How to Lessen Segregation of Duties Problems in Two Easy Steps

Fraud prevention in two easy steps

Darkness is the environment of wrongdoing.


No one will see us–or so we think.

As you’ve seen many times, fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or graphic portrayal of how that which is alluring in the beginning, is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment of theft. What’s the solution? Transparency. It protects businesses, governments, and nonprofits. And while we desire open and understandable processes, often businesses have just a few employees that operate the accounting system. And many times they alone understand how it works.

It is desirable to divide accounting duties among various employees, so no one person controls the entire process. This division of responsibility creates transparency since multiple eyes see the accounting processes–but this is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that fixing the problem is too costly. But is this true? Can we create greater transparency and safety with simple procedures and without significant cost?


Below I propose two processes to reduce fraud:

  1. Bank account transparency and
  2. Surprise audits.

1. Bank Account Transparency

Here’s a simple and economical control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners since only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

One set of eyes on an accounting process is not a good thing. So how can we shine the light?

Fraud Prevention

Picture courtesy of

Second Person Sees the Bank Statements

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person, and let the bookkeeper know that the other person will review bank activity.

Even the appearance of transparency creates (some) safety.

Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of reviews enhances safety. I am not recommending that you don’t perform the review, but if the bookkeeper even thinks someone is watching, fraud will lessen.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs) but involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA or performed by someone other than the bookkeeper–such as a board member.

Segregation of Duties

Picture courtesy of

Adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as the following:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be inspected but distinct enough that an actual review occurs with regularity (thus the need to specify the minimum number of times the review will be performed).

Sample Inspection Ideas

Here are some sample inspection ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Review two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (to see that the report was appropriately created)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not be caught.

Again multiple people seeing the accounting processes reduces the threat of fraud.

Shine the Light

The beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement but nevertheless powerful. So shine the light.

What other procedures do you recommend for small entities?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

Wire Transfer Theft: How to Prevent It

How to steal $6.9 million in less than an hour

In one of the easiest thefts I’ve read about, a nonprofit administrative officer wired $6.9 million from an Ohio bank account to another account in Austria. The wire transfer originated with the fax of a letter (which took less than an hour to create). Since the officer was authorized to make wire transfers, no one at the bank questioned the transaction–until it was too late. The fraudster landed in Austria, called his wife and said, “I’m not coming home.” Interestingly, the wife called the police and turned her husband in; he later came back to the states of his own volition (after his wife gave him an earful). He went to jail. I guess, after a few boat rides down the Danube, he missed his family.

Preventing wire transfer theft

Picture from

Wire Transfer Theft is Easy

It’s easy for an accounting clerk (or other authorized company official) to wire funds and to cover their tracks with a journal entry – too easy in many cases. If a company  accountant or official has the ability to (1) wire funds by himself and (2) make journal entries without a second-person review, then the organization has left the fraud door wide open. Such a situation is not uncommon in small businesses, nonprofits and governments.

As you think about wire transfers, consider that they can be originated with a fax, a phone call, a personal visit to the bank, or a computer. Determine how your bank handles wire transfers and craft your internal controls based on those dynamics.

Wire Transfer Internal Controls

Organizations should do the following to mitigate wire transfer fraud:

  1. Require the bank to limit daily wire transfer amounts (e.g., $25,000 per day for each employee)
  2. Require two persons to consummate all wire transfers to external parties (the most important control in my opinion)
  3. If the wire transfer request is by phone or by fax, require the bank to call your organization back before the wire transfer is consummated
  4. The bank should require the use of unique passwords to access wire-transfer software; consider using a bank that provides bank token keys (small hand-held devices that generate unique identification numbers; these numbers are keyed into the bank software as a part of the transfer request)
  5. Restrict the bank accounts from which a wire transfer can be made (the organization may want to limit external wire transfers to just one bank account)
  6. Restrict certain bank accounts so that wire transfers can only be made to other bank accounts of the organization (e.g., transfer from operating bank account to payroll bank account)
  7. Have someone peruse the daily bank account activity (using online access); at a minimum, reconcile bank statements in a timely fashion (large organizations should consider reconciling bank accounts more frequently than once a month; some reconcile daily)
  8. Require sufficient documentation for all wire transfer journal entries; require a second-person review of these journal entries
  9. Consider using a dedicated computer for all wire transfers; do not use this computer for any other purpose (malware is often picked up by computers as they visit Internet websites)
  10. Use all bank-provided wire transfer controls
  11. Any transactions over a certain high dollar amount (e.g., $50,000) must have the approval of the business owner/CEO

Use Fraud Prevention Controls Offered by Banks

Not using controls offered by banks may make your organization liable should funds be stolen by hackers. One company sued its bank when hackers took $440,000 from its bank account with a wire transfer; the judge ruled against the company because it had opted out of control procedures offered by the bank. Also make sure your company uses appropriate firewall and antivirus protection.

Closing Words

If one person can make external wire transfers and journal entries to record those transactions, you have the makings of wire fraud–soon you may see that employee on Facebook, riding down the old Danube.

Video from Gary Zeune

You can see a news video about the nonprofit fraud mentioned above at Gary Zeune’s website: The Pros and The Cons. (If you have not heard Gary speak about fraud, you should do so. He does a great job.)

How to Account for Cash Overdrafts

Alternative presentations for negative cash balances

How should you account for cash overdrafts (also called negative cash balances) on a balance sheet and in a cash flow statement?

It is year-end and your audit client has three bank accounts at the same bank. Two of the accounts have positive balances (the first with $50,000 and the second with $200,000). The third account has a negative cash balance of $400,000. Since a net overdraft of $150,000 exists, how should we present cash in the financial statements?

Cash overdrafts

Picture Courtesy of

Balance Sheet

In the balance sheet, show the negative cash balance as Cash Overdraft in the current liabilities. Or you can also include the amount in accounts payable.

If you are netting the three bank accounts, consider using the Cash Overdraft option. If you bury the overdraft in accounts payable, the financial statement reader may think, “there is a mistake, where is cash?” Using Cash Overdraft communicates more clearly. (The right of offset must exist in order to net bank accounts. The right of offset commonly exists for multiple bank accounts with one bank.)

Some companies have multiple bank accounts with multiple banking institutions. In such cases, the net balance of one bank might be positive and the net balance of the second bank might be negative. Then the company would reflect the positive balance as cash and the negative cash balance (of the second bank) as an overdraft.  

Suppose a company has bank accounts with two different banks and the net balance of the first bank is $1,350,000 and the net balance of the second bank is an overdraft of $5,000. Then show cash as one amount on the balance sheet ($1,345,000). The $5,000 overdraft is not material.

Cash Flow Statement

Some companies do not include cash overdrafts in the definition of cash; instead, they include the overdraft in accounts payable. Consequently, the company treats the overdraft as an operating activity (change in accounts payable). So, the company includes the overdraft as a change in a liability in the operating section of the cash flow statement. (Some accountants treat overdrafts as a financing activity, but overdrafts clear quickly. Therefore, an operating activity classification is more appropriate.)

Alternatively, include the overdraft in the definition of cash (rather than in accounts payable). In doing so, you combine the cash overdraft with other cash (that with positive balances) in the cash flow statement. The beginning and ending cash–in the cash flow statement–should include cash overdrafts.

FASB ASC 230-10-45-4 requires that the total amounts of cash and cash equivalents in the cash flow statement agree with similarly titled line items or subtotals in the balance sheet. If a cash overdraft is included in the definition of cash, the cash captions in the statement of cash flows should be revised accordingly (e.g., Cash (Cash Overdraft) at end of year).

If the balance sheet contains a positive cash balance in assets and a cash overdraft in liabilities, provide a reconciliation at the bottom of the cash flow statement (or in a disclosure). In the reconciliation, show the composition of cash (cash overdraft)–one line titled Cash, one line titled Cash Overdraft, and a total line titled Total Cash (Cash Overdraft)

One Other Consideration

If checks are created but not released by year-end, reverse the payment. Merely printing checks does not relieve payables. Payables are relieved when payment is made (checks are printed and mailed, or electronic payments are processed).

Restricted Cash

FASB recently issued a new standard dealing with how restricted cash is to be reported in the cash flow statement. Click here for more information.

How to Steal Money with Altered Check Payees

This simple fraud occurs all too often

Some fraudsters steal money with altered checks.

As a kid I once threw a match in a half-gallon of gasoline – just to see what would happen. I found out. Quickly. In a panic, I kicked the gas container–a plastic milk jug–several times, thinking this would somehow put the fire out. But just the opposite occurred, and when my father found out? Something else was on fire.

Steal money with altered check payees

Some accounting weaknesses create unintended consequences. Show me an accounting clerk who (1) can sign checks (whether by hand, with a signature stamp, or with a computer-generated signature), (2) posts transactions to the accounting system, and (3) reconciles the bank statements, and I will show you another combustible situation. Here’s how one city clerk created her own blaze.

Altered Check Example

Using the city’s signature stamp, the clerk signed handwritten checks made out to herself; however, when the payee name was entered into the general ledger (with a journal entry), another name was used – usually that of a legitimate vendor.

For example, Susie, the clerk, created manual checks made out to herself and signed them with the signature stamp. But the check payee was entered into the accounting system as Macon Hardware (for example). Also, she allocated the disbursements to accounts with sufficient remaining budgetary balances. The subterfuge worked as the expense accounts reflected appropriate vendor activity and expenses stayed within the budgetary appropriations. No red flags.


The accounting clerk, when confronted with evidence of her deception, responded, “I don’t know why I did it, I didn’t need the money.” We do a disservice to accounting employees when we make it so easy to steal. Given human nature, we should do what we can to limit the temptation.


Controls to Lessen Check Fraud

First, if possible, segregate the disbursement duties so that only one person performs each of the following:

• Creating checks
• Signing checks
• Reconciling bank statements
• Entering checks into the general ledger

If you can’t segregate duties, have someone (the Mayor, a non-accounting employee, or an outside CPA) review cleared checks for appropriateness.

Secondly, have a second person approve all journal entries. False journal entries can used to hide theft. With sleight of hand, the city clerk made improper journal entries such as:

                                                Dr.                 Cr.

Supply Expense              $5,234

Cash                                                        $5,234


The check was made out to Susie, but the transaction was, in this example, coded as a supply expense paid to Macon Hardware. You can lessen the risk of fraud by preventing improper journal entries.

Thirdly, limit who has access to check stock. It’s usually wise to keep blank check stock locked up until needed.

Finally, limit who can sign checks, and deep-six the signature stamp.

A word to external auditors looking for a fraud test idea (or those just looking for check fraud): Consider testing a random sample of cleared checks by agreeing them to related invoices. Work from the cleared check to the invoice. It is best for the auditor to pull the invoices from the invoice file; if you ask someone in accounting to pull the invoices, that person might create fictitious invoices to support your list (not hard to do these days). If the payee has been altered, you will, in many cases, not find a corresponding invoice. Pay particular attention to checks with payees that are company employees.

Ghostly Payroll Fiends

In many small businesses, governments, and not-for-profits, a limited number of persons (often one or two) handle the entire payroll function. In such situations, appropriate segregation of duties may not exist and you may well meet up with a ghostly payroll fiend.


Common payroll fraud fiends, I mean schemes, include:

  • Inflating hours worked
  • Duplicate payments
  • Ghost employees
  • Inflating pay rates

Once we explore how these frauds occur, we’ll see if we can find appropriate incantations and actions to chase them away (in the form of segregation of duties).

Inflating Hours Worked

Many organizations use time-clocks which are activated by a swipe of the employee’s identification card. This is better than using a paper based payroll system, but the use of biometric systems is more effective in eliminating buddy-punching. Biometric systems read physical features of the employee (e.g., fingerprint). The problem with payroll identification cards is they can be left near the time-clock and workmates can clock in for a buddy while that friend is still in bed, enjoying a morning snooze. Another simple preventive measure is to install a video camera at the clock-in site; then if buddy-punching does occur, it will be captured.

Regardless of the payroll system used, it is imperative that supervisors review and approve the time records for their department – prior to the remittance of these records to accounting. Once the time records are received in accounting, it is important that the payroll clerk review the submitted information for significant variances; this should be done prior to the processing of payroll.

Duplicate Payments

Another common payroll scheme is the issuance of duplicate payroll checks, especially to the payroll clerk or finance director since they often control payroll disbursements. This is even more prevalent when these persons can also sign checks, whether physically or electronically. Be wary of situations where one person can issue payroll checks (including direct deposits) and record the transaction in the general ledger without review by a second party.

Ghost Employees

Most any discourse about payroll fraud includes a discussion of ghost employees (fictitious employees on the payroll); so I won’t disappoint. Regardless of the payroll system, the existence of ghost employees can be expensive. But in order to have a ghost employee, someone must create the employee or leave a terminated employee in the payroll system. The later is the more prevalent practice (since it’s easier to do – no drug test required, for example). By leaving a terminated employee in the payroll system, the fraudster (usually the payroll clerk or finance director) can simply change the terminated employee’s bank account number to his or her own, and, with direct deposit, the ghost employee payments are sent to the fraudster’s bank account. So how do we prevent and detect the existence of ghost employees?

  • Periodically compare each employee in the payroll system to individual personnel files – ghosts don’t normally have personnel files.
  • Examine any returned W–2s. If the ghost has a ghost address, the W–2 will be returned; compare returned W–2s to personnel files.
  • Separate the duty of adding or deleting an employee from the payroll processing function. Assign the duty to add and delete employees to the HR director, for example, and the duty to process payroll to other payroll personnel.
  • If possible, have the computerized payroll system generate an email to someone outside the payroll department (e.g., finance director) for each change of address or each person added or deleted from the system; alternatively have the system generate a monthly report of all changes to payroll – again going to a reviewer outside of payroll.
  • Use a payroll system that requires second party approval of any new personnel additions or changes to payroll records.

Inflating Pay Rates

One of the easiest ways to commit payroll theft is to inflate pay rates (e.g., hourly rates) in the master payroll file. To mitigate this risk, the organization should limit who has access to the master pay rate file. Make sure appropriate passwords are established and that those passwords are known only to authorized persons. In addition, all pay rates should be documented in each employee’s personnel file. The person authorizing the pay rate should sign and date the approval sheet.

Segregation of Duties

Most of these threats can be eliminated or greatly diminished by implementing appropriate segregation of duties. Where possible, the organization should segregate the following payroll responsibilities:

  • Setting up new employees and deleting terminated employees
  • Authorization of wage rates
  • Entering pay rates into the accounting system
  • Entering time into the accounting system
  • Processing and printing of checks
  • Distribution of physical checks
  • Reconciling the payroll bank account

If you can’t segregate these functions, have a second person review and sign off on payroll, or have a periodic audit of your payroll performed.

Any Fiends in Your Payroll?

Have you had any payroll frauds at your place of business? If yes, please share.

New Data Collection Form – Single Audits

To what years will the new data collection form (DCF) apply?

Audit periods ending in 2013, 2014 and 2015

When will the form be finalized?

The form was to be finalized by late November, but the government shut-down may delay this time-frame. (The first Federal Register notice was issued in May with a comment due date of July 8, 2013. A second Federal Register notice was to be issued in mid-October, but, again, the federal shut-down will probably delay this date.)

Has OMB provided an extension for filing due-dates?

The Federal Audit Clearinghouse (FAC) web site states (or at least before the government shutdown stated):

If a single audit for a fiscal period ending in 2013 is due
before the 2013 Form is available, auditees will not be able
to meet the thirty day deadline for submission prescribed
by OMB Circular A-133 §_.320(a). Therefore, OMB has
granted an extension until December 31, 2013, for
reporting packages due to the Clearinghouse before
that date. The extension is automatic and there is no
approval required. The extension applies only to single
audits for the fiscal periods ending in 2013.

(New extended date through January 31, 2014 – as of November 7, 2013; click here for more information.)

When will the new Internet Data Entry System (IDES) be available?

It was suppose to be available on October 7, 2013. I tried to access the site today (October 14, 2013), but, due to the government shut-down, it was not available.

Will there be any changes in registration?

Each user must create one account using one email address; this is true even if you have used the system prior to the update. You will only register once. On the new log-in page, you will see “Register” just under the “Account Log-in” section; click “Register” to access the registration screen.

CaptureOn the registration page, you will enter:

  1. Your name
  2. Your email address

The name entered here will not show up on the data collection form; it is purely for communication purposes with the FAC. Your new account name will be your email address.

Then click the “register” tab.

Now you will receive a confirmation email from; this email will have a hotlink that you will click. Clicking the link will take you to a password entry screen. Now enter your unique password. These passwords will expire after 60 days, regardless, and 30 days if there is no activity. Passwords cannot be reused.

The passwords must meet the following requirements:

  1. 12 characters in length (minimum)
  2. must contain at least one of each of the following:
    1. Upper case letters (A-Z)
    2. Lower case letters (a-z)
    3. Numbers (0-9)
    4. Special characters from !@#$%^&*()
    5. No character repeated more than 4 times (Charles22222# will not work)

For example: ThisisComplicated2556!  – This works (even though it’s complicated).

Previous submissions will be available (the system matches email addresses used for previous reports).

Once you enter your password, you can go to the “Account Home.”


From here you will enter, revise or view your report.

You will see new improved data entry formats; I think you will like them. They are cleaner and easier to understand.

There is still a requirement for auditor and auditee certification. On the “Submission Access” page you will need to enter an email address for the auditor and the auditee. (The auditee will receive a password email like the one you – the auditor – received.)

You will also be required to submit an unlocked and unencrypted audit report. You can find instructions for creating a compliant PDF Single Audit Report at: (this link may not work until the government shutdown is resolved).

There is a requirement that audit reports be unlocked and unencrypted beginning with the 2014 reports. (The auditor will receive a warning page for 2013 reports that don’t comply, but the report can still be submitted.)


I must say it concerns me greatly that CPA firms are being required to submit unlocked and unencrypted files. These reports contain signed CPA firm opinions. Could not someone change the numbers?

FRF for SME – The Lowdown

Well the public brouhaha between NASBA and the AICPA seems to have settled down since the AICPA issued the Financial Reporting Framework for Small- to Medium-Sized Entities (FRF for SME). I won’t say they’re holding hands now, but at least the discussion has simmered.

Here’s a Q&A to help you digest some of the salient points of FRF for SME.

What is FRF for SMEs?

It’s an other comprehensive basis of accounting (OCBOA) that can be used as an alternative to generally accepted accounting principles (GAAP) as issued by the Financial Accounting Standards Board.

When can FRF for SME be used?


Who created FRF for SME?


What is the size of FRF for SME?

A little over 200 pages.

What is the size of GAAP?

Thousands of pages. (I have heard more than 20,000 pages. Correct me if I’m wrong.)

How often will FRF for SME change?

About once every three to four years. (That’s one of the beauties of it.) Stability? Yes.

Why was FRF for SME created?

GAAP had become too complex for small- to medium-sized private businesses, driving up the costs of creating GAAP-compliant financial statements. Existing OCBOA (e.g., modified-cash basis) lacked standardization.

Does FRF for SME define a small- to medium-sized entity? Is there a dollar threshold?

No. It’s subjective. There is no dollar threshold.

Is “FRF for SME” GAAP?

No. (It is not little GAAP. It is not GAAP at all – not intended to be.)

Can entities with debt covenants requiring GAAP use FRF for SMEs?

No. But they can see if the lender will amend the agreement.

Can financial statements created using FRF for SME be audited, reviewed or compiled?

Yes. Yes. Yes.

What are some of the characteristics of companies that might use FRF for SME?

  • For-profit
  • Closely-held
  • Not a public company
  • No regulatory requirements for GAAP
  • Individuals with controlling ownership also manage the company

What entities should not use FRF for SME?

  • Nonprofits
  • Those with complex transactions
  • Governments

Is FRF for SME principles-based?

Yes. Use the flexibility and disclose the policies used.

Do the FRF for SME financial statements look like GAAP statements?

Yes. This is a downside (at least to me). I do think a user might mistakenly believe the financial statements are GAAP. You will need to clearly disclose that FRF for SME is being used. Also your opinion or SSARS report will refer to FRF for SME (rather than GAAP).

What are some key points of FRF for SME?

  • No comprehensive income
  • Investments will be at historical cost (market value used when held-for-sale)
  • Derivatives (think swaps) are not recognized on the balance sheet (only disclosed); no hedge accounting
  • Goodwill amortized over the same period as that used for tax purposes or 15 years
  • Intangibles (all) will be amortized over their economic life
  • Income taxes recognized using taxes payable method (what you owe at period-end) or the deferred income tax method (as GAAP requires)
  • No requirement to accrue uncertain tax positions (no FIN 46)
  • Leases will be recognized as operating or capital leases (FASB’s presently proposed lease standard will require all leases of more than 12 months to be recognized as a liability; expect to see the FASB lease standard approved in early 2014)
  • Policy choice to consolidate subsidiaries or account for them using the equity method (parent-only presentation allowed; use equity method accounting for subsidiaries)
  • Variable interest entities will not be consolidated (disclosure of the relationship); can I get an Amen?
  • No assessment of long-lived assets for impairment
  • Going concern assessment required by management (this assessment is not required by GAAP – yet)
  • Revenue recognition is principles-based (disclose how you recognize revenue); percentage-of-completion is allowable for contractors
  • Stock-based compensation not booked as a liability (disclosure only)
  • Defined benefit plan liabilities can be recognized using contribution payable method (record current pension plan payments not made; no projected benefit obligation liability required)
  • Disclosure requirements are greatly simplified

Can’t I just continue issuing tax-basis financial statements?

Yes. But tax-basis statements do not incorporate some of the more traditional accounting concepts that FRF for SME does.

How will the use of FRF for SME change the peer review process?

No change; FRF for SME is just another OCBOA – like tax-basis or modified-cash basis.

Does the AICPA offer any implementation tools?

Yes. Click here for toolkits.

How About You? 

Will you and your firm use FRF for SME? Do you like it (or dislike it)?

Consolidating Not-for-Profit Entities

The rules for consolidating nonprofit entities

How would you respond to the question, “how do I know when a not-for-profit entity should consolidate a related not-for-profit entity?”

Here’s a brief overview.

Key Consolidation Issue

The main key in determining whether a not-for-profit should consolidate another entity is control.

FASB defines control as the direct or indirect ability to determine the direction of management and policies through ownership, contract, or otherwise.

Consolidation Decision

The FASB Codification addresses not-for-profit (NFP) consolidations as follows:

  • Consolidation is required for 1. through 3. below.
  • Consolidation is permitted but not required for 4. below.
  • Consolidation is not permitted for 5. below.

Controlling Financial Interest

1. 958-810-25-2 – The reporting entity is the sole corporate member of the related NFP
2. 958-810-25-2 – The reporting entity has a controlling financial interest through direct or indirect ownership of a majority voting interest in the other NFP

Control Combined with an Economic Interest

3. 958-810-25-3 – The reporting entity controls another NFP through a majority voting interest in its board and has an economic interest in that other entity (e.g., reporting entity appoints 3 of the 5 voting members of the related NFP)
4. 958-810-25-4 – The reporting entity controls an NFP through a form other than majority ownership, sole corporate membership, or majority voting interest in the board of the other entity and has an economic interest in that other entity (control may be established by contract or an affiliation agreement)


5. 958-810-25-5 – If the reporting entity does not have both control of and an economic interest in the related NFP, then consolidation is not permitted.

Note – There are additional rules for consolidating for-profit entities into NFP financial statements.

Providing Fraud Prevention Services to Compilation Clients

How many small businesses do you compile financial statements for? For most small- to medium-sized CPA firms, the answer is plenty. Now let me ask one more question (please).

What is the greater risk for such small businesses?

  • Financial statements are misstated or
  • The bookkeeper (or someone else) can steal substantial sums of money from the business

Courtesy of

You say, “I’m not engaged to look for potential theft.” In most cases, you probably aren’t. But notice my question is about your client (and your potential opportunity to provide a valuable service).

I find that most compiled small business financial statements are basically correct – often because of the CPA’s involvement. The risk of material misstatement is driven down, and obviously, this is a good thing, but what about the potential for theft?

It seems to me that CPAs seldom talk with their clients about the potential for theft, even though we know, for instance, that the client’s accounting staff consists solely of one bookkeeper.

Theft may occur prior to the CPA’s compilation work, but when theft occurs, bookkeeping clients will sometimes say things like, “surely my CPA is in some way responsible” – even though compilations are not designed to prevent (or detect) fraud.

Defining Your Compilation Service

Let me ask two questions at this juncture:

  1. Do you get compilation engagement letters signed?
  2. Do you verbally explain the limits of your engagement (that you are not providing fraud prevention or detection services)?

These two actions will mitigate your risk when you only provide compilation services.

Providing Fraud Prevention Services

Now let’s consider another service that you can add: fraud prevention.

Do you ever suggest to your client that he or she have you (or someone else trained in fraud prevention) review the accounting system and make fraud prevention suggestions? Here is where, I believe you can add value in addition to the compilation service. I also believe it is largely an untapped source of revenue for small- to medium-sized CPA firms.

If you provide fraud prevention services, you need to create an engagement letter that addresses the boundaries of your work. It is wise to say what you are providing and, more importantly, what you are not providing.

I normally will state that I am providing the additional fraud prevention service to mitigate fraud risk and that the additional work will not provide absolute assurance that fraud will not occur. I go on to say that once the work is complete, “fraud may still occur.” (Check with your insurance carrier for appropriate language.)

In other words, your engagement is to mitigate fraud risk, not eliminate it – a reasonable proposition. (The risk of fraud can seldom, if ever, be fully eliminated.)

Additional Risks for the CPA

But doesn’t providing fraud prevention services create additional risks for the CPA?


Providing any additional service creates additional risks for the CPA. So this is ultimately a business decision for you and your firm.


Will providing fraud prevention services impair your independence? Under existing AICPA independence standards, the answer is often “yes” (because you are assisting with the design of the internal control system). You can offer such a service to a compilation client, but you will need to state your lack of independence in the compilation report.

Agree or Disagree?

What do you think about offering fraud prevention services to compilation clients?

Stealing While Dying

In one of the stranger frauds I’ve seen, the bookkeeper was stealing money while dying. Going to meet your Maker with the fresh scent of theft on your hands is not a good way to go.

manager in office

Courtesy of

I had provided external audit services to this health department for years and knew the bookkeeper (we’ll call her Katie) quite well. She sent me thank you cards – yes, thank you cards – for my audit work. Katie was polite, well spoken, and great at her job. If ever I thought there was someone who would not (and could not) steal, it was (you guessed it) Katie.

But external circumstances can make even the best of people do the impossible. During the course of one audit year, Katie developed cancer. The medical treatments resulted in numerous medical bills, many of which were received while she still worked off and on. Sadly she eventually died.

Knowing that Katie had passed away, I knew the audit would be challenging, especially since the health department board had not hired anyone to replace her.

Upon my arrival I requested the bank statements, but the remaining employees could not locate them (not a good sign). I thought maybe she had taken the bank statements home and had not returned with them due to her illness. After the employees had searched for some time with no result, the client requisitioned the bank statements and cleared checks from the bank (this was some twenty years ago, before electronic access).

In reviewing the cleared checks, I quickly noticed round-dollar vendor checks written to Katie. The first one was for $7,000. My first thought was, “not Katie, I’ve known her too long. No way. Surely there’s a reason for this.” But then there was another and another…

Reporting the theft to the health department board was difficult. Here was an honest person who had stolen money because she felt she had to.

This is one case where I wanted to just let it go, to walk away and pretend it didn’t happen. But I knew that was not an option. Can you imagine being the board member that called Katie’s husband – just months after her death – and informed him of the theft?

Fraud is an ugly thing.

If you ever need a reason to communicate control weaknesses in an open manner, here’s one – for the employee’s own safety (not to mention your own).  Sometimes money is too tempting, even for the best of people.

Fraud Triangle 

So what led to the theft?

  • Pressure (need for cash)
  • Opportunity (almost no segregation of duties), and
  • Rationalization (Katie’s unselfish desire to leave her family with no medical bills).

Katie was authorized to sign checks. Though the checks required two signatures, the bank cleared these checks with just Katie’s signature. Since Katie keyed all transactions into the computer and reconciled the bank statements, she had the keys to the castle. (I was thankful that our firm had – in the prior audits – communicated the lack of segregation of duties.)

The guy or gal you’re auditing is too honest to steal? Maybe. But you never know what is going on in their lives – or what will come.

Lessons Learned

  • When records go missing – pay attention
  • When you see round-dollar vendor checks – dig deeper
  • When your client lacks segregation of duties – raise your antenna

Your Fraud Story

What strange occurrences of fraud have you observed?