Feb 01

Client Acceptance: How to Do It Right

Client acceptance and continuance may be the most critical step in an audit, but it’s one that gets little attention. A prospective client calls saying, “Can you audit my company?” and we respond, “sure.” While new business can be a good thing, relationships need appropriate vetting. Not doing so can lead to significant (and sometimes disastrous) consequences.

New Relationships

My daughter recently met a young man on Instagram. Not unusual these days. But now the relationship is entering into its third month. They talk every day for two or three hours. So far, they have not been in the same room—and not even in the same city. Skype, yes. Physical presence, no. That’s happening at the end of this month. (He lives eight hours away.)

So what do Mom and Dad think about all of this? Well, it’s fine. My wife checked him out on Facebook (I know you’ve never done this). And my daughter has told us all about the “fella” and his family. We like what we’re hearing. He has similar beliefs. He has a job (Yay!), and he has graduated from college. His family background is like ours.

Why do we want to know all the details about the young man? Because relationships impact people—my daughter, the young man, his family members, and yes, my wife and I. We want everyone to be happy.

Client Acceptance

And that’s what good relationships create. Happiness. The same is true with clients. As Steven Covey said, “think win, win.” When the customer wins, and your CPA firm wins, everyone is happy. Mutual needs are met.

Careless CPAs accept business with only one consideration: Can I get paid?

While getting paid is important, other factors are also critical.

Before accepting an audit engagement consider:

Are they ethical?
Are you independent?
Do you have the technical ability to serve them?
Do you the capacity to serve them?

Are They Ethical?

I want my daughter to marry a guy with beliefs that correspond with who she is. Is he honest? Would he steal? Is he transparent? Who are his associates? What do others think of him?

We ask similar questions about accepting a new client. Audit standards require us to consider whether the prospective client has integrity. If the company is not morally straight, then there’s no need to move forward. Ethics is a key to client acceptance.

(The predecessor auditor can provide information about their interactions with the company. Audit standards require contact with the predecessor auditor prior to acceptance. This is an initial year consideration.)

Are You Independent?

Independence is another key to client acceptance. And the time to determine your firm’s independence is the beginning—not at the conclusion of the audit.

Consider what happens—during a peer review—when a firm is not independent, and it has issued an audit opinion. The original audit report will be recalled, and I’ll bet the company asks for and receives a full refund of your audit fee. Now, the company needs to be re-audited. (Oh, and there’s that impact on the peer review report.)

Pay attention to requested nonattest services—such as preparation of financial statements. If the client has no one with sufficient skill, knowledge, and experience to accept responsibility for such services, you may not be independent. See the AICPA’s Plain English Guide to Independence for more information. (You can see additional help-aids in my list of online resources for CPAs. )

Do You Have the Technical Ability to Serve Them?

If you can pick up a client in an industry in which you have no experience, should you? Possibly, but it depends on whether you can appropriately understand the client and their industry before you conduct the engagement. Some new customers may not be complicated. In those cases, CPE may get you into position to provide the audit.

But what if the potential engagement involves a highly sophisticated industry and related accounting standards for which you are ill-equipped? It may be better to let the engagement go and refer it to an audit firm that has the requisite knowledge. Or maybe you can partner with the other firm.

Do You Have the Capacity to Serve Them?

A prospective client calls saying, “Can you audit my company? We have a December 31 year-end, and we need the audit report by March 31.” After some discussion, I think the fee will be around $75,000. But my staff is already working sixty hours a week during this time of the year. Should I take the engagement?

My answer would be no unless I can create the capacity. How? I can hire additional personnel or maybe I can contract with another firm to assist. If I can’t build additional capacity, then I may let the opportunity pass.

Far too many firms accept work without sufficient capacity. When this happens, corners are cut, and staff members and partners suffer. Stuffing—even more—work into a stressful time of the year is not (always) a wise thing. We lose staff. And if the engagement is deficient, peer review results may take a hit.

When you don’t have the capacity to accept new good clients, consider whether you should discontinue service to existing bad customers.

The Continuance Decision

Quality controls standards call for CPAs to not only develop acceptance procedures, but we are to create continuance protocols as well.

I previously said CPAs often don’t give proper attention to acceptance procedures. So, how about continuance decisions? Even worse.

Each year, we should ask, “If this was a new client opportunity, would I accept them?” If the answer is no, then why do we continue serving them?

Here are a few questions to ponder:

Has the client paid their prior year fees?
Am I still independent (consider the new Hosting Services interpretation)?
Does the client demand more from me than the fee merits?
Do I enjoy working with this client?
Is the client’s financial condition creating additional risks for my firm?
Is the client acting ethically?

Each year, well before the audit starts, ask these questions.

And then consider, is the bottom 10% of my book of business keeping me from accepting better clients? My experience has been that when I have the capacity, new business appears. When capacity is lacking, I don’t. The decision to hold on to bad clients is a decision to close the door to better clients. Don’t be afraid to let go.

Risk Assessment Starts Now

When should we start thinking about risk assessment? Now.

Whether you are going through the initial acceptance procedures or you are making your continuance decision, start thinking about risk assessment now. Assuming you accept the client, you’ll be a step ahead as you begin to develop your audit plan. Ask questions such as:

How is your cash flow?
Do you have any debt with covenants?
Who receives the financial statements?
Has the company experienced any fraud losses?
How experienced is management?
Why are you changing auditors?

Keep these notes for future reference and audit planning.

The Strangest Audit Ever

As I close this post, I thought I’d share an old war story. One where I did not perform client acceptance correctly. You’ll find this story hard to believe. But it’s true.

Dec 24

Single Audit Overview: In Five Minutes

By Charles Hall | Accounting and Auditing , Single Audit

Here’s a Single Audit overview in five minutes. This video provides an overview of what a Single Audit is and what an auditor does in performing such an engagement.

Single Audit Overview

First, understand that some entities receive multiple federal grants. Rather than performing an audit of each individual, the Uniform Guidance allows one audit (a Single Audit) based on risk. So, if a city receives seven federal grants in one year, an auditor can perform a single audit that addresses the riskier programs. The video explains how the auditor determines major programs, the riskier grants of the seven received. Those are the ones that will be audited.

The applicability of the Single Audit to a grantee is based on the entity’s federal expenditures. Audit the entity using the Uniform Guidance when more than $750,000 in federal funds are expended.

Compliance Supplement

In the video, I also explain how auditors use the Compliance Supplement to audit federal programs. The Compliance Supplement provides a summary of the applicable compliance provisions for federal grants. You can locate a particular grant by searching the Compliance Supplement by its federal assistance listing number. For example, 14.321 is HUD’s Emergency Systems Grant Program.

Single Audit Compliance Areas

Potential compliance areas for federal programs include:

Allowability
Eligibility
Procurement
Special Reporting
Sub-recipient monitoring
And more

Auditors choose the compliance areas that are direct and material, those that are most important. These areas are audited for each major program.

Single Audit Reports

Additionally, Single Audit reports are created by the auditor to communicate the results of the audit. That way, financial statement readers can see if the grantee (e.g., city) used the grant funds appropriately and whether the entity had proper internal controls. The auditor opines upon the major program grant compliance. If noncompliance is present or if related internal controls were not in use, the auditor reports the noncompliance or deficiencies in the Single Audit report.

Moreover, Single Audit reports include a schedule of expenditures of federal awards (SEFA). The SEFA includes a listing of expended federal awards.

Federal Audit Clearinghouse

Finally, the Single Audit report is filed with the federal audit clearinghouse once completed. The report is publicly available, so anyone can see the results of the audit.

Watch the video for the Single Audit overview in five minutes.

Dec 18

Test of Controls: When is It Required?

By Charles Hall | Auditing

Most auditors don’t perform a test of controls? But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required.

Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:

Test of details
Substantive analytics
Test of controls

This article focuses on the third option.

Below you will see:

The Right Response
Not Testing Controls (including video about the same)
The Decision Regarding Testing
How to Test Controls
Required Tests
Which Controls to Test
Three-year Rotation of Testing
Interim or Period-End Testing

The Right Response

Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.

If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).

By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)

Not Testing Controls

Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high.

Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time.

The Decision Regarding Testing

But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.

Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures takes less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.

How to Test Controls

Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.

Risk Assessment

Your approach to testing controls depends on risk.

For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use.

Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.

Test Supports Effectiveness

Now it’s time to test for effectiveness.

Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)

The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty.

The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed.

The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person that reconciled the bank statement was not involved in cash collections.

Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment.

And what about substantive tests?

You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.

Test Doesn’t Support Effectiveness

If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance.

So, when should you test controls? First let’s look at required tests and then optional ones.

Required Audit Tests of Controls

Here are two situations where you must test controls:

When there is a significant risk and you are placing reliance on controls related to that risk
When substantive procedures don’t properly address a risk of material misstatement

Let me explain.

Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually.

Also a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test of controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement. So this test requirement is usually not relevant.

Optional Audit Test of Controls

We just covered the two situations when testing is required. All other control testing is optional.

Prior to making the decision about testing, consider the following:

Do you anticipate effectiveness? There’s no need to test an ineffective control.
Does the control relate to an assertion for which you desire a lower control risk?
Will it take less time to test the control than to perform a substantive procedure? Sometimes you may not know the answer to this question until you perform the test of controls. If the initial test does not prove effectiveness, then you have to expand your sample or just punt—in other words, use a fully substantive approach.
Will you use the control testing in conjunction with a test of details or substantive analytics? How would effective controls reduce these substantive tests? In other words, how much substantive testing time would you save if the control is effective?
Is the control evidence physical or electronic? For example, are the entity’s receipts in a physical receipt book or in a computer? It’s usually easier to test electronic evidence.
How large will your sample size be? Some controls occur once a month. Others, thousands of times in the period. The larger the population, the larger the sample. And, of course, the larger the sample size, the more time it will take to perform the test.
Can you test the population as a whole without sampling? Data analytics software—in some instances—can be used to test the entire population. For example, if a purchase order is required for all payments above $5,000, it might be easy to compare all payments above the threshold to purchase orders, assuming the purchase orders are electronic.

Three-Year Rotation of Testing

As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.

In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review of the purchase order process each year in your annual walkthroughs.

So should you test controls at interim or after year-end?

Interim or Period-End Testing

Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?

It depends.

Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective.

Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.

If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.

So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).

Conclusion

As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.

Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytical Procedures: Power Up.

Dec 13

Auditing Payroll: A Step by Step Guide

By Charles Hall | Auditing

Auditing payroll is a critical skill. Today I explain how.

While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.

Auditing Payroll – An Overview

Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.

To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.

First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.

Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).

Third, human resources assists the new-hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance.

Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used).

Fifth, employees clock in and out so that time can be recorded.

Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time.

Seventh, a second person (e.g., payroll supervisor) approves the overall payroll.

Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy).

In this article, we will cover the following:

Primary payroll assertions
Payroll walkthroughs
Payroll fraud
Payroll mistakes
Directional risk for payroll
Primary risks for payroll
Common payroll control deficiencies
Risk of material misstatement for payroll
Substantive procedures for payroll
Common payroll work papers

Primary Payroll Assertions

The primary relevant payroll assertions are:

Completeness
Cutoff
Occurrence

I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.

Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.

Payroll Walkthroughs

Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:

Does the company have a separate payroll bank account?
How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
Who has the authority to hire and fire employees?
What paperwork is required for a new employee? For a terminated employee?
Is payroll budgeted?
Who monitors the budget to actual reports? How often?
Who controls payroll check stock? Where is it stored? Is it secure?
If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
Do larger salary payments require multiple approvals?
Who approves overtime payments?
Who monitors compliance with payroll laws and regulations?
Who processes payroll and how?
Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
How are payroll tax payments made? How often? Who makes them?
Who creates the year-end payroll tax documents (e.g., W-2s) and how?
What controls ensure the recording of payroll in the appropriate period?
Are the following duties assigned to different persons:
- Approval of each payroll,
- Processing and recording payroll,
- The reconciliation of related bank statements
- Possession of processed payroll checks
- Ability to enter or change employee bank account numbers
- Ability to add employees to the payroll system or to remove them
Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
Who approves salary rates and how?
Who reconciles the payroll bank statements and how often?
Who approves bonuses?
What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
Who reconciles the payroll withholding accounts and how often?
Are any salaries capitalized rather than expensed? If yes, how and why?
Are surprise payroll audits performed? If yes, by whom?
Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?

Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.

As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”

Payroll Fraud

When payroll fraud occurs, understatements or overstatements of payroll expense may exist.

If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.

On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.

Payroll Mistakes

Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements.

Directional Risk for Payroll

The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur.

Primary Risks for Payroll

The primary payroll risks include:

Payroll is intentionally understated
Inappropriate parties receive payments
Employees receive duplicate payments

As you think about these risks, consider the control deficiencies that allow payroll misstatements.

Common Payroll Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

One person performs two or more of the following:
- Approves payroll payments to employees,
- Enters time or salary rates in the payroll system,
- Issues payroll checks or makes direct deposit payments,
- Adds or removes employees from the payroll system
- Reconciles the payroll bank account
No one reviews and approves recorded time
No one reviews and approves payroll before processing
No one performs surprise audits of payroll
Appropriate procedures for adding and removing employees are not present
No one reviews the removal of terminated employees from payroll
No one compares payroll expenses to a budget

(Here are suggestions to make your payroll controls stronger.)

Another key to auditing payroll is understanding the risks of material misstatement.

Risk of Material Misstatement for Payroll

In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.

Additionally, consider theft which can occur in numerous ways, such as duplicate payments or ghost employees.

In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice.

Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee).

Once your payroll risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Auditing Payroll

My customary tests for auditing payroll are as follows:

Reconcile 941s to payroll
Recompute accrued payroll liability (amount recorded at period-end)
Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
Compare payroll expenses (including benefits) to budget and examine any unexplained variances
When control weaknesses are present, design and perform procedures to address the related risks
Compare accrued vacation to prior periods and current payroll activity

In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?

Common Payroll Work Papers

My payroll work papers normally include the following:

An understanding of payroll-related internal controls
Risk assessment of payroll at the assertion level
Documentation of any payroll control deficiencies
Payroll audit program
Accrued salaries detail at period-end
A summary of any significant payroll withholding accounts with supporting information
A detail of vacation payable (if material) with comparisons to prior periods
Budget to actual payroll reports
A reconciliation of payroll in the general ledger to quarterly 941s
Fraud-related payroll work papers (when needed)

In Summary

In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.

See my book on Amazon: The Why and How of Auditing.

Dec 07

Extended Audit Procedures: When Segregation of Duties is Absent

By Charles Hall | Accounting and Auditing

Should an auditor perform extended audit procedures when there is no segregation of duties? Or are basic procedures sufficient?

No Segregation of Duties

A few months ago, I was talking to a CPA about audit procedures where a client had only one person performing accounting duties. In other words, there was no segregation of duties, and no one reviewed the activity. Regarding cash, the CPA said basic procedures would be sufficient. In other words, test the bank reconciliation and tie the book balance back to the trial balance, and you’re done.I said, “What if the bookkeeper stole $100,000 before it was deposited? Would a test of the bank reconciliation detect the theft?” But he insisted that basic procedures were appropriate. Why? Because the entity was small.The size of the entity does not matter. The risks do.

Extended Procedures

When segregation of duties is lacking, especially if severe (e.g., one person does everything), extended procedures such as fraud detection steps are warranted. In the example above, the auditor should test receipts and disbursements.Balance sheet audit steps (like testing a bank reconciliation) will usually not detect theft of funds. Cash, receivables, and payables can still reconcile to the trial balance–but the stolen funds are gone.

Responsibility for Fraud Detection

Through the years, I’ve heard CPAs say, “I’m not responsible for fraud.” They incorrectly believe they don’t have to look for fraud.

That idea died in 2002 with the issuance of SAS 99, Consideration of Fraud in a Financial Statement audit. Yes, it’s been a while. The auditor is responsible for the detection of material fraud.

So, the auditor should plan to detect fraud if risk assessment calls for it. In the above situation, where there is no segregation of duties, the walkthroughs of cash receipts and disbursements would reveal high risks of material misstatement.

Additionally, if the entity receives a significant amount of cash (currency, not checks), the risk is even higher.

And how many ways can theft occur through disbursements? There are many.

Let’s consider revenue and expense cycle tests that you might use when segregation of duties is lacking.

Extended Procedures – Revenue Cycle

So, how does an auditor know what extended procedures might be appropriate?

First, review the revenue cycle processes and controls with a walkthrough. Consider the related risks of material misstatement, and plan your tests.

Nonprofit Example

For example, if you are auditing a nonprofit that receives contributions through the mail, review the processes and controls. Here are example questions:

Who opens the mail?
Is a second person present when the mail is opened?
Is a list of daily receipts created and signed by the two persons opening the mail?
Does a video camera record those opening the mail?
Are daily deposits reconciled to the daily cash receipts log?
Are contributions tracked in a contributions software package? If yes, does someone other than those who opened the mail enter the amounts received?
Do persons opening the mail (those with access to checks) reconcile the related bank account?
Are daily deposits made?
Who takes the daily cash receipts to the bank for deposit?
Are acknowledgment letters mailed to contributors? Are those reconciled to the daily receipts log and contributions software by someone who did not initially open the mail?

I could go on, but these are the types of questions to ask before deciding whether extended audit procedures are required and, if they are, what those might be.

What extended audit procedures might the auditor perform in this situation?

Receipt Tests

Testing in the nonprofit environment described above is challenging, especially if currency is received in the mail. Even so, here are some extended procedures that one might perform:

On a sample basis, reconcile the daily receipts log to the contributions software entries.
On a sample basis, reconcile the daily receipts log to the daily deposits. Agree the bank deposit receipt to the total daily bank deposit.
On a sample basis, compare the daily receipts log to the donor acknowledgment letter (you may need to review the contribution software entries if multiple payments are received).

You could perform other tests, but these provide you with some examples for this entity.

For companies that bill and receive payment, it’s easier to design revenue cycle tests–and those tests will be different than the nonprofit examples. You can, for example, compare amounts billed with collections and review receivable write-offs for appropriateness.

But what about expense tests?

Extended Procedures – Expense Cycle

There are many ways to steal funds through the expense cycle, so I will provide a few examples. Again, understand the processes and controls walkthrough. Assess your risk and create your responses.

Here are example questions for a nonprofit:

Who can add vendors to the payables software?
Are new vendors reviewed for existence (to ensure the entity exists)? Who performs this review and how?
Who can authorize a payment, and how?
Who can sign checks or disburse funds in other ways (e.g., electronic payment)?
Who enters invoices in the payables software?
Who has logical access (as provided by I.T.) to the payables module?
Who reconciles the bank account used for vendor payments?
Is a budget-to-actual report provided to management?

Again, these are example questions. There are many more that you can ask.

Expense Tests

Once you understand the payables process, consider where fraud might occur. For example, if someone can sign checks, add vendors, and enter invoice amounts, theft could happen. Then you might perform extended audit procedures such as the following:

On a sample basis, review cleared checks for appropriateness by inspecting the payees and comparing those to the descriptions in the general ledger
On a sample basis, compare cleared checks to invoices
Review new vendors with someone outside of the payables department who is familiar with vendors used by the company

As you can see, context (the processes and controls) aids in designing the control tests.

Summary

Test revenue and expense cycles when there is a lack of segregation of duties. You’ll know if the accounting system has this control weakness from your walkthroughs of the revenue and expense cycles. Once you understand those dynamics, you can assess the risks of material misstatement and plan your extended audit tests, such as those listed above.

« Previous 1 2 3 4 … 27 Next »

Category Archives for "Accounting and Auditing"