Monthly Archives: June 2017

Jun 21

How to Organize Your Computer Desktop with Fences

By Charles Hall | Technology

Most accountants like organization, yet I often see total chaos on their computer desktops.

A typical CPA’s screen looks like this.

Organize desktop

We’d be much better off if our desktops looked like this.


Creating Order on Your Desktop

So how can you bring order to your desktop?

Use Fences. The cost is $9.99, but well worth the iconic bliss.

Once Fences is downloaded, you simply right-click and drag on your screen to create a new fence (see below). Above you see a fence titled “Programs.” You can arrange the icons in whatever order you wish. To add an icon to a fence, you simply drag it to the desired location.

Create Fence

Once you arrange your icons, they stay that way. When you reboot your computer the next morning, you’ll find your icons in the same order. 

Fences YouTube Video

Here’s a video that provides additional information:

My Experience with Fences

I’ve used Fences for about five years and have found it useful. I recommend it.

To see physical office setup ideas for accountants, click here.

Group Audits
Jun 21

Group Financial Statement Audits: An Overview

By Charles Hall | Auditing

Do you audit financial statements that contain subsidiaries or equity method investments? Then the group audit standards apply, even if you audit all components. Peer reviewers are looking for the required group audit documentation, and they, in many cases, are not seeing what they should.

Audits of Group Financial Statements (AU-C 600) provides guidance for group audits. This article gives an overview of those standards.

Group Audits

Made with Canva

When is AU-C 600 Applicable?

AU-C 600 applies whenever there is an audit of group financial statements (meaning financial statements that include the financial information of more than one component). A component is an entity or business activity whose financial statements are required to be included in the group financial statements under the applicable reporting framework (e.g., U.S. GAAP).

AU-C 600 does apply even if a firm audits all of the components that comprise consolidated financial statements.

What is a Component?

A component includes:

  • Subsidiary
  • Joint venture
  • Division of a company
  • Geographic or functional activity (e.g., program in a not-for-profit organization)
  • Equity-method investment

Why the Group Audit Standard?

When there are multiple components audited by different firms, the risk of error–specifically, an incorrect opinion–increases. AU-C 600 decreases this risk by providing the group audit firm with guidance for group audit situations. Here are a couple of examples where the group audit standards are in play.

Consider, for example, a group audit in which a significant unaudited subsidiary is located in California, but the parent company is in Georgia. Since the subsidiary is not audited, the group auditor does not have the option to reference another audit firm (see below). Nevertheless, he has to obtain audit evidence to support the group audit opinion. The group auditor might direct a California-based audit firm to perform certain audit procedures and provide the results. These procedures provide audit evidence for the group audit opinion.

Likewise, if the California subsidiary is audited, AU-C 600 provides the group auditor with the ability to get the information necessary to render an appropriate audit opinion. In this instance, the component auditor issues an opinion on the California subsidiary, and the group auditor can rely on that work. There is no need for the group auditor to request certain procedures of the California audit team. The group audit firm communicates with the component audit firm concerning issues such as materiality, competence, and independence.

The Auditing Standards Board created AU-C 600 to give the group audit firm and partner the resources and information to get things right.  

When multiple firms audit various components, the group auditor can assume responsibility for the related audits or he can reference the component audit firm in his audit opinion.

The Big Decision: Referencing Another Audit Firm

While AU-C 600 applies to group audits when the same firm audits all components, it also applies when the group auditor does not audit a component–for example, the group audit firm audits the parent company and another audit firm audits a subsidiary (a component).

The group engagement partner (the partner responsible for the group audit) will decide if he or she will make reference to the component auditor

If reference is made, the auditing standards state:

  1. The auditor’s report on the group financial statements should clearly indicate that the component was not audited by the auditor of the group financial statements but was audited by the component auditor.
  2. The group auditor’s report should also communicate the magnitude of the component audited by the component auditor.

If reference is not made, then the group audit firm is responsible for the full audit and related audit evidence. 

The group auditor has the option to name or not name the component audit firm. Typically the group audit firm will not name the component audit firm, but will reference the other firm with opinion language such as “those statements were audited by other auditors.”

Requirements for Referencing a Component Auditor

The group auditor can make reference to the component auditor only if the following is true:

  1. The component auditor must meet independence requirements 
  2. The group audit team must not have serious concerns about whether the component auditors will understand and comply with ethical requirements (including independence)
  3. The group audit team must not have serious concerns about the component audit team’s professional competence
  4. The component financial statements must be presented using the same financial reporting framework as the group financial statements
  5. The component auditor must audit the component in accordance with GAAS (or when required, PCAOB standards)
  6. The component auditor’s report must not be restricted as to use

Requirements to Communicate with Component Auditor 

Regardless of whether reference is made, the group audit team should obtain an understanding of the following:

  1. Whether a component auditor understands and will comply with the ethical requirements that are relevant to the group audit and, in particular, is independent
  2. A component auditor’s professional competence
  3. The extent, if any, to which the group engagement team will be able to be involved in the work of the component auditor
  4. Whether the group engagement team will be able to obtain information affecting the consolidation process from a component auditor
  5. Whether a component auditor operates in a regulatory environment that actively oversees auditors

Peer Review

The group audit standards are in the crosshairs of peer reviews, so make sure your audit documentation (especially your planning documents) is appropriate.

Audit lessons from a brain tumor
Jun 14

Audit Lessons from a Brain Tumor

By Charles Hall | Auditing

I said to my wife, “Am I driving straight?” I felt as if I was weaving, not quite in control. I felt dizzy and heard clicking noises in my ears.

The mystery only increased over the next two years as I visited three different doctors. They stuck, prodded, and probed me–but no solution.


Doctor Looking at Head Xray on blue

Picture is courtesy of

Meanwhile, I felt a growing numbness on the right side of my face. So one night I started Googling health websites (the thing they tell you not to do) and came upon this link: Acoustic Neuroma Association. I clicked it. It was like reading my diary. It couldn’t be. A brain tumor.

The next day I handed my doctor the acoustic neuroma information and said, “I think this is what I have. I want a brain scan.”

Two days after the scan, while on the golf course, I received the doctor’s call: “Mr. Hall, you were right. You have a 2.3-centimeter brain tumor.” (I sent him a bill for my diagnosis but he never paid–just kidding.) My golfing buddies gathered around and prayed for me on the 17th green, and I went home to break the news to my wife. I had two children, two and four at the time. I was concerned.

Shortly after that, I was in a surgeon’s office in Atlanta. The doctor said they’d do a ten-hour operation; there was a 40% chance of paralysis and a 5% chance of death. The tumor was too large for radiation–or so I was told.

I didn’t like the odds, so I prayed more and went back to the Internet. There I located Dr. Jeffrey Williams at Johns Hopkins Hospital in Baltimore. I emailed the good doctor, telling him of the tumor’s size. His response: “I radiate tumors this size every day.” He was a pioneer in fractionated stereotactic radiation, one of the few physicians in the world using this procedure (at the time).

A few days later, I’m lying on an operating table in Baltimore with my head bolted down, ready for radiation. They bolt you down to ensure the cooking of the tumor (and not the brain). Fun, you should try it. Four more times I visited the table. Each time everyone left the room–a sure sign you should not try this at home.

Each day I laid there silently, talking to God and trusting Him.

Three weeks later I returned to work. Eighteen years later, I have had one sick day.

I’ve watched my children grow up. They are twenty-one and twenty-three now–both finished college. My daughter is engaged to be married. My wife is still by my side, and I’m thankful for each day.

Cades Cove, Tennessee with my wife

So what does a brain tumor story tell us about audits? (You may, at this point, be thinking: they did cook the wrong part.)

Audit Lessons Learned from a Brain Tumor

1. Pay Attention to Signs

It’s easy to overlook the obvious. Maybe we don’t want to see a red flag (I didn’t want to believe I had a tumor). It might slow us down. But an audit is not purely about finishing and billing. It’s about gathering proper evidential matter to support the opinion. To do less is delinquent and dangerous.

2. Seek Alternatives

If you can’t gain appropriate audit evidence one way, seek another. Don’t simply push forward, using the same procedures year after year. The doctor in Atlanta was a surgeon, so his solution was surgery. His answer was based on his tools, his normal procedures. If you’ve always used a hammer, try a wrench.

3. Seek Counsel

If one answer doesn’t ring true, see what someone else thinks, maybe even someone outside your firm. Obviously, you need to make sure your engagement partner agrees (about seeking outside guidance), but if he or she does, go for it. I often call the AICPA hotline. I find them helpful and knowledgeable. I also have relationships with other professionals, so I call friends and ask their opinions–and they call me. Check your pride at the door. I’d rather look dumb and be right than to look smart and wrong.

4. Embrace Change

Fractionated stereotactic radiation was new. Dr. Williams was a pioneer in the technique. The only way your audit processes will get better is to try new techniques: paperless software (we use Caseware), data mining (we use IDEA), real fraud inquiries (I use ACFE techniques), electronic bank confirmations (I use, project management software (I use Basecamp). If you are still pushing a Pentel on a four-column, it’s time to change.


Finally, remember that work is important, but life itself is the best gift. Be thankful for each moment, each hour, each day.

Jun 13

AICPA Consulting Standards – The Swiss Army Knife

By Charles Hall | Accounting and Auditing

Do your clients ever ask you to perform unusual services? When those requests come, do you ever struggle with which standards to follow or what the deliverable will be? Should you follow the Attestation Standards or the Auditing Standards, or maybe the SSARS–or are we forgetting something? Sometimes the answer lies in the Consulting Standards

Consulting Standards

Examples of Consulting Services

Here are three examples of consulting services:

  1. My client wants me to perform test counts of inventory, but he wants it done at a low cost. No third party will see the results of the engagement. 
  2. My client wants me to review their accounts payable internal controls, and he doesn’t need an audit or a formal attest engagement. 
  3. My client thinks fraud is occurring in his payroll, but she does not want an audit. 

Most CPAs are familiar with compilation and review standards (Statement on Standards for Accounting and Review Services) and audit standards (Statement on Auditing Standards). They also know about the attestation standards (Statement on Standards for Attestation Engagements), but many are not familiar with the consulting standards (Statement on Standards for Consulting Services).

Consulting Standards Primer

You might call the AICPA Consulting Standards the CPA’s swiss army knife. Many of the services you provide fall under these standards.

What services fall under the consulting standards? 

The consulting standards specifically address six areas:

  1. Consultations – e.g., reviewing a business plan
  2. Advisory services – e.g., assistance with strategic planning
  3. Implementation services – e.g., assistance with a merger
  4. Transaction services – e.g., litigation services
  5. Staff and other support services – e.g., controllership services
  6. Product services – e.g., providing packaged training services

CPAs often provide consulting services such as the following:

  • Consultations about complex transactions
  • Fraud investigation services
  • Internal control services
  • Bankruptcy services
  • Divorce settlement services
  • Controllership services
  • Business plan preparation
  • Cash management
  • Software selection
  • Business disposition planning

When can I use the consulting standards?

I recently posted about when you can use the consulting standards. If there is no third-party reliance on the report, consider the option.

Also, you can use the consulting standards in conjunction with other standards. For example, you could perform an agreed-upon procedures engagement, issuing an AUP report, and also provide the client with a second consulting report. Many times this is a good option. Too often CPAs put consulting type information (e.g., recommendations) in an AUP report. Since AUPs are designed in a “procedures, results” format, it’s best to address secondary issues in a separate consulting report. If you design your engagement in this manner, the results will be (1) an AUP report that addresses the agreed upon procedures and results, and (2) a consulting report that covers other considerations.

Characteristics of a Consulting Engagement

  1. Generally nonrecurring
  2. Usually, requires a CPA with specialized knowledge and skills
  3. More interaction with client
  4. Done just for the client (usually no third parties seeing the results)

Consulting Work Paper Requirements

The work paper requirements are minimal.

The understanding with the client can be oral or in writing (I recommend the latter). 

Keep in mind that the AICPA Code of Professional Conduct does require the CPA who performs a nonattest service (e.g., consulting) and an attest service (e.g., audit) to follow the independence guidance in the Code of Conduct. See 1.295 Nonattest Services of the Code.

The consulting standards do not require the CPA to prepare work papers, but you should do so anyway. The work papers are the link between your work and your report. Also, the general standards of the profession, contained in 1.300 of the AICPA Code of Professional Conduct, apply to all services performed by members. 1.300 says “Sufficient relevant data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed.”

Consulting Reports

The report content and format are up to you and your client.

No Opinion or Accountant’s Report

For consulting engagements, the CPA does not issue an opinion or any other attestation report (e.g., agreed-upon procedures report). Consulting reports are usually designed for the client and not third parties.

Subject to Peer Review?

Work performed under the Consulting Standards is not subject to peer review.

Where Can I Find the AICPA Consulting Standards?

You can see the consulting standards here

segregation of duties
Jun 06

How to Lessen Segregation of Duties Problems in Two Easy Steps

By Charles Hall | Auditing , Fraud

Darkness is the environment of wrongdoing.


No one will see us–or so we think.

As you’ve seen many times, fraud occurs in darkness.

In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or graphic portrayal of how that which is alluring in the beginning, is destructive in the end.

Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment of theft. What’s the solution? Transparency. It protects businesses, governments, and nonprofits. And while we desire open and understandable processes, often businesses have just a few employees that operate the accounting system. And many times they alone understand how it works.

It is desirable to divide accounting duties among various employees, so no one person controls the entire process. This division of responsibility creates transparency since multiple eyes see the accounting processes–but this is not always possible.

Lacking Segregation of Duties

Many small organizations lack appropriate segregation of duties and believe that solutions do not exist or that fixing the problem is too costly. But is this true? Can we create greater transparency and safety with simple procedures and without significant cost?


Below I propose two processes to reduce fraud:

  1. Bank account transparency and
  2. Surprise audits.

1. Bank Account Transparency

Here’s a simple and economical control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.

Persons who might receive the bank statements first (before the bookkeeper) include the following:

  • A nonprofit board member
  • The mayor of a small city
  • The owner of a small business
  • The library director
  • A church leader

What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).

In many small entities, accounting processes are a mystery to board members or owners since only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.

One set of eyes on an accounting process is not a good thing. So how can we shine the light?

Fraud Prevention

Picture courtesy of

Second Person Sees the Bank Statements

Allow a second person to see the bank statements.

Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.

Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person, and let the bookkeeper know that the other person will review bank activity.

Even the appearance of transparency creates (some) safety.

Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of reviews enhances safety. I am not recommending that you don’t perform the review, but if the bookkeeper even thinks someone is watching, fraud will lessen.

2. Surprise Audits

Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs) but involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA or performed by someone other than the bookkeeper–such as a board member.

Segregation of Duties

Picture courtesy of

Adopt a written policy stating that the surprise inspections will occur once or twice a year.

The policy could be as simple as the following:

Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.

Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be inspected but distinct enough that an actual review occurs with regularity (thus the need to specify the minimum number of times the review will be performed).

Sample Inspection Ideas

Here are some sample inspection ideas:

  • Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
  • Agree all receipts to the deposit slip for three different time periods
  • Review all journal entries made in a two week period and request an explanation for each
  • Review two bank reconciliations for appropriateness
  • Review one monthly budget to actual report (to see that the report was appropriately created)
  • Request a report of all new vendors added in the last six months and review for appropriateness

The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not be caught.

Again multiple people seeing the accounting processes reduces the threat of fraud.

Shine the Light

The beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement but nevertheless powerful. So shine the light.

What other procedures do you recommend for small entities?

For more information about preventing fraud, check out my book: The Little Book of Local Government Fraud Prevention.

Audit documentation
Jun 05

Audit Documentation: If It’s Not Documented, It’s Not Done

By Charles Hall | Auditing

Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation. And if it’s not documented, the peer reviewer can’t give credit for performance. 

But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.

Audit documentation

Made with Canva

In the AICPA’s Enhanced Oversight program, one in four audits is nonconforming due to a lack of sufficient documentation. This has been and continues to be a hot-button peer review issue. And it’s not going away. 

But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that fuzzy. Too often audit files are poor-to-midland. Why? 

First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.

Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (more profit), it’s a lack of understanding.

Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Audit programs are poorly designed. Confirmations, walkthroughs, fraud inquiries are omitted. It’s easier, at least in the short run.

Even though these reasons may be true, we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on this website and everyone could see it, would you be proud? Or does it need improvement?

Insufficient Audit Documentation

First, let’s look at examples of poor documentation:

  • Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
  • Placing a document in a file without explaining why (what is its purpose?)
  • Not signing off on audit steps
  • Failing to reference audit steps to supporting work papers
  • Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
  • Not signing off on work papers as a preparer
  • Not signing off on work papers as the reviewer
  • Failing to place excerpts of key documents in the file (e.g., debt agreement)
  • Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
  • Not documenting the selection of a sample (why and how)
  • Failing to explain the basis for low inherent risk assessments
  • Key bank accounts and debt are not confirmed
  • Not documenting the reason for not sending receivable confirmations
  • A lack of retrospective reviews
  • A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
  • Not documenting COSO deficiencies (e.g., tone at the top, management’s risk assessment procedures)
  • A failure to document risk assessments
  • Low control risk assessments without a test of controls
  • A lack of linkage from the risk assessment to the audit plan
  • No independence documentation though nonattest services are provided

This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.

AICPA Findings

Additionally, the AICPA has identified the following deficiencies. Work papers lack:

  • Tests of controls over compliance in a single audit
  • Determinations of direct and material Single Audit compliance requirements 
  • Eligibility testing in Employee Benefit Plan audits

Sufficient Audit Documentation According to AU-C 230

Now, let’s examine what constitutes sufficient documentation.

AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:

  • Nature, timing, and extent of procedures performed
  • Results and evidence obtained
  • Significant findings, issues, and professional judgments

While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like?

Experienced Auditor’s Understanding

Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?

Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).  

A Fog in the Work Papers

So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will read our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.

Just because I know why I am doing something does not mean that someone else will.

Creating Clarity

This is why most work papers should include the following:

  • A purpose statement (what is the reason for the work paper?)
  • The source of the information (who provided it? where did they obtain it and how?)
  • An identification of who prepared and reviewed the work paper
  • The audit evidence (what was done)
  • A conclusion (does the audit evidence support the purpose of the work paper?)

When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often (speaking for myself) has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.

Remember, the work paper preparer is responsible for clear communication. 

And here’s another thing to consider. You (the work paper preparer) might spend six hours on one document. So, you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand. 

Help Your Reviewers

To help your less informed reviewers:

  1. Tell them what you are doing (purpose statement)
  2. Do it (document the test work)
  3. Then, tell them how it went (the conclusion)

Sample Work Paper from AICPA

Here’s a sample work paper from the AICPA. What do I like about it?

It communicates (clearly):

  • That it was not prepared by the client
  • Who prepared it and who reviewed it
  • The dates prepared and reviewed
  • The objective (purpose)
  • What the tickmarks mean

I also note there is no extraneous information, no clutter.

work paper documentation

So far, we’ve discussed insufficient documentation. Let’s take a minute to review an opposite problem, having too much.

Too Much Audit Documentation

It’s funny, but many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”

In looking at audit files, I see:

  • The clutter of unnecessary work papers
  • Files received from clients that don’t support the audit opinion
  • Unnecessary work performed on these extraneous documents

For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.

If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we realize it has none. Which is nice–now, we can deep-six it.

One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting. 

The key to eliminating unnecessary work lies in performing the following steps (in the order presented):

  1. Perform risk assessment
  2. Plan your audit based on the identified risks
  3. Perform the audit procedures

Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, then we repeat them. This creates waste.


In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message.

Though this article is about having too little documentation, you can have the opposite problem of having too much documentation.

Below is a short video summarizing this article.