How to Create New Accounting Products and Services

Here are steps to ensure the success of your new projects

This is a guest post by Harry Hall, the Project Risk Coach. Harry is a speaker, teacher, and blogger who helps leaders and project managers get results. Harry has managed projects–mainly for insurance companies–for more than 17 years. He also teaches project management courses to CPA firms. Harry lives in Macon, Georgia with his wife Sherri. He can be found on LinkedIn.

Are you wondering how to create new accounting products and services? In this post, I’ll explain how.

how to create new accounting products and services

Imagine an accounting firm (we’ll call it Premier CPAs) that has struggled in recent years. Revenue is down, and the firm has lost several top clients. To make matters worse, the firm recently received a fail report in its peer review.

The partners recently met and were brutally honest with one another. Something has to change.

Premier CPAs has a great team of auditors. However, they are failing to understand their client’s needs, and they are not changing their business model accordingly. Over time, competing CPA firms have created superior products and services.

The partners selected a team to go offsite and develop a strategic plan. The group was challenged to perform an assessment of where the firm is and where it needs to go.

The top strategies identified were to:

  • Implement a more modern auditing software solution
  • Map and re-engineer Premier CPAs’ audit processes
  • Implement a small customer service center

How to Make Your Dreams Come True

Great ideas, but how do we make them a reality? It’s easy to talk about things, but it’s another matter to plan and execute new ideas.

Well, you could do this like many lack-luster firms. Just do the projects willy-nilly. Do it as you have time. Find a few warm bodies who are not busy to do the work. Maybe assign the activities to the IT guy.

Will you get there? Maybe, but how long will it take? How much further will you fall behind your competition?

Take a different approach. Focus on your goals and strategies. Be intentional.

How to Create New Accounting Products and Services

The following steps can put you on a fast track to greater success:

  1. Define your projects. In the initiation of your projects, define them with project charters. Spell out the problems you are attacking, your goals, what you will deliver, the assumptions of the project, the constraints of the project, key stakeholders, top risks, and who will serve on the project team.
  2. Assign project sponsors. Select partners and senior management who will define and cast the vision for the projects. These leaders should have the authority to provide resources and money to complete the projects. While the project team does most of the work, the sponsors are ultimately responsible for ensuring success (and should be held accountable).
  3. Create project teams. One of the most important things you can do for your projects is to staff the teams. Carefully select individuals who have the knowledge and skills to deliver the project in a timely manner. There will likely be some opportunity cost in this equation. You may have to assign some audit personnel to perform the project work.
  4. Kick off projects. Get your project team and key stakeholders together for the project kick-off. The sponsors should share their vision for the project. The individual leading the project (i.e., project manager) should review the project charter, ensuring that everyone understands the project and their roles.
  5. Monitor progress. The project managers should periodically meet with their team members to check the status of the project and to plan their next steps. The project managers report to the sponsors, and in some firms, the sponsors report to senior management and partners. Doing so provides transparency throughout the firm’s leadership.
  6. Celebrate success. Create a robust project culture by celebrating when teams hit milestones or complete projects on time and under budget. Thank your teams.
  7. Perform benefits realization. How do we ensure that the projects produce the desired results? Measure your results at designated times (e.g., six months and twelve months after the completion of each project).

Parting Words…This Is NOT Easy

These steps may require a significant transformation in the firm’s culture. Changing what people believe, their attitudes, and their behavior is the toughest part of creating a productive project culture.

First, leadership is required, not optional. Without a firm hand, people will fall back into old bad habits. The senior leadership team of the firm must consistently communicate their expectations and lead by example. Make sure there is a high level of accountability with appropriate rewards and recognition for high performing teams.

Second, train your teams in project management. At a minimum, identify and train individuals who will serve as project managers. You may want to get a project coach to work with your firm. Many progressive firms require their project managers to get project management certifications.

Lastly, all of these actions must be performed with an eye on your firm’s strategic goals and objectives. Make sure the changes align and support your vision, mission, and goals.

Your best days are ahead!

Wire Transfer Theft: How to Prevent It

How to steal $6.9 million in less than an hour

In one of the easiest thefts I’ve read about, a nonprofit administrative officer wired $6.9 million from an Ohio bank account to another account in Austria. The wire transfer originated with the fax of a letter (which took less than an hour to create). Since the officer was authorized to make wire transfers, no one at the bank questioned the transaction–until it was too late. The fraudster landed in Austria, called his wife and said, “I’m not coming home.” Interestingly, the wife called the police and turned her husband in; he later came back to the states of his own volition (after his wife gave him an earful). He went to jail. I guess, after a few boat rides down the Danube, he missed his family.

Preventing wire transfer theft

Picture from

Wire Transfer Theft is Easy

It’s easy for an accounting clerk (or other authorized company official) to wire funds and to cover their tracks with a journal entry – too easy in many cases. If a company  accountant or official has the ability to (1) wire funds by himself and (2) make journal entries without a second-person review, then the organization has left the fraud door wide open. Such a situation is not uncommon in small businesses, nonprofits and governments.

As you think about wire transfers, consider that they can be originated with a fax, a phone call, a personal visit to the bank, or a computer. Determine how your bank handles wire transfers and craft your internal controls based on those dynamics.

Wire Transfer Internal Controls

Organizations should do the following to mitigate wire transfer fraud:

  1. Require the bank to limit daily wire transfer amounts (e.g., $25,000 per day for each employee)
  2. Require two persons to consummate all wire transfers to external parties (the most important control in my opinion)
  3. If the wire transfer request is by phone or by fax, require the bank to call your organization back before the wire transfer is consummated
  4. The bank should require the use of unique passwords to access wire-transfer software; consider using a bank that provides bank token keys (small hand-held devices that generate unique identification numbers; these numbers are keyed into the bank software as a part of the transfer request)
  5. Restrict the bank accounts from which a wire transfer can be made (the organization may want to limit external wire transfers to just one bank account)
  6. Restrict certain bank accounts so that wire transfers can only be made to other bank accounts of the organization (e.g., transfer from operating bank account to payroll bank account)
  7. Have someone peruse the daily bank account activity (using online access); at a minimum, reconcile bank statements in a timely fashion (large organizations should consider reconciling bank accounts more frequently than once a month; some reconcile daily)
  8. Require sufficient documentation for all wire transfer journal entries; require a second-person review of these journal entries
  9. Consider using a dedicated computer for all wire transfers; do not use this computer for any other purpose (malware is often picked up by computers as they visit Internet websites)
  10. Use all bank-provided wire transfer controls
  11. Any transactions over a certain high dollar amount (e.g., $50,000) must have the approval of the business owner/CEO

Use Fraud Prevention Controls Offered by Banks

Not using controls offered by banks may make your organization liable should funds be stolen by hackers. One company sued its bank when hackers took $440,000 from its bank account with a wire transfer; the judge ruled against the company because it had opted out of control procedures offered by the bank. Also make sure your company uses appropriate firewall and antivirus protection.

Closing Words

If one person can make external wire transfers and journal entries to record those transactions, you have the makings of wire fraud–soon you may see that employee on Facebook, riding down the old Danube.

Video from Gary Zeune

You can see a news video about the nonprofit fraud mentioned above at Gary Zeune’s website: The Pros and The Cons. (If you have not heard Gary speak about fraud, you should do so. He does a great job.)

Assessing Audit Control Risk at High (and Saving Time)

Assessing control risk at high is often an efficiency decision

At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.

So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.

We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).

assess control risk

Picture is from

Assessing Control Risk at High

First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then we can assess control risk (CR) at whatever level we desire (if CR is below high, then controls must be tested to support the lower risk assessment).

The Efficiency Decision

At this point, our assessment of control risk becomes a question of efficiency. We can:

  1. Assess control risk at high and not perform additional tests of controls, or
  2. Assess control risk at low to moderate and test the operating effectiveness of controls

The salient question is, “Which option is most efficient?”

Risk Assessment Procedures

Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. They don’t, however, tell us if the controls are consistently working.

Testing Controls

AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).

A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.

Back to the Efficiency Issue


To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.

If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).

For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.

Reducing Substantive Tests (Without Testing Controls)

Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?


If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)

For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:

 IR         CR         RMM            Audit Approach
Low X High = Moderate              Basic

This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).

In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.

This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.

Why Assessing Control Risk at High is (Often) More Efficient


I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.

What are your thoughts about assessing control risk?

Should You Perform Audit Walkthroughs Annually?

Post 4 - Corroborating your understanding of controls

Audit walkthroughs, sometimes referred to as “cradle to grave” reviews of transaction cycles, are performed for significant transaction cycles and should be performed early in the audit process. The auditor starts at the beginning of a transaction cycle and walks a transaction completely through the accounting system while observing controls. Why? To see if controls exist and are in use–and ultimately, to identify risks.

audit walkthroughs

Picture from

Are Internal Control Walkthroughs Required?

How often is the auditor required to perform a walkthrough?

Answer: Once per year, if this is how you corroborate your understanding of the cycle. Walkthroughs are not required, but you do need to verify your understanding of the accounting system and related controls–and I can think of no better way.

Recently, I was asked, “If a walkthrough is not used, what else can I do?” While questionnaires can be used, there is a risk that key internal controls will be missed. What if the questionnaire doesn’t address a critical piece of the control structure? Walking a transaction through the accounting system and reviewing related controls ensures a full understanding.

AICPA Guidance Concerning Annual Walkthroughs

TIS Section 8200.12, as issued by the AICPA, states the following:

Inquiry—AU section 314 (now AU-C 315) requires the auditor to obtain an understanding of internal control. An auditor might perform walkthroughs to confirm his or her understanding of internal control. If the auditor decides to use walkthroughs to confirm his or her understanding of internal control, how often do walkthroughs need to occur?

Reply—In accordance with AU Section 314 (now AU-C 315), the auditor is required to obtain an understanding of internal control to evaluate the design of controls and to determine whether they have been implemented. To do that, performing a walkthrough would be a good practice. Accordingly, auditors might perform a walkthrough of significant accounting cycles every year [emphasis added].

Controls Documented in Prior Period

In some situations, AU-C section 315 allows the auditor to rely on audit evidence obtained in prior periods. In those situations, the auditor is required to perform audit procedures to establish the continued relevance of the audit evidence obtained in prior periods (for example, by performing a walkthrough). So, an auditor might perform walkthroughs every year to update his or her understanding. (I know the TIS says “might,” but it does appear the AICPA encourages annual walkthroughs.)

Summary Thoughts

Remember, a walkthrough is a risk assessment procedure. As such, it should be performed early in the audit–not as we are finalizing the work paper file. Identify risks and then create audit steps to respond.

Too many auditors see walkthroughs as “something we do because we have to,” rather than as procedures that inform the audit process. That’s why some auditors document walkthroughs at the end of the audit. 

Audits should be performed in the following order:

  1. Identify risk
  2. Assess risk
  3. Create an audit plan
  4. Execute the audit plan
  5. If necessary, revise the risk assessment and audit plan (if new risks are identified during step 4.)

Walkthroughs should be performed in step 1., not after step 4.

See my prior walkthrough posts:

Post 1 – Why Should Auditors Perform Audit Walkthroughs?

Post 2 – How to Identify Risks of Material Misstatements with Audit Walkthroughs

Post 3 – How to Document Audit Walkthroughs

Omission of MD&A from Governmental Financial Statements

Governments can exclude the MD&A from their financial statements

According to AU-C 730, the auditor’s report on the financial statements should include an other-matter paragraph that refers to the required supplementary information (RSI). In governmental financial statements, the management, discussion, and analysis (MD&A) is considered RSI. Though the MD&A is “required” supplementary information, governments can–strangely enough–exclude it from the financial statements.

omission of management, discussion and analysis

Picture from

Omitting the MD&A – Effect on an Audit Opinion

If the required supplementary information is omitted, the auditor should include an other-matter paragraph in the opinion such as the following:

Management has omitted the management, discussion, and analysis that accounting principles generally accepted in the United States of America require to be presented to supplement the basic financial statements. Such missing information, although not a part of the basic financial statements, is required by the Governmental Accounting Standards Board, who considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. Our opinion on the basic financial statements is not affected by this missing information.

Notice the omission of the MD&A does not affect the opinion rendered (in other words, it does not result in a modified report).

RSI Audit Standard

AU-C 730 is the audit standard for required supplementary information. Click here for an overview of the supplementary information audit standards. The former supplementary information standards were SASs 118, 119 and 120; those standards are now–under the Clarity Standards–AU-C sections 720, 725, and 730.

Omitting the MD&A – Effect on a Compilation Report

In compilation reports, the language is as follows:

Management has omitted the management, discussion and analysis that accounting principles generally accepted in the United States of America require to be presented to supplement the basic financial statements. Such missing information, although not a part of the basic financial statements, is required by the Governmental Accounting Standards Board which considers it to be an essential part of financial reporting and for placing the basic financial statements in an appropriate operational, economic, or historical context. 

How to Identify and Manage Audit Stakeholders

Identifying your audit stakeholders can assist in identifying audit risks

This is a guest post by Harry Hall. He is a Project Management Professional (PMP) and a Risk Management Professional (PMI-RMP). He blogs at ProjectRiskCoach. You can also follow Harry on Twitter.

Some auditors perform the same procedures year after year. These individuals know the drill. Their thought is: been there; done that.

Imagine a partner or an in-charge (i.e., project manager) with this attitude. He does little analysis and makes some costly stakeholder mistakes. As the audit team starts the audit, they encounter surprises:

  • Changes in the client stakeholders – accounting personnel and management
  • Changes in accounting systems and reporting
  • Changes in business processes
  • Changes in third-party vendors
  • Changes in the client’s external stakeholders
Identifying audit stakeholders

Picture from

Furthermore, imagine the team returning to your office after the initial work is done. The team has every intention of continuing the audit; however, some members are being pulled for urgent work on a different audit.

These changes create audit risks–both the risk that the team will issue an unmodified opinion when it’s not merited and the risk that engagement profit will diminish. Given these unanticipated factors, the audit will likely take longer and cost more than planned. And here’s another potential wrinkle: Powerful, influential stakeholders may insist on new deliverables late in the project.

So how can you mitigate these risks early in your audit?

Perform a stakeholder analysis.

“Prior Proper Planning Prevents Poor Performance.” – Brian Tracy

The Why and How of Auditing Payables and Expenses

Here's an overview of common payable and expense risks and how to audit them

Are you auditing payables and expenses? In this post, we’ll answer questions such as, “how should we test accounts payable?” and “should I perform fraud-related expense procedures?” We’ll also take a look at common risks and how to respond to them.

auditing payables and expenses

Picture from

Auditing Accounts Payable and Expenses — An Overview

What is a payable? It’s the amount a company owes for services rendered or goods received. Suppose the company you are auditing receives $2,000 in legal services in the last week of December, but the law firm sends the related invoice in January. The company owes $2,000 as of December 31, 2016. The services were provided, but the payment was not made until after the period-end. Consequently, the company records the $2,000 in its year-end payables. 

In determining whether payables exist, I like to ask, “if the company closed down at midnight on the last day of the month, would it have a legal obligation to pay for a service or good?” If the answer is yes, then record the payable—even if the invoice is received after the month-end. Has the service been received by month-end? Have the goods been received by month-end? If yes and the company has not paid for the service or good by month-end, then the company has a payable.

In this post, we will cover the following:

  • Primary accounts payable and expenses assertions
  • Accounts payable and expense walkthroughs
  • Directional risk for accounts payable and expenses
  • Primary risks for accounts payable and expenses
  • Common accounts payable and expenses control deficiencies
  • Risk of material misstatement for accounts payable and expenses
  • Substantive procedures for accounts payable and expenses
  • Typical accounts payable and expense work papers

The Little Book of Local Government Fraud Prevention

Whether your government is small or large, this book provides guidance in reducing theft

Do you desire to fight fraud in governments? Or maybe you are just curious about how fraudsters get away with their wily schemes. See my book The Little Book of Local Government Fraud Prevention. You can purchase it on Amazon as a paperback. Also, the ebook is available as a Kindle download.

Local Government Fraud Prevention

Fraud occurs in local governments in a multitude of ways, yet many cities, counties, school systems, authorities, and other public entities are ill-prepared to prevent or detect its occurrence. Why is this so? Some governments place too much reliance on annual audits as a cure-all, but clean audit opinions don’t mean that fraud is not occurring. And some governments fail to understand how vulnerable they are–until it’s too late.

Why is local government fraud so common? Many small governments don’t have a sufficient number of employees to segregate accounting duties. It is also these smaller governments that place too much trust in their accounting personnel. This combination of a lack of segregation of duties and too much trust in key employees often leads to significant losses from theft.

The Little Book of Local Government Fraud Prevention provides several real-life stories of fraud. The stories will inform you about how local government employees steal. Then I provide you with prevention techniques to assist you in mitigating fraud risks. In one story, for example, the book shows how a single municipal employee stole over $53 million dollars, all from a city of just 16,000 citizens.

If you audit governments, you will find this book helpful in pinpointing common areas where governmental fraud occurs. The book also includes fraud audit checklists and fraud detection procedures. Whether you are an internal or external auditor, you will find fresh ideas for prevention and detection.

The Little Book of Local Government Fraud Prevention will assist you if you are a:

1. Local government accounting employee
2. Local government elected official
3. Local government auditor
4. Local government attorney
5. Certified Public Accountant
6. Certified Fraud Examiner

Even if you don’t work with governments, you’ll find this book useful. I provide fraud prevention steps for transaction cycles such as billing and collections, payables and expenses, payroll, and capital assets.

Together we can bring down the risk of fraud and corruption in our local governments. Come join the team. We’ll all be better for it.

If you don’t desire to spend money on the book, here’s a free list of controls.

Supplementary Information Audit Opinion

You can report on supplementary information in an audit opinion or as a separate report

Are you looking for a supplementary information audit opinion example? Well, here it is.

supplementary information audit opinion

Picture from

Two Options for Reporting

You can opine on supplementary information in two ways:

  1. In the financial statement opinion or
  2. In a separate opinion that addresses just the supplementary information

Below you will see sample wording for both options.

The Why and How of Auditing Property

Here's an overview of how to audit property

Are you wondering about how to audit property?

Today, we’ll answer questions such as, “how should we test additions and retirements of property?” and “what should we do in regard to fair value impairments?” 

how to audit property

Picture is from

Auditing Property — An Overview

Property is sometimes referred to as plant, property, and equipment or capital assets. In this post, I’ll use the word “property.”

We will cover the following:

  • Primary property assertions
  • Property walkthroughs
  • Directional risk for property
  • Primary risks for property
  • Common property control deficiencies
  • Risk of material misstatement for property
  • Substantive procedures for property
  • Common property work papers