Journal entry testing is required in all audits. Why? The use of journal entries to manipulate financial statements is always present--even in accounting systems with good internal controls. Thus the journal entry test requirement in AU-C 240, Consideration of Fraud in a Financial Statement Audit.
In this article, I explain how auditors can understand and test journal entries to ensure management is not cooking the books.
Understand the Journal Entry Process
First, auditors should gain an understanding of the journal entry process. Ask questions such as:
- Who can post journal entries (see logical access assignments in the software)?
- How are journal entries posted?
- Who approves journal entries?
- Can one person post a journal entry without a second-person approval? If yes, who?
- How often are journal entries posted, and for what purpose?
- Have there been any unusual journal entries during the year?
- Are estimates adjusted or recorded with journal entries? If yes, who makes those entries, and how often?
- Does the company have a separate journal entry software package (such as Blackline) that interfaces with the general ledger?
- What journal entries are made in creating the financial statements, including those after the trial balance is taken from the accounting package (for example, the company downloads the trial balance to Excel)?
- Are all journal entries in the financial statement creation phase reviewed and approved by a second person? If yes, by whom?
- Has management asked anyone to override journal entry controls or protocols?
Inspect sample documents and journal entries. Also, observe who is doing what. Then document your inquiries, the records inspected, and your observations as a part of your walkthrough process. Also, document who you talked with and on what date.
Scan a Month's Journal Entries
Consider downloading all journal entries for a particular month and scanning those. Doing so will enable you to see the typical entries made. Most accounting systems differentiate journal entries from other transactions, so it's usually easy to segregate all journal entries for review.
Scanning a month's journal entries is not a required procedure, but one that I suggest.
So, as you scan the journal entries, what are you looking for? What types of entries might imply that fraud is present?
Indicators of Fraud Risk
The following are potential indicators of fraud risk:
- Nonstandard journal entries made at year-end, especially those for round numbers
- Entries made to seldom-used accounts
- Post-closing entries with no explanation
- Entries made by persons that seldom do so
- Entries made to force accounts to balance without performing proper reconciling procedures
Plan Your Journal Entry Responses
Plan to test journal entries based on your risk assessment procedures. If you notice particular risks, then audit those areas.
Here are examples of risks and responses:
- Test more entries if one person records journal entries without a second-person approval. Why? There's more risk.
- If you note unusual logical access rights, consider downloading all journal entries and sorting them by persons to see if there are any unusual journal entries.
- If significant revenue entries are made in the last month, test those.
- If one person consolidates the financial statements in Excel, making adjustments without a second-person review, test that process.
Journal entries may be appropriate throughout the year because they are subject to good controls. Even so, someone might inflate the numbers in the financial statement creation process (after exporting the original numbers to a spreadsheet, for example).
Test Journal Entries in Every Audit
AU-C 240, Consideration of Fraud in a Financial Statement Audit, requires auditors to test journal entries in every audit. Why? There is always a possibility that management might override controls, and journal entries are an easy way to make the company look better than it is. Think about it: one journal entry in the last month of the year can increase revenues and receivables by millions.
Test Entries Late in the Year
It is wise to test journal entries made late in the year. As management approaches year-end, they might realize the company needs to meet specific targets (e.g., a certain level of net income) for them to earn bonuses. If true, management has a potential motivation to manipulate the numbers, especially at year-end.
See my article about management override of controls for more information about manipulation of financial statements and potential theft.