Category Archives for "Auditing"

Apr 24

Payment Fraud Tests: Five Powerful Ideas

By Charles Hall | Auditing, Fraud

Are you looking for payment fraud tests, that is, ways to detect fraudulent payments and create unpredictable tests? Here’s your article.

You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”

You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”

The staff member sheepishly responds, “I’m not sure.”

And you are thinking, “What can we do?”

Five Payment Fraud Tests

Here are five payment fraud tests that you can perform in most any audit.

1. Test for duplicate payments

Why test for duplicate payments?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer does not normally examine supporting documentation and the payee name.

How can you test for duplicate payments?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).

2. Review the accounts payable vendor file for similar names

Why test for similar vendor names?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes might be used).

The check-signer will probably not recognize the payee name as fictitious.

How can you test for similar vendor names?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors

Why test for fictitious vendors?

The accounts payable clerk may add a fictitious vendor. What address will be entered for the fictitious vendor? You guessed it: the payable clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How can you test for fictitious vendors?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the business addresses to check for validity. If necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

4. Compare vendor and payroll addresses

Why compare vendor and payroll addresses?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How can you test for the same vendor and payroll addresses?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.
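Tests 1, 2 and 4 (duplicate payments, similar vendor names, and vendor/payroll address matches) can also be scripted instead of sorted and inspected by eye in Excel. The following Python is an added example, not part of the original post; the sample rows, the suffix and abbreviation lists, and the 0.85 similarity cutoff are constructed assumptions, while the $25,000 threshold is the article's own example.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data for illustration (not from the article).
CHECKS = [  # (check number, date, payee, amount)
    ("1001", "2024-03-01", "ABC Company", 27500.00),
    ("1017", "2024-03-14", "ABC Company", 27500.00),  # same payee and amount, later batch
    ("1002", "2024-03-01", "Delta Supply", 31000.00),
    ("1003", "2024-03-02", "Delta Supply", 120.00),
    ("1020", "2024-03-15", "Delta Supply", 120.00),   # repeat, but under the threshold
]
VENDORS = [  # (vendor name, address)
    ("ABC Company", "100 Main Street, Suite 4"),
    ("ABC Co.", "P.O. Box 77"),
    ("Delta Supply", "42 Harbor Rd"),
    ("Ridge Consulting", "815 Oak St."),
]
EMPLOYEES = [("J. Smith", "815 Oak Street"), ("L. Jones", "9 Elm Ave")]

# Assumed normalization lists; extend them for the client's data.
SUFFIXES = {"co", "company", "inc", "llc", "ltd", "corp", "corporation"}
ADDR_ABBR = {"street": "st", "road": "rd", "avenue": "ave", "suite": "ste", "drive": "dr"}

def _words(text):
    """Lowercase, strip punctuation, split into words."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).split()

def norm_name(name):
    """Vendor name without legal suffixes, so 'ABC Co.' equals 'ABC Company'."""
    return " ".join(w for w in _words(name) if w not in SUFFIXES)

def norm_address(addr):
    """Address with common words abbreviated, so 'Street' equals 'St.'."""
    return " ".join(ADDR_ABBR.get(w, w) for w in _words(addr))

def duplicate_payments(checks, threshold=25000):
    """Test 1: same payee and amount on more than one check, at or above threshold."""
    groups = defaultdict(list)
    for number, _date, payee, amount in checks:
        # Key on whole cents to avoid float comparison problems.
        groups[(norm_name(payee), round(amount * 100))].append(number)
    return [(payee, cents / 100, numbers)
            for (payee, cents), numbers in groups.items()
            if len(numbers) > 1 and cents >= threshold * 100]

def similar_vendor_names(vendors, cutoff=0.85):
    """Test 2: vendor pairs whose normalized names are near-matches."""
    hits = []
    for (a, _), (b, _) in combinations(vendors, 2):
        na, nb = norm_name(a), norm_name(b)
        if na and nb and SequenceMatcher(None, na, nb).ratio() >= cutoff:
            hits.append((a, b))
    return hits

def shared_addresses(vendors, employees):
    """Test 4: vendors whose address matches an address in the payroll file."""
    by_addr = defaultdict(list)
    for emp, addr in employees:
        by_addr[norm_address(addr)].append(emp)
    return [(vendor, emp, key)
            for vendor, addr in vendors
            for key in [norm_address(addr)]
            for emp in by_addr.get(key, [])]

if __name__ == "__main__":
    print("Duplicate payments:", duplicate_payments(CHECKS))
    print("Similar vendor names:", similar_vendor_names(VENDORS))
    print("Vendor/payroll address matches:", shared_addresses(VENDORS, EMPLOYEES))
```

Every hit is a lead to investigate rather than a finding; as noted above, a vendor/payroll address match can be legitimate.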

5. Scan all checks for proper signatures and payees

Why test checks for proper signatures and payees?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How can you test for proper signatures and payees?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).

Your Payment Fraud Tests

Those are a few of my payment fraud tests. Please share yours.

Need additional ideas regarding how fraud might occur? Check out my post: 25 Ways Fraud Happens.

My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. See The Little Book of Local Government Fraud Prevention. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.

Feb 09

Audit Mistakes: Seven Deadly Sins

By Charles Hall | Auditing

Seven deadly audit sins can destroy you. These audit mistakes kill your profits and effectiveness.

You just completed an audit project, and you have another significant write-down. Last year’s audit hours came in well over budget, and—at the time—you thought, This will not happen again. But here it is, and it’s driving you insane.

Insanity: doing the same thing year after year but expecting different results.

Are you ready for better results?

Audit Mistakes

Here are seven deadly (audit) sins that cause our engagements to fail.

1. We don’t plan

Rolling over the prior year file does not qualify as planning. Using canned audit programs is not planning.

What do I mean? We don’t know what has changed. Why? Because we have not performed real risk assessment such as current year walkthroughs. We have not (really) thought about current year risks of material misstatement.

Each year, audits have new wrinkles.

Are there any fraud rumors? Has the CFO left without explanation? Have cash balances decreased while profits increased? Does the client have a new accounting program or new staff? Can you still obtain the reports you need? Are there any new audit or accounting standards?

Anticipate issues and be ready for them with a real audit plan.

2. SALY lives

Elvis may not be in the house, but SALY is.

Performing the same audit steps is wasteful. Just because we needed the procedure ten years ago does not mean we need it today. Kill SALY. (No, I don’t mean your staff member; SALY stands for Same As Last Year).

I find that audit files are like closets. We allow old thoughts (clothes) to accumulate without purging. It’s high time for a Goodwill visit. After all, this audit mistake has been with you too long. So ask yourself: Are all of the prior audit procedures relevant to this year’s engagement?

Will better planning require us to think more in the early phases of the engagement? Yes. Is this hard work? Yes. Will it result in less overall effort? Yes.

Sometimes the SALY issue occurs because of weak staff.

3. We use weak staff

Staffing your engagement is the primary key to project success. Excellent staff makes a challenging engagement pan out well. Poor staff causes your engagement time to balloon–lots of motion, but few results. Maybe you have smart people, but they need training. Consider AuditSense.

Another audit mistake is weak partner involvement.

4. We don’t monitor

Partners must keep an eye on the project. And I don’t mean just asking, “How’s it going?” Look in the audit file. See what is going on. In-charges will usually tell you what you want to hear. They hope to save the job on the final play, but a Hail Mary often results in a lost game.

As Ronald Reagan once said: Trust but verify.

Engagement partners need to lead and monitor. They also need to provide the right technology tools.

5. We use outdated technology

Are you paperless? Using portable scanners and monitors? Are your auditors well versed in Adobe Acrobat? Are you electronically linking your trial balances to Excel documents? Do you use project management software (e.g., Basecamp)? How about conferencing software (e.g., Zoom)? Do you have secure remote access to audit files? Do you store files securely in the cloud (e.g., Box)? Are you using data mining software such as Idea? Do you send electronic confirmations?

Do your staff members fear you so much that they don’t give you the bad news?

6. Staff (intentionally) hide problems

Remind your staff that bad news communicated early is always welcome.

Early communication of bad news should be encouraged and rewarded (yes, rewarded, assuming the employee did not cause the problem).

Sometimes leaders unwittingly cause their staff to hide problems. In the past, we may have gone ballistic on them–now they fear the same.

And here’s one last audit mistake: no post-engagement review.

7. No post-engagement review

Once our audit is complete, we should honestly assess the project. Then make a list of inefficiencies or failures for future reference.

If you are a partner, consider a fifteen-minute meeting with staff to go over the list.

Your ideas to overcome audit mistakes

What do you do to keep your audits within budget?

Feb 05

Internal Control Reporting When There are No Issues

By Charles Hall | Auditing

In this post, I provide an overview of the internal control reporting requirements when no significant deficiencies or material weaknesses are noted in an audit of the financial statements. I also provide guidance for when such an engagement is subject to the Government Auditing Standards (i.e., Yellow Book). You’ll see a video that shows you what the audit opinion and Yellow Book reports look like when both are in play, and there are no issues. 

Internal Control Reporting Standards

There are two sets of rules when you perform an audit that is subject to the Yellow Book requirements:

  1. Generally accepted auditing standards from AICPA
  2. Government Auditing Standards (i.e., Yellow Book) from GAO

And only one set of rules if the audit is not subject to the Yellow Book requirements:

  1. Generally accepted auditing standards from AICPA

Consider two scenarios.

1. Perform an audit not subject to Yellow Book 

If you perform an audit (not subject to Yellow Book) and have no significant deficiencies or material weaknesses, then no internal control letter is required (for anyone). I refer to this letter as the “SAS 115 letter” since that’s where the original generally accepted auditing rule came from. Some people opt to issue one anyway. But again, this is not required.

In this scenario, you issue one report:

Audit opinion (and no internal control letter is issued)

2. Perform an audit subject to Yellow Book 

If you perform an audit that is subject to Yellow Book and have no significant deficiencies or material weaknesses, then no SAS 115 internal control letter is required. Some people opt to issue one anyway.

A Yellow Book report is required (even though there are no significant deficiencies or material weaknesses) and is included in the audited financial statements, usually after the notes to the financial statement. 

You do not need to send this report to anyone separately (i.e., the government) since it’s included in the bound audit report.

So, in this scenario, you issue two reports:

  1. Audit opinion, and
  2. Yellow Book report

But what do these reports look like? 

Yellow Book Report and Amendments to Audit Opinion

Here is a video that shows you what a Yellow Book report looks like when there are no significant deficiencies or material weaknesses.

I also show you how to amend your standard audit opinion (governmental example) when the Yellow Book report is provided. 

See my related article about capturing and reporting control deficiencies. I define significant deficiencies and material weaknesses in another post.

Feb 03

Tips for Communicating with a Predecessor Auditor

By Charles Hall | Auditing

Communicating with a predecessor auditor can be trying. Even so, audit standards require that you (at least try to) contact them. 

After not sufficiently vetting a potential new client and paying the price for it, I can tell you, “This part of client acceptance is crucial.” You can avoid many headaches. 

In this article, I tell you when to make contact, what inquiries to make, what responses you might receive, how to document the conversations, and how reviewing predecessor work papers will help you audit opening balances. 

Let’s start with an example conversation between the prospective and predecessor auditors.

Example Conversation with Predecessor Auditor

“Hi Bill, I am Charles Hall of Johnson & Hitchcock CPAs. I am calling about the 2024 audit of Bird Lighting. They said they would contact you and authorize this conversation. Have they done that?”

“Yes, we heard from them last week. I can respond to your questions.”

So, I ask, “Have there been any illegalities or noncompliance issues you’ve encountered previously?” His response is a hesitant no. I sense Bill is not happy to talk with me (which I understand–we’ve been cross-town competitors for over a decade). He’s responding but is not volunteering any additional information. Probing further, I question the company’s financial condition. Bill admits to cash flow troubles, causing difficulties in compensating accounting staff. 

Now, I’m wondering if they have competent accountants. 

I ask, “How many journal entries did you propose last year, and were there any disagreements about those?” And he responds, “about 35.” He hesitates before disclosing that a heated debate preceded the posting of two material entries.

We discuss other matters before arranging a meeting to examine their work papers. Bill says, “We’ll make the prior year’s work papers available for viewing in our office on May 4 at 10:00 a.m. You can request copies of work papers, but we reserve the right to refuse. For example, we don’t give copies of our walkthroughs or risk assessments. We’ll also ask that you sign a letter stating that you will not use this information in any way that might harm our firm.”

Now that we’ve visited a typical predecessor auditor conversation, let’s see what the audit standards say about this.

When to Initiate the Conversation

The auditor should initiate this communication before being engaged to perform the engagement.

Why? Because you want to be aware of any potential problem areas before you accept the engagement. For instance, if management is unethical, you want to know that. If management has used fraudulent accounting, being aware of such practices is to your advantage. Consequently, audit standards necessitate communication before the auditor is engaged.

Contacting the Predecessor Auditor

You should initiate communication with the predecessor auditor and make inquiries according to AU-C 210, Terms of Engagement. Such inquiries should include potential fraudulent activities involving management or employees and noncompliance or suspected noncompliance with applicable laws and regulations. Those inquiries might also include asking if the predecessor knows why the auditee is making the change in auditors. 

Additional potential problem areas include:

–leadership integrity issues

–combative attitudes

–financial problems

–lack of client responsiveness to requests for information

–excessive number of audit adjustments

–client expectations that you do additional work without compensation

–management override of controls

–disagreements over audit fees

Before establishing contact, the company’s management must authorize the predecessor auditor to respond to the successor auditor’s inquiries. If the potential client does not permit this communication, think twice about doing this audit. 

A prospective auditor can make a proposal to do the audit before contacting the predecessor auditor, but can’t accept the engagement (it’s not final) until they have communicated with the predecessor auditor. 

Not communicating with the predecessor auditor can be equivalent to walking into a minefield when anticipating a leisurely hike. The more you know as you accept a new client, the better. 

The Predecessor Auditor’s Response

Sometimes, the predecessor will not respond, as though you don’t exist. (Makes me think, “E.T., phone home.”) Why? They are probably unhappy that you’ve just taken a client from them. That’s understandable. It may not be professional, but again, it’s understandable. (This is what makes these conversations so difficult.)

The predecessor auditor is to be timely in their responses. 

Limited Responses

Other times, the predecessor might give you a limited response. You might think this when there are conversational pauses or stammerings. Such hesitations might indicate that you need to tread carefully and consider whether you should accept the client. For example, is the predecessor privy to information that would be useful to you but potentially damaging to them (i.e., the company sues them for slander)? Sometimes, you don’t know. 

Additionally, the predecessor auditor sometimes provides a limited response due to extenuating circumstances, such as pending litigation. In that case, they should say their response is limited per AU-C 210, Terms of Engagement.

Now, let’s think about evaluating the responses. 

Evaluate the Responses

The successor auditor should evaluate the implications of the responses received (or not received) and document that information in the audit file. Why? One reason is peer reviewers look for predecessor auditor communication in an initial audit file. You need to prove you at least tried to initiate a conversation.

There’s little you can do when a predecessor auditor is nonresponsive. Even so, document your attempts to communicate. For example, include copies of letters and emails in your audit file. 

If the predecessor does respond, consider asking to see their prior year’s audit work papers. 

Reviewing Predecessor Audit Work Papers

A customary request by a potential successor auditor pertains to accessing predecessor auditor work papers. Viewing those work papers facilitates verification of opening balances for your new audit if you accept the engagement.

By the way, it is usual for the predecessor to ask you to sign a letter saying that you’ll not use the prior year’s work papers in any manner that might harm them, which is a reasonable request. 

The predecessor decides whether you can see any work papers and what they will allow you to review. They might not provide, for example, their walkthroughs. Why? Because it takes a great deal of time to create these, and they may not want to give their competitor free work.  


Not only do professional standards require you to contact the predecessor auditor, but it’s the better part of wisdom for you to do so. No, it’s not a fun process, but you’ll be glad you did. Your peer reviewer will also be happy you followed the audit standards. 

In June 2022, the AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 147, Inquiries of the Predecessor Auditor Regarding Fraud and Noncompliance With Laws and Regulations. It is effective for periods beginning on or after June 30, 2023.

Feb 01

Client Acceptance: How to Do It Right

By Charles Hall | Auditing

Client acceptance and continuance may be the most critical step in an audit, but it’s one that gets little attention. A prospective client calls saying, “Can you audit my company?” and we respond, “sure.” While new business can be a good thing, relationships need appropriate vetting. Not doing so can lead to significant (and sometimes disastrous) consequences.

New Relationships

My daughter recently met a young man on Instagram. Not unusual these days. But now the relationship is entering into its third month. They talk every day for two or three hours. So far, they have not been in the same room—and not even in the same city. Skype, yes. Physical presence, no. That’s happening at the end of this month. (He lives eight hours away.)

So what do Mom and Dad think about all of this? Well, it’s fine. My wife checked him out on Facebook (I know you’ve never done this). And my daughter has told us all about the “fella” and his family. We like what we’re hearing. He has similar beliefs. He has a job (Yay!), and he has graduated from college. His family background is like ours.

Why do we want to know all the details about the young man? Because relationships impact people—my daughter, the young man, his family members, and yes, my wife and I. We want everyone to be happy.

Client Acceptance 

And that’s what good relationships create. Happiness. The same is true with clients. As Stephen Covey said, “think win, win.” When the customer wins, and your CPA firm wins, everyone is happy. Mutual needs are met.

Careless CPAs accept business with only one consideration: Can I get paid? 

While getting paid is important, other factors are also critical.

Before accepting an audit engagement consider:

  1. Are they ethical?
  2. Are you independent?
  3. Do you have the technical ability to serve them?
  4. Do you have the capacity to serve them?

Are They Ethical?

I want my daughter to marry a guy with beliefs that correspond with who she is. Is he honest? Would he steal? Is he transparent? Who are his associates? What do others think of him? 

We ask similar questions about accepting a new client. Audit standards require us to consider whether the prospective client has integrity. If the company is not morally straight, then there’s no need to move forward. Ethics is a key to client acceptance.

(The predecessor auditor can provide information about their interactions with the company. Audit standards require contact with the predecessor auditor prior to acceptance. This is an initial year consideration.)

Are You Independent?

Independence is another key to client acceptance. And the time to determine your firm’s independence is the beginning—not at the conclusion of the audit.

Consider what happens—during a peer review—when a firm is not independent, and it has issued an audit opinion. The original audit report will be recalled, and I’ll bet the company asks for and receives a full refund of your audit fee. Now, the company needs to be re-audited.  (Oh, and there’s that impact on the peer review report.)

Pay attention to requested nonattest services—such as preparation of financial statements. If the client has no one with sufficient skill, knowledge, and experience to accept responsibility for such services, you may not be independent. See the AICPA’s Plain English Guide to Independence for more information. (You can see additional help-aids in my list of online resources for CPAs.)

Do You Have the Technical Ability to Serve Them?

If you can pick up a client in an industry in which you have no experience, should you? Possibly, but it depends on whether you can appropriately understand the client and their industry before you conduct the engagement. Some new customers may not be complicated. In those cases, CPE may get you into position to provide the audit. 

But what if the potential engagement involves a highly sophisticated industry and related accounting standards for which you are ill-equipped? It may be better to let the engagement go and refer it to an audit firm that has the requisite knowledge. Or maybe you can partner with the other firm. 

Do You Have the Capacity to Serve Them?

A prospective client calls saying, “Can you audit my company? We have a December 31 year-end, and we need the audit report by March 31.” After some discussion, I think the fee will be around $75,000. But my staff is already working sixty hours a week during this time of the year. Should I take the engagement? 

My answer would be no unless I can create the capacity. How? I can hire additional personnel or maybe I can contract with another firm to assist. If I can’t build additional capacity, then I may let the opportunity pass. 

Far too many firms accept work without sufficient capacity. When this happens, corners are cut, and staff members and partners suffer. Stuffing even more work into a stressful time of the year is not (always) a wise thing. We lose staff. And if the engagement is deficient, peer review results may take a hit.

When you don’t have the capacity to accept new good clients, consider whether you should discontinue service to existing bad customers.

The Continuance Decision

Quality control standards call for CPAs not only to develop acceptance procedures but also to create continuance protocols.

I previously said CPAs often don’t give proper attention to acceptance procedures. So, how about continuance decisions? Even worse. 

Each year, we should ask, “If this was a new client opportunity, would I accept them?” If the answer is no, then why do we continue serving them? 

Here are a few questions to ponder:

  • Has the client paid their prior year fees? 
  • Am I still independent (consider the new Hosting Services interpretation)?
  • Does the client demand more from me than the fee merits?
  • Do I enjoy working with this client?
  • Is the client’s financial condition creating additional risks for my firm?
  • Is the client acting ethically?

Each year, well before the audit starts, ask these questions.

And then consider, is the bottom 10% of my book of business keeping me from accepting better clients? My experience has been that when I have the capacity, new business appears. When capacity is lacking, it doesn’t. The decision to hold on to bad clients is a decision to close the door to better clients. Don’t be afraid to let go.

Risk Assessment Starts Now

When should we start thinking about risk assessment? Now.

Whether you are going through the initial acceptance procedures or you are making your continuance decision, start thinking about risk assessment now. Assuming you accept the client, you’ll be a step ahead as you begin to develop your audit plan. Ask questions such as:

  • How is your cash flow?
  • Do you have any debt with covenants?
  • Who receives the financial statements?
  • Has the company experienced any fraud losses?
  • How experienced is management?
  • Why are you changing auditors?

Keep these notes for future reference and audit planning. 

The Strangest Audit Ever

As I close this post, I thought I’d share an old war story. One where I did not perform client acceptance correctly. You’ll find this story hard to believe. But it’s true.
