What are the keys to auditing debt?

While auditing debt can be simple, sometimes it’s tricky.  For instance, classification issues can arise when debt covenant violations occur. Should the debt be classified as current or noncurrent? Likewise, some forms of debt (with detachable warrants) have equity characteristics, again leading to classification issues. Is it debt or equity—or both? Additionally, leases can create debt, even if that is not the intent. 

Most of the time, however, auditing debt is simple. A company borrows money. An amortization schedule is created. And thereafter, debt service payments are made and recorded. 

Either way, whether complicated or simple, below I show you how to audit debt.

In many governments, nonprofits, and small businesses, debt is a significant part of total liabilities. Consequently, it is often a significant transaction area.

In this post, we will cover the following:

• Primary debt assertions
• Debt walkthroughs
• Debt-related fraud
• Debt mistakes
• Directional risk for debt
• Primary risks for debt
• Common debt control deficiencies
• Risk of material misstatement for debt
• Substantive procedures for debt
• Common debt work papers

The primary relevant debt assertions include:

• Completeness
• Classification
• Obligation

I believe, in general, completeness and classification are the most important debt assertions. When a company shows debt on its balance sheet, it is asserting that it is complete and classified correctly. By classification, I mean it is properly displayed as either short-term or long-term. I also mean the instrument is debt and recorded as such (and not equity). By obligation, I mean the debt is legally owed by the company and not another entity.

Keep these three assertions in mind as you perform your transaction cycle walkthroughs.

Early in your audit, perform a walkthrough of debt to see if there are any control weaknesses. As you perform this risk assessment procedure, what questions should you ask? What should you observe? What documents should you inspect? Here are a few suggestions.

As you perform your debt walkthrough ask or perform the following:

• Are there any debt covenant violations?
• If the company has violations, is the debt classified appropriately (usually current)?
• Is someone reconciling the debt in the general ledger to a loan amortization schedule?
• Inspect amortization schedules.
• Does the company have any unused lines of credit or other credit available?
• Inspect loan documents.
• Has the company refinanced its debt with another institution? Why?
• Who approves the borrowing of new money?
• Who approves new leases? Who handles lease accounting and are they competent?
• Does the company have any leases that should be recorded as debt?
• Inspect new loan and lease approvals. 
• How are debt service payments made (e.g., by check or wire)? Who makes those payments?
• Are there any sinking funds? If yes, who is responsible for making deposits and how is this done?
• Observe the segregation of duties for persons:
• Approving new loans,
• Receipting loan proceeds,
• Recording debt in the general ledger, and
• Reconciling the debt in the general ledger to the loan amortization schedules
• Is the company required to file periodic (e.g., quarterly) reports with the lender? Inspect sample debt-related reports, if applicable.
• Does the company have any convertible debt or debt with detachable warrants? Are they properly recorded?
• Is the company following reporting framework requirements (e.g., FASB Codification) for debt?
• Has collateral been pledged? If yes, what?
• What are the terms of the debt agreements?
• Has all debt of the company been recorded in the general ledger?
• Have debt issuance costs been accounted for properly based on the reporting framework requirements? (FASB requires the netting of such costs with debt.)
• Has the company guaranteed the debt of another entity?

If control weaknesses exist, create audit procedures to address them. For example, if—during the walkthrough—we see that one person approves loans, deposits loan proceeds, and records the related debt, then we will perform fraud-related substantive procedures.

A company can fraudulently inflate its equity by intentionally omitting debt from its balance sheet. (Total assets equal liabilities plus equity. Therefore, if debt is not reported, equity increases.) 

As we saw with Enron, some entities place their debt on another company’s balance sheet. (Enron did so using special purpose entities.) So auditors need to consider that companies can intentionally omit debt from their balance sheets.

Another potential fraudulent presentation is showing short-term debt as long-term. When might this happen? When debt covenant violations occur. Such violations can trigger a requirement to classify the debt as current. If accounting personnel are aware of the requirement to classify debt as current and don’t do so, then the reporting can be considered fraudulent.  

Additionally, mistakes can lead to errors in debt accounting.

Errors in accounting for debt can occur when debt service payments are misclassified as expenses rather than a reduction of debt. Also, debt can—in error—be presented as long-term when it is current. Why? Maybe the company’s accountant doesn’t understand the accounting rules.

Some forms of debt, such as certain types of leases, can be difficult to interpret. Consequently, a company might errantly fail to record debt when required. 

So, what is the directional risk for debt? An overstatement or an understatement?

The directional risk for debt is an understatement. So, audit for completeness (and determine that all debt is recorded).

Primary risks for debt include:

1. Debt is intentionally understated (or omitted)
2. Debt is recorded as noncurrent (due more than one year from the balance sheet date) though the amount is current (due within one year of the balance sheet date)

It’s obvious why a company might want to understate its debt. The company looks healthier. But why would a business desire to classify current debt as noncurrent? For the same reason: to make the company look stronger. By recording current debt as noncurrent, the company’s working capital ratio (current assets divided by current liabilities) improves. 

As you think about the above risks, consider the control deficiencies that allow debt misstatements.

In smaller entities, it is common to have the following control deficiencies:

• One person performs two or more of the following:
• Approves the borrowing of new funds,
• Enters the new debt in the accounting system, 
• Deposits funds from the debt issuance
• Funds are borrowed without appropriate approval
• Debt postings are not agreed to amortization schedules
• Accounting personnel don’t understand the accounting standards for debt (including lease accounting)

Another key to auditing debt is understanding the risks of material misstatement.

In auditing debt, the assertions that concern me the most are classification, completeness, and obligation. So my risk of material misstatement for these assertions is usually moderate to high. 

My response to the higher risk assessments is to perform certain substantive procedures: namely, a review of debt covenant compliance and a review of debt and lease agreements—and the related accounting. Why?

As we saw above, debt covenant violations may require the company to reclassify debt from noncurrent to current. Doing so can be significant. The loan could be called by the lender, depending on the loan agreement. So, proper classification of debt can be critical. 

Also, some leases should be recorded as debt. If such leases are not recorded, the company looks healthier than it is. Our audit should include procedures that address the completeness of debt and the obligations of the company.

Once your risk assessment is complete, decide what substantive procedures to perform.

My customary tests for auditing debt are as follows:

1. Summarize and test debt covenants
2. Review new leases to determine if debt should be recorded
3. Confirm all significant debt with lenders
4. Determine if all debt is classified appropriately (as current or noncurrent)
5. Agree the end-of-period balances in the general ledger to the amortization schedules
6. Agree future debt service payment summaries to amortization schedules 
7. Review accruals of any significant interest 
8. Review interest expense (usually comparing current and prior year interest)

In light of my risk assessment and substantive procedures, what debt work papers do I normally include in my audit files?

My debt work papers normally include the following:

• An understanding of debt-related internal controls 
• Documentation of any internal control deficiencies related to debt
• Risk assessment of debt at the assertion level
• Debt audit program
• A copy of all significant debt agreements (including lease and line-of-credit agreements)
• Minutes reflecting the approval of new debt
• A summary of debt activity (beginning balance plus new debt minus principal payments and ending balance)
• Amortization schedules for each debt
• Summary of all debt information for disclosure purposes (e.g., future debt service to be paid, interest rates, types of debt, collateral, etc.) 

If there are questions regarding debt agreements and their presentation, I include additional language in the representation letter to address the issues. For example, if an owner loans funds to the company but there is no written  debt agreement, the owner or management might verbally explain the arrangement. In such cases, I include language in the management representation letter to cover the verbal responses.

In this article we’ve looked at the keys to auditing debt. Those keys include risk assessment procedures, determining relevant assertions, creating risk assessments, and developing substantive procedures. The most important issues to address are usually (1) the classification of debt (especially if debt covenant violations exist) and (2) lease accounting.

Next we’ll look at how to audit equity.

​

Auditing payroll is a critical skill. Today I explain how.

While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.  

Auditing Payroll - An Overview

Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.

To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.

First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.

Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).

Third, human resources assists the new-hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance. 

Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used). 

Fifth, employees clock in and out so that time can be recorded.  

Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time. 

Seventh, a second person (e.g., payroll supervisor) approves the overall payroll. 

Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy). 

In this article, we will cover the following:

• Primary payroll assertions
• Payroll walkthroughs
• Payroll fraud
• Payroll mistakes
• Directional risk for payroll
• Primary risks for payroll
• Common payroll control deficiencies
• Risk of material misstatement for payroll
• Substantive procedures for payroll
• Common payroll work papers

Primary Payroll Assertions

The primary relevant payroll assertions are:

• Completeness
• Cutoff
• Occurrence

I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.

Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.

Payroll Walkthroughs

Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:

• Does the company have a separate payroll bank account?
• How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
• Who has the authority to hire and fire employees?
• What paperwork is required for a new employee? For a terminated employee?
• Is payroll budgeted?
• Who monitors the budget to actual reports? How often?
• Who controls payroll check stock? Where is it stored? Is it secure? 
• If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
• Do larger salary payments require multiple approvals?
• Who approves overtime payments?
• Who monitors compliance with payroll laws and regulations?
• Who processes payroll and how?
• Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
• How are payroll tax payments made? How often? Who makes them?
• Who creates the year-end payroll tax documents (e.g., W-2s) and how?
• What controls ensure the recording of payroll in the appropriate period?
• Are the following duties assigned to different persons:
• Approval of each payroll,
• Processing and recording payroll, 
• The reconciliation of related bank statements
• Possession of processed payroll checks
• Ability to enter or change employee bank account numbers
• Ability to add employees to the payroll system or to remove them
• Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
• Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
• Who approves salary rates and how?
• Who reconciles the payroll bank statements and how often?
• Who approves bonuses? 
• What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
• Who reconciles the payroll withholding accounts and how often?
• Are any salaries capitalized rather than expensed? If yes, how and why?
• Are surprise payroll audits performed? If yes, by whom?
• Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?

Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.

As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”

Payroll Fraud

When payroll fraud occurs, understatements or overstatements of payroll expense may exist.

If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.

On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.

Payroll Mistakes

Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements. 

Directional Risk for Payroll

The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur. 

Primary Risks for Payroll

The primary payroll risks include:

1. Payroll is intentionally understated
2. Inappropriate parties receive payments
3. Employees receive duplicate payments

As you think about these risks, consider the control deficiencies that allow payroll misstatements.

Common Payroll Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

• One person performs two or more of the following: 
  • Approves payroll payments to employees,
  • Enters time or salary rates in the payroll system,
  • Issues payroll checks or makes direct deposit payments, 
  • Adds or removes employees from the payroll system
  • Reconciles the payroll bank account
• No one reviews and approves recorded time
• No one reviews and approves payroll before processing
• No one performs surprise audits of payroll
• Appropriate procedures for adding and removing employees are not present
• No one reviews the removal of terminated employees from payroll 
• No one compares payroll expenses to a budget

(Here are suggestions to make your payroll controls stronger.)

Another key to auditing payroll is understanding the risks of material misstatement.

Risk of Material Misstatement for Payroll

In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.

My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.

Additionally, consider theft which can occur in numerous ways, such as duplicate payments or ghost employees. 

In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice. 

Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee). 

Once your payroll risk assessment is complete, decide what substantive procedures to perform.

Substantive Procedures for Auditing Payroll

My customary tests for auditing payroll are as follows:

1. Reconcile 941s to payroll
2. Recompute accrued payroll liability (amount recorded at period-end)
3. Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
4. Compare payroll expenses (including benefits) to budget and examine any unexplained variances
5. When control weaknesses are present, design and perform procedures to address the related risks
6. Compare accrued vacation to prior periods and current payroll activity

In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?

Common Payroll Work Papers

My payroll work papers normally include the following:

• An understanding of payroll-related internal controls
• Risk assessment of payroll at the assertion level
• Documentation of any payroll control deficiencies
• Payroll audit program
• Accrued salaries detail at period-end
• A summary of any significant payroll withholding accounts with supporting information
• A detail of vacation payable (if material) with comparisons to prior periods
• Budget to actual payroll reports
• A reconciliation of payroll in the general ledger to quarterly 941s 
• Fraud-related payroll work papers (when needed)

In Summary

In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.

In the next post in this series, we’ll look at how to audit debt.

Accounts payable is usually one of the more important audit areas. Why? Risk. First, it’s easy to increase net income by not recording period-end payables. Second, many forms of theft occur in the accounts payable area.

In this post, I’ll answer questions such as, “how should we test accounts payable?” And “should I perform fraud-related expense procedures?” We’ll also take a look at common payables-related risks and how to respond to them. In short, you will learn what you need to know about auditing accounts payable.

Auditing Accounts Payable and Expenses — An Overview

What is a payable? It’s the amount a company owes for services rendered or goods received. Suppose the company you are auditing receives $2,000 in legal services in the last week of December 2019, but the law firm sends the related invoice in January 2020. The company owes $2,000 as of December 31, 2019. The services were provided, but the payment was not made until after the year-end. Consequently, the company should accrue (record) the $2,000 as payable at year-end.

In determining whether payables exist, I like to ask, “if the company closed down at midnight on the last day of the year, would it have a legal obligation to pay for a service or good?” If the answer is yes, then record the payable even if the invoice is received after the year-end. Was a service provided or have goods been received by year-end? If yes (and the amount has not already been paid), accrue a payable.

In this chapter, we will cover the following:

• Primary accounts payable and expense assertions
• Accounts payable and expense walkthroughs
• Directional risk for accounts payable and expenses
• Primary risks for accounts payable and expenses
• Common accounts payable and expense control deficiencies
• Risks of material misstatement for accounts payable and expenses
• Search for unrecorded liabilities
• Auditing for accounts payable and expense fraud
• Substantive procedures for accounts payable and expenses
• Typical accounts payable and expense work papers

So, let’s begin our journey of auditing accounts payable and expenses.

Primary Accounts Payable and Expense Assertions

The primary relevant accounts payable and expense assertions are:

• Existence
• Completeness
• Cutoff
• Occurrence

Of these assertions, I believe completeness and cutoff (for payables) and occurrence (for expenses) are usually most important. When a company records its payables and expenses by period-end, it is asserting that they are complete and that they are accounted for in the right period. Additionally, the company is implying that amounts paid are legitimate.

Accounts Payable and Expense Walkthroughs

As we perform walkthroughs of accounts payable and expenses, we are looking for understatements (though they can also be overstated as well). We are asking, “what can go wrong?” whether intentionally or by mistake.

In performing accounts payable and expense walkthroughs, ask questions such as:

• Who reconciles the accounts payable summary to the general ledger?
• Does the company use an annual expense budget?
• Are budget/expense reports provided to management or others? Who receives these reports?
• What controls ensure the recording of payables in the appropriate period?
• Who authorizes purchase orders? Are any purchases authorized by means other than a purchase order? If yes, how?
• Are purchase orders electronic or physical?
• Are purchase orders numbered?
• How does the company vet new vendors?
• Who codes invoices (specifies the expense account) and how?
• Are three-way matches performed (comparison of purchase order with the receiving document and the invoice)?
• Are paid invoices marked “paid”?
• Does the company have a purchasing policy?
• Can credit cards be used to bypass standard purchasing procedures? Who has credit cards and what are the limits? Who reviews credit card activity?
• Are bids required for certain types of purchases or dollar amounts? Who administers the bidding process and how?
• Do larger payments require multiple approvals?
• Which employees key invoices into the accounts payable module?
• Who signs checks or makes electronic payments?
• Who is on the bank signature card?
• Are signature stamps used? If yes, who has control of the signature stamps and whose signature is affixed?
• How are electronic payments made (e.g., ACH)?
• Is there adequate segregation of duties for persons:
  • Approving purchases,
  • Paying payables,
  • Recording payables, and
  • Reconciling the related bank statements
• Which persons have access to check stock and where is the check stock stored?
• Who can add vendors to the payables system?
• What are the entity’s procedures for payments of travel and entertainment expenses? 
• Who reconciles the bank statements and how often?

As we ask these questions, we inspect documents (e.g., payables ledger) and make observations (e.g., who signs checks or makes electronic payments?). So, we are inquiring, inspecting, and observing. 

If controls weaknesses exist, we create audit procedures to respond to them. For example, if--during the walkthrough--we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will perform fraud-related substantive procedures (more about this in a moment).

Here's a short video about risk assessment in accounts payable. 

Directional Risk for Accounts Payable and Expenses

The directional risk for accounts payable and expenses is an understatement. So, perform procedures to ensure that invoices are properly included. For example, perform a search for unrecorded liabilities (see below).

Primary Risks for Accounts Payable and Expenses

The primary risks for accounts payable and expenses are:

1. Accounts payable and expenses are intentionally understated 
2. Payments are made to inappropriate vendors
3. Duplicate payments are made to vendors 

Keep these in mind as you audit accounts payable.

Common Payable and Expense Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

• One person performs two or more of the following:
• Approves purchases,
• Enters invoices in the accounts payable system,
• Issues checks or makes electronic payments, 
• Reconciles the accounts payable bank account,
• Adds new vendors to the accounts payable system
• A second person does not review payments before issuance
• No one performs surprise audits of accounts payable and expenses 
• Bidding procedures are weak or absent
• No one reconciles the accounts payable detail to the general ledger
• New vendors are not vetted for appropriateness
• The company does not create a budget
• No one compares expenses to the budget
• Electronic payments can be made by one person (with no second-person approval or involvement)
• The bank account is not reconciled on a timely basis
• When bank accounts are reconciled, no one examines the canceled checks for appropriate payees (the dollar amount on the bank statement is agreed to the general ledger but no one compares the payee name on the cleared check to the vendor name in the general ledger)

Risks of Material Misstatement for Payables and Expenses

In smaller engagements, I usually assess control risk at high for each assertion. When I assess control risk at less than high, I have to test controls to support the lower risk assessment. Therefore, assessing risks at high is usually more efficient (than testing controls).

Search for Unrecorded Liabilities

How does one perform a search for unrecorded liabilities? Use these steps:

1. Obtain a complete check register for the period subsequent to your audit period
2. Pick a dollar threshold ($10,000) for the examination of subsequent payments
3. Examine the subsequent payments (above the threshold) and related invoices to determine if the payables are suitably included or excluded from the period-end accounts payable detail
4. Inquire about any unrecorded invoices

As the RMM for completeness increases, vouch payments at a lower dollar threshold.

How should you perform a detailed analysis of expense accounts? First, compare your expenses to budget—if the entity has one—or to prior year balances. If you note any significant variances (that can’t be explained), then obtain a detail of those particular expense accounts and investigate the cause.

Theft can occur in numerous ways—such as fictitious vendors or duplicate payments. If control weaknesses are present, consider performing fraud-related procedures. When fraud-related control weaknesses exist, assess the RMM for the occurrence assertion at high. Why? There is a risk that the expense (the occurrence) is fraudulent. 

So, how should you respond to such risks?

Auditing for Fraud

Substantive Procedures for Accounts Payable and Expenses

My customary audit tests are as follows:

1. Vouch subsequent payments to invoices using the steps listed above (in Search for Unrecorded Liabilities)
2. Compare expenses to budget and examine any unexplained variances
3. When control weaknesses are present, design and perform fraud detection procedures

If there are going concern issues, you may need to examine the aged payables listing. Why? Management can fraudulently shorten invoice due dates. Doing so makes the company appear more current. For example, suppose the business has three unpaid invoices totaling $1.3 million that were due over ninety days ago. The company changes the due dates in the accounts payable system, causing the invoices to appear as though they were due just thirty days ago. Now the aged payables listing looks better than it would have. 

Typical Payable and Expense Work Papers

Get Your Copy of the Why and How of Auditing

Click the book cover below to go to Amazon.

What is the difference in an internal control and a process? Most accounting directions do not clearly define what a control is. So it can be difficult to sift through a thick accounting manual and identify key controls. Below, I help you distinguish between controls and processes. Why? So you can see the controls that are relevant to your audit.

Processes and Controls in Risk Assessment

Difference in Internal Controls and Processes

In summary, we see that a processes are the actions performed to get something done. Cashiers receive and process payments. By contrast, controls ensure that the resulting numbers are correct and that assets are secure from theft. 

Understanding the differences in controls and processes helps you identify key controls. And why is this important? So you can clearly see key controls while performing audit risk assessment.

Control Risk Assessment