In this article I explain how you can use unpredictable audit procedures.
The audit standards require elements of unpredictability. Why? So clients can’t guess what the auditor is going to do. Clients naturally observe and learn what auditors normally do. The client’s knowledge of what is audited (and what is not) makes it easier to steal. The client takes from unaudited areas. This knowledge also enables the company to manipulate numbers. The client alters unaudited balances.
The purpose of the unpredictable element is to create uncertainty–in the client’s mind–regarding audit procedures. We do so by using unpredictable audit procedures.
Elements of Unpredictability – The Audit Standards
In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement level, the auditor should…incorporate an element of unpredictability in the selection of the nature, timing, and extent of audit procedures.
AU-C 240.A42 states:
Incorporating an element of unpredictability in the selection of the nature, timing, and extent of audit procedures to be performed is important because individuals within the entity who are familiar with the audit procedures normally performed on engagements may be better able to conceal fraudulent financial reporting. This can be achieved by, for example,
performing substantive procedures on selected account balances and assertions not otherwise tested due to their materiality or risk.
adjusting the timing of audit procedures from that otherwise expected.
using different sampling methods.
performing audit procedures at different locations or at locations on an unannounced basis.
Unpredictable Audit Procedures
To introduce elements of unpredictability, perform procedures such as these:
Examine payments less than your normal threshold in your search for unrecorded liabilities (e.g., in the last three years your threshold was $7,000; this year, it’s $3,000)
Perform a surprise unannounced review of teller cash (for a bank client)
Make a physical visit to the inventory location one month after the end of the year and review inventory records (assuming you don’t normally do so)
Review payroll salary authorization sheets for ten employees and agree to amounts in the payroll master table (in the payroll software)
Test a bank reconciliation for the seventh month in the year being audited (in addition to the year-end bank reconciliation)
Confirm an immaterial bank account that you haven’t confirmed in the past
Pick ten vendors at random and perform procedures to verify their existence (as a test for fictitious vendors)
Document Your Unpredictable Audit Procedures
Since unpredictable tests are required in every audit, document where you performed this procedure. Reference your audit program step for unpredictable tests to the work performed. Title your work paper, “Unpredictable Test,” and then add a purpose statement such as, “Purpose: To confirm the immaterial bank account with ABC Bank as an unpredictable test.” Doing so will eliminate the potential for a peer reviewer to say, “that’s a normal procedure.” You are overtly stating the purpose of the test is to satisfy the unpredictable test requirement.
Change Your Unpredictable Tests Annually
Change your unpredictable tests annually. Otherwise, they will–over time–become predictable.
Over the last thirty-five years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?
Here are seven answers I’ve received.
1. It was there last year.
But is it relevant this year? Resist the temptation to mindlessly bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.
2. The client gave it to me.
Inexperienced auditors tend to put everything given to them in the file. Some auditors believe “if the client gave it to me, it must be important.” But this is not necessarily true. Every work paper needs a purpose.
3. I may need it next year.
Then save it for next year—somewhere other than in the current file. If the information does not provide current year engagement evidence, then it does not belong in the file.
Consider creating a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: Next year’s work papers. Then move this section to next year’s file as you close the engagement.
4. I might need it this year.
Before going paperless (back in the prehistoric days when we moved work papers with hand trucks), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.
Since my files are now paperless, I create an electronic folder titled Recycle Bin that sits at the bottom of my file. If I receive information that is not relevant to the current year (but there is a chance I will need it), I move it to the recycle bin, and when I am wrapping up the engagement, I dispose of the folder.
5. It’s an earlier version of a work paper.
Move earlier versions of work papers to your recycle bin—or delete them.
6. I need it for my tax work.
Then it belongs in the tax file (unless it’s related to your attest work – e.g., deferred taxes).
7. We always do this.
But why is it being done this year? Maybe a fraud was missed ten years ago and the partner said, from now on we will…
The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide ammunition to an opposing attorney: “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)
What are your thoughts about removing unnecessary audit work papers?
Segregation of duties is key to reducing fraud. But smaller entities may not be able to segregate duties. Today, I tell you how to overcome this problem, regardless of the entity’s size.
The Environment of Fraud
Darkness is the environment of wrongdoing.
No one will see us. Or so we think.
Fraud occurs in darkness.
In J.R.R. Tolkien’s Hobbit stories, Sméagol, a young man, murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring and Sméagol’s hiding of self and his precious (the ring) transforms him into a hideous creature–Gollum. I know of no better or more graphic portrayal of how that which is alluring in the beginning is destructive in the end.
Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.
What’s the solution? Transparency. It protects businesses, governments, and nonprofits.
But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.
It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.
But this segregation of duties is not always possible.
Lacking Segregation of Duties
Some people say there are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.
Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.
Here are two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.
1. Bank Account Transparency
First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.
Persons who might receive the bank statements first (before the bookkeeper) include the following:
A nonprofit board member
The mayor of a small city
The owner of a small business
The library director
A church leader
What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).
In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.
Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.
Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.
Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. But if the bookkeeper even thinks someone is watching, fraud will lessen.
When you audit cash, see if these types of controls are in place.
Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.
2. Surprise Audits
Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.
Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.
The policy could be as simple as:
Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.
Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs.
Surprise Audit Ideas
Here are some surprise audit ideas:
Inspect all checks that cleared in a particular month for appropriate payees, signatures, and endorsements
Agree all receipts to the deposit slip for three different time periods
Review all journal entries made in a two week period and request an explanation for each
Inspect two bank reconciliations for appropriateness
Review one monthly budget to actual report (look for unusual variances)
Request a report of all new vendors added in the last six months and review for appropriateness
The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.
I will say it again. Having multiple people involved reduces the threat of fraud.
Segregation of Duties Summary
In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.
Management can override internal controls, resulting in fraudulent financial reporting. Below I provide examples of management override of internal controls and how you can audit for these potential threats.
Controls can be overridden, even when properly designed and operating. Accounting personnel usually comply with the wishes of management either out of loyalty or fear. So if a trusted C.E.O. asks the accounting staff to perform questionable actions, they will sometimes comply because they trust the leader. Alternatively, management can threaten accounting personnel with the loss of their jobs if they don’t comply. Either way, management gets what it wants by overriding internal controls.
Examples of Management Override of Internal Controls
Here are examples of management override of internal controls:
Booking journal entries to inflate profits or cover up theft
Using significant transactions outside the normal course of business to dress up the financial statements
Transferring company cash to their personal accounts
Auditors consider management override in all audits (or at least, they should). Why? Because it’s always possible. That's why audit standards require that we respond to the risk of management override in all audits.
First, let’s consider how management overrides controls with journal entries.
1. Journal Entry Fraud
Think about the WorldCom fraud. Expenses were capitalized to inflate profits. Income statement amounts were moved to the balance sheet with questionable entries. Once the fraud was discovered, the internal auditors were told the billion-dollar entries were based on what management wanted. The entries were not in accordance with generally accepted accounting principles. And why was this done? To increase stock prices. Management owned shares of WorldCom, so they profited from the climbing stock values. The fraud led to prison sentences and the demise of the company, all because of management override.
Journal entries are an easy way to override controls. Consider this scenario: Management meets at year-end, and they have not met their goals; so they manipulate earnings by recording nonexistent receivables and revenues, or they record revenues before they are earned. For example, management accrues $10 million in fake revenue, or they book January revenues in December.
Journal Entry Testing
Auditors should test journal entries for potential fraud, but how? First, understand the normal process for making journal entries: who makes them, when are they made, and how. Also, inquire about journal entry controls and consider any fraud incentives, such as bonuses related to profits. Then think about where fraudulent entries might be made and test those areas. Fraudulent journal entries are often made at year-end, so make sure you test those. Here are some additional journal entry test ideas:
Examine entries made to seldom-used accounts
Review consolidating entries (also known as top-side entries)
Test entries made at unusual hours (e.g., during the night)
Vet entries made by persons that don’t normally make journal entries
You don’t need to perform all of the above tests, just the ones that are higher risk in light of journal entry controls and fraud incentives. Data mining software can be helpful in vetting journal entries. For example, you can search for journal entries made by unauthorized persons. Just extract all journal entries from the general ledger and group them by persons making the entries; thereafter, scan the list for unauthorized persons.
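The journal entry tests described above can be scripted against a general ledger extract. The following is an added example, not part of the original article; the CSV layout, user names, account names, year-end date, and thresholds are all assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, datetime
from decimal import Decimal

# Constructed general-ledger extract for illustration; not real client data.
SAMPLE_GL_CSV = """\
entry_id,posted_at,user,account,amount,description
JE-1001,2023-03-14 10:12,mlopez,4000-Revenue,12500.00,March billing
JE-1002,2023-03-14 10:15,mlopez,1200-Receivables,12500.00,March billing
JE-1003,2023-06-30 16:40,tchen,6100-Rent,4000.00,June rent
JE-1004,2023-09-30 09:05,tchen,6100-Rent,4000.00,September rent
JE-1005,2023-11-02 02:47,mlopez,1990-Suspense,8200.00,Reclass
JE-1006,2023-12-29 11:30,tchen,1200-Receivables,3100.00,December billing
JE-1007,2023-12-29 11:31,tchen,4000-Revenue,3100.00,December billing
JE-1008,2023-12-31 23:05,exec_01,4000-Revenue,950000.00,Accrued revenue
JE-1009,2023-12-31 23:05,exec_01,1200-Receivables,950000.00,Accrued revenue
"""

# Engagement-specific assumptions the auditor sets after inquiry.
AUTHORIZED_PREPARERS = {"mlopez", "tchen"}  # who normally makes entries
FISCAL_YEAR_END = date(2023, 12, 31)
YEAR_END_WINDOW_DAYS = 5                    # days either side of year-end
BUSINESS_HOURS = range(7, 19)               # 07:00-18:59 is treated as normal
SELDOM_USED_MAX_POSTINGS = 1                # postings at or below this = seldom used


def load_entries(csv_text):
    """Parse the extract into dicts with a typed timestamp and amount."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["posted_at"] = datetime.strptime(row["posted_at"], "%Y-%m-%d %H:%M")
        row["amount"] = Decimal(row["amount"])
        entries.append(row)
    return entries


def group_by_preparer(entries):
    """Group entries by the person who made them (count and total amount)."""
    summary = defaultdict(lambda: {"count": 0, "total": Decimal("0")})
    for e in entries:
        summary[e["user"]]["count"] += 1
        summary[e["user"]]["total"] += e["amount"]
    return dict(summary)


def unauthorized_preparers(entries):
    """Scan the grouped list for persons who are not authorized preparers."""
    return sorted(set(group_by_preparer(entries)) - AUTHORIZED_PREPARERS)


def flag_entry(entry, account_usage):
    """Return the names of the tests this entry trips, in a fixed order."""
    flags = []
    if entry["user"] not in AUTHORIZED_PREPARERS:
        flags.append("unauthorized_preparer")
    if entry["posted_at"].hour not in BUSINESS_HOURS:
        flags.append("unusual_hour")
    days_from_year_end = abs((entry["posted_at"].date() - FISCAL_YEAR_END).days)
    if days_from_year_end <= YEAR_END_WINDOW_DAYS:
        flags.append("year_end")
    if account_usage[entry["account"]] <= SELDOM_USED_MAX_POSTINGS:
        flags.append("seldom_used_account")
    return flags


def review(entries):
    """Map entry_id -> flags for flagged entries, most flags first."""
    usage = Counter(e["account"] for e in entries)
    flagged = {}
    for e in entries:
        flags = flag_entry(e, usage)
        if flags:
            flagged[e["entry_id"]] = flags
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    gl = load_entries(SAMPLE_GL_CSV)
    print("Unauthorized preparers:", unauthorized_preparers(gl))
    for entry_id, flags in review(gl).items():
        print(entry_id, ", ".join(flags))
```

A flag is a reason to pull support for the entry, not a finding; entries that trip several tests at once are the ones to vet first.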
Fraudulent journal entries are not the only way to override controls. The books can be cooked with related party transactions.
2. Funny Business
Sometimes, as an auditor, you’ll see funny transactions. No, I don’t mean they are amusing. I mean they are unusual. Management can alter profits with transactions outside the normal course of business, and these are often related party transactions.
For example, Burning Fire, an audit client, is owned by Don Jackson. Mr. Jackson also owns another business, Placid Lake. As you are auditing Burning Fire, you see it received a check for $10 million from Placid Lake. So you ask for transaction support, but there is little. The CFO says the payment was made for “prior services rendered,” but it doesn’t ring true. This could be fraud and is an example of a transaction outside the normal course of business. Why would a company record such an entry? Possibly to bolster Burning Fire’s financial statements. When you see such a transaction, consider whether a fraud incentive is present. For example, do loan covenants require certain financial ratios and does this transaction bring them into compliance?
Next, we look at how management can juice up profits by manipulating estimates.
3. Manipulating Estimates
Auditing standards require a retrospective review of estimates as a risk assessment procedure. Why? Because management can manipulate estimates to inflate earnings and assets. Auditing standards call such tendencies bias, a sign that fraudulent financial reporting might exist. That’s why auditors review prior estimates and related results.
For instance, suppose a company has a policy of reserving 90% of receivables that are ninety days or older. If at year-end the greater-than-ninety-days bucket contains $1,000,000, management can increase earnings $400,000 by lowering the reserve to 50%. What an easy way to increase net income!
Retrospective Review of Estimates
So, how does an auditor perform a retrospective review of an allowance for uncollectible accounts? Compare the year-end reserve with that of the last two or three years. If the reserve decreases, ask why. There might be legitimate reasons for the decline. But if there is no reasonable basis for the smaller allowance, bias could be present. Note such changes in your risk assessment summary. For example, in the accounts receivable section, you might say: The allowance for uncollectible accounts appears to have decreased without a reasonable basis. Why? Because you’ve identified a fraud risk that deserves attention.
Complex estimates are easier to manipulate without detection than simple ones. Why? Because intricate estimates are harder to understand, and complexity creates a smokescreen, making bias more difficult to spot. As an example, consider pension plan assumptions and estimates. Very complex. And changes in the assumptions can dramatically affect the balance sheet and net income.
Now, let's look at how to document your retrospective review.
Documenting Your Retrospective Review
Document your retrospective review. How? List the current and prior year estimates and explain the basis for each. Also, examine the results of the prior year estimates. For example, compare the current year bad debts with the prior year uncollectible allowance. Additionally, consider including incentives for manipulating profits such as bonuses.
Label the workpaper Retrospective Review of Estimates to communicate its purpose. Also, consider adding purpose and conclusion statements such as:
Purpose of workpaper: To perform a retrospective review of estimates to see if bias is present.
Conclusion: While the allowance estimate is higher in the current year, the judgments and assumptions are the same. It does not appear that bias is present. All other prior year estimates appear reasonable.
Other conclusion examples follow:
Conclusion: The rate of return used in computing the pension liability increased by 1%. The increase does not appear to be warranted given the mix of investments and past history. Bias appears to be present and is noted in the risk assessment summary form (in the payroll and benefits section).
Conclusion: Based on our review of the economic lives of assets in the prior year depreciation schedule, no bias is noted.
Conclusion: We reviewed bad debt write-offs in the current year and compared them to the uncollectible allowance in the prior year. No management bias is noted.
Is there another way that management might override controls? Yes, sometimes management requires accounting personnel to transfer company cash to personal bank accounts.
4. Transferring Company Cash to Personal Accounts
Years ago I audited a hospital in Alabama. The C.E.O. would sometimes go to Panama City Beach, and while there, direct his accounting staff to wire funds to his personal account—and they did. Why? The threat of losing their jobs. Some management personnel, especially those with muscle, can intimidate the accounting employees into doing the unbelievable. I’ve seen this happen and once the C.E.O. is called out, he pretends to know nothing about the prior conversations with accounting.
Management Override of Internal Controls
In your future audits, consider that management override of internal controls is always a possibility.
So don't allow yourself to believe that management is too honest to commit fraud. (A personal friend of mine just went to jail for stealing $3.5 million; he was part of the company's management team. I've known him for twenty years, so I was stunned to hear this.) Conduct your audits to detect material misstatements, including fraud--even if you've known the management team for many years.
Want to perform your audits correctly but with less time? Then understand audit materiality, performance materiality, and trivial misstatements. Below you’ll see how to use audit materiality in the planning, conduct, and conclusion of your engagements. You’ll also see how to use performance materiality and trivial misstatements.
Materiality is to reasonable assurance what white stripes are to a basketball court. And understanding materiality is a key to making sure no one blows the whistle on you. Moreover, understanding trivial misstatements can reduce your audit time.
So let’s define audit materiality and consider its use.
Financial statements are seldom perfect. Some misstatements are present, and that’s okay as long as they aren’t too large. But how big can they be without affecting financial statement users’ decisions? Audit materiality provides the answer. It is a boundary, like white stripes on a basketball court.
That boundary, however, is not precise. The white stripes are different for each audit. Why? Because materiality is judgmental. The boundary is based on what is important to financial statement users. And different users focus on different information.
In one audit, the benchmark is total revenues. In another, it’s total assets. And what is a benchmark? It’s what’s most important to the financial statement users. Once the benchmark is chosen, auditors apply a percent to it to compute materiality. For example, one percent of total assets.
Additionally, qualitative factors, such as risks of the client, play into materiality, but auditors need a clearly defined boundary. That’s why materiality is a number, not a feeling. Auditors use materiality in planning their audits; they assess the risk of material misstatement at the assertion level. It’s also used in the conduct and evaluation of evidential matter at the conclusion of the engagement, particularly in reviewing passed audit journal entries. Passed journal entries should not exceed materiality.
The omission or misstatement of an item in a financial report is material if, in light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item.
Interesting. This definition is not a formula such as one percent of total assets. Even so, we need clearly laid stripes, do we not? We need a number.
So, consider that material misstatements include:
the omission of a significant disclosure
an incomplete disclosure
a known financial statement line misstatement
an unknown financial statement line misstatement
an unreasonable estimate
Also keep in mind that financial statement readers—management, owners, lenders, vendors—make decisions. The FASB lumps these together as a reasonable person whose judgment…would have changed if the misstatement were not present. So, what does this reasonable person look for? What omission or misstatement affects her judgment? And what magnitude of misstatement alters her decisions? The answers tell us what materiality is.
Additionally, an entity’s risks are important. One business might have a high level of debt, for example. The lender is concerned about debt covenant compliance. Another business has an inventory obsolescence issue. The owners might focus here. Risk impacts materiality for each user.
In light of a myriad of factors, the auditor’s job is to provide reasonable assurance that the financial statements are materially correct. So how do we do this? We begin by computing materiality.
Computing Audit Materiality
In order to compute audit materiality, we must first decide which benchmark is best. Examples include total revenues, total assets, and net income. We select a benchmark that is relevant to financial statement users and stable over time. Often total assets or total revenues are good choices. So what’s a poor example? Net income. Why? Because some businesses “salary out” their profits. Zero net income gives you little to work with. (Net income can, however, be appropriate for some entities.)
Once the benchmark is selected, we need to apply a percent to compute materiality. The percent is not defined in professional standards, so again, it’s judgmental. Most CPAs use percentages in materiality forms provided by third-party publishers; others create their own. Either way, auditors must provide reasonable assurance that the financial statements are fairly stated. So, materiality and the related percentages need to be sufficiently low. There are no magical percentages, but an excessively high materiality can lead to an improper audit opinion.
Moreover, materiality is proportional. For instance, a $100,000 error in a billion dollar company may not affect users’ decisions. But a $100,000 error in a million dollar company might.
Uncorrected and Undetected Misstatements
Even with a good materiality number, uncorrected and undetected misstatements can create problems.
The total of undetected errors may exceed materiality. What if, for example, materiality is $100,000, there are no uncorrected audit adjustments, but undetected misstatements of $80,000, $20,000, and $25,000 exist in receivables, inventory, and investments, respectively? Well, an aggregate material misstatement is present.
Similarly, what if materiality is $100,000, the client refuses to post an $80,000 audit adjustment, and there are $45,000 in undetected misstatements? In such a situation, the auditor might think the financial statements are fairly stated, but they are not.
Because uncorrected and undetected errors are sometimes material, we need a cushion, a number less than materiality. Something to protect us. And what is that cushion? Performance materiality.
Audit Performance Materiality
Performance materiality is another key to ensuring your audits don’t result in improper audit opinions. This number is usually less than overall audit materiality and applies to transaction classes, account balances, and disclosures.
AU-C 320.A14 describes performance materiality in the following manner:
Performance materiality is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in the financial statements exceeds materiality for the financial statements as a whole. Similarly, performance materiality relating to a materiality level determined for a particular class of transactions, account balance, or disclosure is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in that particular class of transactions, account balance, or disclosure exceeds the materiality level for that particular class of transactions, account balance, or disclosure.
As you can see, performance materiality calls for materiality thresholds at the transaction class, account balance, and disclosure level. Usually performance materiality is calculated at 50% to 75% of materiality. Why the range? Different risk levels for different clients. If you believe the risk of undetected misstatements is high, then use a lower percent (e.g., 55% of materiality). Likewise, if your client is not inclined to record detected errors, lower the percent. Remember your goal: the combined undetected error and uncorrected misstatements must be less than materiality—both for the statements as a whole and for classes of transactions, account balances, and disclosures. We don’t want misstatements, in whatever form, to wrongly influence the decisions of financial statement users.
As we perform an audit, we need to summarize uncorrected misstatements.
AU-C 450.11 says the following about uncorrected misstatements:
The auditor should determine whether uncorrected misstatements are material, individually or in the aggregate. In making this determination, the auditor should consider:
the size and nature of the misstatements, both in relation to particular classes of transactions, account balances, or disclosures and the financial statements as a whole, and the particular circumstances of their occurrence and
the effect of uncorrected misstatements related to prior periods on the relevant classes of transactions, account balances, or disclosures and the financial statements as a whole.
We need to accumulate uncorrected misstatements in a manner that allows us to judge them at these levels: classes of transactions, account balances, or disclosures and the financial statements as a whole. And this is more than just computing performance materiality and comparing it to passed adjustments. We should always ask, “Will these uncorrected misstatements adversely affect a user’s judgment?” Misstatements caused by fraud, for example, are more significant than those caused by error.
So what are the documentation requirements for uncorrected misstatements?
AU‐C 450.12 requires the auditor to document:
The amount designated by the auditor below which misstatements need not be accumulated (clearly trivial)
All misstatements accumulated and whether they have been corrected
A conclusion as to whether uncorrected misstatements, individually or in the aggregate, cause the financial statements to be materially misstated, and the basis for the conclusion
Some identified misstatements are so small that they will not be accumulated. We call these trivial misstatements.
Audit Trivial Misstatements
AU-C 420.A2 says the following about trivial misstatements:
The auditor may designate an amount below which misstatements would be clearly trivial and would not need to be accumulated because the auditor expects that the accumulation of such amounts clearly would not have a material effect on the financial statements.
Why create a trivial misstatement amount? Efficiency. All misstatements below the trivial threshold (e.g., $5,000) are not accumulated. The auditor simply notes the trivial difference on the work paper, and she is done. No journal entry is proposed, and no other documentation is necessary. If you expect dozens of passed adjustments, then the trivial threshold should be smaller. You don’t want the cumulative trivial misstatements to become material.
Audit Materiality Summary
Now you know about materiality in auditing.
Want to become a better auditor? Then use materiality, performance materiality, and trivial misstatements in the right manner. And you’ll be well on your way.