecessary audit work papers create clutter and can create legal problems.

I see two problems in most audit work paper files:

(1) Too much documentation, and
(2) Not enough documentation

I recently wrote a post tilted: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I have already covered the “not enough documentation” issue, today we’ll look at the other problem, too much documentation.

unnecessary audit work papers

Seven Excuses for Unnecessary Audit Work Papers

Over the last thirty years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are a few standard answers.

1. It was there last year.

But is it relevant this year? Resist the temptation just to copy or bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

For some reason, young auditors tend to put everything given to them in the file. I think they believe, “if the client gave it to me, it must be important.”

There is one reason to place documentation is the file: It provides audit evidence to support the opinion.

3. I may need it next year.

Then save it—somewhere other than the audit file—for next year. If the information does not provide current year engagement evidence, then it does not belong in the current year file.

Consider setting up a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: next year’s work papers; then move this section from the current year file as you wrap up the engagement.

4. I might need it this year.

Before going paperless (back in the days of moving work papers with a hand truck), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled “Recycle Bin” that sits at the bottom of my file. If I receive information that is not relevant to the current year work, I move it to the recycle bin, and while I am wrapping up the engagement, I dispose of the entire folder.

5. It’s an earlier version of an existing work paper.

Move earlier versions of work papers (e.g., initial financial statements) to your recycle bin.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attestation work – e.g., deferred taxes).

7. We missed a fraud ten years ago, so we always include these work papers.

Fraud procedures (and all procedures for that matter) should reflect the current year audit risk assessment and planning.

Closing Comments

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide an attorney ammunition. “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

Hear my podcast based on this post.

What are your thoughts about removing unnecessary audit work papers?

Fraud Stings Auditor: Another Reason Detection is Important

Theft can adversely affect audit clients--and the audit firm

Auditors think about how fraud affects audit clients, but could it be that fraud might affect auditors? After all, auditors do have responsibility for detecting fraud. In this article, I show how undetected theft can adversely affect audit firms.

theft stings auditor

The Phone Call

An audit client discovers, through an inside tip, an employee fraud and you, the audit engagement partner, receive the following phone call:

“George, we just found out our controller has stolen about $70,000 per year for the last three years. Since you guys have been doing our audit, I thought I’d call and discuss what we need to do.” The caller does not verbally say it, but he intimates, “where were you guys?” and “how are you going to resolve this?”

Your first thought is this amount is immaterial, and you begin to explain that audits are not designed to detect immaterial fraud–the first time your client has ever heard these words. It sounds technical, evasive, and hollow. Your client is thinking, “what did I pay you for?” as you are reading his mind and thinking, “not for this.”

The First Mistake

The first mistake is not clearly explaining to your client what an audit is, and, more importantly, what it is not.

The Association of Certified Fraud Examiners’ (ACFE) biennial fraud survey notes that most frauds have a life of about 18 months before they are detected, and less than 10% of frauds are detected by external audits. Even if the external auditor is performing the engagement in accordance with generally accepted auditing standards, the procedures are designed to detect material fraud, something your client needs to know before you start the audit.

Your client files a claim with his insurance company in order to recoup the stolen funds, and, at this point, the insurance company contacts you and asks, “may we have a copy of your internal control letter?” You’ve known all along that there were significant deficiencies in controls, but you’ve been afraid to communicate the weaknesses in writing, knowing that doing so might jeopardize your relationship with management (the guys and gals who hired you).

The Second Mistake

The second mistake is not communicating all significant weaknesses and material weaknesses in writing.

Now things go from bad to worse: the insurance company sues your firm and subpoenas your work papers as they prepare to take you to court. The insurance company’s attorney obtains copies of your fraud work for the last three years, and he notes that the three respective audit files have the same fraud inquiry form. All three annual fraud forms reflect your CPA firm interviewed the same two management personnel who noted, “the company has high ethical standards and there are no known ways to commit fraud.” No other fraud work exists in the files.

In the deposition, the insurance company’s attorney asks you four times, “did you perform any fraud tests other than inquiring of management?” Now you wish you had.

The Third Mistake

The third mistake is inquiring of the same personnel year after year and not performing an annual fraud test (at least one).

Lessons Learned

You now resolve to do the following on all future audits:

  1. Resolved – I will explain to my client that an audit does not address immaterial fraud.
  2. Resolved – I will communicate all significant control deficiencies and material weaknesses in writing.
  3. Resolved – I will perform at least one new fraud test each year (and those tests will relate to control weaknesses noted in planning walk-throughs and inquiries); additionally, I will perform fraud inquiries of different personnel each year.

More Fraud-Related Articles

For more information about fraud detection and prevention, check out my list of articles here.

If you are looking for examples of fraud tests (that you can use in your audits), check out:

Disbursement Fraud Audit Tests: Five Powerful But Simple Ideas

Three Receipt Fraud Tests

Comment from Stephen Pedneault

Stephen Pedneault, the principal of Forensic Accounting Services, made the following comment about the above article:

You truly have to live through one of these phone calls from a client to appreciate what happens when this occurs. I completely concur that better auditor communications up front during the planning phase, long before fieldwork starts, would decrease the risk a client’s expectations are beyond what an audit can accomplish (and detect). Documented for your files, the conversation you had with your client will help “remind” the client, who is now enraged and reacting emotionally versus rationally due to the discovered fraud, that you discussed the associated audit risks. The representation letter your client signed will augment your defense should your client commence litigation, which is becoming more and more commonplace. Your best defense – avoidance altogether. Perform fraud-related tests as part of your audit.

Stephen has written several fraud books that are available on Amazon. Check him out here.

Uncollected Prior Year Fees: Can They Impair Your Independence?

Can uncollected prior year fees impair your independence?

Answer: It depends. If a covered member has unpaid fees from an attest client for any previously rendered professional service provided more than one year before the date of the current-year report, he is not independent.

Section 1.230.010 (Unpaid Fees) of the Code of Professional Code states:

Threats to the covered member’s compliance with the “Independence Rule” would not be at an acceptable level and could not be reduced to an acceptable level by the application of safeguards if a covered member has unpaid fees from an attest client for any previously rendered professional service provided more than one year prior to the date of the current-year report (my bold). Accordingly, independence would be impaired. Unpaid fees include fees that are unbilled or a note receivable arising from such fees.

uncollected prior year fees

The picture is courtesy of DollarPhotoClub.com.

Applies to All Fees

Note that the rule states that independence is impaired if a covered member has unpaid fees from an attest client for any previously rendered professional service. Impairment exists when any prior year fee has not been paid, including tax or consulting work.

Billed or Unbilled Services

Also, the CPA should look back one year from the report date to see if billed or unbilled amounts exist. Here’s an example:

  1. The CPA provided tax services to ABC Company on April 25, 2015.
  2. The CPA billed for the tax services on June 1, 2015.
  3. ABC Company needs an audit report with a May 15, 2016, date.
  4. ABC Company has not paid the June 1, 2015, bill.

Is the CPA independent? If the audit report is dated May 15, 2016, the CPA is not independent.

Why? If we look back one year from the report date of May 15, 2016, we see that the April 25, 2015 work has not been paid. So an unpaid service for more than one year before the report date exists. If the CPA issues the May 15, 2016 report, he is in violation of the Code of Conduct.

How do you cure the independence impairment? ABC Company has to pay for the April 25, 2015 service.

An Odd Collection Procedure

Oddly, the potential impairment of independence may assist you in collecting past-due accounts. If the client needs the current year audit report, and the CPA can’t provide it to him without payment for the prior-year work, then the client may be willing to come up with the money.

Fake Bank Confirmation Responses: How One Man Defrauded Investors of $6 Million

Can auditors be fooled with fake bank confirmations? You bet.

The Western District of North Carolina U.S. Attorney’s Office issued a press release on June 17, 2013, detailing how James Shepherd, an investment company owner, defrauded over 100 investors of approximately $6 million. How? By misusing funds and tricking his company’s external auditors with fake bank confirmation responses.

fake bank confirmation responses

Hiding Theft with Fake Bank Confirmation Responses

The press release states, “Documents indicate that Shepherd built a $2 million residence in Vass, North Carolina, and used investor money to make mortgage payments on the residence.” The U.S. Attorney’s Office said, “For seven years Shepherd used his investment fund as his personal piggy bank and repeatedly lied to his investors who trusted him with their savings.” The release goes on to say the fraud was concealed as “Shepherd sent to investors certified financial statements…accompanied by an Independent Auditor’s Report.” The fraudulent December 31, 2012, financial statement reflected a $6,041,850 cash balance when in reality the fund had less than $100,000. So, how was Shepherd able to get an independent auditor’s report based on fraudulent numbers?

The auditor sent bank confirmations to a P.O. Box address provided by Shepherd. Additionally, the confirmations were sent to the attention of a “Charles Fisher”–a fictitious bank employee.

And who controlled the P.O. Box? Mr. Shepherd.

According to the U.S. Attorney’s Office, Shepherd would receive the bank confirmations, “forge the name Fisher on a fake bank letter” and “send forged bank statements with fake balances” to the auditor. The responses came in the form of both letters and faxes.

So, how were the forged bank statements created? The press release stated that “Shepherd generated the fraudulent bank statements using a version of Adobe Acrobat that enabled him to type false numbers over true bank statements.”

Given the false bank confirmations, how was Mr. Shepherd ever caught? In March 2013 the auditors “insisted on verifying the cash balance of funds’ bank account electronically through the audit confirmation website www.confirmation.com.” Shepherd then refused to give the accountant authority to utilize the site to verify the cash balance. After that, the auditor notified the National Futures Association that his audit opinion could no longer be relied upon.

Given this cautionary tale, how can auditors combat the threat of false bank contact information?

Designing Confirmations 

A while back, my friend James Ulvog brought to my attention the following clarified auditing section about confirmations.

AU-C Section 505.A7 states:

Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by e-mail, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management.

Auditors confirm bank accounts using:

  1. Letters
  2. Faxes
  3. Emails

Regardless of how an account is confirmed, auditors need to verify the contact information provided by the auditee–at least for some of the confirmations.

Bottom line

Audit standards require that steps be taken to ensure that confirmations are sent to the appropriate persons.

Using Confirmation.com reduces risk related to faulty confirmations. If you don’t use Confirmation.com, then consider checking street addresses by Googling them, or you might call the confirming party–especially for high-risk accounts.

The procedures used to verify mailing addresses, fax numbers, and email addresses should be documented in the auditor’s work papers.

Postscript

On February 11, 2015, Mr. Shepherd was sentenced to 84 months in prison and three years of supervised release. Shepherd pleaded guilty to one count of securities fraud in June 2013.

Modified Audit Opinions: Determining Which is Appropriate

Options include qualified, disclaimer and adverse

You are performing an audit that has a material misstatement, and the client is unwilling to post the proposed audit adjustment. So, you are wondering, “how do I modify the opinion?”

First, let’s take a look at a summary of opinion options, and then we will review sample opinion language.

modified audit opinions

 

Opinion Modification Options

Opinion TypeCircumstance
QualifiedMaterial misstatement is not pervasive
AdverseMaterial misstatements are pervasive
DisclaimerSufficient audit evidence not available; potential material misstatements are pervasive
QualifiedSufficient audit evidence not available; potential material misstatement is not pervasive

Definitions

Before we explore potential opinions, let’s review relevant definitions included in AU-C 705:

Modified opinion. A qualified opinion, an adverse opinion, or a disclaimer of opinion

Pervasive. A term used in the context of misstatements to describe the effects on the financial statements of misstatements or the possible effects on the financial statements of misstatements, if any, that are undetected due to an inability to obtain sufficient appropriate audit evidence [my italics]. Pervasive effects on the financial statements are those that, in the auditor’s professional judgment:

  • are not confined to specific elements, accounts, or items of the financial statements;
  • if so confined, represent or could represent a substantial proportion of the financial statements; or
  • with regard to disclosures, are fundamental to users’ understanding of the financial statements.

Sample Modified Audit Opinions 

1. Qualified Opinion

Suppose your audit reveals inventories are materially misstated, the client will not record your proposed audit adjustment, and there are no other material misstatements. If this is your situation (a material misstatement exists that is not pervasive), then audit standards allow for the issuance of a qualified opinion.

The sample opinion language provided by AU-C 705 is as follows:

Basis for Qualified Opinion

The Company has stated inventories at cost in the accompanying balance sheets. Accounting principles generally accepted in the United States of America require inventories to be stated at the lower of cost or market. If the Company stated inventories at the lower of cost or market, a write-down of $XXX and $XXX would have been required as of December 31, 20X1 and 20X0, respectively. Accordingly, cost of sales would have been increased by $XXX and $XXX, and net income, income taxes, and stockholders’ equity would have been reduced by $XXX, $XXX, and $XXX, and $XXX, $XXX, and $XXX, as of and for the years ended December 31, 20X1 and 20X0, respectively.

Qualified Opinion

In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion paragraph, the financial statements referred to above present fairly, in all material respects, the financial position of ABC Company …

2. Adverse Opinion

Now let’s suppose that you are auditing a consolidated entity, and your client is not willing to include a material subsidiary and which, if included, would have a pervasive impact on the statements.

The sample opinion language provided by AU-C 705 is as follows:

Basis for Adverse Opinion

As described in Note X, the Company has not consolidated the financial statements of subsidiary XYZ Company that it acquired during 20X1 because it has not yet been able to ascertain the fair values of certain of the subsidiary’s material assets and liabilities at the acquisition date. This investment is therefore accounted for on a cost basis by the Company. Under accounting principles generally accepted in the United States of America, the subsidiary should have been consolidated because it is controlled by the Company. Had XYZ Company been consolidated, many elements in the accompanying consolidated financial statements would have been materially affected. The effects on the consolidated financial statements of the failure to consolidate have not been determined.

Adverse Opinion

In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion paragraph, the consolidated financial statements referred to above do not present fairly the financial position of ABC Company and its subsidiaries as of …

3. Disclaimer of Opinion

Finally, let’s suppose you are performing an audit in which insufficient audit information is provided with regard to receivables and inventories (both of which are material) and that the misstatements have a pervasive impact on the financial statements as a whole.

The sample opinion language provided by AU-C 705 is as follows:

Basis for Disclaimer of Opinion

We were not engaged as auditors of the Company until after December 31, 20X1, and, therefore, did not observe the counting of physical inventories at the beginning or end of the year. We were unable to satisfy ourselves by other auditing procedures concerning the inventory held at December 31, 20X1, which is stated in the balance sheet at $XXX. In addition, the introduction of a new computerized accounts receivable system in September 20X1 resulted in numerous misstatements in accounts receivable. As of the date of our audit report, management was still in the process of rectifying the system deficiencies and correcting the misstatements. We were unable to confirm or verify by alternative means accounts receivable included in the balance sheet at a total amount of $XXX at December 31, 20X1. As a result of these matters, we were unable to determine whether any adjustments might have been found necessary in respect of recorded or unrecorded inventories and accounts receivable, and the elements making up the statements of income, changes in stockholders’ equity, and cash flows.

Disclaimer of Opinion

Because of the significance of the matters described in the Basis for Disclaimer of Opinion paragraph, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion. Accordingly, we do not express an opinion on these financial statements.

Resolving Conflict with Clients

If, as described above, you have a client that is unwilling to post a material audit adjustment, consider creating a draft of the opinion and providing it to them. This is not a threat, just a clear way to communicate the effect of not posting the adjustment. 

Before doing anything, allow the client to fully explain their position. There is no profit in upsetting a client with needless talk about a modified opinion, if they are correct (and I am wrong). But after the discussion, if the auditor is still convinced there is a material misstatement, a modified opinion may be necessary.

Research

Deciding on the opinion is often the most important decision you will make in an audit. So, do your research, and, if needed, consult with others to gain assurance about your decisions.