This post discusses CPAs providing fraud prevention services to compilation clients. If you haven’t done so in the past, it could be a new revenue stream for your firm.
The Greater Risk for Your Client
How many clients do you provide compilation services to? For most small- to medium-sized CPA firms, the answer is usually many. Now let me ask you another question.
What is the greater risk for your client?
Financial statements are misstated or
A trusted bookkeeper (or someone else) is stealing substantial sums of money from the business
You say, “But I’m not engaged to look for potential theft or prevent it.” Regarding compilation engagements, you are right. Notice, however, my question is about your client.
I find that most compiled financial statements are basically correct—often because of the CPA’s involvement. The risk of material misstatement is driven down, and obviously, this is a good thing, but what about the potential for theft?
It seems to me that CPAs seldom talk with their compilation clients about the potential of fraud, even though we know, for instance, that the client’s accounting staff consists of one bookkeeper. So, we are aware that the client’s accounting system lacks segregation of duties.
When fraud happens, clients will sometimes say, “my CPA is responsible”—even though compilations are not designed to prevent (or detect) fraud. Therefore, we must clearly define the services we are providing.
Defining Your Compilation Service
Here are two questions to consider in defining your compilation engagements when you are not providing fraud prevention services.
Do you verbally explain the limits of your engagements (that you are not providing fraud prevention or detection services)?
These two actions lessen your risk.
If, however, you desire to provide fraud prevention services in addition to the compilation, then include appropriate language in your engagement letter to cover the additional service or use a separate engagement letter to address the fraud prevention work. More about this in a moment.
Fraud Prevention and Compilation Services
Do you ever suggest to your client that he or she have you (or someone else trained in fraud prevention) review the accounting system and make fraud prevention suggestions? Here is where I believe you can add value to the compilation service. I also believe it is largely an untapped source of revenue for small- to medium-sized CPA firms.
Obviously, you need to understand internal controls and fraud prevention prior to providing fraud prevention services. If you don’t have that knowledge, you can obtain it from organizations such as the Association of Certified Fraud Examiners.
If you provide fraud prevention services, you need to create an engagement letter that addresses the boundaries of your work. It is wise to say what you are providing and, more importantly, what you are not providing.
I normally state that I am providing the additional fraud prevention service to mitigate fraud risk and that the additional work does not provide absolute assurance. I go on to say that once the work is complete, “that fraud can still occur.” (Check with your insurance carrier for appropriate language.)
In other words, your engagement is to lessen fraud risk, not to eliminate it, a reasonable proposition. (The risk of fraud can seldom, if ever, be fully eliminated. And I tell my clients this.)
Fraud Prevention Services Create Risk
But doesn’t providing fraud prevention services create additional risks for the CPA?
Yes.
Providing any additional service creates risk for the CPA. So this is ultimately a business decision for you and your firm. Additionally, contact your insurance company to see what they say.
If you desire to provide fraud prevention services, consider becoming a Certified Fraud Examiner (CFE) or obtain your Certified in Financial Forensics Credential. I became a CFE in 2004 and found the training eye-opening. Though I had been a CPA since 1987, I gained valuable knowledge about system design and fraud prevention.
CPA Independence
Will providing fraud prevention services impair your independence? Under existing AICPA independence standards, the answer could beyes (because you are assisting with the design of the internal control system). But the independence issue depends on what you do. Making recommendations probably would not impair independence. Fully designing the internal control structure would impair independence.
If your independence is impaired, you need to say so in the compilation report. Independence is not required in compilations. Take a look at Definitive Guide to Compilation Engagements.
Agree or Disagree?
What do you think about offering fraud prevention services to compilation clients?
Twenty-four percent of governmental frauds are billing schemes such as fictitious vendor theft, so says the Association of Certified Fraud Examiners. Fictitious vendor fraud is usually committed by a person with the ability to establish new vendors in the accounting system (often the accounts payable clerk). If you are going to prevent this fraud, you need to know how it works.
Fictitious Vendor Fraud
First, the clerk creates the fictitious vendor in the accounts payable system using his own address (or that of an accomplice). Alternatively, he may use a personal P.O. box (which is more common). Second, the clerk creates fictitious vendor invoices to support the payments; often, these invoices are for services rather than for a physical product. Since no shipped asset will be received by the government, it’s easier to conceal the fraud. Finally, the accounts payable clerk issues the vendor checks: since the fictitious vendor check address is that of the accounting clerk, the check is mailed directly to the fraudster (or his accomplice).
Here’s an example of how this fraud might happen.
Accounts Payable Clerk Fraud
John, the accounts payable clerk, sets up the fictitious vendor, Rutland Consulting, and keys his (John’s) address (P.O. Box 798, Atlanta, Georgia, 99890) into the vendor master file. To save time, the city has elected to have all checks signed electronically by the computerized system, so printed checks have signatures on them, and it just so happens that John prints all checks. John records an accounts payable amount of $53,322 to Rutland Consulting.
To conceal the fraud, John creates a fictitious consulting services invoice from Rutland Consulting (especially designed for the auditors), and he codes the expense to an account which has plenty of remaining budgetary appropriation. Now John prints and mails the checks (including the fictitious vendor check).
Two days later John picks up his check at his P.O. box. John has opened a bank account for—you guessed it—Rutland Consulting; he is the only authorized check signer for the account. After depositing the city-issued check to the Rutland Consulting checking account, he writes checks to himself. Soon John’s friends are impressed with his shiny new bass boat.
Other Fraudulent Disbursement Schemes
While reading about John’s fraud, you may be thinking, “Not a problem in my government. Our checks are physically signed.” Consider, however, that signed checks can be created by:
Forging signatures on manual checks
Signing checks with signature stamps
The fraudster might also, in another twist to this scheme, just wire the money electronically and record the transaction with a journal entry. If the fraudster can get a fake vendor added to the payables system and create a signed check or wire funds, then the fictitious vendor scheme becomes a possibility.
Banks generally do not visually inspect checks as they clear (how could they, given the volume of daily checks?), so a forged signature will usually suffice. John’s theft described above becomes easier if he also reconciles the related bank statement—no second pair of eyes will inspect the cleared checks.
Department Head Fraud
City or county department heads can also use a fictitious vendor scheme if they can submit believable new-vendor documentation. Many governments do not verify the existence of new vendors; therefore, a department head can merely send a fake invoice to the payables clerk and receive payment.
Oftentimes when an accounts payable clerk receives an invoice, he will add the new vendor to the accounts payable master file without verifying that the vendor is real. Since department heads often code and approve invoices (by writing the expense account number on the invoice and initialing the same), the payment will be recorded in an account of the department head’s choice.
Again, such invoices are usually for services (e.g., electrical repair)—that way, the accounts payable department is not waiting for receiving documents (e.g., packing slips) before payment is made.
Fictitious Vendor Fraud Factors
The fictitious vendor fraud hinges on three factors:
Getting the fictitious vendor added to the accounts payable vendor list (along with the false address)
Getting the payment made (either by controlling the whole payment process or by having the authority to approve disbursements)
Getting the payment posted to an account where its presence goes unnoticed
Lessen Fictitious Vendor Threat
To mitigate the risk of fictitious vendors, do the following:
Require vendors to provide a physical address (even if payments are to be mailed to a P.O. box)
Require the accounts payable clerk to verify the existence of the new vendor (by calling the vendor or googling the vendor’s address)
Have someone outside of accounts payable (e.g., controller) review new vendors added
Segregate duties (namely the ability to add new vendors and the power to authorize payments); have at least two persons involved in processing all payables
Have someone other than an accounts payable person reconcile the bank statement and require that that person compare the payee on cleared checks to the general ledger; if this suggestion is not viable, periodically review all cleared checks for a month and review the payees on the checks
Periodically review the list of vendors in your accounts payable system
While this is not a comprehensive article about fictitious vendor fraud, hopefully it will prompt you to consider whether your internal controls are sufficient in relation to this threat.
Honest people steal. Nice, innocent looking people take money that’s not theirs. How? One way is expense fraud.
The Honest Person’s Fraud
Expense fraud is one of the most common frauds. While the damage is usually low, this theft is pervasive in most businesses.
I teach a college Bible study, and in it, I sometimes talk about “acceptable sins,” things like gossip, impatience, anger. My point is they are all issues and not acceptable, but we like to pawn them off as being okay–especially when it’s me that’s angry.
Likewise, expense report fraud is often viewed as acceptable, at least when it’s within bounds. But we all know fraud is fraud. The taking of something that does not belong to us is theft. But, I must say, it is so human to fudge on expense reports. We think things like: If I drove 355 miles, isn’t it okay to round up to 375? After all, I forgot to turn on my distance gauge until I was at least three miles out of town. Such rationalizations are easy to come by.
It always amazes me that executives–making six figures–are willing to jeopardize their positions for a few measly dollars. But C-suite employees commit expense report fraud just like new-hires. You might remember the Health and Human Services Secretary once resigned over questions about travel. While the Secretary was not accused of expense report fraud, it’s an example of how powerful people can abuse the use of travel privileges and, in this case, cost his employer (the federal government) money.
So how do people inflate their expense reports?
Inflating mileage
Filing the same receipt multiple times
Asking for advances and then requesting a second payment after returning from the trip
Submitting receipts of a nonemployee (e.g., spouse)
Submitting hotel reservation printouts (with projected cost) but not spending the night there
The Control Weakness
Usually, the weakness is that no one is properly reviewing the expense reports. Also, the company may not appropriately communicate the penalties (what happens when fraud is detected) for false reporting.
Correcting the Control Weakness
Create a written expense report policy that all employees sign, acknowledging their agreement to abide by the guidance.
The person reviewing the expense reports should be trained. He needs to know what is acceptable–and what is not. And most importantly, the person reviewing expense reports must be supported by the leadership of the entity–he has to know that the CEO or board chair has his back. (It’s difficult to stand up to high-level employees unless the reviewer knows the leader supports him.)
Auditing for fraud is important, but some auditors ignore this duty. Even so, fraud risk is often present.
So what is an auditor’s responsibility for detecting fraud? Today, I answer that question in light of generally accepted auditing standards in the United States. We’ll look specifically at AU-C 240, Consideration of Fraud in a Financial Statement Audit.
Here’s an overview of this article:
Auditor’s responsibility for detecting fraud
Turning a blind eye to fraud
Signs of auditor disregard for fraud
Incentives for fraud
Discovering fraud opportunities
Inquiries required by audit standards
The accounting story and big bad wolves
Documenting control weaknesses
Brainstorming and planning your response to fraud risk
Auditor’s Responsibility for Detecting Fraud – AU-C 240
I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements whether caused by error or fraud is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.
Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems make it extremely difficult to discover fraud. Third, the number of potential fraud schemes (there are thousands) makes it challenging to consider all possibilities. And, finally, some frauds are so well hidden that auditors won’t detect them.
Even so, auditors should not turn a blind eye to fraud.
Turning a Blind Eye to Fraud
Why do auditors not detect fraud?
We don’t look for fraud because we don’t understand it
Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.
Signs of Auditor Disregard for Fraud
A disregard for fraud appears in the following ways:
Asking just one or two questions about fraud
Limiting our inquiries to as few people as possible (maybe even just one)
Discounting the potential effects of fraud (after known theft occurs)
Not performing walkthroughs
We don’t conduct brainstorming sessions and window-dress related documentation
Our files reflect no responses to brainstorming and risk assessment procedures
Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
The audit program doesn’t change though control weaknesses are noted
In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.
So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.
Incentives for Fraud
The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).
Fraud comes in two flavors:
Cooking the books (intentionally altering numbers)
Theft
Cooking the Books
Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.
Theft
If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls.
Discovering Fraud Opportunities
My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs. Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches.”
For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:
What can go wrong?
Will existing control weakness allow material misstatements?
In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just break it down and allow more time.
Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.
Inquiries Required by Audit Standards
Audit Standards (AU-C 240) state that we should inquire of management regarding:
Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures
Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and outside auditors regarding fraud?
Management develops control systems to lessen the risk of fraud.
Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.
So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we put together the pieces of a story.
The Accounting Story and Big Bad Wolves
Think of the accounting system as a story. Our job is to understand the narrative of that story. As we describe the accounting system in our work papers, we may find missing pieces. Controls may be inadequate. When they are, we ask more questions to make the story complete.
The purpose of writing the storyline is to identify any “big, bad wolves.”
The threats in our childhood stories were easy to recognize. The wolves were hard to miss. Not so in walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize.
So, how long should the story be? That depends on the size of the organization. Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid distracting details.
I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:
Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.
Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.
Brainstorming and Planning Your Responses
Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.
Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative.
In what way are we to be creative? Think like a thief. By thinking like a fraudster, we unearth theft schemes. Why? So we can audit those possibilities. This is the reason for risk assessment procedures in the first place.
[Tweet “We think like a thief. By thinking like a fraudster, we unearth theft schemes.”]
What we discover in risk assessment informs the audit plan. Now we are ready to perform our fraud risk assessment. With the information gained in from the risk assessment procedures, we know where the risks are. If, for example, there is a risk that fictitious vendors are present, we might assess the risk of material misstatement at high for the expense occurrence assertion. (Our risks of material misstatement should be assessed at the assertion level.) Then we plan our response which might be testing new vendors added to determine if they are legitimate. So the fraud risk assessment occurs after we perform our risk assessment procedures. This tells us where the risks of material misstatement are.
The Auditor’s Responsibility for Detecting Fraud – AU-C 240
In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”
Hopefully, you now better understand fraud procedures. But to understand the purpose of them, look at a standard audit opinion:
The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments,the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.
The purpose of fraud risk assessmentsis not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.
Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:
Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds will be missed, even when we perform the audit correctly.
The Why and How of Auditing: A Blog Series About Audit Basics
You’ll see how to audit cash, receivables/revenues, payables/expenses, investments, and other transaction cycles. You’ll also see how to perform risk assessment procedures before you plan your further audit procedures.
Is it possible for one person to steal over $53 million from a city with an annual budget of less than $10 million? Yes. The Rita Crundwell story provides a cautionary tale for small businesses, governments, and nonprofits.
The Rita Crundwell Theft
Rita Crundwell, comptroller, and treasurer of Dixon, Illinois stole $53 million over a twenty-year period. The city of 16,000 residents held Crundwell in high esteem. One friend described her as “sweet as pie.” Another said: “You could not find a nicer person.”
So why did she steal? It appears Rita just enjoyed the good life. She used the money to fund one of the top quarter horse ranches in the country, and she did it with style: Some of the funds were used to purchase over $300,000 of jewelry and a $2.1 million motor coach vehicle.
Her annual salary? $80,000.
The city’s annual budget? $6 to $8 million
Were yearly audits performed? Yes.
Were budgets approved? Yes.
But even with budgets and audits, the Dixon, Illinois scandal happened.
Too Much Trust
So how did this happen? Rita Crundwell won the trust of those around her—especially that of mayor and council. In April 2011, finance commissioner and veteran council member, Roy Bridgeman, praised Crundwell calling her “a big asset to the city as she looks after every tax dollar as if it were her own.” Too much trust in a bookkeeper can lead to huge problems.
It was a disturbing moment when Dixon Mayor James Burke presented the FBI with evidence of Crundwell’s fraud. Burke later recalled his emotions and words: “I literally became sick to my stomach, and I told him that I hoped my suspicions were all wrong.” Such a response is understandable given that Crundwell had worked for the city for decades. She had fooled everyone.
Secret Bank Account
According to the mayor, the city’s annual audits raised no red flags, and the city’s primary bank never reported anything suspicious. So how did she steal the money? In 1990, Crundwell opened a secret bank account in the name of the city (titled the RSDCA account: the initials stood for reserve sewer development construction account). Crundwell was the only authorized check signer for the account, and the RSDCA bank account was never set up on the city’s general ledger. The City’s records reflected none of the RSDCA deposits or disbursements.
Crundwell would write and sign manual checks from a legitimate city capital project fund checking account, completing the check payee line with “Treasurer.” (Yes, Crundwell had the authority to issue checks with just her signature—even for legitimate city bank accounts.) She would then deposit the check into her secret account. From the bank’s perspective, a transfer had been made from one city bank account to another (from the capital projects fund to the reserve sewer development construction fund).
Accounting Cover-up
While the capital project fund disbursement was recorded on the city’s books, the RSDCA deposit was not. A capital project fund journal entry was made for each check debiting capital outlay expense and crediting cash. But no entry was made to the city’s records for the deposit to the RSDCA account. Once the money was in the RSDCA account, Crundwell wrote checks for personal expenses—and she did so for over twenty years.
To complete her deceit, Crundwell provided auditors with fictitious invoices from the Illinois Department of Transportation; these invoices included the following notation: Please make checks payable to Treasurer, State of Illinois. (So the canceled checks made out to Treasurer agreed with directions on the invoice, but the words “State of Illinois” were conveniently left off the check payee line.) Remember Crundwell was the treasurer of Dixon.
Those invoices and the related checks were often for round dollar amounts (e.g., $250,000) and most were for more than $100,000. In one year alone, Crundwell embezzled over $5 million.
Vacation Leads to Arrest
So how was she caught? While Rita was on an extended vacation for horse shows, the city hired a replacement for her. For some reason, Crundwell’s substitute requested all bank account statements from the city’s bank. As the bank statements were reviewed, the secret bank account was discovered. And soon after that, the mayor contacted the FBI.
The Control Weakness
Why was Rita Crundwell able to steal $53 million? Wait for it. A lack of segregation of duties.
Rita could:
Write checks
Approve payments
Create and monitor the budget
Enter transactions into the accounting system
Reconcile the bank statements
The Accounting Fix
Multiple people should perform accounting duties, not just one.
Moreover, accounting employees should annually take a one-week vacation (or longer). And while they are gone, someone else should perform the vacant person’s duties. The vacation itself is not the key to this control. The performance of the absent accountant’s duties is. Why? Doing so allows the replacement person to understand the work of the vacant employee. But, more importantly, the substitute can note any unusual or fraudulent activity.
Here’s another action to take: Periodically contact your organization’s bank and ask for a list of all bank accounts. Then compare the list to the bank accounts in your general ledger. If a bank account is not on the general ledger, see why. And request a copy of the related signature card from the bank.
Kelly Richmond Pope has masterfully captured the Rita Crundwell tale in the movie All the Queen’s Horses, available on Amazon. Think auditing is boring? Then watch the movie. It does a better job of explaining the psychological and financial damage of fraud than any textbook.
