Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses.
He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events.
Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
Some fraudsters funnel money into fake bank accounts. Today, I show you how one controller did so and walked away with millions—and then hid on the Appalachian Trail.
Fake Bank Account
In May 2015 James Hammes was arrested for the theft of $8.7 million from his former employer, G&P Pepsi-Cola Bottlers. After Mr. Hammes was confronted about the theft in February 2009, he left his home and hid on the Appalachian Trail, which runs from Georgia to Maine. Hammes assumed a hiking name of “Bismarck” and spent several years on the popular trail. Fellow hikers enjoyed Bismarck since he seemed to be one of them.
Court documents show that Hammes’ embezzlement began around 1998. As a controller, he was responsible for all financial accounting and internal controls for his division, including supervising accounts payable to several hundred outside vendors. He carried out the fraud by establishing a new bank account for an existing vendor at a different bank. He then deposited hefty payments to that vendor—often $100,000 at a time—in the phantom account that he alone controlled. He then could transfer money from the phantom account to his personal accounts.
“He knew how to cover his tracks by manipulating audits and ledger entries,” Jones said. “He got away with it for so long because he knew how to manipulate his subordinates and how not to raise accounting red flags.”
So, Hammes opened a fraudulent bank account at a bank that the vendor did not use and deposited vendor checks into that account. Then he transferred funds out of the fraudulent bank account to himself. Since he opened the account, he was the authorized check signer. Simple but effective.
You may be wondering how the theft could occur so long without detection.
Vendor Payment Controls Lacking
If extra payments were made to vendors (and it appears that occurred), then the company may not have been reviewing vendor payments. If appropriate controls are not in place, it’s easy for a fraudster to make fraudulent vendor payments without detection, especially if hundreds of monthly checks are processed.
Also, it appears the company may have lacked sufficient segregation of duties since Hammes was able to disburse extra vendor payments without detection.
Vendor Payment Controls
Periodically, review the total payments made to each vendor. For example, generate the total monthly payments made to XYZ Company. Then compare the monthly payments over a two to three year period. If payments increase greatly, then someone within the company may be making additional payments and stealing those checks. Or there may a legitimate reason for the increase. Either way, it’s wise to review vendor payments for anomalies.
Another test you can perform is to look for multiple addresses for the same vendor. There may be legitimate reasons for more than one address, but you want to create a list of vendor addresses and verify that they are appropriate. The same is true for electronic vendor payments: see if there are multiple bank accounts you are wiring payments to. Then determine if these are appropriate. Additionally, obtain the physical address of each vendor and determine if the company is real. Do not accept P.O. Box addresses for verification purposes; again, you need to know if the company exists. (See my article Fictitious Vendor Fraud: Preventing It.)
If your company pays hundreds of vendors, you may want your internal audit (or external auditors) to periodically test vendor payments for appropriateness. Tell your payables personnel this will be done from time to time on a surprise basis. This will help keep them honest.
Maybe with these controls, you can prevent payments to fake bank accounts and keep your employees off the Appalachian Trail.
From time to time, I have clients ask me “What is funded depreciation?” And more importantly, they ask, “How can this technique make my organization more profitable and less stressful?”
Here’s a simple explanation.
Funded depreciation is the setting aside of cash in amounts equal to an organization’s annual depreciation. The purpose: to fund future purchases of capital assets with cash.
Suppose you buy a $10,000 whiz-bang gizmo—a piece of equipment—that you expect to use for ten years, and at the end of the ten years you expect it to have no value. Your annual depreciation is $1,000.
In this example, a $1,000 depreciation expense is recognized annually on your income statement (depreciation decreases net income) even though no cash outlay occurs. The balance sheet includes the cost of the whiz-bang gizmo, but at the end of ten years, the equipment has a $0 book value, being fully depreciated.
The smart manager will annually set aside $1,000 in a safe investment—such as a certificate of deposit or money market account—for the future replacement of the whiz-bang gizmo.
If the company does not annually invest the $1,000, it has a few options at the end of the ten-year period:
Borrow the full amount for the replacement cost
Seek outside funding (e.g., grants)
Use other funds from within the organization
Lease the equipment
Ask U2 to do a special benefits concert—just kidding
Obviously, if you borrow money to replace the equipment, you will have to pay interest—another cash outlay. Suppose the rate is 10%. Now the organization must pay out $1,100 each year. So, if the organization funds the depreciation (invests $1,000 annually), it earns interest. But if the entity chooses not to fund depreciation, it pays interest.
Businesses that fund depreciation are always making money from interest (granted not much these days) rather than paying for it.
Another advantage to funding depreciation: you know you will have the money to purchase the capital asset. You’re not concerned with whether a creditor will lend you the money for the acquisition. You’re financially stronger.
Why Doesn’t Every Entity Fund Depreciation?
So why doesn’t everyone fund depreciation?
Some don’t understand the concept
Some had rather spend the cash flows for the ten years (e.g., owners taking too much in distributions)
Some need the money just to run the organization
In governments, elected officials desire to keep tax rates low while they are in office
In growing businesses, the owners may need the money to fund the growth of the company
Most importantly, it may require two cash payments
Concerning the last point, if the business had to borrow money to purchase the initial capital asset, then it must make debt service payments (cash outlay 1). If the company also funds depreciation for that same asset (making investments equal to the annual depreciation), another cash flow occurs (cash outlay 2). Nevertheless, if the business can ever get into a position where it pays cash for new equipment, it will be better off. Then only one cash outlay (investment funding) occurs, and the company is making–not paying–interest.
What if the organization cannot–due to cash flow constraints–fund depreciation for all new equipment purchases? Consider doing so for just one or two pieces of equipment–over time, the entity may be able to move into a fully funded position.
Who Should Fund Depreciation?
So, who should fund depreciation?
Organizations with sufficient cash flow and discipline. It’s the smart thing to do.
Imagine a world with no debt, a world where you don’t have to wonder how you will pay for equipment. Dreaming? Maybe, but funded depreciation is worth your consideration.
This article teaches you how to develop your audit plan and strategy. Once you complete your risk assessment, it’s time to build these critical pieces of your audit engagement.
Effectiveness and efficiently are both possible with a good audit plan. Below I explain how to do this. Additionally, we’ll also take a look at three common mistakes made in planning. See if you make any of these.
To be in compliance with audit standards, we need to develop:
The characteristics of the engagement (these define its scope)
The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
The significant factors (these determine what the audit team will do)
The results of preliminary engagement activities (these inform the auditor’s actions)
Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)
Think of the audit strategy as the big picture.
We are documenting:
The scope (the boundaries of the work)
The objectives (what the deliverables are)
The significant factors (e.g., is this a new or complex entity?)
The risk assessment (what are the risk areas?)
The planned resources (e.g., the engagement team)
Much can be achieved with the right strategy—even walking on the moon.
Strategy for Walking on the Moon
When NASA planned to put a man on the moon, a strategy was created. It could have read as follows:
We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas.
A sound strategy led to Neil Armstrong’s historic walk on July 20, 1969.
Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).
What’s in an Audit Strategy?
The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.
My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.
Here are the main areas we cover:
Deliverables and deadlines
A time budget
The audit team
Key client contacts
New accounting standards affecting the audit
Problems encountered in the prior year
Anticipated challenges in the current year
Partner directions regarding key risk areas
References to work papers addressing risk
Who Creates the Audit Strategy?
Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so.
Audit Strategy as the Central Document
If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project.
Audit Plan (or Audit Program)
Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit?
The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls. Substantive procedures include tests of details and substantive analytical procedures.
Creating the Audit Program
How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.
Sufficient Audit Steps
How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs.
Integrating Risk Assessment with the Audit Program
How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.
AU-C 330 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.
Creating Efficiency in the Audit Plan
Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts.
Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures.
For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.
There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go.
I find that auditors usually understand the above, but still make one of the following three audit planning mistakes.
Three Mistakes in Audit Planning
Auditors make three common planning mistakes: (1) not tailoring audit programs and (2) allowing prior year work papers to drive the audit process, and (3) using a balance sheet audit approach. Let’s see how these happen.
1. Not Tailoring Audit Programs
Where do most audit programs come from? They are purchased from forms providers, usually international publishing companies. These purchased programs are useful, but they can become a crutch, leading to canned audit approaches that are not responsive to risks.
If we use unrevised audit programs and if our audit approach is always the same, what good is risk assessment? Another way to say this is, If audit programs never change, why perform walkthroughs, preliminary analytics, and other risk assessment procedures?
Canned audit programs are one reason auditors give lip-service to risk assessment. In the auditor’s mind, he may be thinking, I already know what I’m going to do, so why waste time with risk assessment?This cookie-cutter approach is dangerous, but quite common. And why is it dangerous? Because it can lead to an intentional blindness toward internal controls and significant risks. And deficiencies in risk assessment lead to deficiencies in audit procedures. The result: material misstatements are not identified and an unmodified audit opinion is rendered. In other words, audit failure occurs.
Audit programs can be tailored: steps can be added, changed, or deleted. These steps can be amended based on the risk of material misstatement. But some auditors don’t change their audit plan.
And not tailoring audit programs can lead to several problems such as:
Audit team members signing off on steps not performed
Team members typing Not Applicable (N/A) next to several audit steps
Auditors performing unnecessary procedures
Auditors not performing necessary procedures
In addition to not tailoring audit programs, some auditors hit autopilot and use their prior year work papers as their current year plan.
2. Prior Year Work Papers as the Audit Plan
Audit documentation should develop sequentially:
Audit work papers
But poor auditors tend to follow the prior year work papers and complete the audit program as an afterthought. Worse yet, the risk assessment work is completed at the end of the engagement, if at all. The tail wags the dog. This same-as-last-year approach leads to incongruities in risks of material misstatement and the procedures performed. In effect, the prior year work papers become the current year audit program.
Another common audit planning mistake is the use of a balance sheet audit approach.
3. Balance Sheet Audit Approach
Many auditors use a fully substantive approach, meaning they don’t test controls for effectiveness. Moreover, some auditors test balance sheet accounts and little else. But this approach can lead to problems.
I have heard auditors say: If I audit all of the balance sheet accounts, then the only thing that can be wrong is the composition of revenues and expenses. But is this true?
The accounting equation says:
Totals assets = Total liabilities plus Total equity
Another way to say this is:
Total equity = Total assets minus Total liabilities
If we disregard stock purchases and sales, equity is usually the accumulation of retained earnings. And retained earnings comes from the earnings or losses on the income statement. In other words, retained earnings comes from revenues and expenses. So the net income or loss (revenues minus expenses) has to fit into the accounting equation (equity equals assets minus liabilities).
Therefore, if we audit all assets and liability accounts, doesn’t it make sense that the only thing that can be wrong is the composition of revenues and expenses? Mathematically I see why someone might say this, but a flaw lurks in the construct.
Audit Failure Example
I once saw an audit firm sued for several million dollars. The CPAs audited the company for several years, issuing an unqualified opinion each year, but a theft was occurring all along.
So what were the audit firm’s mistakes? They relied too heavily upon a balance sheet audit approach, and they did not gain an understanding of the company’s key internal controls.
The auditors used substantive procedures such as:
Testing bank reconciliations
Sending receivable confirmations and vouching subsequent collections
Computing annual depreciation and agreeing it to the general ledger
Vouching additions to plant, property, and equipment
Performing a search for unrecorded liabilities in payables
The balance sheet accounts reconciled to the general ledger, and no problems were noted in the audit of the balance sheet accounts. But millions were missing.
So what flaw lies in a balance sheet audit approach? Millions can go missing while the balance sheet accounts reconcile to the general ledger. Consequently, auditing the balance sheet accounts alone may not detect theft. Therefore, gaining an understanding of the internal controls and developing appropriate responses is critical to identifying material misstatements, especially when fraud is possible.
So as we plan our substantive procedures, we need to avoid the flawed balance sheet approach. Yes, substantive procedures for the balance sheet accounts are important, but fraud detection procedures are necessary when control weaknesses are present. A test of details is necessary when a significant risk (such as a fraud risk) is present.
Develop an audit strategy and plan once you complete your risk assessments procedures. Then link the risks of material misstatement to your further audit procedures. Doing so will help ensure that your audit is successful. In other words, that no material misstatements are present when you issue an unmodified opinion.
Moreover, don’t make these three audit planning mistakes: (1) not tailoring audit programs and (2) allowing prior year work papers to drive the audit process, and (3) using a balance sheet audit approach.
See my audit series The Why and How of Auditingto learn even more about the full audit process, including how to audit transaction cycles such as cash, receivables, payables, and debt.
In this article, I provide information about various special purpose reporting frameworks (e.g., cash basis, modified-cash basis, and income tax basis) and how you can use them to create financial statements for your clients.
Suppose you’ve been contacted by your client to prepare their financial statements and issue a compilation report. At first, you think, I’ll create the financials in accordance with GAAP, but then you remember there are special purpose reporting frameworks. Maybe the cash basis or income tax basis is a better option.