Should an auditor perform extended audit procedures when there is no segregation of duties? Or are basic procedures sufficient?
A few months ago, I was talking to a CPA about audit procedures where a client had only one person performing accounting duties. In other words, there was no segregation of duties, and no one reviewed the activity. Regarding cash, the CPA said basic procedures would be sufficient. In other words, test the bank reconciliation and tie the book balance back to the trial balance, and you’re done.I said, “What if the bookkeeper stole $100,000 before it was deposited? Would a test of the bank reconciliation detect the theft?” But he insisted that basic procedures were appropriate. Why? Because the entity was small.The size of the entity does not matter. The risks do.
When segregation of duties is lacking, especially if severe (e.g., one person does everything), extended procedures such as fraud detection steps are warranted. In the example above, the auditor should test receipts and disbursements.Balance sheet audit steps (like testing a bank reconciliation) will usually not detect theft of funds. Cash, receivables, and payables can still reconcile to the trial balance–but the stolen funds are gone.
Through the years, I’ve heard CPAs say, “I’m not responsible for fraud.” They incorrectly believe they don’t have to look for fraud.
That idea died in 2002 with the issuance of SAS 99, Consideration of Fraud in a Financial Statement audit. Yes, it’s been a while. The auditor is responsible for the detection of material fraud.
So, the auditor should plan to detect fraud if risk assessment calls for it. In the above situation, where there is no segregation of duties, the walkthroughs of cash receipts and disbursements would reveal high risks of material misstatement.
Additionally, if the entity receives a significant amount of cash (currency, not checks), the risk is even higher.
And how many ways can theft occur through disbursements? There are many.
Let’s consider revenue and expense cycle tests that you might use when segregation of duties is lacking.
So, how does an auditor know what extended procedures might be appropriate?
First, review the revenue cycle processes and controls with a walkthrough. Consider the related risks of material misstatement, and plan your tests.
For example, if you are auditing a nonprofit that receives contributions through the mail, review the processes and controls. Here are example questions:
I could go on, but these are the types of questions to ask before deciding whether extended audit procedures are required and, if they are, what those might be.
What extended audit procedures might the auditor perform in this situation?
Testing in the nonprofit environment described above is challenging, especially if currency is received in the mail. Even so, here are some extended procedures that one might perform:
You could perform other tests, but these provide you with some examples for this entity.
For companies that bill and receive payment, it’s easier to design revenue cycle tests–and those tests will be different than the nonprofit examples. You can, for example, compare amounts billed with collections and review receivable write-offs for appropriateness.
But what about expense tests?
There are many ways to steal funds through the expense cycle, so I will provide a few examples. Again, understand the processes and controls walkthrough. Assess your risk and create your responses.
Here are example questions for a nonprofit:
Again, these are example questions. There are many more that you can ask.
Once you understand the payables process, consider where fraud might occur. For example, if someone can sign checks, add vendors, and enter invoice amounts, theft could happen. Then you might perform extended audit procedures such as the following:
As you can see, context (the processes and controls) aids in designing the control tests.
Test revenue and expense cycles when there is a lack of segregation of duties. You’ll know if the accounting system has this control weakness from your walkthroughs of the revenue and expense cycles. Once you understand those dynamics, you can assess the risks of material misstatement and plan your extended audit tests, such as those listed above.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty-five years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention, The Why and How of Auditing, Audit Risk Assessment Made Easy, and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles consults with other CPA firms, assisting them with auditing and accounting issues.