Elements of Unpredictability in Financial Statement Audits

Audit standards require elements of unpredictability

The audit standards require elements of unpredictability. Why? So clients can’t guess what the auditor is going to do. Clients naturally observe and learn what auditors normally do. The client’s knowledge of what is audited (and what is not) makes it easier to steal–simply take from unaudited places. This knowledge also enables the company to manipulate numbers–do so in unaudited balances.

The purpose of the unpredictable element is to create uncertainty–in the client’s mind–about what we will audit.


Elements of Unpredictability – The Audit Standards

AU-C 240.29 states the following:

In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor should…incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.

AU-C 240.A42 states:

Incorporating an element of unpredictability in the selection of the nature, timing, and extent of audit procedures to be performed is important because individuals within the entity who are familiar with the audit procedures normally performed on engagements may be better able to conceal fraudulent financial reporting. This can be achieved by, for example,

  • performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk.
  • adjusting the timing of audit procedures from that otherwise expected.
  • using different sampling methods.
  • performing audit procedures at different locations or at locations on an unannounced basis.

Examples of Unpredictable Audit Procedures

To introduce elements of unpredictability, perform procedures such as these:

  • Examine payments less than your normal threshold in your search for unrecorded liabilities (e.g., in the last three years your threshold was $7,000; this year, it’s $3,000)
  • Perform a surprise unannounced review of teller cash (for a bank client)
  • Make a physical visit to the inventory location one month after the end of the year and review inventory records (assuming you don’t normally do so)
  • Review payroll salary authorization sheets for ten employees and agree to amounts in the payroll master table (in the payroll software)
  • Test a bank reconciliation for the seventh month in the year being audited (in addition to the year-end bank reconciliation)
  • Confirm an immaterial bank account that you haven’t confirmed in the past
  • Pick ten vendors at random and perform procedures to verify their existence (as a test for fictitious vendors)

Document Your Unpredictable Test

Since unpredictable tests are required in every audit, document where you performed this procedure. Reference your audit program step for unpredictable tests to the work performed. Title your work paper, “Unpredictable Test,” and then add a purpose statement such as, “Purpose: To confirm the immaterial bank account with ABC Bank as an unpredictable test.” Doing so will eliminate the potential for a peer reviewer to say, “that’s a normal procedure.” You are overtly stating the purpose of the test is to satisfy the unpredictable test requirement.

Change Your Unpredictable Tests Annually

Change your unpredictable tests annually. Otherwise, they will–over time–become predictable.

Ten Most Popular CPA Scribo Blog Posts for 2016

10 most shared posts during 2016

Well, 2016 is in the books for CPA Scribo.

Here are the top ten 2016 posts (starting with number 10 and moving to number 1)–based on your social shares.


Top 10 CPA Scribo Posts

 

10. Assessing Audit Control Risk at High (and Saving Time)

9. Getting More Done with My Favorite Accountant’s Device

8. How Honest People Steal

7. A List of Online Resources for CPAs

6. How to Add Value to Audits

5. How to Steal by Double Paying a Vendor

4. 25 Ways Fraud Happens

3. How $16 Million was Stolen from a Bakery

2. Seven Deadly Audit Sins

and drum roll…..

1. Why Should Auditors Perform Audit Walkthroughs

Your Ideas for 2017

If you have an accounting or auditing idea that you’d like for me to address in 2017, please let me know–post a comment. Thanks.

Have You Checked Out “The Pros and The Cons” Web Site?

Gary Zeune offers interesting perspectives on white collar crime

If you’ve never seen The Pros and The Cons website, you should. My friend, Gary Zeune, provides fraud prevention information from the perspective of white collar prevention specialists–and from the dark side (those who steal).


Understanding how fraudsters think and act may be your greatest asset in stopping theft.

Gary provides fraud prevention articles, books, and videos on his website. He has a wealth of knowledge and a strong network of Pros and Cons working with him. If you haven’t heard Gary speak, seek out the opportunity to do so. You can contact Gary at gzfraud@TheProsAndTheCons.com. He and Dennis Dycus (who also works with Gary) are two of my favorite white collar crime speakers.

Gary provides online CPE classes, so if you need some interesting fraud prevention classes here at year-end, check his website out here.

Fraud Risk Assessments: How to Perform

A new fraud brainstorming idea guaranteed to generate better results

Do your fraud brainstorming sessions lack vigor? In this video, I provide an idea that will liven up your discussions and result in better identification of potential thefts. I also discuss auditors’ responsibilities with regard to fraud and–as you perform risk assessments–ways to score points with your clients.

To see my previous (written) post about how to perform fraud risk assessments, click here.

Circumventing Approval Requirements by Splitting Payments

Day 20 in 30 Days of Fraud

The Theft

The maintenance supervisor, Billy, wants to make multiple payments to a vendor (owned by a friend of his) for $9,900 each. They are questionable payments, so Billy wants to avoid any (unneeded) scrutiny. He knows that all payments over $5,000 require a physical signature (and review by the finance director)–all checks below $5,000 are signed by the computer. What’s a boy to do? Well, Billy can split the transaction–two checks for $4,950 each. That will work.


So, Billy tries the scheme, and it works—again and again. Billy’s friend rewards him with a free trip to his favorite hunting destination.

The Weakness

No one is querying the check register for payments just below the threshold. Also, no one is requiring bids.

The Fix

Download the check register into Excel (or any database package). Then, sort the payments and look for repeated payments–just below the threshold of $5,000–to the same vendor.
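The check-register query described above, as an added Python example (not part of the original post). The register rows, the 10% "just below" band and the 7-day window are constructed assumptions; the example also goes one step further than the post and flags same-vendor checks that are each under the threshold but together exceed it.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

THRESHOLD = Decimal("5000")   # checks over this need a physical signature (from the post)
NEAR_BAND = Decimal("0.10")   # assumption: "just below" means within 10% of the threshold
WINDOW_DAYS = 7               # assumption: split checks are issued within a week

# Constructed sample register: (check_no, check_date, vendor, amount)
REGISTER = [
    (1001, date(2016, 3, 1), "Acme Maintenance", Decimal("4950.00")),
    (1002, date(2016, 3, 1), "Acme Maintenance", Decimal("4950.00")),
    (1003, date(2016, 3, 4), "City Power", Decimal("6200.00")),
    (1010, date(2016, 4, 12), "Acme Maintenance", Decimal("4950.00")),
    (1011, date(2016, 4, 13), "Acme Maintenance", Decimal("4950.00")),
    (1015, date(2016, 4, 20), "Office Supply Co", Decimal("312.40")),
    (1020, date(2016, 5, 2), "Office Supply Co", Decimal("4800.00")),
    (1025, date(2016, 6, 1), "Lawn Care LLC", Decimal("2600.00")),
    (1026, date(2016, 6, 3), "Lawn Care LLC", Decimal("2700.00")),
]


def _runs(checks):
    """Group date-sorted checks into runs dated within WINDOW_DAYS of the run's first check."""
    run = []
    for chk in checks:
        if run and (chk[1] - run[0][1]).days > WINDOW_DAYS:
            yield run
            run = []
        run.append(chk)
    if run:
        yield run


def find_split_payments(register):
    """Return {vendor: findings} for vendors whose checks look like split payments."""
    by_vendor = defaultdict(list)
    for chk in register:
        if chk[3] < THRESHOLD:  # only computer-signed checks escape manual review
            by_vendor[chk[2]].append(chk)

    floor = THRESHOLD * (1 - NEAR_BAND)
    findings = {}
    for vendor, checks in by_vendor.items():
        checks.sort(key=lambda c: (c[1], c[0]))
        # Signal 1: repeated payments just below the threshold
        near = [c[0] for c in checks if c[3] >= floor]
        # Signal 2: checks close in time that together exceed the threshold
        splits = []
        for run in _runs(checks):
            total = sum(c[3] for c in run)
            if len(run) >= 2 and total > THRESHOLD:
                splits.append(([c[0] for c in run], total))
        if len(near) >= 2 or splits:
            findings[vendor] = {"near_threshold": near, "splits": splits}
    return findings


if __name__ == "__main__":
    for vendor, f in find_split_payments(REGISTER).items():
        print(vendor, f)
```
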

Require bids for large expenses; the bids should be retained as support for the payments.

Learning tip: The hunting trip is referred to as a gratuity rather than a bribe. Why? Bribes are defined as inducement payments made before the purchase decision; gratuities (a free trip in this example) come after the vendor payments are made. The purpose of the gratuity is to reward the complicit person (Billy). Then, in the future, Billy knows the drill and expects more free trips after he helps his friend.

How to Steal Money with Altered Check Payees

This simple fraud occurs all too often

Some fraudsters steal money with altered checks.

As a kid I once threw a match in a half-gallon of gasoline – just to see what would happen. I found out. Quickly. In a panic, I kicked the gas container–a plastic milk jug–several times, thinking this would somehow put the fire out. But just the opposite occurred, and when my father found out? Something else was on fire.


Some accounting weaknesses create unintended consequences. Show me an accounting clerk who (1) can sign checks (whether by hand, with a signature stamp, or with a computer-generated signature), (2) posts transactions to the accounting system, and (3) reconciles the bank statements, and I will show you another combustible situation. Here’s how one city clerk created her own blaze.

Altered Check Example

Using the city’s signature stamp, the clerk signed handwritten checks made out to herself; however, when the payee name was entered into the general ledger (with a journal entry), another name was used – usually that of a legitimate vendor.

For example, Susie, the clerk, created manual checks made out to herself and signed them with the signature stamp. But the check payee was entered into the accounting system as Macon Hardware (for example). Also, she allocated the disbursements to accounts with sufficient remaining budgetary balances. The subterfuge worked as the expense accounts reflected appropriate vendor activity and expenses stayed within the budgetary appropriations. No red flags.


The accounting clerk, when confronted with evidence of her deception, responded, “I don’t know why I did it, I didn’t need the money.” We do a disservice to accounting employees when we make it so easy to steal. Given human nature, we should do what we can to limit the temptation.

How?

Controls to Lessen Check Fraud

First, if possible, segregate the disbursement duties so that a different person performs each of the following:

• Creating checks
• Signing checks
• Reconciling bank statements
• Entering checks into the general ledger

If you can’t segregate duties, have someone (the Mayor, a non-accounting employee, or an outside CPA) review cleared checks for appropriateness.

Secondly, have a second person approve all journal entries. False journal entries can be used to hide theft. With sleight of hand, the city clerk made improper journal entries such as:

                        Dr.          Cr.
Supply Expense          $5,234
Cash                                 $5,234

The check was made out to Susie, but the transaction was, in this example, coded as a supply expense paid to Macon Hardware. You can lessen the risk of fraud by preventing improper journal entries.

Thirdly, limit who has access to check stock. It’s usually wise to keep blank check stock locked up until needed.

Finally, limit who can sign checks, and deep-six the signature stamp.

A word to external auditors looking for a fraud test idea (or those just looking for check fraud): Consider testing a random sample of cleared checks by agreeing them to related invoices. Work from the cleared check to the invoice. It is best for the auditor to pull the invoices from the invoice file; if you ask someone in accounting to pull the invoices, that person might create fictitious invoices to support your list (not hard to do these days). If the payee has been altered, you will, in many cases, not find a corresponding invoice. Pay particular attention to checks with payees that are company employees.
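The cleared-check test described above, as an added Python example (not part of the original post). All data is constructed, and matching an invoice on payee name plus amount is a simplifying assumption; the ledger comparison is added because the scheme in this post recorded a different payee in the general ledger than appeared on the check.

```python
import random
from collections import Counter
from decimal import Decimal

# Constructed data. Payee is the name on the cleared check itself (bank image),
# not the name recorded in the accounting system.
CLEARED_CHECKS = [
    (2001, "Macon Hardware", Decimal("1250.00")),
    (2002, "Susie", Decimal("5234.00")),
    (2003, "Georgia Paper Co", Decimal("310.75")),
    (2004, "MACON HARDWARE", Decimal("1250.00")),
]
# Invoices the auditor pulled personally from the invoice file: (vendor, amount)
INVOICES = [
    ("Macon Hardware", Decimal("1250.00")),
    ("Georgia Paper Co", Decimal("310.75")),
]
EMPLOYEES = {"Susie"}
# Payee as entered in the general ledger, keyed by check number
LEDGER = {
    2001: "Macon Hardware",
    2002: "Macon Hardware",
    2003: "Georgia Paper Co",
    2004: "Macon Hardware",
}


def norm(name):
    """Case- and whitespace-insensitive form of a payee name."""
    return " ".join(name.lower().split())


def agree_checks_to_invoices(checks, invoices, employees, ledger, sample_size, seed=None):
    """Sample cleared checks at random and return {check_no: [flags]} for exceptions."""
    rng = random.Random(seed)
    sample = sorted(rng.sample(checks, min(sample_size, len(checks))))
    # Each invoice can support only one check, so a second check for the same
    # invoice is reported as unsupported.
    unused = Counter((norm(vendor), amount) for vendor, amount in invoices)
    staff = {norm(e) for e in employees}

    findings = {}
    for check_no, payee, amount in sample:
        flags = []
        key = (norm(payee), amount)
        if unused[key] > 0:
            unused[key] -= 1
        else:
            flags.append("no invoice")
        if norm(payee) in staff:
            flags.append("payee is employee")
        if norm(ledger.get(check_no, "")) != norm(payee):
            flags.append("ledger payee differs")
        if flags:
            findings[check_no] = flags
    return findings


if __name__ == "__main__":
    print(agree_checks_to_invoices(CLEARED_CHECKS, INVOICES, EMPLOYEES, LEDGER, 4, seed=1))
```
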

Bribery – Can You Stop It?

Here are methods to lessen the threat of bribes being paid to your people

A bribe is seen as a charm by the one who gives it; they think success will come at every turn. Proverbs 17:8

The FBI performed a sting operation involving two mid-Georgia city council members. The Bureau’s court complaint alleges that two city council members contacted a city vendor requesting a bribe. The vendor, according to the complaint, had previously provided services to the city, but when the contract came up for renewal, the city officials sought monetary encouragement (also known as cash) to continue the arrangement.


The vendor’s president, once aware of the proposed bribe, contacted the FBI, which in turn conducted the sting. On the arranged date, the company CFO delivered $20,000 in cash to the city council members (the conversation was recorded by Bureau agents); after that, arrests were made.

Detecting Bribes

This case reminds me of how difficult it is to detect bribes, and that there are usually two factors in identifying and prosecuting corruption:

  • A tip (usually from someone within the organization) and
  • Assistance from law enforcement

Corruption is predominantly discovered by tips or by accident, though we will examine a couple of audit techniques below. The Association of Certified Fraud Examiners’ (ACFE) biennial fraud surveys reflect that over 60% of corruption-related frauds are unearthed by tips or by accident.

How common is corruption?

Very.

The ACFE’s 2012 Report to the Nation disclosed corruption was the root of 35% of all government fraud, and the percentages are much higher in other industries such as oil and gas, mining, real estate, and utilities.

How are organizations harmed?

Bribes harm organizations indirectly.

Vendors usually don’t absorb the cost of the bribe; they pass the expense along to the organization in the form of increased invoice billings, or the vendor will, in some cases, provide substandard products or services. Either way, the organization loses, and the villain walks away with cash or a free vacation or a free car or … well, you get the picture.

Auditor Techniques

One audit procedure that can be performed is to compare vendor costs over a period of time. I suggest the tests be performed and advertised (let everyone know) so that those tempted will think twice – the potential of detection is a strong deterrent.

How?

  1. Obtain the check register for multiple periods (e.g., three years)
  2. Sort the payments by vendor name, aggregate the total paid by vendor and period
  3. Compare the annual vendor totals (e.g., annual vendor totals for each of the three years)
  4. Investigate significant differences

Inflated invoices are a smoking gun. For unexplained increases, determine who approved the invoices.
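The four steps above, as an added Python example (not part of the original post). The register rows, approver names and the two "significant" cut-offs (25% and $10,000) are constructed assumptions; the example reports increases only and treats a vendor with no prior-year payments as a finding with no percentage.

```python
from collections import defaultdict
from decimal import Decimal

PCT_THRESHOLD = Decimal("0.25")   # assumption: a rise of 25% or more is "significant"
MIN_INCREASE = Decimal("10000")   # assumption: ignore small-dollar changes

# Constructed check register: (year, vendor, amount, invoice_approver)
REGISTER = [
    (2014, "Paving Partners", Decimal("40000"), "jsmith"),
    (2015, "Paving Partners", Decimal("42000"), "jsmith"),
    (2016, "Paving Partners", Decimal("30000"), "bjones"),
    (2016, "Paving Partners", Decimal("38000"), "bjones"),
    (2014, "Office Supply Co", Decimal("5000"), "jsmith"),
    (2015, "Office Supply Co", Decimal("5200"), "jsmith"),
    (2016, "Office Supply Co", Decimal("6900"), "jsmith"),
    (2014, "County Utilities", Decimal("20000"), "mlee"),
    (2015, "County Utilities", Decimal("20500"), "mlee"),
    (2016, "County Utilities", Decimal("21000"), "mlee"),
    (2016, "Ridge Consulting", Decimal("15000"), "bjones"),
]


def vendor_totals(register):
    """Step 2: total paid, and who approved, per vendor and year."""
    totals = defaultdict(lambda: defaultdict(Decimal))
    approvers = defaultdict(lambda: defaultdict(set))
    for year, vendor, amount, approver in register:
        totals[vendor][year] += amount
        approvers[vendor][year].add(approver)
    return totals, approvers


def significant_increases(register):
    """Steps 3 and 4: compare consecutive years and list increases to investigate."""
    totals, approvers = vendor_totals(register)
    years = sorted({row[0] for row in register})
    findings = []
    for vendor, by_year in totals.items():
        for prior_year, year in zip(years, years[1:]):
            prior = by_year.get(prior_year, Decimal(0))
            current = by_year.get(year, Decimal(0))
            increase = current - prior
            if increase < MIN_INCREASE:
                continue
            # A vendor with nothing paid in the prior year has no percentage change
            pct = (increase / prior).quantize(Decimal("0.01")) if prior else None
            if pct is not None and pct < PCT_THRESHOLD:
                continue
            findings.append({
                "vendor": vendor, "prior_year": prior_year, "year": year,
                "prior": prior, "current": current, "increase": increase,
                "pct": pct, "approvers": sorted(approvers[vendor][year]),
            })
    findings.sort(key=lambda f: f["increase"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in significant_increases(REGISTER):
        print(f)
```
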

Also, inquire within departments about faulty or substandard products received (another smoking gun); then, if significant, see who approved the related purchases – especially if the faulty product is repeatedly received.

Mitigating Corruption

To mitigate corruption, implement these controls (there are others, but here are a few suggestions):

  • Require sealed bids that are opened in the presence of multiple people 
  • Implement a whistleblower program (include vendors)
  • Require announced periodic vendor audits
  • Implement a conflict of interest policy
  • Implement a bribery prevention policy (include gifts)
  • For significant construction contracts, monitor all phases of the project, including solicitation of bids, awarding of the bid, development of the contract, on-site construction, and related billing, and contract change orders (don’t trust the builder to do this for you).

Your Thoughts

What corruption prevention strategies does your organization use?

How to Perform Fraud Risk Assessments

Part 3: An overview of the risk assessment process as it relates to fraud

No appreciable change has occurred in the detection of fraud since the issuance of SAS 99, Consideration of Fraud. Why? I fear the problem lies in how we as auditors use the risk assessment standards.

I still hear auditors say, “we are not responsible for fraud.” But are we not?

Without question, auditing standards require that we perform particular fraud risk assessment procedures. And we also know that the detection of material misstatements—whether caused by error or fraud—is the heart and soul of an audit. So writing off our responsibility for fraud is not an option.


Why Auditors Don’t See Fraud Risk

Why do we not see fraud risks? Here are a few thoughts:

  • We don’t understand how fraud occurs, so we avoid it
  • We don’t know how to look for control weaknesses
  • We think our time is better spent in other areas (namely performing substantive procedures)
  • We still believe that a balance sheet approach to auditing is all we need

Signs of Weak Risk Assessments

So what are some signs of weak fraud risk assessments?

  • We ask just one or two questions about fraud
  • We limit our inquiries to as few people as possible (maybe even just one)
  • We discount the potential effects of fraud (even after a client tells us it has occurred)
  • We don’t perform walkthroughs
  • We don’t conduct brainstorming sessions
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files have vague responses to the brainstorming and risk assessment procedures (e.g., “no means for fraud to occur; see standard audit program”)

In effect, some auditors dismiss the fraud risk assessment process. And if we are not aware of fraud risks, we can’t adequately plan our responses. Put another way, if fraud risks are present, and we follow a standard audit program, are we responding to threats?

So how can we understand and respond to fraud risks? Here are a few thoughts.

Start with Potential Fraud Incentives

Fraud comes in two flavors:

  • Cooking the books (intentionally altering numbers)
  • Theft

Start your fraud risk assessment process by determining if there are any incentives to manipulate the financial statement numbers. Are there any bonuses or promotions based on profit or other metrics? Are there other potential motivations for playing with the numbers such as promotions? Cooking the books is more prominent in for-profit entities, but be aware that some nonprofits also offer incentives based on financial statement targets.

Internal control weaknesses are the doorway to theft. Next we’ll see how to find those defects in accounting systems.

Look for Fraud Opportunities

My go-to procedure in looking for fraud opportunities is to perform walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging.

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle and start at the beginning and follow the transaction to the end. Note who does what. Inspect the related documents.

Think of the accounting system as a story. Our job is to understand the narrative. As we (attempt to) describe the accounting system, we may find missing pieces. Sometimes we’ll need to go back and ask more questions to make the story flow from beginning to end.

The purpose of writing the storyline is to identify any “big, bad wolves.” The threats in our childhood stories were easy to recognize. Not so in the walkthroughs. It is only in connecting all the dots that the wolves materialize.


Our documentation of the walkthrough should be scalable. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more detail.

In documenting workflows for complex businesses, the old saying “How do you eat an elephant?” comes to mind. Break complicated systems into pieces and you will understand them.

Observation of Control Weaknesses

The auditing standards require that we use the following:

  • Inquiry
  • Observation
  • Inspection

Audit standards state that inquiry alone is not sufficient for performing the risk assessment process. So we must marry inquiry with either observation or inspection or inquiry with both observation and inspection. May I suggest that you do the latter? Take pictures of your observations (use your smartphone) and make copies of documents you inspect. I like to write my narrative and then insert images into the “story.” (Tip: You can insert pictures in a Word document by clicking “Insert,” and “Object.” Then browse to the picture you desire to add.)

Our walkthroughs can include:

  1. Narrative
  2. Images
  3. Highlights of control strengths and weaknesses

I summarize the internal control strengths and weaknesses within the narrative and usually highlight the wording. For example:

Control weakness: The accounts payable clerk (Judy Ware) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that vendor without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then–when I am done–I can use the identified fraud opportunities to create audit procedures that are responsive.

Fraud-Related Inquiries

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

If management has no method of identifying fraud, might this be an indicator of a control weakness? Yes. It is management’s responsibility to develop control systems to lessen the risk of fraud. It is the auditor’s responsibility to review the accounting system to see if it is designed and operating appropriately.

Notice that in these inquiries we are asking not only whether fraud has occurred but also whether management has a prevention system in place. And does management communicate these processes to those charged with governance?

Planning Analytics

Another risk assessment procedure is the use of planning analytics. As we compare prior year numbers with current year numbers or as we compare budgeted numbers with current, we may see red flags. You can also use ratios in your hunt for potential risks.

As you review the preliminary numbers, ask, “do these numbers make sense in light of current operations?”

The audit standards state that there is a rebuttable presumption that revenues are overstated. Why? Because many past frauds were carried out by managers intentionally overstating income numbers. In some cases, management posted false journal entries at year-end to inflate income. Then in the following period the entries were reversed.

Brainstorming and Planning Your Responses – My Next Post

Once you perform your risk assessment procedures, you are ready to brainstorm about how fraud will occur and then plan your audit responses. That’s the topic of our next post—so stay tuned. Subscribe to my blog (it’s free) to ensure that you see the next post (see below).

Consider reading this post again and think about how you use your audit forms to perform risk assessments. Understanding the process is 90% of the battle.

If you missed my first two posts in this series, check them out here:

Part 1: How to Perform Audit Risk Assessments

Part 2: How to Understand the Risk Assessment Process