Church theft happens, and it’s not uncommon–though I wish it was.
Pastors, deacons, church members, priests, and even nuns steal. Yes, they do. Every time I see an article about this, I shake my head. But they are flawed human beings just like me. So theft happens in churches, synagogues, and other places of worship.
In this article, I explain why fraud is (more) common in the places you least expect. And I provide tips for preventing theft.
Theft of Church Offerings
My mother gave me nickels and dimes to put in the offering plate as a kid, but I never thought about where they went. In my mind, maybe to God or Heaven. But no, they went to a church bank account to pay the expenses of our place of worship. And, thankfully, there were no thefts (that I know of).
But over the years, I’ve seen thefts from churches, synagogues, parishes, church schools, seminaries, campus ministries, relief agencies, and Bible colleges.
People are Flawed
As I said earlier, first, people are flawed, even religious folks. As I’m fond of saying, “Why is ‘Thou shalt not steal’ one of the Ten Commandments? Because people steal.”
Too Much Trust
Secondly, religious persons (and I’m one) tend to be too trusting. We think that because someone works for a ministry or a church-affiliated organization, they are always honest. While this is largely true, some religious people steal, especially when no one is paying attention to what they do. In other words, when there are no internal controls and no oversight.
Ironically, when religious bodies place too much trust in people, they tempt those pastors, priests, deacons, and others. Religious people usually don’t plan to steal but realize–after years of being in a position–they can. After all, no one is watching because trust is over-abundant. And since we can rationalize our actions, we do things we know we should not. No different than any other temptation.
Don’t Tempt Your People
Religious bodies do their people a favor by creating and maintaining proper internal controls. Yes, a favor. Temptation goes down because there are multiple eyes on the processes, as there should be.
I sometimes hear people say that a church is not a business, but a ministry, as though sound business practices are not necessary in a religious environment. My rejoinder is we need to be good stewards of the funds entrusted to us (funds that can be used for wonderful purposes). Ministries lose the trust of their contributors when theft occurs. So, churches need to institute sound internal controls.
Church theft is common due to the nature of cash flowing into a place of worship.
The Church Cash Problem
Most religious institutions receive cash contributions to support their missions. And that’s wonderful, but if you’re a fraud prevention guy like me, that’s problematic. Cash, especially physical currencies (like that received during church services), is easily stolen. So, all religious bodies need to review how cash comes into a church body to see if there are internal controls all along the way.
Monies coming in during church services, mail, or any other way need to make it to the bank account safely. So, consider how funds come into your places of worship or support organizations. And make sure multiple people are involved in the collection and deposit process, what we commonly refer to as segregation of duties.
For instance, multiple people (e.g., ushers or deacons) should count funds collected during a church service, and a count sheet should be signed by those present. Later, someone other than the count team should compare the count sheet to the bank deposit. Enter all contributions in the accounting software and periodically provide statements to the contributors. The person making these bookkeeping entries should not be on the count team or have any access to cash. Why? The church bookkeeper could steal money but still make entries to the contributions software. Then, the contributor receives a periodic statement reflecting the amount given, but the money doesn’t make it into the church bank account.
In addition to considering regular church services receipts, think about those that are outside your normal processes. For instance, people might drop by the church during the week and provide a contribution to the bookkeeper.
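The comparison described above (count sheet to bank deposit to contributions ledger, including gifts handed over outside a service) can be run as a three-way match. This is an added example, not part of the original article; the record layouts, names, and figures are constructed, and it assumes each deposit and ledger entry carries the collection date it relates to.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records; field names are hypothetical. Assumption: each
# deposit and ledger entry carries the collection date it relates to.
COUNT_SHEETS = [
    {"date": "2024-03-03", "total": Decimal("1850.00"), "signers": ["usher_a", "usher_b"]},
    {"date": "2024-03-10", "total": Decimal("2100.00"), "signers": ["usher_a", "usher_c"]},
    {"date": "2024-03-17", "total": Decimal("1975.00"), "signers": ["usher_b"]},
]
BANK_DEPOSITS = [
    {"date": "2024-03-03", "amount": Decimal("1850.00")},
    {"date": "2024-03-10", "amount": Decimal("1900.00")},
    {"date": "2024-03-17", "amount": Decimal("1975.00")},
]
CONTRIBUTION_LEDGER = [
    {"date": "2024-03-03", "donor": "D001", "amount": Decimal("1000.00")},
    {"date": "2024-03-03", "donor": "D002", "amount": Decimal("850.00")},
    {"date": "2024-03-10", "donor": "D001", "amount": Decimal("1200.00")},
    {"date": "2024-03-10", "donor": "D003", "amount": Decimal("900.00")},
    # Mid-week gift handed to the bookkeeper: posted, never counted or banked.
    {"date": "2024-03-13", "donor": "D004", "amount": Decimal("500.00")},
    {"date": "2024-03-17", "donor": "D002", "amount": Decimal("1975.00")},
]


def reconcile(count_sheets, deposits, ledger, min_signers=2):
    """Return (date, finding, detail) tuples for every mismatch, in date order."""
    counted = {sheet["date"]: sheet for sheet in count_sheets}
    banked = defaultdict(Decimal)   # date -> total deposited
    posted = defaultdict(Decimal)   # date -> total credited to contributors
    for dep in deposits:
        banked[dep["date"]] += dep["amount"]
    for entry in ledger:
        posted[entry["date"]] += entry["amount"]

    findings = []
    for day in sorted(set(counted) | set(banked) | set(posted)):
        sheet = counted.get(day)
        bank = banked.get(day, Decimal("0"))
        book = posted.get(day, Decimal("0"))
        if sheet is None:
            # Money was recorded or banked with no independent count.
            findings.append((day, "NO_COUNT_SHEET", f"posted {book}, banked {bank}"))
        else:
            if len(set(sheet["signers"])) < min_signers:
                findings.append((day, "TOO_FEW_SIGNERS", ", ".join(sheet["signers"])))
            if sheet["total"] != bank:
                findings.append((day, "COUNT_NE_DEPOSIT",
                                 f"counted {sheet['total']}, banked {bank}"))
        if book != bank:
            # The pattern from the text: the contributor is credited,
            # but the money never reaches the bank account.
            findings.append((day, "LEDGER_NE_DEPOSIT", f"posted {book}, banked {bank}"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(COUNT_SHEETS, BANK_DEPOSITS, CONTRIBUTION_LEDGER):
        print(*finding, sep=" | ")
```

Each finding is a lead for follow-up by someone outside the count team and the bookkeeping function, not proof of theft.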
Church Cash Outflows
While theft of cash inflows is more common, funds can be stolen as they are disbursed. So, be sure you review your payment controls. Again, you want multiple people involved in the process. For example, the person signing the checks should not be the person entering those transactions in the bookkeeping system. And it’s preferable for the person reconciling the bank account to not sign checks. Then, the person reconciling the bank statement can review the cleared checks for appropriate payees.
Additionally, make sure your controls over credit cards are strong as well. Support (e.g., receipts) should be provided for each credit card charge, and the person using the card should not be the same person reviewing transactions for appropriateness.
Obviously, religious bodies also need appropriate payroll controls to ensure those funds are paid to the right persons and in the correct amount.
In summary, religious bodies need internal controls, just like any entity that receives and spends money. Placing too much trust in religious people is a mistake and can increase church theft. So, protect your church and your people by implementing sound internal controls for funds flowing into and out of your place of worship.
Here’s a Single Audit overview in five minutes. This video provides an overview of what a Single Audit is and what an auditor does in performing such an engagement.
Single Audit Overview
First, understand that some entities receive multiple federal grants. Rather than performing an audit of each individual grant, the Uniform Guidance allows one audit (a Single Audit) based on risk. So, if a city receives seven federal grants in one year, an auditor can perform a single audit that addresses the riskier programs. The video explains how the auditor determines major programs, the riskier grants of the seven received. Those are the ones that will be audited.
The applicability of the Single Audit to a grantee is based on the entity’s federal expenditures. Audit the entity using the Uniform Guidance when more than $750,000 in federal funds are expended.
In the video, I also explain how auditors use the Compliance Supplement to audit federal programs. The Compliance Supplement provides a summary of the applicable compliance provisions for federal grants. You can locate a particular grant by searching the Compliance Supplement by its federal assistance listing number. For example, 14.321 is HUD’s Emergency Systems Grant Program.
Single Audit Compliance Areas
Potential compliance areas for federal programs include:
Auditors choose the compliance areas that are direct and material, those that are most important. These areas are audited for each major program.
Single Audit Reports
Additionally, Single Audit reports are created by the auditor to communicate the results of the audit. That way, financial statement readers can see if the grantee (e.g., city) used the grant funds appropriately and whether the entity had proper internal controls. The auditor opines upon the major program grant compliance. If noncompliance is present or if related internal controls were not in use, the auditor reports the noncompliance or deficiencies in the Single Audit report.
Moreover, Single Audit reports include a schedule of expenditures of federal awards (SEFA). The SEFA includes a listing of expended federal awards.
Federal Audit Clearinghouse
Finally, the Single Audit report is filed with the federal audit clearinghouse once completed. The report is publicly available, so anyone can see the results of the audit.
Watch the video for the Single Audit overview in five minutes.
Most auditors don’t perform a test of controls. But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required.
Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:
Test of details
Test of controls
This article focuses on the third option.
Below you will see:
The Right Response
Not Testing Controls (including video about the same)
The Decision Regarding Testing
How to Test Controls
Which Controls to Test
Three-year Rotation of Testing
Interim or Period-End Testing
The Right Response
Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.
If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).
By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)
Not Testing Controls
Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high.
Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time.
The Decision Regarding Testing
But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.
Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures take less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.
How to Test Controls
Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.
Your approach to testing controls depends on risk.
For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use.
Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.
Test Supports Effectiveness
Now it’s time to test for effectiveness.
Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)
The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty.
The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed.
The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person that reconciled the bank statement was not involved in cash collections.
Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment.
And what about substantive tests?
You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.
Test Doesn’t Support Effectiveness
If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance.
So, when should you test controls? First let’s look at required tests and then optional ones.
Required Audit Tests of Controls
Here are two situations where you must test controls:
When there is a significant risk and you are placing reliance on controls related to that risk
When substantive procedures don’t properly address a risk of material misstatement
Let me explain.
Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually.
Also, a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement. So this test requirement is usually not relevant.
Optional Audit Test of Controls
We just covered the two situations when testing is required. All other control testing is optional.
Prior to making the decision about testing, consider the following:
Do you anticipate effectiveness? There’s no need to test an ineffective control.
Does the control relate to an assertion for which you desire a lower control risk?
Will it take less time to test the control than to perform a substantive procedure? Sometimes you may not know the answer to this question until you perform the test of controls. If the initial test does not prove effectiveness, then you have to expand your sample or just punt—in other words, use a fully substantive approach.
Will you use the control testing in conjunction with a test of details or substantive analytics? How would effective controls reduce these substantive tests? In other words, how much substantive testing time would you save if the control is effective?
Is the control evidence physical or electronic? For example, are the entity’s receipts in a physical receipt book or in a computer? It’s usually easier to test electronic evidence.
How large will your sample size be? Some controls occur once a month. Others, thousands of times in the period. The larger the population, the larger the sample. And, of course, the larger the sample size, the more time it will take to perform the test.
Can you test the population as a whole without sampling? Data analytics software—in some instances—can be used to test the entire population. For example, if a purchase order is required for all payments above $5,000, it might be easy to compare all payments above the threshold to purchase orders, assuming the purchase orders are electronic.
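The purchase order test mentioned in the last item can be run over every payment rather than a sample. This is an added example, not part of the original article; the field names and sample records are constructed, and it goes slightly beyond the text by also checking that the purchase order names the same vendor and is not overdrawn.

```python
from decimal import Decimal

PO_THRESHOLD = Decimal("5000")  # from the article: a PO is required above $5,000

# Constructed sample data; identifiers and field names are hypothetical.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "V-ACME", "amount": Decimal("12000.00")},
    "PO-1002": {"vendor": "V-BOLT", "amount": Decimal("7500.00")},
}
PAYMENTS = [
    {"id": "P1", "vendor": "V-ACME", "amount": Decimal("6000.00"), "po": "PO-1001"},
    {"id": "P2", "vendor": "V-ACME", "amount": Decimal("6500.00"), "po": "PO-1001"},
    {"id": "P3", "vendor": "V-CORE", "amount": Decimal("5000.00"), "po": None},
    {"id": "P4", "vendor": "V-CORE", "amount": Decimal("9200.00"), "po": None},
    {"id": "P5", "vendor": "V-DYNE", "amount": Decimal("7500.00"), "po": "PO-1002"},
    {"id": "P6", "vendor": "V-BOLT", "amount": Decimal("5100.00"), "po": "PO-9999"},
    {"id": "P7", "vendor": "V-BOLT", "amount": Decimal("300.00"), "po": None},
]


def check_po_control(payments, purchase_orders, threshold=PO_THRESHOLD):
    """Test every payment above the threshold against the purchase order file.

    Returns the population size, the number of in-scope payments, and a
    dict of payment id -> exception reason.
    """
    drawn = {}        # PO number -> cumulative amount paid against it
    exceptions = {}
    in_scope = 0
    for pay in payments:
        if pay["amount"] <= threshold:
            continue  # control applies only above the threshold
        in_scope += 1
        po_no = pay["po"]
        if not po_no:
            exceptions[pay["id"]] = "NO_PO"
            continue
        po = purchase_orders.get(po_no)
        if po is None:
            exceptions[pay["id"]] = "PO_NOT_FOUND"
            continue
        if po["vendor"] != pay["vendor"]:
            exceptions[pay["id"]] = "VENDOR_MISMATCH"
            continue
        # A PO can cover several payments, but not more than its total.
        drawn[po_no] = drawn.get(po_no, Decimal("0")) + pay["amount"]
        if drawn[po_no] > po["amount"]:
            exceptions[pay["id"]] = "OVER_PO_AMOUNT"
    return {
        "population": len(payments),
        "in_scope": in_scope,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = check_po_control(PAYMENTS, PURCHASE_ORDERS)
    print(f"{result['in_scope']} of {result['population']} payments in scope")
    for pay_id, reason in result["exceptions"].items():
        print(pay_id, reason)
```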
Three-Year Rotation of Testing
As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.
In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review the purchase order process each year in your annual walkthroughs.
So should you test controls at interim or after year-end?
Interim or Period-End Testing
Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?
Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective.
Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate.
If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.
So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well, those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).
As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.
Auditing payroll is a critical skill. Today I explain how.
While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.
Auditing Payroll – An Overview
Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.
To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.
First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.
Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).
Third, human resources assists the new hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance.
Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used).
Fifth, employees clock in and out so that time can be recorded.
Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time.
Seventh, a second person (e.g., payroll supervisor) approves the overall payroll.
Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy).
In this article, we will cover the following:
Primary payroll assertions
Directional risk for payroll
Primary risks for payroll
Common payroll control deficiencies
Risk of material misstatement for payroll
Substantive procedures for payroll
Common payroll work papers
Primary Payroll Assertions
The primary relevant payroll assertions are:
I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.
Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.
Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:
Does the company have a separate payroll bank account?
How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
Who has the authority to hire and fire employees?
What paperwork is required for a new employee? For a terminated employee?
Is payroll budgeted?
Who monitors the budget to actual reports? How often?
Who controls payroll check stock? Where is it stored? Is it secure?
If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
Do larger salary payments require multiple approvals?
Who approves overtime payments?
Who monitors compliance with payroll laws and regulations?
Who processes payroll and how?
Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
How are payroll tax payments made? How often? Who makes them?
Who creates the year-end payroll tax documents (e.g., W-2s) and how?
What controls ensure the recording of payroll in the appropriate period?
Are the following duties assigned to different persons:
Approval of each payroll,
Processing and recording payroll,
The reconciliation of related bank statements
Possession of processed payroll checks
Ability to enter or change employee bank account numbers
Ability to add employees to the payroll system or to remove them
Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
Who approves salary rates and how?
Who reconciles the payroll bank statements and how often?
Who approves bonuses?
What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
Who reconciles the payroll withholding accounts and how often?
Are any salaries capitalized rather than expensed? If yes, how and why?
Are surprise payroll audits performed? If yes, by whom?
Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?
Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).
If control weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.
As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”
When payroll fraud occurs, understatements or overstatements of payroll expense may exist.
If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.
On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.
Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements.
Directional Risk for Payroll
The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur.
Primary Risks for Payroll
The primary payroll risks include:
Payroll is intentionally understated
Inappropriate parties receive payments
Employees receive duplicate payments
As you think about these risks, consider the control deficiencies that allow payroll misstatements.
Another key to auditing payroll is understanding the risks of material misstatement.
Risk of Material Misstatement for Payroll
In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.
Additionally, consider theft which can occur in numerous ways, such as duplicate payments or ghost employees.
In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice.
Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee).
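The duplicate-payment and ghost-employee schemes described above leave traces in the payroll register that can be searched for across the whole population. This is an added example, not part of the original article; the employee master, register layout, and all identifiers are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data; identifiers and field names are hypothetical.
EMPLOYEES = {
    "E01": {"role": "payroll clerk", "terminated": None},
    "E02": {"role": "warehouse", "terminated": date(2024, 1, 31)},
    "E03": {"role": "sales", "terminated": None},
}
PAYROLL_REGISTER = [
    {"period": "2024-01", "pay_date": date(2024, 1, 31), "emp": "E01", "account": "ACCT-111"},
    {"period": "2024-01", "pay_date": date(2024, 1, 31), "emp": "E02", "account": "ACCT-222"},
    {"period": "2024-01", "pay_date": date(2024, 1, 31), "emp": "E03", "account": "ACCT-333"},
    {"period": "2024-02", "pay_date": date(2024, 2, 29), "emp": "E01", "account": "ACCT-111"},
    # Terminated employee still paid, now into the clerk's account.
    {"period": "2024-02", "pay_date": date(2024, 2, 29), "emp": "E02", "account": "ACCT-111"},
    {"period": "2024-02", "pay_date": date(2024, 2, 29), "emp": "E03", "account": "ACCT-333"},
    # Same employee paid twice in one period.
    {"period": "2024-02", "pay_date": date(2024, 2, 29), "emp": "E03", "account": "ACCT-333"},
    # Payee with no record in the employee master.
    {"period": "2024-02", "pay_date": date(2024, 2, 29), "emp": "E99", "account": "ACCT-999"},
]


def payroll_red_flags(employees, register):
    """Return a dict of finding name -> sorted list of leads for follow-up."""
    # More than one payment to the same employee in the same pay period.
    per_period = Counter((p["emp"], p["period"]) for p in register)
    duplicates = sorted(key for key, n in per_period.items() if n > 1)

    # Payments dated after the employee's termination date.
    after_term = set()
    for p in register:
        emp = employees.get(p["emp"])
        if emp and emp["terminated"] and p["pay_date"] > emp["terminated"]:
            after_term.add((p["emp"], p["period"]))

    # One bank account receiving pay for more than one employee id.
    by_account = defaultdict(set)
    for p in register:
        by_account[p["account"]].add(p["emp"])
    shared = sorted(
        (acct, sorted(emps)) for acct, emps in by_account.items() if len(emps) > 1
    )

    # Payees that do not exist in the employee master at all.
    unknown = sorted({p["emp"] for p in register if p["emp"] not in employees})

    return {
        "DUPLICATE_PAYMENT": duplicates,
        "PAID_AFTER_TERMINATION": sorted(after_term),
        "SHARED_BANK_ACCOUNT": shared,
        "NOT_IN_MASTER": unknown,
    }


if __name__ == "__main__":
    for name, leads in payroll_red_flags(EMPLOYEES, PAYROLL_REGISTER).items():
        print(name, leads)
```

Legitimate explanations exist for some hits (a final paycheck issued after the termination date, family members sharing an account), so each lead is vouched to supporting documents before any conclusion is drawn.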
Once your payroll risk assessment is complete, decide what substantive procedures to perform.
Substantive Procedures for Auditing Payroll
My customary tests for auditing payroll are as follows:
Reconcile 941s to payroll
Recompute accrued payroll liability (amount recorded at period-end)
Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
Compare payroll expenses (including benefits) to budget and examine any unexplained variances
When control weaknesses are present, design and perform procedures to address the related risks
Compare accrued vacation to prior periods and current payroll activity
In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?
Common Payroll Work Papers
My payroll work papers normally include the following:
An understanding of payroll-related internal controls
Risk assessment of payroll at the assertion level
Documentation of any payroll control deficiencies
Payroll audit program
Accrued salaries detail at period-end
A summary of any significant payroll withholding accounts with supporting information
A detail of vacation payable (if material) with comparisons to prior periods
Budget to actual payroll reports
A reconciliation of payroll in the general ledger to quarterly 941s
Fraud-related payroll work papers (when needed)
In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.
Chances are white-collar crime is occurring in your business as you read this–or at least within the last thirty days. Those you trust may be taking you for a ride. Therefore, you need to know how to prevent white-collar crime.
Below I provide you with plenty of free understandable resources to help you stop fraud. Take a look.
White Collar Crime Happens!
For most organizations, it’s not a matter of if fraud will occur, it’s a question of how much will be taken. The Association of Certified Fraud Examiners’ biennial survey shows that the average business loses 5% of its revenues to fraud. Imagine adding that amount to your bottom line, because when theft occurs, your net income is reduced by the amount stolen.
No One Steals from My Business
Most business owners, board members, governments, and nonprofits think “fraud may happen in other organizations, but not in our place. Our people are honest.” Well, let me say I’ve seen plenty of “honest” people steal.
In almost every fraud I’ve seen, the business owners and fellow employees are greatly surprised by the theft, usually by a trusted employee.
And these trusted people steal because they can. You may be thinking, “What?” Let me repeat, the reason people steal is because they can. In fraud prevention parlance, we call it “opportunity.”
And, how do trusted employees steal? Here’s the typical cycle:
We hire a likable, trustworthy person
The employee serves the organization well
He moves to higher positions (where he has greater opportunity to steal)
No one monitors the employee because he is honest–or at least, he appears that way
The employee believes he can steal without detection
Small amounts of money are taken to test the water
Larger amounts are taken when he is sure no one is watching
So, the employee goes from trusted employee to fraudster. The transformation occurs gradually. Then when the discovery of fraud occurs, everyone is shocked.
Examples of People Who Steal
And what kinds of persons commit white-collar crime?
I have seen the following individuals take money:
Chief executive officer
A lady who was dying
Swim club volunteer
Seminary Foundation employee
I could go on, but you get my point. People who we think would never steal, do.
So, how can we prevent–or at least lessen–the threat of fraud? Transparency is a key.
Transparency Lessens Fraud
If transparency is important, why don’t businesses create it?
Small businesses often lack the ability to segregate accounting duties, and this lack of segregation creates opportunities for theft. Why? One employee controls several critical accounting processes, resulting in the ability to steal without detection.
To lessen the possibility of fraud, we must create transparency in accounting processes. Employees are less likely to steal when their actions are visible to others. That’s why segregation of duties is necessary: more eyes see the accounting activity, making theft more difficult to occur without detection. But even if an organization has few employees, it’s possible to create transparency and lessen the threat of theft.
Stop White-Collar Crime
CPA Hall Talk provides you with fraud prevention information to help you stop white-collar crime.
While I can’t visit everyone that needs fraud prevention assistance, I can provide (free) information about how theft occurs and how you can lessen the threat of fraud.
Here are some of my fraud prevention posts (each with a clickable link):