Accounts payable is usually one of the more important audit areas. Why? Risk. First, it’s easy to increase net income by not recording period-end payables. Second, many forms of theft occur in the accounts payable area.

In this post, I’ll answer questions such as, “how should we test accounts payable?” And “should I perform fraud-related expense procedures?” We’ll also take a look at common payables-related risks and how to respond to them. In short, you will learn what you need to know about auditing accounts payable.

Auditing Accounts Payable and Expenses — An Overview

What is a payable? It’s the amount a company owes for services rendered or goods received. Suppose the company you are auditing receives $2,000 in legal services in the last week of December 2019, but the law firm sends the related invoice in January 2020. The company owes $2,000 as of December 31, 2019. The services were provided, but the payment was not made until after the year-end. Consequently, the company should accrue (record) the $2,000 as payable at year-end.

In determining whether payables exist, I like to ask, “if the company closed down at midnight on the last day of the year, would it have a legal obligation to pay for a service or good?” If the answer is yes, then record the payable even if the invoice is received after the year-end. Was a service provided or have goods been received by year-end? If yes (and the amount has not already been paid), accrue a payable.

In this chapter, we will cover the following things an accounts payable auditor need to consider:

• Primary accounts payable and expense assertions
• Accounts payable and expense walkthroughs
• Directional risk for accounts payable and expenses
• Primary risks for accounts payable and expenses
• Common accounts payable and expense control deficiencies
• Risks of material misstatement for accounts payable and expenses
• Search for unrecorded liabilities
• Auditing for accounts payable and expense fraud
• Substantive procedures for accounts payable and expenses
• Typical accounts payable and expense work papers

So, let’s begin our journey of auditing accounts payable and expenses.

Primary Accounts Payable and Expense Assertions

The primary relevant accounts payable and expense assertions are:

• Existence
• Completeness
• Cutoff
• Occurrence

Of these assertions, I believe completeness and cutoff (for payables) and occurrence (for expenses) are usually most important. When a company records its payables and expenses by period-end, it is asserting that they are complete and that they are accounted for in the right period. Additionally, the company is implying that amounts paid are legitimate.

Accounts Payable and Expense Walkthroughs

As we perform walkthroughs of accounts payable and expenses, we are looking for understatements (though they can also be overstated as well). We are asking, “what can go wrong?” whether intentionally or by mistake.

In performing accounts payable and expense walkthroughs, ask questions such as:

• Who reconciles the accounts payable summary to the general ledger?
• Does the company use an annual expense budget?
• Are budget/expense reports provided to management or others? Who receives these reports?
• What controls ensure the recording of payables in the appropriate period?
• Who authorizes purchase orders? Are any purchases authorized by means other than a purchase order? If yes, how?
• Are purchase orders electronic or physical?
• Are purchase orders numbered?
• How does the company vet new vendors?
• Who codes invoices (specifies the expense account) and how?
• Are three-way matches performed (comparison of purchase order with the receiving document and the invoice)?
• Are paid invoices marked “paid”?
• Does the company have a purchasing policy?
• Can credit cards be used to bypass standard purchasing procedures? Who has credit cards and what are the limits? Who reviews credit card activity?
• Are bids required for certain types of purchases or dollar amounts? Who administers the bidding process and how?
• Do larger payments require multiple approvals?
• Which employees key invoices into the accounts payable module?
• Who signs checks or makes electronic payments?
• Who is on the bank signature card?
• Are signature stamps used? If yes, who has control of the signature stamps and whose signature is affixed?
• How are electronic payments made (e.g., ACH)?
• Is there adequate segregation of duties for persons:
  • Approving purchases,
  • Paying payables,
  • Recording payables, and
  • Reconciling the related bank statements
• Which persons have access to check stock and where is the check stock stored?
• Who can add vendors to the payables system?
• What are the entity’s procedures for payments of travel and entertainment expenses? 
• Who reconciles the bank statements and how often?

As we ask these questions, we inspect documents (e.g., payables ledger) and make observations (e.g., who signs checks or makes electronic payments?). So, we are inquiring, inspecting, and observing. 

If controls weaknesses exist, we create audit procedures to respond to them. For example, if--during the walkthrough--we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will perform fraud-related substantive procedures (more about this in a moment).

Here's a short video about risk assessment for accounts payable auditors. 

Directional Risk for Accounts Payable and Expenses

The directional risk for accounts payable and expenses is an understatement. So, perform procedures to ensure that invoices are properly included. For example, perform a search for unrecorded liabilities (see below).

Primary Risks for Accounts Payable and Expenses

The primary risks for accounts payable and expenses are:

1. Accounts payable and expenses are intentionally understated 
2. Payments are made to inappropriate vendors
3. Duplicate payments are made to vendors 

Keep these in mind as you audit accounts payable.

Common Payable and Expense Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

• One person performs two or more of the following:
• Approves purchases,
• Enters invoices in the accounts payable system,
• Issues checks or makes electronic payments, 
• Reconciles the accounts payable bank account,
• Adds new vendors to the accounts payable system
• A second person does not review payments before issuance
• No one performs surprise audits of accounts payable and expenses 
• Bidding procedures are weak or absent
• No one reconciles the accounts payable detail to the general ledger
• New vendors are not vetted for appropriateness
• The company does not create a budget
• No one compares expenses to the budget
• Electronic payments can be made by one person (with no second-person approval or involvement)
• The bank account is not reconciled on a timely basis
• When bank accounts are reconciled, no one examines the canceled checks for appropriate payees (the dollar amount on the bank statement is agreed to the general ledger but no one compares the payee name on the cleared check to the vendor name in the general ledger)

Risks of Material Misstatement for Payables and Expenses

In smaller engagements, I usually assess control risk at high for each assertion. When I assess control risk at less than high, I have to test controls to support the lower risk assessment. Therefore, assessing risks at high is usually more efficient (than testing controls).

Search for Unrecorded Liabilities

How does one perform a search for unrecorded liabilities? Use these steps:

1. Obtain a complete check register for the period subsequent to your audit period
2. Pick a dollar threshold ($10,000) for the examination of subsequent payments
3. Examine the subsequent payments (above the threshold) and related invoices to determine if the payables are suitably included or excluded from the period-end accounts payable detail
4. Inquire about any unrecorded invoices

As the RMM for completeness increases, vouch payments at a lower dollar threshold.

Auditing for Fraud

Substantive Procedures for Accounts Payable and Expenses

My customary audit tests are as follows:

1. Vouch subsequent payments to invoices using the steps listed above (in Search for Unrecorded Liabilities)
2. Compare expenses to budget and examine any unexplained variances
3. When control weaknesses are present, design and perform fraud detection procedures

If there are going concern issues, you may need to examine the aged payables listing. Why? Management can fraudulently shorten invoice due dates. Doing so makes the company appear more current. For example, suppose the business has three unpaid invoices totaling $1.3 million that were due over ninety days ago. The company changes the due dates in the accounts payable system, causing the invoices to appear as though they were due just thirty days ago. Now the aged payables listing looks better than it would have. 

Typical Payable and Expense Work Papers

Get Your Copy of the Why and How of Auditing

Click the book cover below to go to Amazon.

In June of 2018, FASB issued ASU 2018-08: Clarifying the Scope and the Accounting Guidance for Contributions Received and Contributions Made.

Today I provide an overview of how this standard affects nonprofit revenue recognition. 

ASU 2018-08: Nonprofit Contribution Recognition

The purpose of the standard is to provide guidance in regard to recognizing contributions in nonprofit organizations. This standard is conceptually consistent with Topic 606, Revenue from Contracts with Customers, which requires revenue to be recognized when performance obligations are satisfied. ASU 2018-08 requires contribution revenue recognition when conditions are met (see below).

Once ASU 2018-08 becomes effective (years ending December 31, 2019 for many nonprofits), nonprofits will recognize revenues in one of three ways:

1. Exchange transaction
2. Conditional Contribution
3. Unconditional Contribution

The financial statement presentation of the revenue can be affected by the nature of the transaction. For example, there might be a conditional contribution and a donor restriction for the same monies. So contribution revenue will not be recognized until the barriers are satisfied (see below), but revenue will appear in with donor restriction or without donor restriction on the statement of activities, depending on the specifics of the transaction. 

1. Exchange transaction

If a nonprofit is paid based on commensurate value, then there is an exchange transaction. The nonprofit recognizes revenue as it provides the service or goods. Apply Topic 606, Revenue from Contracts With Customers, for these transactions. An example of an exchange transaction is a nonprofit is paid market rate for painting a local store.

ASU 2018-08 makes it plain that benefits received by the public as a result of the assets transferred is not equivalent to commensurate value received by the resource provider.

2. Conditional Contribution

A conditional contribution is one where: 

• a barrier is present and
• a right of return or right of release for the contributor exists

Barriers

The following are indicators of a barrier:

• Recipient must achieve a measurable, performance-related outcome (e.g., providing a specific level of service, creating an identified number of units of output, holding a specific event)
• A stipulation limits the recipient’s discretion on the conduct of the activity (e.g., specific guidelines about incurring qualifying expenses)
• A stipulation is related to the primary purpose of the agreement (e.g., must report on funded research)

Recognize revenue when the barrier is overcome.

An example of meeting a measurable outcome would be if the donor requires the serving of meals to 1,000 homeless persons. Another example of the first indicator above is a matching requirement.

An example of limited discretion would be a requirement to hire specific individuals to conduct an activity.

Stipulation Related to Grant's Primary Purpose

An example of a stipulation related to the primary purpose of the agreement is a grant that requires the filing of an annual report of funded research. If the grantor requires repayment of the amount received should the report not be filed, then the requirement is a barrier. 

Judgment is necessary to determine whether a requirement is a barrier. For example, filing routine reports to a resource provider showing progress on a funded activity may be seen as routine and not a barrier. Goals or budgets where no penalty is assessed if the organization fails to achieve them are not considered barriers.

Effect of Budgets

Are budgets an indicator of limited discretion? A line-item budget for a grant is often seen as a guardrail rather than a barrier. A June 2019 FASB Q&A states “Thus, stipulations other than adherence to a budget (for example, the need to incur qualifying expenses) would normally need to be present for a barrier to entitlement to exist.” The Q&A goes on to say, “The unique facts and circumstances of each grant agreement must be analyzed within the context of the indicators to conclude whether a barrier to entitlement exists.”

Recognition of Contribution

Per ASU 2018-08 “Conditional contributions received are accounted for as a liability or are unrecognized initially, that is, until the barriers to entitlement are overcome, at which point the transaction is recognized as unconditional and classified as either net assets with restrictions or net assets without restrictions.”

3. Unconditional Contribution

If there are no barriers or if barriers have been overcome, the receipt is unconditional. There might still be a purpose or time restriction, resulting in the funds being classified as “With Donor Restrictions” until the restriction is satisfied. Recognize the revenue either as:

• Net Assets with Donor Restriction
• Net Assets without Donor Restriction

Effective Date 

A public company or a not-for-profit organization that has issued, or is a conduit bond obligor for, securities that are traded, listed, or quoted on an exchange or an over-the-counter market would apply the new standard for transactions in which the entity serves as a resource recipient to annual reporting periods beginning after June 15, 2018, including interim periods within that annual period. Other organizations would apply the standard to annual reporting periods beginning after December 15, 2018, and interim periods within annual periods beginning after December 15, 2019.

A public company or a not-for-profit organization that has issued, or is a conduit bond obligor for, securities that are traded, listed, or quoted on an exchange or an over-the counter market would apply the new standard for transactions in which the entity serves as a resource provider to annual reporting periods beginning after December 15, 2018, including interim periods within that annual period. Other organizations would apply the standard to annual reporting periods beginning after December 15, 2019, and interim periods within annual periods beginning after December 15, 2020.

Applicability

Per ASU 2018-08, “Accounting for contributions is an issue primarily for not-for-profit (NFP) entities because contributions are a significant source of revenue for many of those entities. However, the amendments in this Update apply to all entities, including business entities, that receive or make contributions of cash and other assets, including promises to give within the scope of Subtopic 958-605 and contributions made within the scope of Subtopic 720-25, Other Expenses—Contributions Made.”

The AICPA has issued SSARS 25. It is titled Materiality in a Review of Financial Statements and Adverse Conclusions. Below I tell you how this standard affects your future review engagements.

Materiality in Review Engagements

Until SSARS 25, there was no requirement for you to document materiality in review engagements. Some firms, like my own, decided to do so any way. Others have not. Now, there's no choice. SSARS 25 explicitly requires that we determine and use materiality.

Makes sense. The accountant's conclusion says we are not aware of any material modifications that should be made. The conclusion paragraph follows:

Accountant's Conclusion

Based on our review, we are not aware of any material modifications that should be made to the accompanying financial statements in order for them to be in accordance with accounting principles generally accepted in the United States of America. 

It would be difficult to plan or conclude a review engagement without knowing what materiality is. SSARS 25 requires that we design and perform analytical procedures and inquiries to address all material items in the financial statements. This includes disclosures.

New Inquiry Requirements

SSARS 25 adds new inquiries of management including:

• Material commitments, contractual obligations, or contingencies
• Material nonmonetary transactions
• Significant changes in the business activities or operations
• Significant changes to the terms of contracts that materially affect the financial statements
• Significant journal entries
• Status of any uncorrected misstatements from the previous review engagement
• How management determined that significant estimates are reasonable
• Management's assessment of the entity's ability to continue as a going concern, and whether there are conditions that cast doubt about the entity's ability to continue as a going concern

Related Party Transactions

Additionally, SSARS 25 requires that the accountant remain alert for related party transactions that were not disclosed by management. The accountant should inquire of management about transactions outside the normal course of business. You want to know if related party transactions are being used to make the financial statements look better than they really are. 

Next, you will see that the standard now permits adverse conclusions.

Adverse Conclusions in Review Engagements

In the past, adverse conclusions in a review engagement were not allowed. SSARS 25 changes this. If the financial statements are materially and pervasively misstated, you can issue an adverse conclusion.

SSARS 25 provides an illustrative accountant's review report with an adverse conclusion. (See illustration 7 on pages 85 and 86 of SSARS 25.) That example states the financial statements are not in accordance with accounting principles generally accepted in the United States of America.

Here's the adverse review report conclusion:

Adverse Conclusion

Based on my (our) review, due to the significance of the matter described in the Basis for Adverse Conclusion paragraph, the financial statements are not in accordance with accounting principles generally accepted in the United States of America.

One more thing, SSARS 25 requires a statement in the review report regarding independence.

Independence in Review Reports

Independence is still required to perform a review engagement. What is different, however, is the accountant must include a statement in the review report saying he or she is independent. That phrase, to be included in the Accountant's Responsibility section of the report, reads as follows:

We are required to be independent of ABC Company and to meet our other ethical responsibilities, in accordance with the relevant ethical requirements related to our review.

See examples of the independence wording in the illustrative reports in SSARS 25. Those reports start on page 75 of the standard.

So when is SSARS 25 effective?

SSARS 25 Effective Date 

The effective date for SSARS 25 is for periods ending on or after December 15, 2021. Early implementation is permitted.

Control risk continues to create confusion in audits. Some auditors assess control risk at less than high when they shouldn't. Others assess control risk at high when it would be better if they did not. The misunderstandings about this risk can result in faulty audits and problems in peer review. In this article, I explain what control risk is and how you can best leverage it to perform quality audits in less time. 

Control Risk Defined

What is control risk? It’s the chance that an entity’s internal controls will not prevent or detect material misstatements in a timely manner. 

Companies develop internal controls to manage inherent risk. The greater the inherent risk, the greater the need for controls.

Audit Risk Model

As we begin this article, think about control risk in the context of the audit risk model:

Audit risk = Inherent risk X Control risk X Detection risk

Recall the client’s risk is made up of inherent risk and control risk. And the remainder, detection risk, is what the auditor controls. Auditors gain an understanding of inherent risk and control risk. Why? To develop their audit plan and lower their detection risk (the risk that the audit will not detect material misstatements). Put more simply, the auditor understands the client’s risk in order to lower her own.

Further Audit Procedures

And how does the auditor reduce detection risk? With further audit procedures. Those include test of controls and substantive procedures (test of details or substantive analytics). 

After the auditor gains an understanding of the entity and its environment, including internal controls, control risk is often assessed at high. Why? Two reasons: one has to do with efficiency and the other with weak internal controls.

Assessing Control Risk at High

Consider the first reason for high control risk assessments: efficiency. 

Control risk can be assessed at high, even if—during your walkthroughs— you see that controls are properly designed and in use. But why would you assess this risk at high when controls are okay? 

Let me answer that question with a billing and collection example. 

Risk At High: Efficiency Decision

You can test billing and collection internal controls for effectiveness (assuming your walkthrough reveals appropriate controls). But if this test takes eight hours and a substantive approach takes five hours, which is more efficient? Obviously, the substantive approach. And if you use a fully substantive approach, you must assess control risk at high for all relevant assertions. 

At this point, you may still be thinking, But, Charles, if controls are appropriately designed and implemented, why is control risk high? Because a test of controls is required for control risk assessments below high: the auditor needs a basis (evidence) for the lower assessment. And a walkthrough is not (in most cases) considered a test of controls for effectiveness: it does not provide a sufficient basis for the lower risk assessment. A walkthrough provides an initial impression about controls, but that impression can be wrong. That’s why a test of controls is necessary when control risk is below high, to prove the effectiveness of the control.

In our example above, a substantive approach is more efficient than testing controls. So we plan a substantive approach and assess control risk at high for all relevant assertions. 

Risk at High: Weak Controls

Now, let’s look at the second reason for high control risk assessments: weak internal controls. Here again, allow me to explain by way of example. 

If the billing and collection cycle walkthrough reveals weak internal controls, then control risk is high. Why? Because the controls are not designed appropriately or they are not in use. In other words, they would not prevent or detect a material misstatement. You could test those controls for effectiveness. But why would you? They are ineffective. Consequently, risk has to be high. Why? Again, because there is no basis for the lower risk assessment. (Even if you tested controls, the result would not support a lower risk assessment: the controls are not working.)

If, on the other hand, controls are appropriate, then you might test them (though you are not required to). 

Assessing Control Risk at Less than High

What if, based on your walkthrough, controls are okay. And you believe the test of controls will take four hours while a substantive approach will take eight hours? Then you can test controls for effectiveness. And if the controls are effective, you can assess the risk at less than high. Now you have support for the lower risk assessment. 

But what if you test controls for effectiveness and the controls are not working? Then a substantive approach is your only choice. 

Many auditors don’t test controls for this reason: they are afraid the test of controls will prove the controls are ineffective. For example, if you test sixty transactions for the issuance of a purchase order, and seven transactions are without purchase orders, the sample does not support effectiveness. The result: the test of controls is a waste of time. 

Some auditors mistakenly believe they don’t need an understanding of controls because they plan to use a fully substantive audit approach. But is this true?

Fully Substantive Audit Approach

Weak internal controls can result in more substantive procedures, even if you normally use a substantive approach. 

Suppose you assess control risk at high for all billing and collection cycle assertions and plan to use a fully substantive approach. Now, consider two scenarios, one where the entity has weak controls, and another where controls are strong.

Billing and Collection Cycle - Weak Controls

Think about a business that has a cash receipt process with few internal controls. Suppose the following is true:

• Two employees receipt cash  
• They both work from one cash drawer 
• The two employees provide receipts to customers, but only if requested
• They apply the payments to the customer’s accounts, but they also have the ability to adjust (reduce or write off) customer balances 
• At the end of the day, one of the two employees creates a deposit slip and deposits the money at a local bank (though this is not always done in a timely manner)
• These same employees also create and send bills to customers 
• Additionally, they reconcile the related bank account 

Obviously, a segregation of duties problem exists and theft could occur. For example, the clerks could steal money and write off the related receivables. Child’s play. 

Billing and Collection Cycle - Strong Controls

But suppose the owner detects theft and fires the two employees. He does background checks on the replacements. Now the following is true:

• A separate cash drawer is assigned to each clerk
• The controller is required to review customer account adjustments on a daily basis (the controller can’t adjust receivable accounts)
• The cash receipt clerks reconcile their daily activity to a customer receipts report, and the money along with the report is provided to the controller 
• The controller counts the daily funds received and reconciles the money to the cash receipts report
• Then the controller creates a deposit slip and provides the funds and deposit slip to a courier
• Once the deposit is made, the courier gives the bank deposit receipt to the controller
• A fourth person (that does not handle cash) reconciles the bank statement in a timely manner
• The monthly customer bills are created and mailed by someone not involved in the receipting process
• Moreover, the owner reviews a monthly cash receipts report 

Now, let me ask you: would you use the same substantive audit procedures for each of the above scenarios? Hopefully not. The first situation begs for a fraud test. For example, we might test the adjustments to receivables on a sample basis. Why? To ensure the clerks are not writing off customer balances and stealing cash. 

Audit Procedures: Basic and Extended

Basic audit procedures for the billing and collection cycle might include:

• Test the period-end bank reconciliation
• Create substantive analytics for receivable balances and revenues
• Confirm receivable accounts and examine subsequent receipts

We perform these basic procedures whether controls are good or weak. But we would add—when controls are weak and might allow theft—extended substantive procedures such as testing accounts receivable adjustments. 

Do you see how the understanding of controls impacts planning (even when control risk is assessed at high)? If we were unaware of the control weaknesses, we would not plan the needed fraud detection procedures. 

In summary, we need to understand controls even if we plan to use a fully substantive approach, and even if risks are assessed at high for all assertions. More risk means more audit work. 

A Simple Summary

• Control risk is the probability that an entity’s internal controls will not prevent or detect material misstatements in a timely manner
• Internal control weaknesses may require a control risk assessment of high
• Control risk can only be assessed below high when a test of control proves the control to be effective (the test of control provides the basis for the lower risk assessment)
• If walkthroughs show controls to be appropriately designed and implemented, the auditor can (1) assess control risk at high and use a fully substantive approach, or (2) assess control risk below high and test controls for effectiveness, whichever is most efficient
• Even if an auditor intends to use a fully substantive approach, walkthroughs are necessary to determine if additional substantive tests are needed; additional substantive procedures may be necessary when material fraud is possible due to internal control weaknesses

See my inherent risk article here. 

For additional information about risk assessment, see the AICPA's SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement.  The guidance was issued in October 2021.