secret bank accounts
Feb 27

Secret Bank Accounts Cause Fraud Losses

By Charles Hall | Asset Misappropriation

Secret bank accounts lead to havoc. 

Substantial losses can occur when unauthorized bank accounts are opened by company personnel. 

secret bank accounts


Secret Bank Account Leads to $53 in Theft

A finance director opened an unknown bank account in the name of a city, stealing over $53 million

Four things happened:

1. The fraudster opened an unauthorized bank account in the name of the entity (and signed the bank’s signature card).

2. That person did not set up the secret bank account in the general ledger.

3. The fraudster transferred money from a legitimate bank account to a hidden one. (The thief provided fake invoices to support the payments.)

4. The fraudster withdrew money from the hidden account.

Covering Up the Theft

Here’s the journal entry when step 3 occurred:

Debit - Expense    $200,000

Credit - Cash                               $200,000

The payments from the secret bank account (step 4.) are not recorded (since that bank account is not on the entity’s general ledger). 

Weak Segregation of Duties

Such a scheme is possible when the fraudster can:

1. Sign checks for the real bank account (or by other means, transfer money from the legitimate bank account to the unauthorized bank account)

2. Reconciles the real bank account (and no one else sees the cleared checks)

Another Secret Bank Account Fraud

Another twist on this type of fraud:

1. A hospital CFO set up a secret bank account for State Medicaid payments. (CFO had signature authority for the bank account.)

2. The hospital CFO did not set up the unauthorized bank account in the general ledger.

3. The State made electronic payments to the secret bank account.

4. CFO wrote checks to himself (for over $10 million).

Actions to Take: Ask your banks for a list of all bank accounts; compare that list to the bank accounts on your general ledger. Additionally, you should contact other banks in your area, those with which your company does not do business. Finally, you should contact all payors (e.g., Medicaid) and confirm the bank accounts to which they make payments; see if those bank accounts are on the general ledger

Another Bank Account Fraud

In another fraud, a company made frequent payments to vendor bank accounts.

The company’s CFO set up bank accounts in the name of actual vendors and made payments to those accounts

The CFO withdrew funds from the secret vendor bank accounts

When the CFO was about to be caught, he fled and hid on the Appalachian Trail for over five years. 

Action to Take: Confirm bank account numbers with vendors. 

SAS 143
Feb 18

SAS 143, Auditing Accounting Estimates

By Charles Hall | Auditing

In this article, I explain SAS 143, Auditing Accounting Estimates and Related Disclosuresa new audit standard applicable for periods ending on or after December 15, 2023.   

We'll look at the objectives of SAS 143, auditor responsibilities (including risk assessment and responses), the nature of estimates, documentation requirements, and overall evaluation of your work to ensure appropriateness and completeness. 

Auditing estimates

Estimate Examples

To get us started, here are a few examples of estimates:

So, what is an accounting estimate? It's a monetary amount for which the measurement is subject to estimation uncertainty. Of course, you need to consider the financial reporting framework as you think about the estimate. For example, an estimate might be significantly different when using GAAP versus a regulatory basis. 

But what is estimation uncertainty? It's the susceptibility of an estimate to an inherent lack of precision in measurement. In layperson's terms, it's an estimate that is hard to pin down.

SAS 143 Objectives

The objective of SAS 143 is to see if the accounting estimate and related disclosures are reasonable by obtaining sufficient appropriate audit evidence. 

Nature of Estimates

Some estimates are simple, while others are difficult. For example, estimating the economic life of a vehicle is straightforward, but computing an allowance for uncollectible receivables might be complex.

But even one type of estimate, such as an allowance for uncollectible, can vary in complexity. For example, the allowance computation for uncollectible receivables is usually more complex for a healthcare entity (e.g., more payor types) than for a small business. Why? Because it is more complex and more challenging to determine. Therefore, the estimation uncertainty for a healthcare entity (with many payor types) is higher than that of a small business with one type of customer. Additionally, the volume of transactions could be higher for a healthcare entity versus a small business. 

Estimation Uncertainty

So, the inherent subjectivity of an estimate creates estimation uncertainty. 

Consider estimation uncertainty in this manner: ask twenty people to compute the allowance for a hospital and then ask them to do the same for the small business's uncollectible estimate. How much variation would you expect? Yes, much more for the hospital because the inherent risk is higher. 

SAS 143 tells us to increase our risk assessment procedures and further audit procedures as the estimation uncertainty increases. We perform more risk assessment work concerning the hospital's allowance than that of the small business. Moreover, we complete more extensive further audit procedures for the hospital's allowance than for the small business's estimate. 

More risk, more work. 

To understand SAS 143, we need to know the underlying concepts.

SAS 143 Concepts

SAS 143

Relevant Assertions

You need to assess the risk of material misstatement at the relevant assertion level. Further, you are required to assess inherent risk and control risk separately. And as you assess inherent risk, you might encounter significant risks. 

The Spectrum of Inherent Risk

Usually, a hospital's valuation assertion related to receivables is relevant, and the inherent risk is often high due to its subjectivity, complexity, and volume of transactions (i.e., inherent risk factors). Therefore, the valuation assertion's risk might fall toward the end of the spectrum of inherent risk. On a ten-point scale, we might assess the inherent risk as a nine or a ten. And if we do, it is a significant risk, affecting our professional skepticism.

Professional Skepticism and Estimates

Our professional skepticism increases as the estimation uncertainty rises (or at least, it should). Why? The potential for management bias may be present since it's easier to manipulate complex estimates. And complexity can be a smokescreen to hide bias, increasing the need for internal controls.

Estimate Controls

As estimates become more complex, entities increase internal controls (or at least, they should). And consequently, auditors need to evaluate the design and implementation of those controls. Additionally, auditors must determine whether they will test the controls for effectiveness. 

Another SAS 143 concept is the reasonableness of the estimate.

Reasonableness of Estimates

For an estimate to be reasonable, the applicable financial reporting framework must be its basis. Additionally, management should consider the facts and circumstances of the entity and the related transactions. In creating a reasonable estimate, management will often use the following:

  • A method
  • Certain assumptions
  • Data

Let's consider these elements using the allowance for uncollectible receivables. 

First, management considers the financial reporting framework. If the entity uses GAAP, it makes sense to create the estimate. No allowance is necessary if the cash basis of accounting is in use. In this example, we'll assume the company is using GAAP.

Estimate Method

In computing an allowance for uncollectible, an entity might calculate the estimate as a total of the following:

  • 20% of receivables outstanding for more than 60 days
  • 60% of receivables outstanding for more than 90 days
  • 90% of receivables outstanding for more than 120 days

Estimate Assumptions

And what assumptions might management consider? Bad debt percentages have stayed the same over time. The company needs to increase the percentages if collectible amounts erode. 

Estimate Data

Finally, consider the allowance data. In this example, it would typically be an aged receivable listing. Such a listing breaks receivables into aging categories (e.g., 0 to 30 days; 31 to 60 days; etc.). Such data should be consistent. Suppose the company purchases new software that computes the aged amounts differently using different data than previously. If this occurs, management and the auditors need to consider the reasonableness of the new data. 

Is the Estimate Reasonable?

Most importantly, estimates need to make sense (to be reasonable) in light of the circumstances. While consistent methods, assumptions, and data are desirable, change, such as a slowdown in the economy, can require new ways of computing estimates.

One more concept is that of management's point estimate and disclosure.

Management's Point Estimate and Disclosure

The auditor will examine management's point estimate and the related disclosures to see if they are reasonable. How? Review the estimate's development (how was it computed?) and the nature, extent, and sources of estimation uncertainty. 

If circumstances are similar to the prior year, then the estimate's method, assumptions, and data will typically be similar. Likewise, the disclosure will be much like the preceding period. 

But if, for example, the economy slows significantly, the percentages applied to the aged receivable categories (see above) may need to increase so that the allowance for uncollectible is higher. The auditor might question the estimate if management did not raise these percentages. 

The company should disclose how the estimate is created and the nature, extent, and sources of estimation uncertainty. 

Now, let's see what the SAS 143 requirements are.

SAS 143 Requirements

SAS 143

The requirements for estimates are conceptually the same as in any area. The auditor does the following:

  • Perform risk assessment procedures
  • Identify and assess the risk of material misstatement
  • Develop responses to the identified risks and carry those out

1. Perform Risk Assessment Procedures for Estimates

As you consider the entity and its environment, consider the following:

  • Transactions and other events that give rise to the need for estimates and changes in estimates
  • The applicable financial reporting framework as it relates to estimates
  • Regulatory factors affecting estimates, if any
  • The nature of estimates and related disclosures

Next, as you consider internal control, ask about the following:

  • Nature and extent of estimate oversight (who oversees the estimate? how often is the estimate being reviewed?)
  • How does management identify the need for specialized skills or knowledge concerning the estimate?
  • How do the entity's risk assessment protocols identify and address risks related to estimates?
  • What are the classes of transactions, events, and conditions giving rise to estimates and related disclosures?
  • How does management identify the estimate's methods, assumptions, and data sources?
  • Regarding the degree of estimation uncertainty, how does management determine the range of potential measurement outcomes?
  • How does management address the estimation uncertainty, including a point estimate and related disclosures?
  • What are the control activities relevant to the estimate? (e.g., second-person review of the computation)
  • Does management review prior estimates and the outcome of those estimates? How does management respond to that review?

Additionally, the auditor reviews the outcome of prior estimates for potential management bias

If there are any significant risks (inherent risk falling toward the end of the spectrum of risk), the auditor should understand the related controls and, after that, see if they are designed appropriately and implemented. 

And finally, the auditor considers if specialized skills or knowledge are needed to perform risk assessment procedures related to estimates. 

Of course, after you do your risk assessment work, it's time to assess the risk.

2. Identify and Assess the Risk of Material Misstatement

SAS 143, as we have already seen, requires a separate assessment of inherent risk and control risk for each relevant assertion.

In assessing inherent risk, the auditor will consider risk factors such as complexity, subjectivity, and change. It's also important to consider the estimate method and the data used in computing management's point estimate. 

Some estimates represent significant risks. So, for example, if the computation of warranty liability is complex or has a high degree of estimation uncertainty, then identify the liability as a significant risk since the valuation assertion is high risk (toward the upper end of the spectrum of inherent risk).

Auditing estimates

3. Responses to Assessed Risk of Material Misstatement

Once the assessment of risk is complete, you are in a position to create responses. As usual, document linkage from the risk level to the planned procedures. Higher risk calls for more extensive actions. 

If, for example, the auditor identifies an estimate as a significant risk, go beyond basic techniques (i.e., more than a basic audit program). 

Additionally, base those responses on the reasons for the assessments. In other words, create audit procedures based on the nature of the risk. Performing more procedures unrelated to the identified risk is of no help. 

Three Responses to Risks Related to Estimates

The audit procedures need to include one or more of the following three steps:

  1. Obtain audit evidence from events occurring up to the date of the auditor's report
  2. Test how management made the accounting estimate by reviewing the following: 
    • Methods in light of: 
      • Reporting framework
      • Potential management bias
      • The estimation computation (is it mathematically correct?)
      • Use of complex modeling, if applicable
      • Maintenance of the assumptions and data integrity (does this information have integrity?)
    • Assumptions; address the following: 
      • Whether the assumptions are appropriate
      • Whether the judgments made in selecting the assumptions give rise to potential bias
      • Whether assumptions are consistent with each other
      • When applicable, whether management has the intent and ability to carry out specific courses of action
    • Data; address the following: 
      • Whether the data is appropriate
      • Whether judgments made in selecting the data give rise to management bias
      • Whether the data is relevant and reliable
      • Whether management appropriately understands and interprets the data
    • Management's point estimate and related disclosure; address the following: 
      • How management understands estimation uncertainty
      • See if management took appropriate steps in developing the point estimate and related disclosure
      • If the auditor believes management has not sufficiently addressed estimation uncertainty, the following should occur: 
        • Request management perform additional procedures to understand the estimation uncertainty; consider disclosing more information about the estimation uncertainty
        • Develop an auditor's point estimate or range if management's response to the auditor's request in the prior step is not sufficient
        • Evaluate whether an internal control deficiency exists
  3. Develop an auditor's point estimate or range; do the following: 
    • Include procedures to evaluate whether methods, assumptions, or data are appropriate
    • When the auditor develops a range,  
      • Determine whether the range includes only amounts supported by sufficient audit evidence and are reasonable in the context of the reporting framework
      • Review disclosures related to estimation uncertainty, design and perform procedures regarding the risk of material misstatement (i.e., determine if the disclosure provides sufficient information regarding estimation uncertainty)

Once you complete your audit work related to estimates, evaluate what you've done. 

Overall Evaluation of Estimate Work

SAS 143

Evaluate the sufficiency of your estimate work by considering the following:

  • Are the risk assessments at the relevant assertion level still appropriate?
  • Do management's decisions regarding recognition, measurement, presentation, and disclosure of the estimates agree with the financial reporting framework? 
  • Has sufficient appropriate evidential matter been obtained?
  • If evidence is lacking, consider the impact on the audit opinion
  • Has management included disclosures beyond those required by the financial reporting framework when needed for fair presentation?

Here are some additional considerations in determining if your work is complete.

Documentation of Estimate Work

SAS 143 says that the auditor's documentation should include the following:

  • The auditor's understanding of the entity and its environment, including internal controls related to estimates
  • Linkage of further audit procedures with the risks of material misstatement at the assertion level
  • Auditor's responses when management has not taken appropriate steps to understand and address estimation uncertainty
  • Indicators of possible management bias related to estimates
  • Significant judgments related to estimates and related disclosures in light of the reporting framework

Governance Communication Regarding Estimates

Finally, consider whether you should communicate estimate matters to those charged with governance, especially if a high estimation uncertainty is present. 

SAS 143 Summary

While SAS 143 requires that auditors understand the estimation process and then perform procedures to ensure the reasonableness of the numbers and disclosures, there's nothing unusual about this. We gain an understanding of the estimates, assess the risk, and create responses. 

Many estimates, such as plant, property, and equipment depreciation, are simple. In those areas, there's little to do. But as always, our risk assessment and responses will increase as complexity and uncertainty increase. 

You may also be interested in my article titled SAS 145: New Risk Assessment Standard.

Over Auditing
Jan 28

Are You Over Auditing and Wasting Time?

By Charles Hall | Auditing

Are you over auditing?

In this article, I explain how you can stop over auditing and wasting precious time. You’ll soon know why to leave in and what to leave out.

Over auditing

Are You Over Auditing?

Ten audit engagements.

Each audit file with a different risk profile.

Each with a different audit plan.

Each file begging for attention in certain areas.

This afternoon I met with two CPAs to discuss ten audits they perform. Specifically we were looking to see what needed to be done, and maybe more importantly, what was not needed.

The concern was “over auditing.”

For as long as I can remember, CPAs have asked, “what am I doing that is not necessary?”

My answer is always the same: audit areas that have a risk of material misstatement. Drop everything else.

Removing Unnecessary Audit Steps

Well, how do you know if an audit procedure is not needed?

Look at the prior year workpaper and ask, “what relevant assertion and in what transaction cycle does this procedure address?” If you can’t connect the workpaper to a risk, then it’s probably not needed.

You can “reverse engineer” an audit by looking at the prior year workpapers and asking this same question over and over again: “what risk of material misstatement does this workpaper address?”

Adding Necessary Audit Steps

Then—and more importantly—“forward engineer” the audit plan by assessing your risk for each relevant assertion and planning (and linking) a procedure to satisfy (lower) the risk of material misstatement.

Brevity of Audit File

An audit file needs to be tight, without waste.

Moreover, let it speak of the important—and nothing else. An audit file is somewhat like a good speech: There are no wasted words.

So, can excessive work papers create problems?

Excessive Work Papers Create (at least) Two Problems

Excessive (or unneeded) work papers can create problems, including:

1. Clutter (which degrades the message)
2. Legal exposure

Why do I say legal exposure? If your work papers are subpoenaed and there are unnecessary work papers, the opposing party may find contradictory information that works against you.

Then you know what would come next: the opposing attorney holding up a damning document as she asks, “did this work paper come from YOUR audit file?”

Keep things lean.

Right Audit Steps

In summary, say what needs to be said, and nothing more.

In other words, follow these steps:

1. First, assess risk.

2. Next, plan responses to those risks.

3. Then, perform those procedures.

4. And finally, don’t do anything else. 

With these steps, your audit file will say what it needs to say—and nothing else. And you will not be over auditing.

See my related article titled Seven Excuses for Unnecessary Audit Work Papers

Check out my book on Amazon: The Why and How of Auditing

New SSARS Book
Jan 07

New SSARS Book – Second Edition

By Charles Hall | Preparation, Compilation & Review

Are you looking for preparation of financial statement assistance? How about compilation engagement guidance? If you are a CPA that provides these services, you'll find help in the second edition of my book: Preparation of Financial Statements and Compilation Engagements.


Purpose of the Book

CPAs create and issue financial statements. In doing so, they follow Statement on Standards for Accounting and Review Services (SSARS), including AR-70 (Preparation of Financial Statements) and AR-80 (Compilation Engagements). But in doing so, they run into questions such as:

  • Can I issue financial statements without a compilation report?
  • What is the difference between a preparation engagement and a compilation engagement?
  • Which basis of accounting can I use?
  • What disclosures are required?
  • Can I include supplementary information with financial statements?
  • Who can use the financial statements?
  • What documents are necessary for the engagement file?
  • Is an engagement letter required?
  • Must I be independent?
  • What actions commonly impair independence?
  • Is a peer review required if I perform preparation and compilation services?

To help you answer these questions and many others, I have updated my book (2nd edition): Preparation of Financial Statements and Compilation Engagements.

It's an easy-to-understand reference book for those of you performing preparation and compilation engagements.

SSARS book

Praise for the Book

Here's what CPAs are saying about the book:

Charles is a master at illustrating and contrasting preparation and compilation engagements and pointing out potential pitfalls to be aware of. Much more user-friendly and applicable to the small-firm practitioner than the big-ticket reference manuals. 
Don Vieira, CPA
 Centinel Pacific Accounting, LLC
Wasilla, Alaska

I recommend this book be a part of your guidance materials used when preparing financial statements or performing a compilation under the Statements on Standards for Accounting and Review Services. 
Mike Brand, CPA, CGMA
BMSS Advisors & CPAs
Huntsville, Alabama

In Preparation of Financial Statements and Compilation Engagements, Charles provides practitioners with an easy-to-reference manual on the best practices around preparation and compilation engagements. This easy-to-read book will help practitioners ensure they are meeting the standards. 
Melisa F. Galasso, CPA, CSP, CPTD
CEO, Galasso Learning Solutions

Get the New SSARS Book

The book is available on Amazon in a Kindle or paperback format. 

Check it out here.

Finance and operating leases
Dec 11

Finance and Operating Leases: Lessees

By Charles Hall | Accounting

Most CPAs grapple with leases from the lessee’s point of view, so in this post, we’ll look at finance and operating leases from the lessee’s perspective. Under the new lease standard (ASC 842, Leases), what are the types of leases? Does the accounting vary based on the type of lease? Are lease expenses different?

First, let’s start by defining the types of leases and how to classify them.

Lease accounting

The Types of Leases

Upon the commencement date of the lease, the company should classify the lease as either a finance or an operating lease using ASC 842. (Under ASC 840, a finance lease was referred to as a capital lease.)

Finance Lease

So what is a finance lease? A lease is considered a finance lease if it meets any of the following criteria:

  1. The lease transfers ownership of the underlying asset to the lessee by the end of the lease term
  2. The lease grants the lessee an option to purchase the underlying asset that the lessee is reasonably certain to exercise
  3. The lease term is for the major part of the remaining economic life of the underlying asset (today, we use the 75% rule)
  4. The present value of the sum of the lease payments and residual value guarantee equals or exceeds substantially all of the fair value of the underlying asset (today, we use the 90% rule)
  5. The underlying asset is of such a specialized nature that it is expected to have no alternative use to the lessor at the end of the lease term

While the bright-line criteria (e.g., the lease term of 75% or more of economic life) have been removed, the basis for conclusions in the new lease standard acknowledges some old rules of thumb.  It says that one reasonable approach to determining whether the lease is for a significant portion of the asset’s life is the 75% threshold. The conclusion goes on to say that “90 percent or greater is ‘substantially all’ of the fair value of the underlying asset.” So, in effect, FASB removed the bright lines as a rule but not in principle–the conclusion says FASB “does not mandate those bright lines.”

Operating Lease

And what is an operating lease? It’s any lease that is not a financing lease.

Accounting Similarities and Differences

Both operating and finance leases result in a right-of-use asset and a lease liability. The subsequent accounting for the two types of leases is quite different.

Finance Lease Accounting

The accounting for a finance lease–using ASC 842–is similar to capital lease accounting under ASC 840.

When a company enters a finance lease, it records the right-of-use asset and the lease liability. The amortization of the right-of-use asset will be straight-line, and the amortization of the liability will be accounted for using the effective interest method. Consequently, lease expenses are front-loaded (i.e., expenses will decline throughout the lease term). The amortization and interest expenses will be presented separately on the income statement.

As we are about to see, operating lease accounting is significantly different, particularly with regard to accounting for the lease expense and the amortization of the right-of-use asset.

Operating Lease Accounting

The primary change in lease accounting lies in the operating lease area. Under ASC 842, a company will book a right-of-use asset and a lease liability for all operating leases greater than twelve months in length (an election has to be made to exclude leases of twelve months or less). Under ASC 840, no asset or liability was recorded.

Will the operating lease expense be any different than it has been? No. But the recording and amortization of the right-of-use asset and the lease liability are new.

The Initial Operating Lease Entries

Let’s say a company has a five-year operating lease for $1,000 per month and will pay $60,000 over the life of the lease. How do we account for this lease? First, the company records the right-of-use asset and the lease liability by discounting the present value of the payments using the effective interest method.  In this example, the present value might be $54,000. As the right-of-use asset and lease liability are amortized, the company will (each month) debit rent expense for $1,000—the amount the company is paying. So the expense amount is the same as it was under ASC 840.

Amortizing the Right-of-Use Asset and the Lease Liability

How does the company amortize the right-of-use asset and the lease liability? The lease liability is amortized using the effective interest method, and the interest expense is a component of the rent expense. What’s the remainder of the $1,000? The amortization of the right-of-use asset. The $1,000 rent expense comprises two parts: (1) the interest expense for the month and (2) the right-of-use amortization amount, which is a plug to make the entry balance. Even though the rent expense is made up of these two components, it appears on the income statement as one line: rent expense (unlike the finance lease, which reflects interest expense and amortization expense separately).

Potential Impairments

Due to the straight-line lease expense calculation mechanics, the right-of-use asset amortization expense is back-loaded (i.e., the amortization expense component is less in the early part of the lease). One potential consequence of this slower amortization is that the right-of-use asset is more likely be impaired (at least as compared to a financing lease). The impairment rules do apply to the right-of-use asset.

Here’s a video showing you the journal entries for financing and operating leases.

Your Thoughts

So, what do you think of the new lease accounting? Is it better? Worse?

You can see my first two lease posts here:

Post 1: How to Understand the New Lease Accounting Standard

Post 2: Get Ready for Changes in Leases and the Leasing Industry

>