$16 million stolen from bakery
Jul 01

How $16 Million was Stolen from a Bakery

By Charles Hall | Asset Misappropriation

$16 million was stolen from a bakery. You read that right.

Today I show you how large sums of money can be taken from a small business with one simple fraud scheme.

The Theft

Sandy Jenkins, the controller of Collin Street Bakery in Corsicana, Texas, made off with more than just fruitcakes. He took over $16 million, so says the FBI. And what did Mr. Jenkins do with the money?

He used the funds in the following ways:

  • $11 million on a Black American Express card
  • $1.2 million at Neiman Marcus in Dallas
  • 532 luxury items, including 41 bracelets, 15 pairs of cufflinks, 21 pairs of earrings, 16 furs, 61 handbags, 45 necklaces, 9 sets of pearls, 55 rings, and 98 watches (having an approximate value of $3.5 million)
  • Wine collection (having an approximate value of $50,000)
  • Steinway electronic piano (having a value of $58,500)
  • 223 trips on private jets (primarily Santa Fe, New Mexico; Aspen, Colorado; and Napa, California, among other places), with a total cost that exceeded $3.3 million
  • 38 vehicles, including many Lexus automobiles, a Mercedes Benz, a Bentley, and a Porsche
  • And more…

How the money was stolen

You might think that stealing $16 million would require an elaborate scheme. But did it? 

Here’s an example of his method: Jenkins would print a check to his personal credit card company, but he would void the check in the accounting system. (He still had the printed check.) Then, he would generate a second check for the same amount to a legitimate vendor, but the second check was never mailed. Next, Jenkins would send the first check to his credit card company.

The result: Jenkins’ credit card was paid, but the general ledger reflected a payment to an appropriate vendor.

$16 million was stolen from bakery

The Weakness that Led to the Theft

No one was comparing the cleared check payees to the general ledger. 

The Fix that Will Detect the Theft

Someone other than those who create checks should reconcile the bank statements to the general ledger. As they do, they should compare the cleared check payees to the vendor name in the accounting system. Some businesses have hundreds (or even thousands of checks) clearing monthly. Therefore, they may not desire to examine every cleared check. 

Alternatively, the business could periodically sample the cleared checks, comparing the cleared checks to the vendor payments in the general ledger. The persons creating checks should know that this test work will be performed. Doing so creates the camera effect. When people know their actions (in this case, the creation of checks) will be examined, they act differently–they are much less likely to steal.

If you desire a preventive control, require a second-person review of canceled checks.

Additionally, someone should be reviewing the profit margins of the company, comparing the ratios with prior periods.

Lastly, when segregation of duties is not possible, have the bank statements mailed to someone outside the accounting department such as an owner. That person should review the cleared checks before providing them to the accounting department. Alternatively, provide online access to the reviewing person. The reviewer should examine the cleared checks and provide documentation of his or her examination to the accounting department.

What Happened to Sandy Jenkins?

Sandy Jenkins was sentenced by U.S. District Judge Ed Kinkeade to serve a total of 120 months in federal prison. His wife, Kay Jenkins also pleaded guilty to one count of conspiracy to commit money laundering. Ms. Jenkins was sentenced to five years of probation.

In March 2019, Sandy Jenkins passed away in a federal prison.

Forthcoming Movie

You may be familiar with the movie Catch Me If You Can which chronicled the exploits of Frank Abagnale, one of the most brilliant cons of all time. Now, it appears there will be a new movie about another: Sandy Jenkins. 

Auditing Equity
Jun 15

Auditing Equity: The Why and How Guide

By Charles Hall | Auditing

Auditing equity is easy, until it’s not. 

Auditing equity is usually one of the easiest parts of an audit. For some equity accounts, you agree the year-end balances to the prior year ending balance, and you’re done. For instance paid-in-capital seldom changes. Often, the only changes in equity are from current year profits and owner distributions. And testing those equity additions and reductions in equity takes only minutes.

Nevertheless, auditing equity can be challenging, especially for businesses that desire to attract investors. Such companies offer complicated equity instruments. Why? The desire to attract cash without giving away (too much) power. And this balancing act can lead to complex equity instruments.  

Regardless of whether a company’s equity is easy to audit or not, below I show you how to focus on important equity issues.

Auditing Equity

Auditing Equity — An Overview

In this post, we will cover the following:

  • Primary equity assertions
  • Equity walkthroughs
  • Equity-related fraud and errors
  • Directional risk for equity
  • Primary risks for equity
  • Common equity control deficiencies
  • Risk of material misstatement for equity
  • Substantive procedures for equity
  • Common equity work papers
Continue reading
CPA's Office Setup
Jun 14

CPA’s Office Setup: A Behind-the-Scenes Spotlight

By Charles Hall | Technology

Is a CPA’s office setup important? You bet.

Like you, I am continually looking for ways to be more productive. I buy books, watch videos, and take note of how others work.

I like to see the offices of other CPAs. Here’s mine.

Multiple Monitors

Docking Station – I use a docking station that allows me to push one button to disconnect and place my laptop into a bag for travel. The docking station provides connectivity inputs behind my computer. Rather than disconnecting several wires to “set my computer free,” I push one button.

Multiple Monitors – I use multiple monitors. See how to review financial statements on computer screens.

50″ Monitor (on a swivel hinge) – This monitor is about two feet behind my desk. I use this screen as a fourth working monitor. For example, when I am reviewing financial statements, I sometimes place the balance sheet on the 50″ screen and a second copy of the financial statements on my lower center monitor. Then as I review the remainder of the statements (e.g., notes), I can glance at the balance sheet.

The 50″ monitor hangs from a swivel hinge. The swivel hinge allows me to tilt the screen in other directions when I am sharing information from my laptop with others in my office. We also use the monitor to watch webcasts. 

Todoist Checklist – I place all my outstanding to-do items in Todoist. Since Todoist integrates with Outlook, I usually have Outlook docked on the 50″ monitor. With just a glance, I can quickly see what I need to complete. With one click, I can add a new to-do item. And the to-do items I add on my laptop show up on my iPad and iPhone Todoist apps (and vice versa)–this integration is why I started using Todoist.

Logitech Camera – I often have online meetings and share information on my computer screen with those I am speaking with (I use Zoom). This Logitech camera (C930e) creates an excellent picture and sound so those I’m sharing with can see and hear me

iPhone on a Stand – Do you ever lay your phone down and later you can’t find it? (We used just to lose our keys, now it’s the phone and the keys.) This stand provides me with a consistent place for my phone. elago M2 Stand for all iPhones, Galaxy, and Smartphones (Angled Support for FaceTime), Black

printer shot

Fujitsu ScanSnap S1500 Scanner – When I receive physical paper documents, my usual first step is to scan the paper and place it (the paper) in my shred box. I use this scanner several times a day. Fujitsu ScanSnap iX1500 Color Duplex Document Scanner with Touch Screen for Mac and PC

Deluxe Shred Box – My deluxe shred box is a box top. I know, sophisticated, huh?

Landline Phone – I keep my phone over on my side table to keep it off my main desktop.

HP Printer – Many CPAs use a central printer for several people but think about the cumulative time you waste walking to the printer. HP Laserjet P2035 Printer

CPA's Office Setup

iPad – This is my favorite device. I use it mainly outside the office, but I place it on the corner of my desk, so I can quickly pick it up as I go out.

The Physical Library – I order most publications electronically, but for my physical books, I keep them handy here.

Adjustable Standup Desk – In my attempt to be a (little) more healthy, I bought this standup desk about three years ago. About once a day, I will print and stand while I review a set of financial statements–mainly to get my rear out of the chair. There has been a great deal of press lately about professionals (slowly) killing themselves by sitting too much. This desk does adjust down to the level of my main desktop, and it is mobile, so I use it–when I’m tired of standing–as an extension of my main desktop. I recently purchased a Varidesk for my home (not pictured). It raises up and down electronically. Somewhat expensive but the quality is outstanding.

Paper-in Tray – I use a three-level tray for my incoming paper. The top shelf is for newly arrived paper information.

conference space

Corner Meeting Spot –  I use this corner area as a place to meet with partners and staff, especially if they bring paper copies in to discuss.

Coffee Maker – This is probably the most important appliance in my office. No coffee, no Charles.


Whiteboard – If someone needs to draw an idea out, here’s the place. I sometimes take iPhone pictures of the information drawn on the board and then store it in Evernote.

Watercooler – Drinking plenty of water each day will enhance your stamina. You want to create energy that sustains you.

Your Ideas

How would you change my office? What additional ideas would you add to these?

Single Audit Major Program Determination
Jun 13

Single Audit Major Program Determination

By Charles Hall | Auditing

Single Audit major program determination can be challenging. And if this determination is wrong, your Single Audit will be wrong. 

So in this article, I explain how you can correctly determine your major programs in four steps. 

Single Audit Major Program Determination

First, understand that Single Audits focus on major programs. This is how you know which programs to test. So if your auditee has multiple federal programs, it's important to determine which are major and which are not. 

Here is a summary of the four steps of Single Audit major program determination:

  1. Identify Type A programs
  2. Identify Type A low-risk programs
  3. Identify Type B high-risk programs
  4. Determine major programs

(If you desire a deeper dive, watch the following video with a case study.)

Before you do any of these, create a list of all federal programs, similar to the schedule of expenditure of federal awards (the SEFA). The list is comprised of each federal program and the amounts expended. 

Next, apply the four steps to this list. We'll start by identifying the type A programs.

1. Identify Type A Programs

The type A threshold is $750,000 when the total federal awards expended are $25 million or less. So if you have a federal program of $750,000 or greater, then it's a type A program. Type B programs are those of less than $750,000. 

When total federal awards exceed $25 million, see the table below.

Total federal awards expended

Type A/B threshold

≥$750,000 and ≤ $25 million


>$25 million but ≤ $100 million

total federal awards expended times .03

>$100 million but ≤ $ 1 billion

$3 million

> $1 billion but ≤ $10 billion

total federal awards expended times .003

>$10 billion but ≤ $20 billion

$30 million

>$20 billion

total federal awards expended times .0015

Remove the Large-Loan Program Distortion

Large loan programs can potentially cause some type A programs to be excluded. In other words, large loan programs can cause some programs to be deemed type B though they should be type A. Therefore, the auditor subtracts any large loan balances from the total federal programs before determining what programs are type A.

And what are large loan balances? They are loan programs that exceed four times the largest non-loan program.

So see what the largest non-loan program is and multiply that amount times four. Then see if any loan programs exceed that amount. If they do, subtract the large loan program from the total federal awards before determining the A/B thresholds. See §200.518 (b)(3) for more information. 

Clusters are One Program

Additionally, if the entity has a cluster such as student financial aid, then treat that program as one program. Clusters have multiple CFDA numbers for each grant but are treated as one program when performing a Single Audit. The Compliance Supplement states "a cluster of programs means a grouping of closely related programs that share common compliance requirements." So if you have a cluster, add all the grants together to see if the total cluster exceeds the type A threshold. (See part 5 of the Compliance Supplement for additional information about clusters.)

No Type A Programs

What if there are no type A programs? Then go to step 4 and pick enough programs to satisfy the coverage requirement. 

Next, we'll see how to identify low-risk type A programs. 

2. Identify Low-Risk Type A Programs

The Uniform Guidance provides the auditor with criteria in §200.518 (c) for determining whether a type A program is low risk. Type A programs that meet these criteria are low-risk. Programs that do not meet these criteria are not low-risk. 

The Uniform Guidance says,

For a Type A program to be considered low-risk, it must have been audited as a major program in at least one of the two most recent audit periods.

Consequently, a type A program will be major at least once every three years.

Additionally, the Uniform Guidance goes on to say:

in the most recent audit period, the program must have not had:
(i) Internal control deficiencies which were identified as material weaknesses in the auditor's report on internal control for major programs as required under §200.515 Audit reporting, paragraph (c);
(ii) A modified opinion on the program in the auditor's report on major programs as required under §200.515 Audit reporting, paragraph (c); or
(iii) Known or likely questioned costs that exceed five percent of the total Federal awards expended for the program.

Additionally, federal agencies can request that programs not be considered low-risk for certain recipients. If such a request is made, the program will not be low risk. 

But if the factors listed above don't lead to a high-risk classification, can the auditor use inherent risk factors such as size and complexity to move the assessment to high risk? No. The auditor must use the criteria listed above. 

And what if there are no low-risk programs?

No Low-Risk Type A Programs

If there are no low-risk type A programs then step 3, identifying high-risk type B programs, is not necessary. Go directly to step 4: Determine major programs. 

Now, let's take a look at step 3: Identifying high-risk type B programs.

3. Identifying High-Risk Type B Programs

The auditor identifies the type B programs by using their judgment and criteria such as that listed below. But how many high-risk type B programs should the auditor identify? No more than at least one-fourth the number of low-risk type A programs.

Additionally, the auditor is only required to perform risk assessments of type B programs that exceed 25% of the type A threshold (e.g., 25% of 750,000 is $187,500). If all of the type B programs are less than this amount, then none are assessed. And you skip step 3. But if you have type B programs greater than this 25% amount, perform risk assessments.

In determining whether a type B program is high-risk, the auditor should use factors such as:

  • The complexity of the program
  • The phase of the program in its life cycle (newer programs may be higher risk)
  • The degree of significant changes in the program or related statutes and regulations
  • The size of the program (programs with larger expenditures are higher risk)
  • Weaknesses in internal controls as related to compliance requirements (e.g., controls to ensure allowability of costs)
  • Prior audit findings
  • The structure of the internal control system (multiple structures tend to be higher risk)
  • Federal programs not recently audited as a major program
  • Oversight by a federal agency (if their review noted issues, then the program could be higher risk)

Other than known material control weaknesses in internal controls pertaining to compliance requirements or known compliance problems, a single risk criterion will seldom cause the program to be high risk.

But what if there are no high-risk type B programs?

No High-Risk Type B Programs

If there are no high-risk type B programs, then none are major. This is true even if there are low-risk type A programs. You can't make a type B program high-risk just because a low-risk type A program exists (and you're trying to meet the one-fourth of type A low-risk requirement). So, assess the program in light of the criteria. And let it be what it is, whether high-risk or low-risk.

If, however, there are multiple high-risk type B programs, a potential problem arises: identifying too many high-risk programs.

Identify Only What is Required

Don't make the mistake of identifying more high-risk type B programs than what is necessary. If you do, then you must test them all (those you identified as high-risk). So, once you have identified the requisite number of high-risk type B programs, stop. 

If there are multiple potential type B high-risk programs and not all are identified as high-risk, then consider rotating the programs tested each year. 

Rotate Programs Tested

The Uniform Guidance (§200.518) encourages providing "an opportunity for different high-risk type B programs to be audited as major over a period of time." So if the auditor only needs one type B high-risk program, for example, and there are multiple potential high-risk type B programs, then it is desirable to identify a different one as major each year. That way, different type B high-risk programs will be audited over time.

We're almost done. Now, let's determine the major programs.

4. Determine Major Programs

At a minimum, the following will be your major programs:

  • All type A programs not identified as low risk
  • All type B programs identified as high-risk
  • Any additional programs needed to comply with the percentage of coverage rule

So what is the percentage of coverage rule? It's 20% for low-risk auditees and 40% for those that are not low-risk auditees. But what does this mean? Well, let's look at an example to clarify.

Suppose the entity is a low-risk auditee. And suppose the entity has type A program that is not low risk (it's a major program). It makes up 17% of the total federal awards. All other programs are type B and none is considered major. What should be done? Pick a type B program and test it. But the program picked must bring the total tested to at least 20% of the total federal awards. Now you've complied with the coverage rule.

The low-risk auditee criteria follows below. Though there are similarities with program risk assessment criteria shown above, there are differences as well. 

Low-Risk Auditee

An auditee must meet all of the following conditions for each of the preceding two audit periods to qualify as a low-risk auditee:

  • An annual Single Audit was performed and the reporting package was timely filed with the Federal Audit Clearinghouse
  • The auditor issued an unmodified opinion on the financial statements and on the schedule of expenditures of federal awards
  • There were no internal control material weaknesses in the Yellow Book report
  • The auditor's opinion did not report substantial doubt about the entity's ability to continue as a going concern
  • No federal programs had findings from any of the following in the preceding two years:
    • No material weaknesses in internal control for a major program
    • No modified opinion on a major program
    • No known or likely questioned costs that exceeded five percent of the total federal awards expended for a type A program during the audit period

So if the entity meets all of these conditions, it is a low-risk auditee and you can use the 20% threshold. If not, use 40%.

Meeting the percentage of coverage rule does not by itself permit the auditor to skip remaining steps. Suppose in step 2. that one type A program is 50% of the total federal awards and is identified as a major program, can the auditor skip step 3.? Not necessarily. Coverage does not exempt the auditor from following the remaining steps. 

Four Steps of Major Program Determination

Now you know how to determine which programs are major. These are the programs you'll test for compliance. You'll also test related compliance internal controls.

Additionally, you now know how to determine whether an entity is a low-risk auditee.

You may want to save this article and keep it handy. Why? Well, the four-step determination is relevant in every Single Audit. 

If you're looking for information about whether an entity is required to have a Single Audit, see my article

Single Audit Applicability
Jun 07

Single Audit Applicability and Objectives

By Charles Hall | Auditing , Local Governments

Your organization received federal funds but you're not sure about Single Audit applicability. Should you engage an audit firm to perform a Single Audit or not? 

In this article, I'll help you determine whether a Single Audit is needed. I'll also explain the objectives of such an audit. Why? So you can understand what auditors are looking for.

Single Audit Applicability

Single Audit: What is it?

Many nonprofits and governments receive federal funds from the United States government. And some of those entities are required to have a Single Audit.

But what is a Single Audit? It's just what it says: a single audit. Of what? A single audit of all federal awards received by a nonprofit or a government. 

For example, a county government might receive disaster funds from FEMA and a block grant from HUD. But rather than contracting for two separate audits, a Single Audit of both programs is performed. This audit requirement is usually triggered when total federal awards exceed $750,000 in one year.

The Uniform Guidance

So what guidance does the auditor and the nonfederal organization (government or nonprofit) follow? The Office of Management and Budget's (OMB) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awardscommonly referred to as the Uniform Guidance.

Subpart F, Audit Requirements, provides guidance for auditors.

Next, let's dig a little deeper regarding Single Audit applicability.

Single Audit Applicability

When is a Single Audit required? The Uniform Guidance states: A non-Federal entity that expends $750,000 or more during the non-Federal entity's fiscal year in Federal awards must have a single audit. (There is an exception. That's when the entity elects to have a program specific audit.)

But what does expend mean? Typically the word means that an entity spends money. But the word expend has a broader meaning in Single Audits. For example, the word includes:

  • receipt of federal property or goods (e.g., surplus property or commodities)
  • receipt and use of federal loans 
  • loan balances with the federal government (when there are continuing compliance requirements)
  • interest subsidies from the federal government

So if the government or nonprofit expends at least $750,000 in federal funds during its fiscal year, a Single Audit is necessary. If it expends less than $750,000, then a Single Audit is normally not required. States may, however, require a Single Audit even though amounts expended are less than $750,000.

Does the entity look solely at funds received directly from the federal government? No. Federal awards may come directly from a federal agency. But they may also come indirectly through a pass-through entity such as a state. The nature of the federal funds does not change as it passes through an entity (e.g., a state). It's still federal money.

In light of these facts, how does the Uniform Guidance define federal financial assistance? Let's take a look.

What is Federal Financial Assistance?

The Uniform Guidance defines federal assistance in the following manner:

§ 200.40 Federal financial assistance.

(a) Federal financial assistance means assistance that non-Federal entities receive or administer in the form of:

  (1) Grants;

  (2) Cooperative agreements;

  (3) Non-cash contributions or donations of property (including                 donated surplus property);

  (4) Direct appropriations;

  (5) Food commodities; and

  (6) Other financial assistance (except assistance listed in paragraph       (b) of this section).

(b) For § 200.202 Requirement to provide public notice of Federal financial assistance programs and Subpart F - Audit Requirements of this part, Federal financial assistance also includes assistance that non-Federal entities receive or administer in the form of:

  (1) Loans;

  (2) Loan Guarantees;

  (3) Interest subsidies; and

  (4) Insurance.

Total of Federal Assistance

The non-federal entity adds all federal financial assistance together to see if they exceed the $750,000 threshold. If, for example, a county government expends $500,000 in block grant funds and $450,000 in disaster funds during its fiscal year, then a Single Audit is necessary. 

Now that you understand Single Audit applicability, you may be wondering what the objectives are. 

Objectives of a Single Audit

The easiest way to understand the objectives of a Single Audit is to look at a Single Audit report. See example 13-1 from the AICPA. There are two main objectives. 

1. Opinion on Compliance with Federal Program Requirements

First, understand that the auditor provides an opinion regarding the entity's compliance with major federal program requirements.

A portion of that wording reads as follows:

Opinion on Each Major Federal Program
In our opinion, Example Entity complied, in all material respects, with the types of compliance requirements referred to above that could have a direct and material effect on each of its major federal programs for the year ended June 30,20X1.
2. Reporting on Internal Control Testing

Second, understand that the auditor reports on internal control testing. While no audit opinion is rendered by the auditor, the controls are tested nonetheless.  

A portion of that wording reads as follows:

Report on Internal Control Over Compliance
Management of Example Entity is responsible for establishing and maintaining effective internal control over compliance with the types of compliance requirements referred to above. In planning and performing our audit of compliance, we considered Example Entity's internal control over compliance with the types of requirements that could have a direct and material effect on each major federal program to determine the auditing procedures that are appropriate in the circumstances for the purpose of expressing an opinion on compliance for each major federal program and to test and report on internal control over compliance in accordance with the Uniform Guidance, but not for the purpose of expressing an opinion on the effectiveness of internal control over compliance. Accordingly, we do not express an opinion on the effectiveness of Example Entity's internal control over compliance.

Single Audit Applicability and Objectives

In summary, Single Audits are necessary when an entity expends $750,000 or more. And the objectives of the audit are to provide an opinion on compliance with federal requirements and to report on the internal control testing.