10 Steps to Make Work Papers Sparkle
May 22

10 Steps to Make Work Papers Sparkle

By Charles Hall | Accounting and Auditing , SSARS

In this post, I provide ten steps to make work papers sparkle.

Have you ever been insulted by a work paper review note?

Your tickmarks look like something created by my child.

Rather than providing guidance, the comment feels like an assault.

Or maybe you are the reviewer–you stare at a work paper for several minutes–and you’re thinking, “what the heck is this?” Your stomach tightens and you say out loud, “I don’t have time for this.”

There are ways to create greater clarity in your work papers.

Make Work Papers Sparkle

Make Work Papers Sparkle

Here are ten steps to make your work papers sparkle.

  1. Timely review work papers. The longer the in-charge waits to review work papers, the harder it is for the staff person to remember what they did and, if needed, to make corrections. Also, consider that the staff person may be reassigned to another job. Therefore, he may not be available to clear the review notes.
  2. Communicate the work paper’s purpose.

a.  An unclear work paper is like a stone wall. It blocks communication.

b.  State the purpose of the work paper; for example:

Purpose of Work Paper – To search for unrecorded liabilities as of December 31, 2018. Payments greater than $30,000 made from January 1, 2019, through March 5, 2019, were examined for potential inclusion in accounts payable.

Or:

Purpose of Work Paper – To provide a detail of accounts receivable that agrees with the trial balance; all amounts greater than $20,000 agreed to subsequent receipt.

If the person creating the work paper can’t state the purpose, then maybe there is none. It’s possible that the staff person is trying to copy a work paper from the prior year that (also) had no purpose.

Click Purpose Notation Explanation for brief audio comment.

c.  All work papers should satisfy a part of the audit program (plan). No corresponding audit program step? Then the audit program should be updated to include the step—or maybe the work paper isn’t needed at all.

3.  The preparer should sign off on each work paper  (so it’s clear who created it).

4. Audit program steps should be signed off as the work is performed (not at the end of the audit–just before review). The audit program should drive the audit process—not the prior year work papers.

5.  Define tickmarks.

6.  Reference work papers. (If you are paperless, use electronic links.)

7.  Communicate the reason for each journal entry.

The following explanation would not be appropriate:

To adjust to actual.

A better explanation:

To reverse client-prepared journal entry 63 that was made to accrue the September 10, 2018, Carter Hardware invoice for $10,233.

8.   When in doubt, leave it out.

Far too many documents are placed in the audit file simply because the client provided them. Moreover, once the work paper makes its way into the file, auditors get “remove-a-phobia“–that dreaded sense that if the auditor removes the work paper, he may need it later.

If you place those unneeded documents in your audit file and do nothing with them, they may create potential legal issues. I can hear the attorney saying, “Mr. Hall, here is an invoice from your audit file that reflects fraud.”

Again, does the work paper have a purpose?

My suggestion for those in-limbo work papers: Place them in a “file 13” stack until you are completely done. Then–once done–destroy them. I place these work papers in a recycle bin at the bottom of my work paper tree. 

9.  Complete forms. Blanks should not appear in completed forms (use N/A where necessary).

10. Always be respectful in providing feedback to staff. It’s too easy to get frustrated and say or write things we shouldn’t. For instance, your audit team is more receptive to:

Consider providing additional detail for your tickmark: For instance–Agreed invoice to cleared check payee and dollar amount.

This goes over better than:

You failed to define your tickmark–again?

Last Remarks

What other ways do you make your work papers sparkle? Comment below.

You may also be interested in a related post: 7 Steps to Effectively Review Financial Statements. Also, see If It’s Not Documented, It’s Not Done.

The Exciting (and Scary) Future Changes in Accounting
May 21

The Exciting (and Scary) Future Changes in Accounting

By Charles Hall | Technology

Are you ready for the exciting (and scary) future changes in accounting?

I have spent the last two days talking to and listening to CPAs talk about the coming changes in accounting and auditing. What’s the cause of the changes? In a word: Technology.

The Exciting (and Scary) Future Changes in Accounting

The Coming Changes in Public Accounting

Specifically, we will see changes from artificial intelligence, blockchain, big data, and audit tools. The big four have already spent hundreds of millions of dollars in developing (and embracing) these technologies.

The expectation, so I am hearing, is for CPA firms to reduce the employment of traditional positions (e.g., auditing and tax) and increase the use of other disciplines (e.g., data analytics, leveraging AI and other technologies).

When these changes occur (and yes, I believe they are coming), CPAs can get hurt. Or we can embrace the changes and continue to be profitable. Ignoring these dynamics (or saying they are overstated) will—I believe—leave one blind-sided. 

Could I be wrong? Well, yes. And it would not be the first time. But based on what I am reading and hearing, it appears we will see more change in the next five years than we have in the last twenty-five (that’s a pure guess).

Examples of Emerging Accounting and Audit Software

Firms will need to make investments in emerging technologies and new software products such as Onpoint (a compilation and review product developed by the AICPA and CaseWare).

One platform, Mindbridge, offers audit technology with artificial intelligence. (Mindbridge works with standard accounting software packages such as QuickBooks and Intaact.)

An interesting platform for bookkeeping is AutoEntry. This package automates the entry of information into QuickBooks (it works with the online and desktop versions). Hector Garcia provides a nice YouTube video demonstrating how this software works.

Onpoint, Mindbridge, and AutoEntry are examples of technologies that will transform accounting as we know it. Anybody feel like we’re watching the accounting version of the Jetsons?

Advisory Services: An Opportunity

Interestingly, one of the fastest growing areas in public accounting is advisory services. So, smaller CPA firms should expect more demand from bookkeeping clients in terms of providing business advice: strategic planning, how and when to borrow money, where to invest excess funds, etc. This makes sense. The newer technologies are providing accountants with more time. And with that time, we can become better advisors.

May 15

Fraudulent Payments Without Being on the Signature Card

By Charles Hall | Asset Misappropriation

Today I show you how bookkeepers can make fraudulent payments without being on the signature card.

Auditors often focus on authorized check signers when considering who can fraudulently disburse funds. But might it be possible to make payments without being on the bank’s signature card? The answer is yes. 

fraudulent payments without being on the signature card

Courtesy of a DollarPhoto.com

Fraudulent Payments without Being on the Signature Card

Here are a few ways to disburse funds without being on a signature card:

  1. Forgery
  2. Unsigned checks
  3. Wire transfer 
  4. Electronic bill pay 
  5. Signing checks with accounting software 
  6. Use of a signature stamp

1. Forgery

Since banks don’t usually inspect checks as they clear, a forged check will normally clear the bank.

2. Unsigned Checks

Again, since banks don’t normally inspect checks as they are processed, an unsigned check can clear the bank. (I saw one just last month.)

3. Wire Transfer

Many times–at the client’s direction–banks wire money with just one person’s approval. One nonprofit administrator stole $6.9 million in less than an hour because of this control weakness. 

I have also seen small-town business bookkeepers drop by a local bank and ask them to wire money. Banks, desiring to help their client, sometimes do.

Businesses should use the controls offered by banks. Otherwise, they might be on the hook for fraudulent wires.

4. Electronic Bill Pay

Anyone with the right passwords can make electronic bill payments to themselves or anyone else.

5. Signing Checks with Accounting Software

This one scares me the most.

Many businesses, in an effort to expedite the disbursement process, have authorized signatures embedded in the payables software, enabling the payables clerk to make a payment to anyone. If the payables clerk has access to check stock (and they usually do), watch out. Even if a second person is normally involved in processing checks with automatic signatures, how easy is it for the clerk to go by in the evenings and make fraudulent payments? This danger increases if the payables clerk also reconciles the bank account. Why? No second person is reviewing the cleared checks.

6. Use of a Signature Stamp

I cringe every time I see a signature stamp. Why not just ask the authorized signer to just sign plenty of blank checks? (Yes, I am being facetious.)

Just last year I worked on a case where the bookkeeper wrote manual checks to herself but entered payments in the general ledger to legitimate vendors for the same amounts. Why? To mask the payments.

Recipe for Disbursement Fraud

Give anyone (1) the ability to sign checks, (2) access to blank check stock, and (3) the ability to make the bookkeeping entry, and you have the recipe for theft–particularly if that same person reconciles the bank statement or if the person reconciling the bank statement does not examine the payee on cleared checks. If you can’t segregate duties (there are too few employees), here’s how to lessen segregation of duties problems in two easy steps

How to Audit Accounts Payable

Click here for detailed information about how to audit accounts payable and expenses.

CPAHallTalk.com
May 14

CPAHallTalk.com is My New Blog Name (June 1)

By Charles Hall | Accounting and Auditing

CPA-Scribo.com is about to become CPAHallTalk.com.

CPAHallTalk.com

Last week I decided to change the name of my blog. So, I reached out to my regular subscribers and asked for their assistance. I offered a $200 Amazon gift card to the winner. I couldn’t believe the response.

How many suggestions did I receive? Over 200! I was blown away.

And who is the winner? Sara Laidlaw (Www.asbinc.net) from Savannah, Georgia.

Thanks, Sara, for the new name.

If you key in CPA-Scribo.com after the change on June 1, you’ll automatically redirect to the new URL: CPAHallTalk.com.

Thanks much to everyone that participated! My subscribers are the best. At present, the blog has over 1,500 subscribers. So, come on and join the party. You can subscribe below.

The blog is on track to have over 180,000 visitors this year

corporate account takeover
May 02

Corporate Account Takeover (the Importance of Using Bank Security Procedures)

By Charles Hall | Accounting and Auditing , Fraud , Local Governments

Some thieves gain control of company bank accounts using a corporate account takeover scheme. And with that control, they steal money. Below you’ll see how this type of theft occurs.

On March 17, 2010, cyber thieves hacked into the computers of Choice Escrow and stole the login ID and password to their online banking account. With that information, the thieves were able to submit a $440,000 wire transfer from Choice Escrow’s bank account to an account in Cyprus.

Corporate account takeover

Courtesy of istockphoto.com

When Choice Escrow and the bank were unable to resolve their differences, Choice Escrow filed suit. The back-and-forth legal battle lasted until March 18, 2013, when a court ruled the loss was the responsibility of Choice Escrow. A major determining factor in the decision was Choice Escrow’s refusal of the dual control security mechanism offered by Bancorpsouth Bank. According to Article 4A of the Uniform Commercial Code, if an institution offers a reasonable security procedure to a commercial customer and that customer turns down that security procedure, then the customer is liable in the event of a loss.

Bancorpsouth Bank offered dual control to Choice Escrow twice. Not only did the bank offer this security feature to Choice Escrow, but Bancorpsouth also documented the customer’s refusal to use the security feature. The documentation of the customer’s refusal of the security features was a determining factor in this case. From a bank’s perspective, this case underscores the importance of a written agreement with commercial online banking customers and, more importantly, the importance of documenting the security procedures offered to those customers. From a user’s perspective, the case highlights the need to use the security procedures offered.

Corporate Account Takeover

Corporate account takeover is a term which has become more prevalent over recent years. Generally speaking, corporate account takeover occurs when an unauthorized person or entity gains access or control over another entity’s finances or bank accounts. This usually results in the theft of money in the form of fraudulent wire transfers or ACH transactions.

These fraud schemes first began to be noticed in 2005 but have since become much more widespread and frequent. Recent statistics have revealed that the fraudsters carrying out these schemes are actually becoming less successful in getting money out of a bank account. This reduction is due to both increased efforts on the part of the financial institutions, as well as better education of the customer to help them avoid becoming a target.

Usually, the financial institutions themselves are not the targets of the attack but rather the corporate customers of the institution. Using malware, social engineering, and various other methods, the fraudster obtains information about the customer’s online banking credentials. Once the online banking credentials have been obtained, a request for wire or ACH transfers is placed by the thief. Any business may be targeted for these types of attacks, but those at risk mostly are small businesses, governments, and nonprofits who have limited resources to protect against such threats.

Audit Planning Analytics
May 01

Audit Planning Analytics: What You Need to Know

By Charles Hall | Auditing

You can identify risks of material misstatement with audit planning analytics. 

Audit Planning Analytics

Audit Planning Analytics

The auditing standards provide four risk assessment procedures: 

  1. Inquiry
  2. Observation
  3. Inspection
  4. Analytical procedures

I previously provided you with information about the first three risk assessment procedures. Today, I provide you with the fourth, analytical procedures.

While analytical procedures should occur at the beginning and the end of an audit, this post focuses on planning analytics.

Below I provide the quickest and best way to develop audit planning analytics

What are Analytics?

If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the use of numbers to determine reasonableness. For example, if a company's cash balance at December 31, 2017, was $100 million, is it reasonable for the account to be $5 million at December 31, 2018? Comparisons such as this one assist auditors in their search for errors and fraud.

Overview of this Post

We'll cover the following:

  • The purpose of planning analytics
  • When to create planning analytics (at what stage of the audit)
  • Developing expectations 
  • The best types of planning analytics
  • How to document planning analytics
  • Developing conclusions 
  • Linkage to the audit plan

Purpose of Planning Analytics

The purpose of planning analytics is to identify risks of material misstatement. Your goal as an auditor is to render an opinion regarding the fairness of the financial statements. So, like a good sleuth, you are surveying the accounting landscape to see if material misstatements exist.

A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews, timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures. Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for material misstatements. 

The detective and the auditor are both looking for the same thing: evidence. And the deft use of tools can lead to success. A key instrument (procedure) available to auditors is planning analytics. 

When to Create Planning Analytics

Create your preliminary analytics after gaining an understanding of the entity. Why? Context determines reasonableness of numbers. And without context (your understanding of the entity), changes in numbers from one year to the next may not look like a red flag--though maybe they should.

Therefore, learn about the entity first. Are there competitive pressures?  What are the company's objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the organization have debt? Context creates meaning.

Additionally, create your comparisons of numbers prior to creating your risk assessments. After all, the purpose of the analytical comparisons is to identify risk.

But before creating your planning analytics, you first need to know what to expect.

Developing Expectations 

Knowing what to expect provides a basis for understanding the changes in numbers from year to year. 

Expectations can include:

  • Increases in numbers
  • Decrease in numbers
  • Stable numbers (no significant change)

In other words, you can have reasons to believe payroll (for example) will increase or decrease. Or you might anticipate that salaries will remain similar to last year.

Examples of Expectations Not Met

Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an increase of 15% is a flashing light.

Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be an indication of financial statement fraud.

But where does an auditor obtain expectations?

Sources of Expectations

Expectations of changes can come from (for example):

  • Past changes in numbers 
  • Discussions with management about current year operations
  • Reading the company minutes
  • Staffing reductions
  • Non-financial statistics (e.g., decrease the number of widgets sold)
  • A major construction project

While you'll seldom know about all potential changes (and that's not the goal), information--such as that above--will help you intuit whether change (or a lack of change) in an account balance is a risk indicator.

Now, let's discuss the best types of planning analytics. 

The Best Types of Planning Analytics

Auditing standards don't specify what types of planning analytics to use. But some, in my opinion, are better than others. Here's my suggested approach (for most engagements). 

Audit Planning Analytics

First, create your planning analytics at the financial statement reporting level. Why? Well, that's what the financial statement reader sees. So, why not use this level (if you can)? (There is one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)

The purpose of planning analytics is to ferret out unexpected change. Using more granular information (e.g., trial balance) muddies the water. Why? There's too much information. You might have three hundred accounts in the trial balance and only fifty at the financial statement level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I look at it.

Second, add any key industry ratios tracked by management and those charged with governance. Often, you include these numbers in your exit conference with the board (maybe in a slide presentation). If those ratios are important at the end of an audit, then they're probably important in the beginning.

Examples of key industry ratios include:

  • Inventory turnover
  • Return on equity
  • Days cash on hand
  • Gross profit 
  • Debt/Equity 

Okay, so we know what analytics to create, but how should we document them?

Analytics for Fraudulent Revenue Recognition

AU-C 240.22 says, "the auditor should evaluate whether unusual or unexpected relationships that have been identified indicate risks of material misstatement due to fraud. To the extent not already included, the analytical procedures, and evaluation thereof, should include procedures relating to revenue accounts." 

The auditing standards suggest a more detailed form of analytics for revenues. AU-C 240.A25 offers the following:

  • a comparison of sales volume, as determined from recorded revenue amounts, with production capacity. An excess of sales volume over production capacity may be indicative of recording fictitious sales.
  • a trend analysis of revenues by month and sales returns by month, during and shortly after the reporting period. This may indicate the existence of undisclosed side agreements with customers involving the return of goods, which, if known, would preclude revenue recognition.
  • a trend analysis of sales by month compared with units shipped. This may identify a material misstatement of recorded revenues.

In light of these suggested procedures, it may be prudent to create revenue analytics at a more granular level than that shown in the financial statements.

How to Document Planning Analytics

Here are my suggestions for documenting your planning analytics.

  1. Document overall expectations.
  2. Include comparisons of prior-year/current-year numbers at the financial statement level. (You might also include multiple prior year comparisons if you have that information.)
  3. Document key industry ratio comparisons.
  4. Summarize your conclusions. Are there indicators of increased risks of material misstatement? Is yes, say so. If no, say so.

Once you create your conclusions, place any identified risks on your summary risk assessment work paper (where you assess risk at the transaction level--e.g., inventory).

Use Filtered Analytical Reports with Caution (if at all)

Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with changes of greater than $30,000. There is a danger in using such thresholds. 

What if  you expect a change in sales of 20% (approximately $200,000) but your filters include:

  •  all accounts with changes greater than $50,000, and 
  • all accounts with changes of more than 15%

If sales remain constant, then this risk of material misstatement (you expected change of 20%, but it did not happen) fails to appear in the filtered report. The filters remove the sales account because the change was minimal. Now, the risk may go undetected.

Developing Conclusions

I am a believer in documenting conclusions on key work papers. So, how do I develop those conclusions? And what does a conclusion look like on a planning analytics work paper?

First, develop your conclusions. How? Scan the comparisons of prior year/current year numbers and ratios. We use our expectations to make judgments concerning the appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so, there's no formula for this. 

No Risk Identified

Now, you'll document your conclusions. But what if there are no unexpected changes? You expected the numbers to move in the manner they did. Then no identified risk is present. Your conclusion will read, (for example):

Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on the planning analytics, no risks of material misstatement were noted.

Risk Identified

Alternatively, you might see unexpected changes. You thought certain numbers would remain constant, but they moved significantly. Or you expected material changes to occur, but they did not. Again, document your conclusion. For example:

Conclusion: I expected payroll to remain constant since the company's workforce stayed at approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I am placing this risk of material misstatement on the summary risk assessment work paper at 0360 and will create audit steps to address the risk.

Now, it's time to place the identified risks (if there are any) on your summary risk assessment form.

Linkage to the Audit Plan

I summarize all risks of material misstatements on my summary risk assessment form. These risks might come from walkthroughs, planning analytics or other risk assessment procedures. Regardless, I want all of the identified risks--those discovered in the risk assessment process--in one place.

The final step in the audit risk assessment process is to link your identified risks to your audit program. 

Overview of Risk Assessment and Linkage

Now, I tailor my audit program to address the risks. Tailoring the audit program to respond to identified risks is known as linkage.

Audit standards call for the following risk assessment process:

  • Risk assessment procedures (e.g., planning analytics)
  • Identification of the risks of material misstatement
  • Creation of audit steps to respond to the identified risks (linkage)

Summary of Planning Analytics Considerations

So, now you know how to use planning analytics to search for risks of material misstatement--and how this powerful tool impacts your audit plan.

Let's summarize what we've covered:

  1. Planning analytics are created for the purpose of identifying risks of material misstatement
  2. Develop your expectations before creating your planning analytics (learn about the entity's operations and objectives; review past changes in numbers for context--assuming you've performed the audit in prior years)
  3. Create analytics at the financial statement level, if possible
  4. Use key industry ratios 
  5. Conclude about whether risks of material misstatement are present
  6. Link your identified risks of material misstatement to your audit program

If you have thoughts or questions about this post, please let me know below in the comments box. Thanks for reading.

First-Year Businesses and Planning Analytics

You may be wondering, "but what if I my client is new?" New entities don't have prior numbers. So, how can you create planning analytics? 

First Option

One option is to compute expected numbers using non-financial information. Then compare the calculated numbers to the general ledger to search for unexpected variances.

Second Option

A second option is to calculate ratios common to the entity’s industry and compare the results to industry benchmarks.

While industry analytics can be computed, I’m not sure how useful they are for a new company. An infant company often does not generate numbers comparable to more mature entities. But we’ll keep this choice in our quiver--just in case.

Third Option

A more useful option is the third: comparing intraperiod numbers. 

Discuss the expected monthly or quarterly revenue trends with the client before you examine the accounting records. The warehouse foreman might say, “We shipped almost nothing the first six months. Then things caught fire. My head was spinning the last half of the year.” Does the general ledger reflect this story? Did revenues and costs of goods sold significantly increase in the latter half of the year?

Fourth Option

The last option we’ve listed is a review of the budgetary comparisons. Some entities, such as governments, lend themselves to this alternative. Others, not so–those that don’t adopt budgets.

Summary

So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.

audit and work paper mistakes
Apr 23

Forty Audit and Work Paper Mistakes

By Charles Hall | Auditing

Today, I offer you a list of forty audit and work paper mistakes.

audit and work paper mistakes

The list is based on my observations from over over thirty years of audit reviews (and not on any type of formal study).

You will, however, shake your head in agreement as you read these. I know you’ve seen them as well. The list is not comprehensive. So, you can add others in the comments section of this post.

Here’s the list.

  1. No preparer sign-off on a work paper
  2. No evidence of work paper reviews
  3. Placing documents in the file with no purpose (the work paper provides no evidential matter for the audit)
  4. Signing off on unperformed audit program steps
  5. No references to supporting documentation in the audit program
  6. Using canned audit programs that aren’t based on risk assessments for the particular entity
  7. Not documenting expectations for planning analytics
  8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
  9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linking)
  10. Not documenting who inquiries were made of
  11. Not documenting when inquiries were made
  12. Significant deficiencies or material weaknesses that are not communicated in written form
  13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
  14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
  15. Assessing control risk below high without testing controls
  16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
  17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
  18. Not documenting the predecessor auditor communication in a first-year engagement
  19. Not documenting the qualifications and objectivity of a specialist
  20. Not documenting all nonattest services provided
  21. Not documenting independence
  22. Not documenting the continuance decision before an audit is started
  23. Performing walkthroughs at the end of an engagement rather than the beginning
  24. Not performing walkthroughs or any other risk assessment procedures
  25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
  26. Not retaining the support for opinion wording in the file (especially for modifications)
  27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
  28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
  29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
  30. Going concern indicators are present but no documentation regarding substantial doubt
  31. IT controls are not documented
  32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
  33. Consultations with external or internal experts are not documented
  34. No purpose or conclusion statement on key work papers
  35. Tickmarks are not defined (at all)
  36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done
  37. No group audit documentation though a subsidiary is included in the consolidated financial statements
  38. No elements of unpredictability were performed
  39. Not inquiring of those charged with governance about fraud
  40. Not locking the file down after 60 days 

That’s my list. What would you add?

supplementary information
Apr 11

Supplementary Information, Other Information and Required Supplementary Information

By Charles Hall | Auditing

What’s the difference in supplementary information, additional information, and required supplementary information? What language should be included in the audit opinion when such information is included in the financial statements?  What audit procedures must be performed? Below I provide the answers.

supplementary information

1. Supplementary Information

Supplementary information is defined as information presented outside the basic financial statements, excluding required supplementary information (see below), that is not considered necessary for financial statements to be fairly-presented in accordance with the applicable financial reporting framework (e.g. FASB).  (See AU-C 725 for more guidance about supplementary information.)

Supplementary information may include:

  • Accounting information and
  • Nonaccounting information

Supplementary information examples include:

  • Detail of “Other Income” as shown in the statement of operations*
  • Detail of “General and Administrative” expenses as shown in the statement of operations*
  • Number of employees in a given payroll period**

* Derived from financial statements

** Not derived from the financial statements

Procedures to Perform

Procedures to be performed include:

  • Determine whether the information is fairly stated, in all material respects, in relation to the financial statements as a whole

Sample Opinion Language

Example auditor’s report paragraph:

The [identify accompanying supplementary information] is presented for purposes of additional analysis and is not a required part of the financial statements. Such information is the responsibility of management and was derived from and relates directly to the underlying accounting and other records used to prepare the financial statements. The information has been subjected to the auditing procedures applied in the audit of the financial statements and certain additional procedures, including comparing and reconciling such information directly to the underlying accounting and other records used to prepare the financial statements or to the financial statements themselves, and other additional procedures in accordance with auditing standards generally accepted in the United States of America. In our opinion, the information is fairly stated in all material respects in relation to the financial statements as a whole.

For examples of presenting the supplementary language (1) in the standard opinion or (2) separately, click here.

Notice that an opinion is rendered on supplementary information. No opinion is given in regard to other information.

2. Other Information

Other information is financial and nonfinancial information (other than the financial statements and the audit report) that is included in a document containing audited financial statements and the audit report (e.g., an annual report), excluding required supplementary information. An auditor can use this option when he or she is not engaged to render an opinion on such information. (See AU-C 720 for more guidance about other information.)

Other information examples include:

  • Financial summaries
  • Employment data
  • Planned capital expenditures
  • Names of officers and directors

Procedures to Perform

Procedure to be performed:

  • Reading the other information in order to identify any material inconsistencies with audited financial statements

Sample Opinion Language

The auditor can use an other-matter paragraph to disclaim an opinion regarding other information. Sample language follows:

Our audit was conducted for the purpose of forming an opinion on the basic financial statements as a whole. The [identify the other information] is presented for purposes of additional analysis and is not a required part of the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the basic financial statements, and accordingly, we do not express an opinion or provide any assurance on it.

3. Required Supplementary Information

Required supplementary information (RSI) is information that a designated accounting standard-setter (e.g., FASB, GASB) requires to accompany the basic financial statements. RSI is not part of the basic financial statements. However, the designated accounting standard-setter has determined that the information is an essential part of financial reporting. (See AU-C 730 for more guidance about required supplementary information.)

Required supplementary information examples include:

  • Management discussion and analysis (MD&A) for governments
  • Estimates of current or future costs of future major repairs and replacements for common interest realty associations

Procedures to Perform

Procedures to be performed include:

  • Inquiry of management about methods used to create information
  • Comparing the information for consistency with management responses and the financial statements
  • Obtaining written representations from management

Sample Opinion Language

Example auditor’s report paragraph:

Accounting principles generally accepted in the United States of America require that the [identify the required supplementary information] on page XX be presented to supplement the basic financial statements. Such information, although not a part of the basic financial statements, is required by the Financial Accounting Standards Board who considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Some governments exclude the MD&A. Here is sample opinion wording when the MD&A is omitted.

Supplementary Information in Compilations and Review Engagements

You can see information about supplementary information wording for compilation or review reports here. Also, see my post about presenting supplementary information in compilation and preparation engagements.

receipt fraud test for auditors
Apr 03

Three Powerful Receipt-Fraud Tests (for Auditors)

By Charles Hall | Asset Misappropriation

Today I provide three receipt-fraud tests for auditors. 

The audit standards require that we introduce elements of unpredictability. Additionally, it’s wise to perform fraud tests. But I find that auditors struggle with brainstorming (required by AU-C 240, Consideration of Fraud in a Financial Statement Audit) and developing fraud tests. That’s why I wrote Five Disbursement Fraud TestsIt’s also why I am providing this post.

So, let’s jump in. Here are three receipt-fraud tests.

receipt-fraud tests for auditors

Three Receipt-Fraud Tests

1. Test adjustments made to receivables

Why test?

Receipt clerks sometimes steal collected monies and write off (or write down) the related receivable. Why does the clerk adjust the receivable? So the customer doesn’t receive a second bill for the funds stolen. 

How to test?

Obtain a download of receivable adjustments for a period (e.g., two weeks) and see if they were duly authorized. Review the activity with someone outside the receivables area (e.g., CFO) who is familiar with procedures but who has no access to cash collections.

If there are multiple persons with the ability to adjust receivable accounts (quite common in hospitals), compare weekly or monthly adjustments made by each employee.

Agree receipts with bank deposits.

2. Confirm rebate (or similar type) checks

Why test?

When rebate checks are not sent to a central location (e.g., receipting department), the risk of theft increases. Rebate checks are often not recorded as a receivable, so the company may not be aware of the amounts to be received. Stealing unaccrued receivable checks is easy.

How to test?

Determine which vendors provide rebate checks (or similar non-sales payments). Send confirmations to the vendors and compare the confirmed amounts with activity in the general ledger.

Theft of rebate checks is more common in larger organizations (e.g., hospitals) where checks are sometimes received by various executives. The executive receives a check in the mail and keeps it for a while (in his desk drawer – in case someone asks for it). Once he sees that no one is paying attention, he steals and converts the check to cash.

3. Search for off-the-book thefts of receipts

Why test?

The fraudster may bill for services through the company accounting system or an alternative set of accounting records and personally collect the payments.

How to test?

Compare revenues with prior years and investigate significant variances. Alternatively, start with source documents and walk a sample of transactions to revenue recognition, billing, and collection.

Here are a few examples of actual off-the-book thefts:

Police Chief Steals Cash

An auditor detected a decrease in police-fine revenue in a small city while performing audit planning analytics. Upon digging deeper, he discovered the police chief had two receipt books, one for checks that were appropriately deposited and a second for cash going into his pocket. Sometimes, even Andy Griffith steals.

Hospital CFO Steals Cash

hospital CFO, while performing reorganization procedures, set up a new bank account specifically for deposit of electronic Medicaid remittances. He established himself as the authorized bank account check-signer.

The CFO never set up the bank account in the general ledger. As the Medicaid money was electronically deposited, the CFO transferred the funds to himself.  What was the money used for? A beautiful home on Mobile Bay, new cars, and gambling trips.

Another Receipt Fraud to Consider

Sometimes it’s not the front-desk receipt clerk that steals. Surprisingly, your receipt supervisor can be on the take. So, consider that receipt theft takes place up-front and in the back-office.

governmental internal controls
Apr 02

Useful Governmental Internal Controls that You Need Know

By Charles Hall | Fraud , Local Governments

Below I provide useful governmental internal controls that you need to know.

Why am I providing this list of useful controls? Most small governments struggle with establishing sound internal controls. So, the list provides a foundation for preventing theft in your government. While not a comprehensive list, I thought I would share it.

Many of the internal controls listed below are also pertinent to nonprofits and small businesses as well. You will find this same checklist in The Little Book of Local Government Fraud Prevention (available on Amazon) which provides many more fraud prevention ideas.

I am providing general fraud prevention controls and then transaction-level controls for:

  • Cash receipts and billing
  • Cash payments and purchasing
  • Payroll

governmental internal controls

Useful Governmental Internal Controls

General Internal Controls

  1. Have bank statements mailed directly to someone outside of accounting; recipient should peruse bank statement activity before providing it to accounting
  2. Perform surprise audits (use outside CPA if possible)
  3. Elected officials and management should review the monthly budget to actual reports (and other pertinent financial reports)
  4. Map internal control processes by transaction cycle (preferably done by a seasoned CPA); once complete, provide the map to all employees involved in the cycle; when control weaknesses exist, institute additional controls (see 11. below)
  5. Use a whistleblower program (preferably use an outside whistleblower company)
  6. Reconcile bank statements monthly (have a second person review and initial the reconciliation)
  7. Purchase fidelity bond coverage (based on risk exposure)
  8. Periodically request from the government’s bank a list of all bank accounts in the name of the government or with the government’s federal tax I.D. number; compare the list to bank accounts set up in the general ledger
  9. Secure computer access physically (e.g., locked doors) and electronically (e.g., passwords)
  10. Do not allow the electronic transmission (e.g., email) of sensitive data (e.g., social security numbers) without the use of protected transmission technology (e.g. Sharefile); create policy and train staff
  11. Where possible, segregate who (1) authorizes transactions, (2) records transactions, (3) reconciles records, and (4) has custody of assets; when segregation of duties is not possible, require documented second-person review and/or surprise audits

Transaction Level Controls

Cash Receipts and Billing Controls

  1. Use a centralized receipting location (when possible)
  2. Assign each cash drawer to a separate person; require daily reconciliation to receipts; require second person review
  3. Deposit cash timely (preferably daily); require the composition of cash and checks to be listed on each deposit ticket (to help prevent check-for-cash substitution)
  4. Immediately issue a receipt for each payment received; a duplicate of the receipt or electronic record of the receipt is to be retained by the government
  5. A supervisor should review receipting-personnel adjustments made to accounts receivable
  6. Do not allow the cashing of personal checks (e.g., from cash drawers)

Cash Payments and Purchasing Controls

  1. Guard all check stock (as though it were cash)
  2. Do not allow hand-drawn checks; only issue checks through the computerized system; if hand-drawn checks are issued, have a second person create and post the related journal entry
  3. Do not allow the signing of blank checks
  4. Limit check signing authorization to as few people as possible
  5. Require two employees to effectuate each wire transfer
  6. Persons who authorize wire transfers should not make related accounting entries
  7. Require a documented bidding process for larger purchases (and sealed bids for significant purchases or contracts); specify procedures for evaluating and awarding contracts.
  8. Limit the number of credit cards and the chargeable maximum amount on each card
  9. Allow only one person to use an individual credit card; require receipts for all purchases
  10. Require a street address and social security or tax I.D. numbers for each vendor added to accounts payable vendor list (P.O. box numbers without a street address should not be accepted)
  11. Signed vendor checks should not be returned to those who authorized the payment; mail checks directly to vendors
  12. Compare payroll addresses with vendor addresses for potential fictitious vendors (usually done with electronic audit tools such as IDEA or ACL)

Payroll Controls

  1. Provide a departmental overtime budget/expense report to governing body or relevant committee
  2. Use direct deposit for payroll checks
  3. Payroll rates keyed into the payroll system must be supported by proper authorization in the employee personnel file
  4. Immediately remove terminated employees from the payroll system
  5. Use biometric time clocks to eliminate buddy-punching
  6. Check for duplicate direct-deposit bank account numbers
  7. A department head should provide written authorization for overtime prior to payment

Your Recommendations

What additional controls do you recommend? Share your thoughts below.

1 2 3 25
>