auditing for fraud
Aug 08

Auditing for Fraud: The Why and How

By Charles Hall | Auditing , Fraud

Auditing for fraud is important, but some auditors ignore this duty. Even so, fraud risk is often present. 

So what is an auditor’s responsibility for detecting fraud? Today, I answer that question in light of generally accepted auditing standards in the United States. We’ll look specifically at AU-C 240, Consideration of Fraud in a Financial Statement Audit.

Here’s an overview of this article:

  • Auditor’s responsibility for detecting fraud
  • Turning a blind eye to fraud
  • Signs of auditor disregard for fraud
  • Incentives for fraud
  • Discovering fraud opportunities
  • Inquiries required by audit standards
  • The accounting story and big bad wolves
  • Documenting control weaknesses
  • Brainstorming and planning your response to fraud risk 

Auditor’s Responsibility for Detecting Fraud – AU-C 240

I still hear auditors say, “We are not responsible for detecting fraud.” But are we not? The detection of material misstatements whether caused by error or fraud is the heart and soul of an audit. So writing off our responsibility for fraud is not an option. We must plan to look for material fraud.

Audits will not, however, detect every material misstatement—even if the audit is properly planned and conducted. Audits are designed to provide reasonable assurance, not perfect assurance. Some material frauds will not be detected. Why? First, an auditor’s time is limited. He can’t audit forever. Second, complex systems make it extremely difficult to discover fraud. Third, the number of potential fraud schemes (there are thousands) makes it challenging to consider all possibilities. And, finally, some frauds are so well hidden that auditors won’t detect them.

Even so, auditors should not turn a blind eye to fraud.

Turning a Blind Eye to Fraud

Why do auditors not detect fraud?

Think of these reasons as an attitude—a poor one—regarding fraud. This disposition manifests itself in the audit file with signs of disregard for fraud.

Signs of Auditor Disregard for Fraud

A disregard for fraud appears in the following ways:

  • Asking just one or two questions about fraud
  • Limiting our inquiries to as few people as possible (maybe even just one)
  • Discounting the potential effects of fraud (after known theft occurs)
  • Not performing walkthroughs
  • We don’t conduct brainstorming sessions and window-dress related documentation
  • Our files reflect no responses to brainstorming and risk assessment procedures
  • Our files contain vague responses to the brainstorming and risk assessment (e.g., “no means for fraud to occur; see standard audit program” or “company employees are ethical; extended procedures are not needed”)
  • The audit program doesn’t change though control weaknesses are noted

In effect, auditors—at least some—dismiss the possibility of fraud, relying on a balance sheet approach.

So how can we understand fraud risks and respond to them? First, let’s look at fraud incentives.

Incentives for Fraud

The reasons for theft vary by each organization, depending on the dynamics of the business and people who work there. Fraudsters can enrich themselves indirectly (by cooking the books) or directly (by stealing).

Fraud comes in two flavors:

  1. Cooking the books (intentionally altering numbers)
  2. Theft

Two forms of fraud: Auditor's Responsibility for Fraud

Cooking the Books

Start your fraud risk assessment process by asking, “Are there any incentives to manipulate the financial statement numbers.” For example, does the company provide bonuses or promote employees based on profit or other metrics? If yes, an employee can indirectly steal by playing with the numbers. Think about it. The chief financial officer can inflate profits with just one journal entry—not hard to do. While false financial statements is a threat, the more common fraud is theft.

Theft

If employees don’t receive compensation for reaching specific financial targets, they may enrich themselves directly through theft. But employees can only steal if the opportunity is present. And where does opportunity come from? Weak internal controls. So, it’s imperative that auditors understand the accounting system and—more importantly—related controls. 

Discovering Fraud Opportunities

My go-to procedure in gaining an understanding of the accounting system and controls is walkthroughs.  Since accounting systems are varied, and there are no “forms” (practice aids) that capture all processes, walkthroughs can be challenging. So, we may have to “roll up our sleeves,” and “get in the trenches.” 

For most small businesses, performing a walkthrough is not that hard. Pick a transaction cycle; start at the beginning and follow the transaction to the end. Ask questions and note who does what. Inspect the related documents. As you do, ask yourself two questions:

  1. What can go wrong?
  2. Will existing control weakness allow material misstatements?

In more complex companies, break the transaction cycle into pieces. You know the old question, “How do you eat an elephant?” And the answer, “One bite at a time.” So, the process for understanding a smaller company works for a larger one. You just break it down and allow more time.

Discovering fraud opportunities requires the use of risk assessment procedures such as observations of controls, inspections of documents and inquiries. Of the three, the more commonly used is inquiries.

Inquiries Required by Audit Standards

Audit Standards (AU-C 240) state that we should inquire of management regarding:

  • Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent, and frequency of such assessments
  • Management’s process for identifying, responding to, and monitoring the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist
  • Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity
  • Management’s communication, if any, to employees regarding its views on business practices and ethical behavior
  • The auditor should make inquiries of management, and others within the entity as appropriate, to determine whether they know of any actual, suspected, or alleged fraud affecting the entity
  • For those entities that have an internal audit function, the auditor should make inquiries of appropriate individuals within the internal audit function to obtain their views about the risks of fraud; determine whether they have knowledge of any actual, suspected, or alleged fraud affecting the entity; whether they have performed any procedures to identify or detect fraud during the year; and whether management has satisfactorily responded to any findings resulting from these procedures

Notice that AU-C 240 requires the auditor to ask management about its procedures for identifying and responding to the risk of fraud. If management has no method of detecting fraud, might this be an indicator of a control weakness? Yes. What are the roles of management and outside auditors regarding fraud?

  • Management develops control systems to lessen the risk of fraud. 
  • Auditors review the accounting system to see if fraud-prevention procedures are designed and operating appropriately.

So, the company creates the accounting system, and the auditor gains an understanding of the same. As auditors gain an understanding of the accounting system and controls, we put together the pieces of a story.

The Accounting Story and Big Bad Wolves

Think of the accounting system as a story. Our job is to understand the narrative of that story. As we describe the accounting system in our work papers, we may find missing pieces. Controls may be inadequate. When they are, we ask more questions to make the story complete.

The purpose of writing the storyline is to identify any “big, bad wolves.”

The Auditor's Responsibility for Fraud - The Big Bad Wolves

The threats in our childhood stories were easy to recognize. The wolves were hard to miss. Not so in walkthroughs. It is only in connecting the dots—the workflow and controls—that the wolves materialize.

So, how long should the story be? That depends on the size of the organization. Scale your documentation. If the transaction cycle is simple, the documentation should be simple. If the cycle is complex, provide more details. By focusing on control weaknesses that allow material misstatements, you’ll avoid distracting details.

But what if control weaknesses are noted?

Documenting Control Weaknesses

I summarize the internal control strengths and weaknesses within the description of the system and controls and highlight the wording “Control weakness.” For example:

Control weakness: The accounts payable clerk (Judy Jones) can add new vendors and can print checks with digital signatures. In effect, she can create a new vendor and have a check sent to that provider without anyone else’s involvement.

Highlighting weaknesses makes them more prominent. Then I can use the identified fraud opportunities to brainstorm about how theft might occur and to develop my responses to the threats.

Brainstorming and Planning Your Responses 

Now, you are ready to brainstorm about how fraud might occur and to plan your audit responses.

The risk assessment procedures provide the fodder for the brainstorming session. 

Armed with knowledge about the company, the industry, fraud incentives, and the control weaknesses, we are ready to be creative. 

In what way are we to be creative? Think like a thief. By thinking like a fraudster, we unearth theft schemes. Why? So we can audit those possibilities. This is the reason for risk assessment procedures in the first place.

What we discover in risk assessment informs the audit plan. Now we are ready to perform our fraud risk assessment. With the information gained in from the risk assessment procedures, we know where the risks are. If, for example, there is a risk that fictitious vendors are present, we might assess the risk of material misstatement at high for the expense occurrence assertion. (Our risks of material misstatement should be assessed at the assertion level.) Then we plan our response which might be testing new vendors added to determine if they are legitimate. So the fraud risk assessment occurs after we perform our risk assessment procedures. This tells us where the risks of material misstatement are. 

The Auditor’s Responsibility for Detecting Fraud – AU-C 240

In conclusion, I started this post saying I’d answer the question, “What is an auditor’s responsibility for detecting fraud?”

Hopefully, you now better understand fraud procedures. But to understand the purpose of them, look at a standard audit opinion:

The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the consolidated financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the consolidated financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion.

The purpose of fraud risk assessments is not to opine on internal control systems or to discover every fraud. It is to assist the auditor in determining where material misstatements—due to fraud—might occur.

Additionally, even well-performed audits will not detect all material fraud. As we saw above, some frauds are extremely difficult to detect. Audits are designed to provide reasonable assurance, not perfect assurance. The standard audit opinion states:

Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

In summary, the auditor should conduct the audit in a manner to detect material fraud. But it is possible that some material frauds will be missed, even when we perform the audit correctly.

The Why and How of Auditing: A Blog Series About Audit Basics

Check out my series of posts: The Why and How of Auditing?

You’ll see how to audit cash, receivables/revenues, payables/expenses, investments, and other transaction cycles. You’ll also see how to perform risk assessment procedures before you plan your further audit procedures. 

Also, see my book The Why and How of Auditing on Amazon.

Rita Crundwell
Jul 19

Rita Crundwell Story: Why Some Ranches Stink

By Charles Hall | Asset Misappropriation

Is it possible for one person to steal over $53 million from a city with an annual budget of less than $10 million? Yes. The Rita Crundwell story provides a cautionary tale for small businesses, governments, and nonprofits.

The Rita Crundwell Theft

Rita Crundwell, comptroller, and treasurer of Dixon, Illinois stole $53 million over a twenty-year period. The city of 16,000 residents held Crundwell in high esteem. One friend described her as “sweet as pie.” Another said: “You could not find a nicer person.”

So why did she steal? It appears Rita just enjoyed the good life. She used the money to fund one of the top quarter horse ranches in the country, and she did it with style: Some of the funds were used to purchase over $300,000 of jewelry and a $2.1 million motor coach vehicle.

Rita Crundwell
Her annual salary? $80,000.

The city’s annual budget? $6 to $8 million

Were yearly audits performed? Yes.

Were budgets approved? Yes.

But even with budgets and audits, the Dixon, Illinois scandal happened. 

Too Much Trust

So how did this happen? Rita Crundwell won the trust of those around her—especially that of mayor and council. In April 2011, finance commissioner and veteran council member, Roy Bridgeman, praised Crundwell calling her “a big asset to the city as she looks after every tax dollar as if it were her own.” Too much trust in a bookkeeper can lead to huge problems. 

It was a disturbing moment when Dixon Mayor James Burke presented the FBI with evidence of Crundwell’s fraud. Burke later recalled his emotions and words: “I literally became sick to my stomach, and I told him that I hoped my suspicions were all wrong.” Such a response is understandable given that Crundwell had worked for the city for decades. She had fooled everyone.

Secret Bank Account

According to the mayor, the city’s annual audits raised no red flags, and the city’s primary bank never reported anything suspicious. So how did she steal the money? In 1990, Crundwell opened a secret bank account in the name of the city (titled the RSDCA account: the initials stood for reserve sewer development construction account). Crundwell was the only authorized check signer for the account, and the RSDCA bank account was never set up on the city’s general ledger. The City’s records reflected none of the RSDCA deposits or disbursements.

Crundwell would write and sign manual checks from a legitimate city capital project fund checking account, completing the check payee line with “Treasurer.” (Yes, Crundwell had the authority to issue checks with just her signature—even for legitimate city bank accounts.) She would then deposit the check into her secret account. From the bank’s perspective, a transfer had been made from one city bank account to another (from the capital projects fund to the reserve sewer development construction fund).

Accounting Cover-up

While the capital project fund disbursement was recorded on the city’s books, the RSDCA deposit was not. A capital project fund journal entry was made for each check debiting capital outlay expense and crediting cash. But no entry was made to the city’s records for the deposit to the RSDCA account. Once the money was in the RSDCA account, Crundwell wrote checks for personal expenses—and she did so for over twenty years.

To complete her deceit, Crundwell provided auditors with fictitious invoices from the Illinois Department of Transportation; these invoices included the following notation: Please make checks payable to Treasurer, State of Illinois. (So the canceled checks made out to Treasurer agreed with directions on the invoice, but the words “State of Illinois” were conveniently left off the check payee line.) Remember Crundwell was the treasurer of Dixon. 

Those invoices and the related checks were often for round dollar amounts (e.g., $250,000) and most were for more than $100,000. In one year alone, Crundwell embezzled over $5 million.

Vacation Leads to Arrest

So how was she caught? While Rita was on an extended vacation for horse shows, the city hired a replacement for her. For some reason, Crundwell’s substitute requested all bank account statements from the city’s bank. As the bank statements were reviewed, the secret bank account was discovered. And soon after that, the mayor contacted the FBI.

The Control Weakness

Why was Rita Crundwell able to steal $53 million? Wait for it. A lack of segregation of duties.

Rita could:

  • Write checks
  • Approve payments
  • Create and monitor the budget
  • Enter transactions into the accounting system
  • Reconcile the bank statements

The Accounting Fix

Multiple people should perform accounting duties, not just one.

Moreover, accounting employees should annually take a one-week vacation (or longer). And while they are gone, someone else should perform the vacant person’s duties. The vacation itself is not the key to this control. The performance of the absent accountant’s duties is. Why? Doing so allows the replacement person to understand the work of the vacant employee. But, more importantly, the substitute can note any unusual or fraudulent activity.

Here’s another action to take: Periodically contact your organization’s bank and ask for a list of all bank accounts. Then compare the list to the bank accounts in your general ledger. If a bank account is not on the general ledger, see why. And request a copy of the related signature card from the bank.

What Happened to Rita Crundwell?

So, what happened to Rita? She was sentenced to 19.5 years in prison. Here are pictures from the Chicago Tribune that shed light on the fraud.

All the Queens Horses

Kelly Richmond Pope has masterfully captured the Rita Crundwell tale in the movie All the Queen’s Horses, available on Amazon. Think auditing is boring? Then watch the movie. It does a better job of explaining the psychological and financial damage of fraud than any textbook. 

GASB 87 Lease Accounting
Jul 15

GASB 87 Lease Accounting

By Charles Hall | Accounting , Local Governments

Are you looking for GASB 87 lease accounting information? Are you a government that leases assets? Then you're in the right place. Below I provide information about lease terms, discount rates, accounting entries, and disclosure requirements.

GASB 87 Lease Accounting

Removal of Bright-Line Criteria

Historically governments have followed the guidance in FASB 13, Accounting for Leases. Lease classifications (i.e., operating or capital) were based on bright-line criteria such as whether the government leased an asset for more than 75% of its economic life. 

GASB 87, Leases, removes the bright-line criteria and calls for more judgment. (The words reasonably certain appears thirty-nine times in GASB 87.)

The new lease standard provides for various accounting alternatives. Let's see what they are.

Three Potential Accounting Alternatives

Regarding leases, there are now three accounting alternatives:

  1. Short-term leases
  2. Contracts that transfer ownership
  3. Contracts that do not transfer ownership

Before we dive deeper, here are three quick points about these alternatives:

First, know that short-term leases do not create a lease liability.

Second, understand that contracts that transfer ownership are a financed sale.

Third, know that contracts that do not transfer ownership create a lease liability. This third category is a catchall for arrangements that don't qualify for short-term lease treatment and don't transfer ownership.

Now, let's see how GASB defines a lease.

Definition of a Lease

GASB defines a lease this way:

A lease is defined as a contract that conveys control of the right to use another entity’s nonfinancial asset (the underlying asset) as specified in the contract for a period of time in an exchange or exchange-like transaction.

There are five points to this definition:

First, the lease must be a contract. 

Second, the contract must provide control of the right to use.

Third, this control is in relation to a nonfinancial asset.

Fourth, the control of the nonfinancial asset must be for a period of time.

And finally, the lease is an exchange or exchange-like transaction.

I think the terms contract, period of time, and exchange are easily understood. But the terms control and nonfinancial assets might cause some confusion. So let's clarify those.

Control

A government controls an asset if it has the right to the present service capacity and the right to determine the nature and manner of use of the asset.

In other words, the government must have the right to the benefits generated from the asset. A city can drive a leased police car. That is the benefit, the present service capacity.

Additionally, Nature and manner address whether the government controls the use of the asset. A city police officer can, for example, drive a leased police car at 3:00 a.m. And she can drive it as far as she likes. The police department determines the nature and manner of use.

Nonfinancial Asset

And what is a nonfinancial asset? It's generally anything that is not a financial asset (e.g., cash, receivable). Examples of nonfinancial assets include buildings, land, vehicles, and equipment. There are exceptions, however. 

GASB 87 Scope Exclusions

GASB 87 does not apply to:

  • Leases of intangible assets (e.g., rights to explore for oil and gas)
  • Leased biological assets (e.g., timber)
  • Inventory that is leased
  • Service concession arrangements
  • Leases in which the underlying asset is financed with outstanding conduit debt (unless the underlying asset and the conduit debt are reported by the lessor)
  • Supply contracts (e.g., power purchase agreements)

Now let's see how to determine the lease term.

Lease Term

Prior to GASB 87, the minimum lease payments determined the lease term. Not so any more. In some cases, GASB 87 provides for a more subjective determination of a lease's term, one based on what is reasonably certain.

Lease Options

Under GASB 87, lease terms are not just the noncancelable portion of the agreement. Governments add the following to the noncancelable period:

  • Periods covered by a lessee’s option to extend the lease if it is reasonably certain, based on all relevant factors, that the lessee will exercise that option 
  • Periods covered by a lessee’s option to terminate the lease if it is reasonably certain, based on all relevant factors, that the lessee will not exercise that option 
  • Periods covered by a lessor’s option to extend the lease if it is reasonably certain, based on all relevant factors, that the lessor will exercise that option  
  • Periods covered by a lessor’s option to terminate the lease if it is reasonably certain, based on all relevant factors, that the lessor will not exercise that option.
Reasonably Certain Factors

In determining what reasonably certain is, the government considers factors such as the economic impact of not exercising an option or how the government has acted in the past.

Once the lease term decision is made, document your basis for doing so. Why? So there is a record of the decision. (Your auditors may want to see this. Additionally, the record provides valuable information regarding future lease term decisions.)

Fiscal Funding Clauses Affect on Term

Additionally, you may be wondering if fiscal funding clauses affect leases. (Fiscal funding clauses allow a government to cancel a lease if the government does not appropriate funds for the payments.) If a government is reasonably expected to exercise such a provision, then this factor can impact the lease term. Personally, however, I've never seen a government terminate a lease through such a provision. Fiscal funding clauses will usually not affect lease terms.

So, should governments ever reassess the term period?

Reassessment of Term

Government will generally not reassess the lease term decision. 

Nevertheless, reassessment will occur in some cases. Consider this example. The government enters into a fifteen-year lease with a five-year lease extension. The government believes that it will not exercise the five-year extension. But then in year fifteen, it does so. Now the government binds itself for another five years. Therefore, the lease is extended. And the additional five years is added to the lease term. 

Now that you know about lease terms, you may be wondering about short-term leases. How does a government account for those?

Short-Term Leases

Treat leases with a maximum possible term of twelve months or less as short-term leases. And do not capitalize such leases. 

One word of caution: if there are renewal options, include those in making the short-term lease classification decision, regardless of probability. If, for example, the lease is for twelve months with an option to renew for another six months, then the lease is not short-term. Even if the government believes it will not exercise the option.

So, how do you record short-term lease payments? As expenses.

Contract that Transfers Ownership

If an agreement transfers ownership of the asset to the lessee by the end of the contract, then the contract is a financed purchase. For the lessee, the government records the purchased asset (not an intangible) and the related debt (not a lease liability).

So, what about a lease agreement with a bargain purchase option? Should it be treated as financed purchase? The answer is no. The presence of a bargain purchase option in a lease contract is not the same as a provision that transfers ownership of the underlying asset.

Multiple Components of a Lease Contract

If an agreement has lease and non-lease components, split the transaction. 

A government might, for example, lease floors four and five of a ten-story building. In doing so, it is required to pay for common area maintenance. Split this transaction into a lease and a maintenance contract. Record the lease exclusive of the maintenance payments. If, however, it is not practicable to determine the separate price allocation, the government should account for the transaction as a single lease.

If a lease involves multiple underlying assets (say a police car and a water tank), the government should account for each as a separate lease component. 

Lessee Accounting

If the government is leasing an asset, then it will use the following guidance. (An exception exists if the lease is short-term as explained above.)

GASB 87 Lessee accounting

Initial Recognition

At commencement, the government recognizes an (1) intangible right-to-use asset and (2) a lease liability. 

So the government does not recognize the asset itself (e.g., tractor), but the right to use the asset. This is an intangible asset.

Now let's see how to compute the lease asset.

1. Lease Asset 

So. what goes in the lease asset calculation?

The government should include:

  • Initial lease liability (see below)
  • Payments made to lessor at or before commencement less any lease incentives received from the lessor at or before the commencement of the lease term
  • Initial direct costs that are ancillary charges necessary to place the lease asset into service

So what costs are not included in the intangible asset? Governments should exclude any debt issuance costs.

Notice that the lease asset can be greater than the lease liability. The lease asset starts with the lease liability and increases if, for example, the government makes a payment to the lessor prior to commencement of the lease term.

In governmental funds (e.g., general fund), the initial accounting entry is a debit to capital outlay and a credit to other financing sources. In full accrual funds (e.g., enterprise fund), the initial entry is a debit to the intangible lease asset and a credit to the lease liability.

So, how should the lease asset be amortized?

Lease Asset Amortization

Amortize the lease asset in a systematic and rational manner over the shorter of the lease term or the asset's useful life. Usually this will be straight-line amortization.

And what are the journal entries for recording the lease asset?

Lease Asset Accounting

The government records the lease asset and then amortizes it using an entry such as the following (for full-accrual funds; e.g., water and sewer fund):

Account
Amortization Expense
Accumulated Amortization - Right-of-Use Asset
Debit
XX


Credit


XX

GASB 87 says to report the amortization as an outflow of resources (e.g., amortization expense). The amortization expense can, for financial reporting purposes, be combined with the depreciation expense of other capital assets. 

Modified accrual funds (e.g., general fund) will not record an amortization entry. Why? The asset does not appear on the balance sheet.

2. Lease Liability 

How does a government compute the lease liability?

Simply put, the lease liability is the present value of everything you think you're going to pay. Prior to GASB 87, governments used the present value of minimum lease payments. Now governments include payments that are reasonably certain. (See information above regarding what is reasonably certain.)

The computation is made up of the present value of:

  • Fixed payments
  • Variable payments that depend on an index or a rate (e.g., consumer price index) measured using the index or rate as of the commencement of the lease
  • Variable payments that are fixed in substance
  • Amounts that are reasonably certain of being required to be paid by the lessee under residual value guarantees
  • The exercise price of a purchase option if it is reasonably certain that the lessee will exercise that option
  • Payments for penalties for terminating the lease
  • Any lease incentives receivable from the lessor
  • Any other payments that are reasonably certain of being required based on an assessment of all relevant factors
Variable Payments Based on Future Performance

Governments will not include payments based on future performance or usage in the lease liability. Expense such payments in the period incurred. 

For example, if a government leases a vehicle with a provision for 12,000 miles annually but the car is driven 15,000 miles, expense the payment for the additional mileage as incurred.

So, where does the discount rate come from?

Discount Rate

Use the rate charged by the lessor if specified in the agreement. If not specified, use the incremental borrowing rate for the government. This is the estimated rate the government would pay if, during the life of the lease, it borrowed the funds for those lease payments.

Lease Liability Accounting

Once the initial lease is recorded as a liability, the government will begin making periodic payments to the lessor. The effective interest rate method will be used. Record the payments as follows (for full-accrual funds; e.g., water and sewer fund):

Account
Lease liability
Interest Expense

Cash

Debit
XX

XX

Credit


XX

Post the payments to principal and interest expenditures in modified accrual accounting funds (e.g., general fund).

GASB 87 Disclosures

The following disclosures are required for lessees:

  • A general description of its leasing arrangements 
  • The total amount of lease assets, and the related accumulated amortization, disclosed separately from other capital assets
  • The amount of lease assets by major classes of underlying assets, disclosed separately from other capital assets
  • The amount of outflows of resources recognized in the reporting period for variable payments not previously included in the measurement of the lease liability
  • The amount of outflows of resources recognized in the reporting period for other payments (e.g., termination penalties) not previously included in the measurement of the lease liability
  • Principal and interest requirements to maturity, presented separately, for the lease liability for each of the five subsequent fiscal years and in five-year increments thereafter
  • Commitments under leases before the commencement of the lease term
  • The components of any loss associated with an impairment 

Transition

Apply GASB 87 retroactively, if practicable, for all periods presented. Use the facts and circumstances existing at the beginning of the implementation period to record the leases.

The notes to the financial statements should disclose the nature of the restatement and its effect. 

GASB 87 says that the provisions of this statement need not be applied to immaterial items.

GASB 87 Effective Date

The effective date of GASB 87 is for reporting periods beginning after December 15, 2019. On May 8, 2020, the Governmental Accounting Standards Board (GASB) issued Statement No. 95Postponement of the Effective Dates of Certain Authoritative Guidance. This standard postponed GASB 87 by eighteen months.

So GASB 87 is effective for fiscal year-ends of June 30, 2022 (years starting after June 15, 2021) and calendar year-ends of December 31, 2022 (again, years starting after June 15, 2021). 

earnings manipulation
May 30

Earnings Manipulation with Accounting Tricks

By Charles Hall | Financial Statement Fraud

Earnings manipulation is easy with the right–or should I say wrong–accounting tricks such as cookie jar reserves. In this article, we explore how businesses inflate profits and sometimes decrease the same, depending on what the company desires. Financial statement fraud is common, so let’s see how these schemes work. 

One Wall Street Journal article said a California company used “a dozen or more accounting tricks” including “one particularly bold one: booking bogus sales to fake companies for products that didn’t exist.” These machinations inflated earnings, making the company look more profitable than it really was. 

Today I show you how fraudsters use financial statement fraud to magically transform a company’s appearance. Then you will better know how to prevent these earnings manipulations.

earnings manipulation

What does it mean to inflate earnings? Inflating earnings means a company uses fraudulent schemes to make their earnings look better than they really are. 

Financial Statement Fraud

Companies can magically create earnings by:

  • Accruing fictitious income at year-end with journal entries
  • Recognizing sales for products that have not been shipped
  • Inflating sales to related parties
  • Recognizing revenue in the present year that occurs in the next year (leaving the books open too long)
  • Recognizing shipments to a re-seller that is not financially viable (knowing the products will be returned)
  • Accruing projected sales that have not occurred
  • Intentionally understating receivable allowances

Think about it: A company can significantly increase its net income with just one journal entry at the end of the year. How easy is that?

You may be thinking, “But no one has stolen anything.” Yes, true, but the purpose of manipulating earnings is to increase the company’s stock price. Once the price goes up, the company executives sell their stock and make their profits. Then the company can, in the subsequent period, reverse the prior period’s inflated entries.

Earnings Manipulation Control Weakness

Such chicanery usually flows from unethical owners, board members, or management. The “tone at the top” is not favorable. These types of accounting tricks usually don’t happen in a vacuum. Normally the top brass demands “higher profits,” often not dictating the particulars. (These demands are typically made in closed-door meetings with no recorders or written notes.) Then years later, once the fraud is detected, those same leaders will plead ignorance saying their lieutenants worked alone.

This why the control environment, an entity-level control, is so important. Codes of conduct and conflict of interest statements do matter. Moreover, communicating appropriate ethical requirements is critical to an organization’s integrity. 

Lower the Risk of Earnings Manipulation

The fix is transparency. This sounds simple, but transparency will usually remove the temptation to inflate earnings. If you work for a company (or a boss) that is determined to “win at any cost,” and repeatedly hides things (“don’t tell anyone about what we’re doing”), it is time to look for another job. When people hide what they are doing, they know it’s wrong–otherwise, why they wouldn’t hide it?

A robust internal audit department can enhance transparency. The board should hire the internal auditors. Then these auditors should report directly to the board (not management). The company’s internal auditors should know that the board has their back. If not, then you’ll continue to have opaque reporting processes. Why? The internal auditors’ fear of reprisal from management (or the board itself).

And what if the leaders of an organization won’t allow transparency? If possible, remove them. Unethical leadership will destroy a business.

Deflating Earnings (Cookie Jar Reserves)

Though much less likely, some businesses intentionally decrease their earnings with fraudulent accounting. Why would they do so? Maybe the business has an exceptionally good year, and it would like to save some of those earnings for future periods. For instance, management bonuses might be tied to profit levels. If those thresholds have already been met, it’s possible that the company will defer some current year earnings in order to ensure bonuses in the following year.

Deferring earnings is often called a cookie jar reserve. For example, if a company’s allowance for uncollectibles accounts is acceptable within a range (say 1% to 2% of receivables), it might use the higher percent in the current year. The higher reserve decreases current year earnings (the allowance is credited and bad debt expense is debited, increasing expenses and decreasing net income). Then in the following year, the company might use 1% to increase earnings (even though 1.75% might be more appropriate). This is called smoothing. 

Honest companies record their numbers based on what is correct, not upon desired results. But not all companies are honest. 

See my full article regarding how to audit receivables and revenues.

test of controls
May 29

Test of Controls: When to Perform and How

By Charles Hall | Auditing

Most auditors don’t perform a test of controls? But should they? Below I explain when such a test is required. I also explain why some auditors choose to use this test even when not required. 

test of controls

Once risk assessment is complete, auditors have three further audit procedures they can use to respond to identified risks:

  1. Test of details 
  2. Substantive analytics
  3. Test of controls

This article focuses on the third option.

Below you will see:

  • The Right Response
  • Not Testing Controls (including video about the same)
  • The Decision Regarding Testing 
  • How to Test Controls
  • Required Tests
  • Which Controls to Test
  • Three-year Rotation of Testing
  • Interim or Period-End Testing

The Right Response 

Which responses to risks of material misstatement are best? That depends on what you discover in risk assessment.

If, for example, your client consistently fails to record payables, then assess control risk for completeness at high and perform a search for unrecorded liabilities (a substantive procedure).

By contrast, if the internal controls for receivables are strong, then assess control risk for the existence assertion at less than high, and test controls for effectiveness. (You do, however, have the option to perform substantive tests rather than test controls, even when controls are appropriate. More about this in a moment.)

Not Testing Controls

Many auditors assess control risk at high (after risk assessment is complete) and use a fully substantive approach. That is fine, especially in audits of smaller entities. Why? Because smaller entities tend to have weaker controls. As a result, controls may not be effective. Therefore, you may not be able to assess control risk at less than high. 

Control risk assessments of less than high must be supported with a test of controls to prove their effectiveness. But if controls are not effective, you must assess control risk at high. This is one reason why you might bypass testing controls: you know, either from prior experience or from current-year walkthroughs, that controls are not effective. If your test reveals ineffectiveness, you are back to square one: a control risk assessment of high. Then substantive procedures are your only option. In such a situation, the initial test was a waste of time. 

The Decision Regarding Testing 

But if controls are effective, why not test them? Doing so allows you to reduce your substantive procedures. There is one reason, however, why you might not test controls even though they appear appropriate: substantive tests may take less time.

Once risk assessment is complete, your responses—the further audit procedures—are based on efficiency and effectiveness. If control testing takes less time, then use this option. If substantive procedures takes less time, then perform a test of details or use substantive analytics. But, regardless of efficiency considerations, address all risks with appropriate responses.

How to Test Controls 

Suppose you’ve decided to test controls for effectiveness. But how? Let’s look at an example starting with risk assessment.

control test

Risk Assessment

Your approach to testing controls depends on risk. 

For example, suppose your billing and collections walkthrough reveals appropriate segregation of duties. You see that authorized personnel issue receipts for each payment received. Additionally, you determine that total daily cash inflows are reconciled by the collections supervisor to the online bank statement, and she signs off on a reconciliation sheet as evidence of this procedure. Lastly, you note that a person not involved in cash collections reconciles the monthly bank statement. In other words, controls are properly designed and in use. 

Furthermore, you believe completeness is a relevant assertion. Why? Theft of incoming cash is a concern since the business handles a high volume of customer checks. If checks are stolen, cash collections would not be complete. Consequently, the inherent risk for completeness is high. The fraud risk is a significant risk which requires a test of details in addition to the test of controls.

Test Supports Effectiveness

Now it’s time to test for effectiveness. 

Test the receipt controls on a sample basis. But before doing so, document the controls you desire to test and the sample size determinations. (See AICPA’s Audit Sampling standard, AU-C 530.)

The first control you are testing is the issuance of receipts by an authorized person and your sample size might be sixty. 

The second control you are testing is the daily reconciliation of cash to the bank statement. For example, you could agree total daily receipts to the bank statement for twenty-five days. As you do so, you review the daily sign-offs on the reconciliation sheets. Why? The collection supervisor’s sign-off is the evidence that the control was performed. 

The third control you are reviewing is the reconciliation of the bank account by a person not involved in the receipting process. So, you review the year-end bank reconciliation and confirm that the person that reconciled the bank statement was not involved in cash collections. 

Once the tests are performed, determine whether the controls are effective. If they are, assess control risk for the completeness assertion at less than high. Now you have support for that lower assessment. 

And what about substantive tests?

You need to perform a test of details since a significant risk (the fraud risk) is present. You might, for example, reconcile the daily total receipts to the general ledger for a month.

Test Doesn’t Support Effectiveness

If your tests do not support effectiveness, expand your sample size and examine additional receipts. Or skip the tests (if you believe the controls are not effective) and move to a fully substantive approach. Regardless, if controls are not effective, consider the need to communicate the control deficiency to management and those charged with governance. 

So, when should you test controls? First let’s look at required tests and then optional ones. 

Required Audit Tests of Controls

Here are two situations where you must test controls:

  • When there is a significant risk and you are placing reliance on controls related to that risk
  • When substantive procedures don’t properly address a risk of material misstatement

Let me explain.

Auditing standards allow a three-year rotation for control testing, as long as the area tested is not a significant risk. But if the auditor plans to rely on a test of controls related to a significant risk, operating effectiveness must be tested annually. 

Also a test of controls is necessary if substantive procedures don’t properly address a risk of material misstatement. For example, consider the controls related to reallocation of investments in a 401(k). The participant goes online and moves funds from one account to another. Other than the participant, there are no humans involved in the process. When processes are fully automated, substantive procedures may not provide sufficient audit evidence. If that is your situation, you must test of controls. Thankfully, a type 2 service organization control report is usually available in audits of 401(k)s. Such a report provides evidence that controls have already been tested by the service organization’s auditor. And you can place reliance upon those tests. In most cases, substantive procedures can properly address risks of material misstatement. So this test requirement is usually not relevant. 

Optional Audit Test of Controls

We just covered the two situations when testing is required. All other control testing is optional.

internal controls

Prior to making the decision about testing, consider the following:

  • Do you anticipate effectiveness? There’s no need to test an ineffective control. 
  • Does the control relate to an assertion for which you desire a lower control risk? 
  • Will it take less time to test the control than to perform a substantive procedure? Sometimes you may not know the answer to this question until you perform the test of controls. If the initial test does not prove effectiveness, then you have to expand your sample or just punt—in other words, use a fully substantive approach. 
  • Will you use the control testing in conjunction with a test of details or substantive analytics? How would effective controls reduce these substantive tests? In other words, how much substantive testing time would you save if the control is effective?
  • Is the control evidence physical or electronic? For example, are the entity’s receipts in a physical receipt book or in a computer? It’s usually easier to test electronic evidence.
  • How large will your sample size be? Some controls occur once a month. Others, thousands of times in the period. The larger the population, the larger the sample. And, of course, the larger the sample size, the more time it will take to perform the test. 
  • Can you test the population as a whole without sampling? Data analytics software—in some instances—can be used to test the entire population. For example, if a purchase order is required for all payments above $5,000, it might be easy to compare all payments above the threshold to purchase orders, assuming the purchase orders are electronic. 

Three-Year Rotation of Testing

As I said earlier, audit standards allow a three-year rotation for testing. For example, if you test accounts payable controls in 2020, then you can wait until 2023 to test them again. In 2021 and 2022, you need to ensure that these controls have not changed. You also want to determine that those controls have continuing relevance in the current audit. How? See if the controls continue to address a risk of material misstatement. And as you perform your annual walkthroughs, inquire about changes, observe the controls, and inspect documents. Why? You want to know that everything is working as it was in 2020, when the initial test was performed. And, yes, you do need to perform those walkthroughs annually, if that is how you corroborate your understanding of controls.

In short, testing for effectiveness can, in most cases, occur every three years. But walkthroughs are necessary each year. If you tested sixty transactions for an appropriate purchase order in 2020, then you can wait until 2023 to do so again. But review of the purchase order process each year in your annual walkthroughs. 

So should you test controls at interim or after year-end?

Interim or Period-End Testing

Some auditors test controls after the period-end (after year-end in most cases). Others at interim. Which is best?

It depends.

interim audit test

Perform interim tests if this fits better in your work schedule. Here’s an example: You perform an interim test on November 1, 2021. Later, say in February 2022, consider whether controls have changed during the last two months of the year. See if the same people are performing those controls. And consider performing additional tests for the November 1 to December 31 period. Once done, determine if the controls are effective. 

Testing on an interim date is not always the answer. For example, if management is inclined to manipulate earnings near year-end, then interim tests may not be appropriate

If you choose to test after period-end, then do so for the full period being audited. Your sample should be representative of that timeframe.

So should you ever test controls at a point in time and not over a period of time? Yes, sometimes. For example, test inventory count controls at year-end only. Why? Well those controls are only relevant to the year-end count, a point in time. Most controls, however, are in use throughout the period you are auditing. Therefore, you need to test those controls over that period of time (e.g., year).

Conclusion

As I said above, many auditors tend to rely fully on substantive responses to the risks of material misstatement. But, in some cases, that may not be the best or wisest approach. If controls are designed well and functioning, why not test them? Especially if it takes less time than substantive procedures.

Finally, take a look at my two related articles regarding responses to the risk of material misstatement: (1) Test of Details: Substantive Procedures and (2) Substantive Analytical Procedures: Power Up.

>