Assessing Audit Control Risk at High (and Saving Time)

Assessing control risk at high is often an efficiency decision

At times, auditors errantly assess control risk at less than high. Why? Because the (lower) assessment is not supported by a test of controls.

So can you assess control risk at high without testing controls? Yes–and you may want to. Below you’ll see why.

We have been told that “you can’t default to maximum risk.” While we can’t default to maximum (the old pre-risk-assessment standards term), we can–and in many audits should–assess control risk at high (the present risk assessment term).

assess control risk

Picture is from

Assessing Control Risk at High

First, the auditor should determine the existence and location of risks–the purpose of risk assessment procedures. Once risk assessment procedures (walkthroughs, inquiries, analytics, etc.) are performed, we know more about what the risks are and where they are. Then we can assess control risk (CR) at whatever level we desire (if CR is below high, then controls must be tested to support the lower risk assessment).

The Efficiency Decision

At this point, our assessment of control risk becomes a question of efficiency. We can:

  1. Assess control risk at high and not perform additional tests of controls, or
  2. Assess control risk at low to moderate and test the operating effectiveness of controls

The salient question is, “Which option is most efficient?”

Risk Assessment Procedures

Risk assessment procedures, such as walkthroughs, generally are not sufficient to support a low to moderate control risk assessment. A walkthrough (often a test of one transaction) allows us to see if appropriate controls are in place. They don’t, however, tell us if the controls are consistently working.

Testing Controls

AU-C Section 330.08 states: The auditor should design and perform tests of controls to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement…includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining…substantive procedures).

A test of one transaction–often performed in walkthroughs–generally is not considered “sufficient appropriate audit evidence” to assess control risk at less than high.

Back to the Efficiency Issue


To test and rely on controls, the auditor should examine more transactions. We might, for example, test forty disbursements for proper purchase orders. If the control is working, then we can assess control risk at low to moderate and decrease our substantive work. We could, for example, test fewer additions to plant, property and equipment.

If it takes longer to test controls (e.g., the forty purchase orders) than to perform substantive tests (e.g., vouching invoice support for additions to plant, property and equipment), then it makes more sense to assess control risk at high and perform substantive procedures. And we should do just that–if we desire to make a higher profit on the engagement (and I’m betting you do).

For example, if it takes six hours to test forty transactions for appropriate purchase orders, and it takes four hours to vouch all additions to plant, property, and equipment, then we should assess control risk at high and not perform the test of controls. We should perform the substantive procedure of vouching all significant additions to plant, property, and equipment.

Reducing Substantive Tests (Without Testing Controls)

Can we assess the risk of material misstatement (RMM) at low to moderate without testing controls?


If the inherent risk (IR) is low to moderate, then our combined risk of material misstatement can easily be low to moderate. (Let me encourage you to assess risk at the assertion level and not at the transaction level, but I will save that topic for another post.)

For example, a low inherent risk and a high control risk can yield a low to moderate RMM. In an equation it looks like this:

 IR         CR         RMM            Audit Approach
Low X High = Moderate              Basic

This approach produces a moderate RMM without testing controls. A moderate RMM supports a basic approach, and a basic approach means we are performing fewer substantive tests (a high RMM means the auditor will perform more substantive tests).

In short, many times inherent risk is low to moderate. If you combine a low to moderate inherent risk with a high control risk, you can assess RMM at low to moderate. This low to moderate RMM comports with a basic audit approach. Continuing with our plant, property and equipment example from above, you can–with the low to moderate RMM–test fewer asset purchases. And no test of controls is necessary.

This approach–assessing control risk at high after performing risk assessment procedures–often creates greater audit efficiency and is compliant with audit standards. Alternatively, we should assess control risk below high and test controls if this approach takes less time.

Why Assessing Control Risk at High is (Often) More Efficient


I started this post by saying we sometimes errantly assess control risk. By this, I mean we sometimes assess control risk at low to moderate without a sufficient test of controls. If we assess control risk at less than high, then we must test controls.

What are your thoughts about assessing control risk?

The Little Book of Local Government Fraud Prevention

Whether your government is small or large, this book provides guidance in reducing theft

Do you desire to fight fraud in governments? Or maybe you are just curious about how fraudsters get away with their wily schemes. See my book The Little Book of Local Government Fraud Prevention. You can purchase it on Amazon as a paperback. Also, the ebook is available as a Kindle download.

Local Government Fraud Prevention

Fraud occurs in local governments in a multitude of ways, yet many cities, counties, school systems, authorities, and other public entities are ill-prepared to prevent or detect its occurrence. Why is this so? Some governments place too much reliance on annual audits as a cure-all, but clean audit opinions don’t mean that fraud is not occurring. And some governments fail to understand how vulnerable they are–until it’s too late.

Why is local government fraud so common? Many small governments don’t have a sufficient number of employees to segregate accounting duties. It is also these smaller governments that place too much trust in their accounting personnel. This combination of a lack of segregation of duties and too much trust in key employees often leads to significant losses from theft.

The Little Book of Local Government Fraud Prevention provides several real-life stories of fraud. The stories will inform you about how local government employees steal. Then I provide you with prevention techniques to assist you in mitigating fraud risks. In one story, for example, the book shows how a single municipal employee stole over $53 million dollars, all from a city of just 16,000 citizens.

If you audit governments, you will find this book helpful in pinpointing common areas where governmental fraud occurs. The book also includes fraud audit checklists and fraud detection procedures. Whether you are an internal or external auditor, you will find fresh ideas for prevention and detection.

The Little Book of Local Government Fraud Prevention will assist you if you are a:

1. Local government accounting employee
2. Local government elected official
3. Local government auditor
4. Local government attorney
5. Certified Public Accountant
6. Certified Fraud Examiner

Even if you don’t work with governments, you’ll find this book useful. I provide fraud prevention steps for transaction cycles such as billing and collections, payables and expenses, payroll, and capital assets.

Together we can bring down the risk of fraud and corruption in our local governments. Come join the team. We’ll all be better for it.

If you don’t desire to spend money on the book, here’s a free list of controls.

Circumventing Approval Requirements by Splitting Payments

Day 20 in 30 Days of Fraud

The Theft

The maintenance supervisor, Billy, wants to make multiple payments to a vendor (owned by a friend of his) for $9,900 each. They are questionable payments, so Billy wants to avoid any (unneeded) scrutiny. He knows that all payments over $5,000 require a physical signature (and review by the finance director)–all checks below $5,000 are signed by the computer. What’s a boy to do? Well, Billy can split the transaction–two checks for $4,950 each. That will work.

Picture is courtesy of

Picture is courtesy of

So, Billy tries the scheme, and it works—again and again. Billy’s friend rewards him with a free trip to his favorite hunting destination.

The Weakness

No one is querying the check register for payments just below the threshold. Also, no one is requiring bids.

The Fix

Download the check register into Excel (or any database package). Then, sort the payments and look for repeated payments–just below the threshold of $5,000–to the same vendor.

Require bids for large expenses; the bids should be retained as support for the payments.

Learning tip: The hunting trip is referred to as a gratuity rather than a bribe. Why? Bribes are defined as inducement payments made before the purchase decision, gratuities (a free trip in this example) come after the vendor payments are made. The purpose of the gratuity is to reward the complicit person (Billy). Then, in the future, Billy knows the drill and expects more free trips after he helps his friend.

How to Steal Money with Altered Check Payees

This simple fraud occurs all too often

Some fraudsters steal money with altered checks.

As a kid I once threw a match in a half-gallon of gasoline – just to see what would happen. I found out. Quickly. In a panic, I kicked the gas container–a plastic milk jug–several times, thinking this would somehow put the fire out. But just the opposite occurred, and when my father found out? Something else was on fire.

Steal money with altered check payees

Some accounting weaknesses create unintended consequences. Show me an accounting clerk who (1) can sign checks (whether by hand, with a signature stamp, or with a computer-generated signature), (2) posts transactions to the accounting system, and (3) reconciles the bank statements, and I will show you another combustible situation. Here’s how one city clerk created her own blaze.

Altered Check Example

Using the city’s signature stamp, the clerk signed handwritten checks made out to herself; however, when the payee name was entered into the general ledger (with a journal entry), another name was used – usually that of a legitimate vendor.

For example, Susie, the clerk, created manual checks made out to herself and signed them with the signature stamp. But the check payee was entered into the accounting system as Macon Hardware (for example). Also, she allocated the disbursements to accounts with sufficient remaining budgetary balances. The subterfuge worked as the expense accounts reflected appropriate vendor activity and expenses stayed within the budgetary appropriations. No red flags.


The accounting clerk, when confronted with evidence of her deception, responded, “I don’t know why I did it, I didn’t need the money.” We do a disservice to accounting employees when we make it so easy to steal. Given human nature, we should do what we can to limit the temptation.


Controls to Lessen Check Fraud

First, if possible, segregate the disbursement duties so that only one person performs each of the following:

• Creating checks
• Signing checks
• Reconciling bank statements
• Entering checks into the general ledger

If you can’t segregate duties, have someone (the Mayor, a non-accounting employee, or an outside CPA) review cleared checks for appropriateness.

Secondly, have a second person approve all journal entries. False journal entries can used to hide theft. With sleight of hand, the city clerk made improper journal entries such as:

                                                Dr.                 Cr.

Supply Expense              $5,234

Cash                                                        $5,234


The check was made out to Susie, but the transaction was, in this example, coded as a supply expense paid to Macon Hardware. You can lessen the risk of fraud by preventing improper journal entries.

Thirdly, limit who has access to check stock. It’s usually wise to keep blank check stock locked up until needed.

Finally, limit who can sign checks, and deep-six the signature stamp.

A word to external auditors looking for a fraud test idea (or those just looking for check fraud): Consider testing a random sample of cleared checks by agreeing them to related invoices. Work from the cleared check to the invoice. It is best for the auditor to pull the invoices from the invoice file; if you ask someone in accounting to pull the invoices, that person might create fictitious invoices to support your list (not hard to do these days). If the payee has been altered, you will, in many cases, not find a corresponding invoice. Pay particular attention to checks with payees that are company employees.

How to Capture and Communicate Control Deficiencies

Capturing and reporting internal control weaknesses

We’re concluding another audit, and it’s time to consider whether we will issue a letter communicating internal control deficiencies. A month ago we noticed some control issues in accounts payable, but presently we’re not clear about how to describe them. We hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks we’re done, and quite frankly, they are tired of seeing us. We know that boiler-plate language will not adequately apprise the client of the weaknesses nor will it provide corrective steps. Now we’re kicking ourselves for not taking more time to document the control deficiencies.

Here’s a post to help capture and document internal control issues as we audit.

Today, we’ll take a look at the following control weakness objectives:

  1. How to communicate them
  2. How to discover them
  3. How to capture them
Internal Controls

Picture is courtesy of

Before we get started, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Categorizing a control weakness is not a science, but an art. With this thought in mind, let’s start our journey with how control weaknesses should be reported.

1. How to Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. While other deficiencies don’t have to be writing, they should nonetheless be disclosed to management and documented in the work papers.

2. How to Discover Control Weaknesses

Rather than trying to recall control weaknesses at the end of the audit, capture them as you perform the audit. You might see control problems in the following stages:

  • Planning – Risk assessment and Walkthroughs
  • Fieldwork – Transaction-level work
  • Conclusion – Wrapping up

Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties). Are functions appropriately segregated concerning:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Within each transaction cycle, these functions–if possible–need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review. If possible, the client should have someone external to prior accounting processes (usually a supervisor) examine daily reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, the client should not allow someone with the ability to steal to work without reviews by a second person. As we saw in my recent post, the fear of detection will lessen fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possibilities exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft that is so small that you don’t have to communicate the issue to the board but will do so to management (other deficiency)

My experience has been that if any theft potential exists, those charged with governance want to know about it, but this too is a subjective decision.

Too often auditors make blanket statements that the client lacks appropriate segregation of duties, and then practically excuse the weakness with words such as, “Segregation of duties is not possible due to the limited staff.” I fear such statements are made to protect the auditor (should fraud occur in the future). It is better to be specific about where the weakness lies and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client where the problem is and the potential damage. Be prepared to provide a recommendation to remediate the problem.

While I just described how a lack of segregation of duties may allow theft to occur, the same applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a greater risk of financial statement fraud. Appropriate segregation mitigates the risk that someone will manipulate the numbers.

Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies surface during fieldwork. How? Audit journal entries. What are journal entries but corrections to results (from the accounting system)? The stronger the system, the fewer the journal entries in number and size. Not that all journal entries are evidence of internal control weaknesses, but consider why the errors occurred. If the corrections are the result of control weaknesses, then consider if the client has a material weakness.

A material weakness is defined as:

  • being reasonably possible,
  • material in amount, and
  • [will not be] prevented on a timely basis

When the auditor makes a journal entry for a material amount, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible.” It occurred. We also know it was not “prevented on a timely basis.”

Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. In particular, it is wise to communicate any potential significant deficiencies or material weaknesses. As you already know, management may oppose these since they are reported to the board–and can cast a poor light on the accounting staff. So be prepared to explain your determination. Your firm may desire to have a policy that only managers or partners make these communications since they are sensitive.

It is a good practice for your company to designate a particular location in your audit files for internal control deficiency documentation. Let’s discuss the appearance of these controls evaluation work papers.

3. How to Capture Control Weaknesses

Create a standard form (if you don’t already have one) to capture control weaknesses. The main point I am stressing is to document the internal control deficiency when you see it.

Internal Controls

Picture is courtesy of

Too often auditors don’t write the weakness down, thinking they will remember the issue at the conclusion of the audit. Be disciplined in documenting on the go. Why?

Two reasons:

  1. You may not be on the engagement when it concludes (you are transferred to another audit) and
  2. You may not remember the issue (weeks later).

The audit standards require that we document our internal control weakness communications–either in a letter (for significant deficiencies and material weaknesses) or another way such as a memorandum (for control weaknesses we verbally communicate). Either way, the communication should be documented.

Think of the internal control communication process as follows:

  1. Capture the control deficiency on your firm’s form
  2. Later, determine whether the weakness if a significant deficiency or a material weakness
  3. If the deficiency is a significant deficiency or a material weakness, create your written letter to management and those charged with governance
  4. If the deficiency is not a significant deficiency or a material weakness, then you have already met the documentation requirement for this type of control issue (you’ve already completed your firm’s form to capture the control problem)
    • Note – You can include these other deficiencies in your written letter, but you are not required to; the communication can be verbal.

What should be on the internal control capture form? At a minimum include the following:

  1.  Check-mark boxes for:
    1. Significant deficiency
    2. Material weakness
    3. Other control deficiency
    4. Other issues (e.g., violations of laws or regulations) — this general category has no relation to internal control weaknesses
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
    • If the probability of occurrence is at least reasonably possible and the magnitude of the potential misstatement is material, then the client has a material weakness
  3. Description of the deficiency and verbal or other communications with the client about the issue (at the time the problem was identified or later); also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person who identified the issue and the date the issue was noted
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

How to Perform Audit Risk Assessments

Part 1: Practical steps to performing audit risk assessments

Do you know someone who suffers from risk assessment averseness? Patients with this illness possess an extreme dislike for thinking before acting. They live in the land of the objective–bank confirmations, vouching, and searching for unrecorded liabilities. They disdain the subjective–inquiring about processes, observing segregation of duties, thinking about inherent risk. To them, auditing is science, not art. It’s concrete. You hear them say “that front-of-file stuff is just to make peer reviewers happy.” After all, “there’s work to do.” And they know what to do. It’s all there in the prior year file.

There is only one cure for this thought-borne disease. It’s understanding the advantages of risk assessment and planning.

Picture is courtesy of

Picture is courtesy of

Audit Risk Model

Let’s start with the audit risk model. How is it defined?

Put simply, it is:

Risk of Material Misstatement = Inherent Risk X Control Risk

This is the framework for gaining an understanding of:

  • The entity
  • Transaction cycles and account balances

Do I Need to Understand the Entity?

The audit standards require that we understand the entity and its environment. I like to start by asking management the question, “If you had a magic wand that you could wave over the business and remove one problem, what would it be?” The answer tells us a great deal about the entity’s risk. I want to know what they think and feel. The visceral is a flashing light saying, “Important!” And believe me, every business owner or manager worries about something. Your clients understand their businesses. This is where they live. The wise auditor taps into that knowledge.

Risks can be thought of as threats to objectives. Your client’s fears tell you what the objectives are.

Other questions that can be entertained include:

  • How is the industry faring?
  • Are there any new competitive pressures?
  • Are there any new opportunities?
  • Are there any changes in key vendor relationships? Can the company still obtain necessary products?
  • Are there pricing pressures?

Now let’s delve into accounting controls.

Do I Have to Understand Controls?

In every audit, we must understand the client’s internal controls. “But my client has no controls.” Really? It is doubtful that a client has no controls. They may have few, but almost every entity has some controls. Here are a few questions to consider:

  • Who signs checks?
  • Who has access to checks (or electronic payment ability)?
  • Who approves payments?
  • Who initiates purchases?
  • Who can open and close bank accounts?
  • Who posts payments?
  • What software is used? Does it provide an adequate audit trail? Is the data protected? Are passwords used?
  • Who receives bank statements? Who opens them? Who has online access? Does anyone review cleared checks for appropriateness?
  • Who reconciles the bank statement? How quickly? Does a second person review the bank reconciliation?
  • Who creates expense reports? Who reviews them?
  • Who bills clients? In what form (paper or electronic)?
  • Who opens the mail?
  • Who receipts monies?
  • Are there electronic payments?
  • Who receives cash onsite and where?
  • Who has credit cards? What are the spending limits?
  • Who makes deposits (and how)?
  • Who keys the receipts into the software?
  • What revenue reports are created and reviewed? Who reviews them?
  • Who creates the monthly financial statements? Who receives them?
  • Are there any outside parties that receive financial statements? Who are they?

These are examples of what we need to understand before we plan the audit. Why? Because risk is a function of processes. Understanding informs us. It directs us.

Remember this: Numbers are the narrative.

And this: To change the story, change the figures.

And for auditors: See if the story is true–or if it changed (whether by accident or intentionally).

How do we do this?

We look for indicators of false numbers (false stories). Do the accounting processes allow for false numbers?

As a kid, I once stole five dollars from my father. His internal control of laying his billfold down on his dresser every night did not work well. When he asked who took the money, I changed the story from one of fact to fiction (also known as a white lie). I tried to change the narrative.

My father inquired, but he also observed, and my reaction gave me away.

Auditors are to use the following in performing risk assessments:

1. Inquiry

2. Observation

3. Inspection

Inquiry alone is never sufficient. Combine observation and inspection with inquiries.

And what is the purpose? To know where risks lie.

Your Thoughts?

We’ll pick up here in my next post about risk assessment. Feel free to share this article with those you know who suffer from audit risk assessment averseness. Friends don’t let friends audit without thinking.

What unique risk assessment procedures do you use? Since this is an art, there are myriad ways to gain an understanding of clients and their processes–and I’m always looking to learn more.

10 Powerful Steps to Reduce Theft

Windows open. Curtains blowing. The sound of crickets and an occasional train in the distance. It was a simple childhood. It was my childhood. My mother parked her black Ford Falcon and left the keys in the ignition. The doors to our home were unlocked. We trusted our neighbors and they us. And why would we not? We’d known each other for what seemed like a millennium.

Picture courtesy of

Picture courtesy of

But then one night at the dinner table, my father said, “someone stole Miss Gussie’s Chevy.” Unthinkable. Our innocence broken, soon my mother took precautionary measures and each evening, after parking, she would place the car keys under the car seat. No need to take chances. We began to close the windows at night, but still the back door was left unlocked in case my father needed to go out for a smoke.

A couple of months later, I overheard my mother whispering to my grandmother that a man slithered into Miss Kidd’s house in the dead of night and had taken valuables. Miss Kidd lived diagonally from our home, just a stone’s throw away. To think that someone just walked–unannouncedinto the octogenarian’s home. How could this be?

Picture courtesy of

Picture courtesy of

Fear was palpable. Our neighborhood’s character shifted. No longer would Mom leave the keys in the car. No longer would we leave the windows open. No more cricket sounds. And my father even locked the back door.

Safely we would sleep, not because there were no threats, but because of protection.

The New COSO Framework

See what changed in the new COSO Framework

Rita Crundwell, the former comptroller for Dixon, Illinois, stole over $53 million from a city of 16,000 people with an annual budget of $6 to $8 million. In the early 1990s, she opened a secret bank account in the name of the city and began transferring funds (disguised as payments to the Illinois DOT). The monies (in the secret account) were used by Rita to fund one of the nicest quarter horse ranches in the world.

The theft was simple. The damage was massive.

COSO Framework

Picture courtesy of

Losses from fraud and other risks can happen to any organization that lacks sufficient internal controls. Therefore, it’s imperative that your business, government, or nonprofit create a sound working internal control system.


Prior to 1992 (the year COSO’s internal control framework came into existence), internal control guidance was sparse. Accountants knew that controls were needed, but many had no model to follow.

COSO to the Rescue

The Committee of Sponsoring Organizations (COSO), consisting of five organizations, such as the AICPA, came together to develop an internal control framework that accountants could use in any organization. Those standards have served well over the last twenty years, but with many changes in technology (e.g., cloud computing), the uptick in laws and regulations (e.g., Sarbanes Oxley), the increase in outsourcing (e.g., payroll), and the higher incidence of fraud, it became apparent that the framework needed amendments. So the COSO did just that, releasing the updated framework in May 2013; the effective date of the guidance is December 15, 2014.

The Hip Bone Connected to the Leg Bone

COSO added greater definition and guidance in regard to the five internal control components created back in 1992:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

As the 1992 framework states, these five components should be holistically integrated to create a healthy and safe control environment for business, nonprofits, and other organizations.

And what does this integration look like?

Every entity needs ethical leadership (the control environment). Those leaders identify key risk areas, usually in terms of likelihood and dollar impact. Once the risk areas are known, controls are designed and implemented (control activities) to ensure the creation of financial information (information and communication). Lastly, the organization monitors the system to ensure that it all works as planned (monitoring).

Most auditors (and those who design internal controls) usually emphasize the control activities component. The reason? Audit opinions relate to financial statements and deficiencies in control activities often allow misstatements to occur. The result? The reporting of significant deficiencies and material weaknesses. As auditors issue control deficiency letters, they tend to focus on control activities, though those communications can and should address deficiencies in the other four internal control components.

What changed in the new COSO framework?

Key changes in the 2013 framework include:

  • The addition of 17 principles (each related to one of the five control components listed above)
  • The addition of points of focus (each applicable to one of the 17 principles)
  • An increased focus on fraud
  • An increased focus on governance
  • An increased focus on information technology
  • An increased focus on compliance with laws and regulations

Why should I care about these changes?

Think of the COSO framework as the fountainhead of all that is good in internal control land. And once COSO speaks, other important bodies (e.g., the AICPA Auditing Standards Board) listen and absorb what is published. Remember SAS 109, Understanding the Entity and Its Control Environment, issued in 2006? Guess where the five control components (control environment, risk assessment, control activities, information and communication, and monitoring) came from? Don’t be surprised if you see the 17 new COSO principles–and possibly the points of interest–embedded in future audit standards.

In any event, the new COSO guidance is a great place for any business or organization to develop a control system that identifies and mitigates risks.

Then disasters–like the one in Dixon, Illinois–can be avoided.

Deeper Dive

If you are interested in more information about the new COSO guidance, consider purchasing the book Executive’s Guide to COSO Internal Controls by Robert Moeller. Mr. Moeller provides a nice summary of the framework along with implementation steps.

You can buy the COSO Framework here.

Five Disbursement Fraud Audit Tests

You are leading the audit team discussion concerning disbursements, and a staff member asks, “why don’t we ever perform fraud tests?”

Your rejoinder, somewhat lacking, but said with authority, is, “We are only required to perform such tests in certain circumstances. What do you suggest?”

“I don’t know,” the staff member sheepishly responds. “What are some possibilities?”

You pause to consider the question, and you remember a blog post addressing how fraud can sting auditors. You begin to think, “what can we do?”


Five Disbursement Fraud Tests

1. Test for duplicate payments.

Why test?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer commonly does not examine supporting documentation and the payee name.

How to test?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).

2. Review the accounts payable vendor file for similar names.

Why test?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes may be used).

The check-signer will not recognize the payee name as fictitious.

How to test?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors.

Why test?

The accounts payable clerk may add a fictitious vendor (one in which no similar vendor name exists, as we saw in the preceding example).

The fictitious vendor address? You guessed it: the clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How to test?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the businesses to check for validity; if necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

4. Compare vendor and payroll addresses.

Why test?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How to test?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.

5. Scan all checks for proper signatures and payees.

Why test?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How to test?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also consider scanning endorsements.

Your Ideas

Those are a few of my ideas. Please share yours.

My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. Check it out.

Backdoor Thefts of Payroll Withholdings

Common payroll frauds include ghost employees, inflated time cards, and improper changes to pay rate files. These payroll frauds are usually discussed in fraud prevention classes, but backdoor thefts of payroll withholdings are not. So how is this fraud carried out?


A payroll clerk intentionally overpays payroll withholdings (for the business as a whole), alters his or her personal W–2 withholdings to include the excess payment, and later receives a tax refund that includes the overpayment.

For example, if Gertrude, the payroll clerk, intentionally overpays state tax withholdings by $25,000, she can amend her W–2 so that it reflects the excess payment as withheld from her paycheck (though it was not); once she files her state tax return, she gets an extra $25,000. In effect, she is using the state government as a funnel for her theft. Since payroll tax deposits are seldom monitored by a second person, it’s an easy way to steal.

The potential for this scheme increases if one person processes payroll, files all related payroll tax reporting information, makes payroll withholding payments, and records payroll entries in the general ledger—not uncommon in smaller organizations or businesses. As a preventive measure, have someone outside of the payroll department review all W–2s before they are issued; this person should also physically mail the W-2s (to prevent the payroll clerk from making changes after the review).

Governmental Fraud Prevention Book

This fraud is discussed in my book: The Little Book of Local Government Fraud Prevention. The book covers dozens of common local government frauds and how to prevent them. For a limited time you can purchase the Kindle version on Amazon for only $4.99

The photo is courtesy of