Extended Audit Procedures: When Segregation of Duties is Absent

By Charles Hall | Accounting and Auditing

Dec 07

Should an auditor perform extended audit procedures when there is no segregation of duties? Or are basic procedures sufficient?

No Segregation of Duties

A few months ago, I was talking to a CPA about audit procedures where a client had only one person performing accounting duties. In other words, there was no segregation of duties, and no one reviewed the activity. Regarding cash, the CPA said basic procedures would be sufficient. In other words, test the bank reconciliation and tie the book balance back to the trial balance, and you’re done.I said, “What if the bookkeeper stole $100,000 before it was deposited? Would a test of the bank reconciliation detect the theft?” But he insisted that basic procedures were appropriate. Why? Because the entity was small.The size of the entity does not matter. The risks do.

extended audit procedures

Extended Procedures

When segregation of duties is lacking, especially if severe (e.g., one person does everything), extended procedures such as fraud detection steps are warranted. In the example above, the auditor should test receipts and disbursements.Balance sheet audit steps (like testing a bank reconciliation) will usually not detect theft of funds. Cash, receivables, and payables can still reconcile to the trial balance–but the stolen funds are gone.

Responsibility for Fraud Detection

Through the years, I’ve heard CPAs say, “I’m not responsible for fraud.” They incorrectly believe they don’t have to look for fraud. 

That idea died in 2002 with the issuance of SAS 99, Consideration of Fraud in a Financial Statement audit. Yes, it’s been a while. The auditor is responsible for the detection of material fraud. 

So, the auditor should plan to detect fraud if risk assessment calls for it. In the above situation, where there is no segregation of duties, the walkthroughs of cash receipts and disbursements would reveal high risks of material misstatement. 

Additionally, if the entity receives a significant amount of cash (currency, not checks), the risk is even higher. 

And how many ways can theft occur through disbursements? There are many. 

Let’s consider revenue and expense cycle tests that you might use when segregation of duties is lacking. 

Extended Procedures – Revenue Cycle

So, how does an auditor know what extended procedures might be appropriate?

First, review the revenue cycle processes and controls with a walkthrough. Consider the related risks of material misstatement, and plan your tests.  

Nonprofit Example

For example, if you are auditing a nonprofit that receives contributions through the mail, review the processes and controls. Here are example questions:

  • Who opens the mail?
  • Is a second person present when the mail is opened?
  • Is a list of daily receipts created and signed by the two persons opening the mail?
  • Does a video camera record those opening the mail? 
  • Are daily deposits reconciled to the daily cash receipts log?
  • Are contributions tracked in a contributions software package? If yes, does someone other than those who opened the mail enter the amounts received?
  • Do persons opening the mail (those with access to checks) reconcile the related bank account?
  • Are daily deposits made?
  • Who takes the daily cash receipts to the bank for deposit?
  • Are acknowledgment letters mailed to contributors? Are those reconciled to the daily receipts log and contributions software by someone who did not initially open the mail?

I could go on, but these are the types of questions to ask before deciding whether extended audit procedures are required and, if they are, what those might be. 

What extended audit procedures might the auditor perform in this situation?

Receipt Tests

Testing in the nonprofit environment described above is challenging, especially if currency is received in the mail. Even so, here are some extended procedures that one might perform:

  1. On a sample basis, reconcile the daily receipts log to the contributions software entries.
  2. On a sample basis, reconcile the daily receipts log to the daily deposits. Agree the bank deposit receipt to the total daily bank deposit.
  3. On a sample basis, compare the daily receipts log to the donor acknowledgment letter (you may need to review the contribution software entries if multiple payments are received). 

You could perform other tests, but these provide you with some examples for this entity.

For companies that bill and receive payment, it’s easier to design revenue cycle tests–and those tests will be different than the nonprofit examples. You can, for example, compare amounts billed with collections and review receivable write-offs for appropriateness.

But what about expense tests?

Extended Procedures – Expense Cycle

There are many ways to steal funds through the expense cycle, so I will provide a few examples. Again, understand the processes and controls walkthrough. Assess your risk and create your responses.

Here are example questions for a nonprofit:

  • Who can add vendors to the payables software?
  • Are new vendors reviewed for existence (to ensure the entity exists)? Who performs this review and how?
  • Who can authorize a payment, and how?
  • Who can sign checks or disburse funds in other ways (e.g., electronic payment)?
  • Who enters invoices in the payables software?
  • Who has logical access (as provided by I.T.) to the payables module?
  • Who reconciles the bank account used for vendor payments?
  • Is a budget-to-actual report provided to management?

Again, these are example questions. There are many more that you can ask.

Expense Tests

Once you understand the payables process, consider where fraud might occur. For example, if someone can sign checks, add vendors, and enter invoice amounts, theft could happen. Then you might perform extended audit procedures such as the following:

  1. On a sample basis, review cleared checks for appropriateness by inspecting the payees and comparing those to the descriptions in the general ledger
  2. On a sample basis, compare cleared checks to invoices
  3. Review new vendors with someone outside of the payables department who is familiar with vendors used by the company

As you can see, context (the processes and controls) aids in designing the control tests.


Test revenue and expense cycles when there is a lack of segregation of duties. You’ll know if the accounting system has this control weakness from your walkthroughs of the revenue and expense cycles. Once you understand those dynamics, you can assess the risks of material misstatement and plan your extended audit tests, such as those listed above.


About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.

  • Jackie says:

    Thank you for your insights. They have been very helpful in expanding and understanding the audit process. Your articles have been a value tool.

  • Julius says:

    Thank you Mr.Hall for your valuable insights and knowledge shared. Learnt alot from the this post.

  • >