The Why and How of Auditing Payables and Expenses

Here's an overview of common payable and expense risks and how to audit them

Are you auditing payables and expenses? In this post, we’ll answer questions such as, “how should we test accounts payable?” and “should I perform fraud-related expense procedures?” We’ll also take a look at common risks and how to respond to them.

auditing payables and expenses

Picture from AdobeStock.com

Auditing Accounts Payable and Expenses — An Overview

What is a payable? It’s the amount a company owes for services rendered or goods received. Suppose the company you are auditing receives $2,000 in legal services in the last week of December, but the law firm sends the related invoice in January. The company owes $2,000 as of December 31, 2016. The services were provided, but the payment was not made until after the period-end. Consequently, the company records the $2,000 in its year-end payables. 

In determining whether payables exist, I like to ask, “if the company closed down at midnight on the last day of the month, would it have a legal obligation to pay for a service or good?” If the answer is yes, then record the payable—even if the invoice is received after the month-end. Has the service been received by month-end? Have the goods been received by month-end? If yes and the company has not paid for the service or good by month-end, then the company has a payable.

In this post, we will cover the following:

  • Primary accounts payable and expenses assertions
  • Accounts payable and expense walkthroughs
  • Directional risk for accounts payable and expenses
  • Primary risks for accounts payable and expenses
  • Common accounts payable and expenses control deficiencies
  • Risk of material misstatement for accounts payable and expenses
  • Substantive procedures for accounts payable and expenses
  • Typical accounts payable and expense work papers

How a College Aid Official Stole $4.1 Million

Day 28 of 30 Days of Fraud

The Theft

When I was a student at the University of Georgia, I needed every dollar I could find. I ate my share of cheap hamburgers and peanut butter sandwiches. In the summers, I scouted peanuts and cotton to make ends meet. So when I see a college aid official stealing student money, I wince.

Picture is courtesy of AdobeStock.com

Picture is courtesy of AdobeStock.com

A New York college aid administrator used a simple scheme to steal $4.1 million of student aid funds. How? She made out financial aid checks to nonexistent students and then endorsed them over to the name of an alias. The administrator set up a bank account in the name of the alias and deposited the checks into the bank account, allowing her to convert the checks to cash.

How long did the theft go on? Over ten years.

How many fraudulent checks did she issue? Over 1,000, each to a different student.

The Weakness

No one was comparing the checks written to student admission files. Legitimate students have admission and other information that can be used to verify the students’ existence.

The Fix

A person other than the financial aid administrator should compare the student name on the check to student files to verify the existence of the student. If this control can’t be performed for each disbursement, it should be performed on a sample basis, and the persons creating and signing the checks should know their work is being monitored.

This test could be performed by someone in the financial aid office or by an external professional such as a CPA or a Certified Fraud Examiner.

The college can request from the bank the endorsement side of the cleared checks. If the back side of the checks are obtained, then the endorsements could be examined for appropriateness.

Why a Kind Person Steals While Dying

Day 15 in 30 Days of Fraud

The Theft

In one of the stranger frauds I’ve seen, the bookkeeper was stealing money while dying.

steals while dying

The picture is courtesy of AdobeStock.com

I had provided external audit services to this health department for years and knew the bookkeeper (we’ll call her Susan) quite well. She sent me thank you cards – yes, thank you cards – for my audit work. Susan was polite, well spoken, and great at her job. If ever I thought there was someone who would not (and could not) steal, it was her.

But external circumstances can make even the best of people do the unexpected. During the course of the year, Susan developed cancer. The medical treatments resulted in numerous medical bills, many of which were received while she still worked off and on. She died just prior to audit time.

Knowing that Susan had passed away, I knew the audit would be challenging, especially since the health department board had not hired anyone to replace her.

Upon my arrival I requested the bank statements, but the remaining employees could not locate them (not a good sign). I thought maybe she had taken the bank statements home and had not returned with them due to her illness, but that was not the case. After the employees searched for some time with no result, the client requisitioned the bank statements and cleared checks from the bank (this was some twenty years ago, before electronic access).

In reviewing the cleared checks, I quickly noticed round-dollar vendor checks written to Susan. The first one was for $7,000. My first thought was, “Not Susan, I’ve known her too long. No way. ” But then there was another and another…

The Weakness

The weakness was a lack of segregation of duties. Susan did the following:

  • Keyed payables into the general ledger
  • Created checks for signing
  • Had signature authority on the bank account
  • Reconciled the bank statements
  • Created the monthly financial statements

Are you noticing a recurring theme in the 30 Days of Fraud? Yes, a lack of segregation of duties. It’s fundamental. One person cannot be allowed to do everything.

The Fix

Segregate the accounting duties. Most importantly, she should not have been on the bank’s signature card. Additionally, someone else should have been reconciling the bank statement and examining cleared checks. For small organizations, have the bank statements mailed to someone outside the accounting department (e.g., a board member); this person should open the statements and review the cleared checks—then the statements should be routed to accounting.

How Can a Fraudster Write Checks to Himself?

Day 9 of 30 Days of Fraud

The Theft

Randy Toms, an accounting clerk, creates a manual check for $5,200 that is made out to himself and signs it with a signature stamp. (The stamp is used when the mayor is out of town.) Randy enters the transaction into the accounting system–using a journal entry–as a payment to Macon Hardware. The result: The general ledger reflects a payment to Macon Hardware, and the check is made out to Randy. In addition, he codes the disbursement to an account with ample remaining budgetary balance. The subterfuge works since the expense accounts reflects appropriate vendor activity (a check to Macon Hardware) and expenses don’t exceed budget. And oh, by the way, Randy performs the monthly bank reconciliation, so he alone sees the cleared checks.

Given Randy’s success with the first check, he continues the fraud for several years.

This is picture is courtesy of AdobeStock.com

This is picture is courtesy of AdobeStock.com

The Weakness

The following provides the perfect environment for this theft:

  1. The existence of the signature stamp
  2. The clerk posts journal entries without a second-person review (approval)
  3. The clerk reconciles the related bank account (ensuring that no one–other than Randy–sees the cleared checks)

You may be thinking, “Wouldn’t the auditors catch this type of fraud?” Probably not. Auditors seldom select cleared checks and compare them to supporting invoices. (If you’re an auditor, you may want to consider this potential theft in your fraud brainstorming sessions.)

The Fix

The fix includes the following:

  1. Get rid of the signature stamp
  2. Require second party approval of all journal entries
  3. Have someone other than the clerk reconcile the bank account (and review cleared checks)

Some governments or businesses have bank statements mailed to someone outside the accounting department such as the city mayor or business owner. This person opens the bank statement and performs a cursory review of the cleared checks–once done, the bank statement is routed to the accounting department. Since cleared checks are viewed by someone else, there is less of a chance that the accounting staff will write checks to themselves.