Do you ever feel trapped by an audit? Like you can’t finish. It started so well, but somewhere along the way, something went wrong. The wheels came off.
Maybe it started with your acceptance of a new client that you didn’t feel good about from the beginning.
Or possibly your new staff members don’t understand risk assessment. So they blindly followed last year’s work papers. However, the auditee has new risks, and the audit team failed to address them.
Wow, the audit budget is busted. But you still need to finish the substantive and wrap-up work. Just creating financial statements will take a week.
Additionally, you’re in a peer review year.
The clock is ticking. And how do you feel? Trapped!
My new book explains the full audit process, from beginning to end, from client acceptance to audit opinion issuance. Also, you’ll find helpful guidance for the audit of transaction cycles such as receivables and revenue, payables and expenses, debt, payroll, and more—all in one easy-to-understand book.
Discover helpful ways to plan, execute, and complete your audit engagements.
Imagine: quality audits finished on time.
Praise for The Why and How of Auditing
Need a quick-reference audit guide? This is it. Charles walks you from the beginning of the audit process all the way to the end, an excellent plain-english guide.
Mark Wiseman, CPA, CMA, Partner Brown, Edwards & Company, L.L.P. Roanoke, Virginia
This is a great how-to, hands-on guide that will help you conduct a quality audit and provide value to your clients. Go over a chapter a week with your audit team. The book provides the why and how behind your audit programs and workpapers.
James H. Bennett, CPA, Managing Member Bennett & Associates, CPAs PLLC Ann Arbor, Michigan
Thanks Charles for clarifying what’s important in an audit. Recommended reading for any auditor level.
Jay Miyaki, CPA, Partner Jay Miyaki, LLC Honolulu, Hawaii
The author steps through each audit area in a simple manner and clearly explains topics that are often complex by providing numerous examples and personal anecdotes. I highly recommended this text to anyone in the financial statement audit profession.
Jacob Gatlin, CPA, PhD CDPA, PC Athens, Alabama
Charles Hall’s “The Why and How of Auditing” is comprehensive, yet easy to implement. This guide will enhance the effectiveness of your audit engagements.
Armando Balbin, CPA, Partner Downey, California
I highly recommended Charles Hall’s latest book, “The Why and How of Auditing.” Charles takes a complicated subject and makes it simple. Our team found it particularly useful in the areas of questions to ask, procedures to follow, and work paper examples.
Bill Burke, CPA, Partner Burke, Worsham and Harrell, LLC Bainbridge, Georgia
A must-read for auditors! The Why and How of Auditing is insightful, practical, and rich with ideas. Charles takes a complex topic and breaks it down into an easy to read, well-defined road map.
So, let’s jump in. Here are three receipt-fraud tests.
Three Receipt-Fraud Tests
1. Test adjustments made to receivables
Why test?
Receipt clerks sometimes steal collected monies and write off (or write down) the related receivable. Why does the clerk adjust the receivable? So the customer doesn’t receive a second bill for the funds stolen.
How to test?
Obtain a download of receivable adjustments for a period (e.g., two weeks) and see if they were duly authorized. Review the activity with someone outside the receivables area (e.g., CFO) who is familiar with procedures but who has no access to cash collections.
If there are multiple persons with the ability to adjust receivable accounts (quite common in hospitals), compare weekly or monthly adjustments made by each employee.
Agree receipts with bank deposits.
2. Confirm rebate (or similar type) checks
Why test?
When rebate checks are not sent to a central location (e.g., receipting department), the risk of theft increases. Rebate checks are often not recorded as a receivable, so the company may not be aware of the amounts to be received. Stealing unaccrued receivable checks is easy.
How to test?
Determine which vendors provide rebate checks (or similar non-sales payments). Send confirmations to the vendors and compare the confirmed amounts with activity in the general ledger.
Theft of rebate checks is more common in larger organizations (e.g., hospitals) where checks are sometimes received by various executives. The executive receives a check in the mail and keeps it for a while (in his desk drawer – in case someone asks for it). Once he sees that no one is paying attention, he steals and converts the check to cash.
3. Search for off-the-book thefts of receipts
Why test?
The fraudster may bill for services through the company accounting system or an alternative set of accounting records and personally collect the payments.
How to test?
Compare revenues with prior years and investigate significant variances. Alternatively, start with source documents and walk a sample of transactions to revenue recognition, billing, and collection.
Here are a few examples of actual off-the-book thefts:
Police Chief Steals Cash
An auditor detected a decrease in police-fine revenue in a small city while performing audit planning analytics. Upon digging deeper, he discovered the police chief had two receipt books, one for checks that were appropriately deposited and a second for cash going into his pocket. Sometimes, even Andy Griffith steals.
Hospital CFO Steals Cash
A hospital CFO, while performing reorganization procedures, set up a new bank account specifically for deposit of electronic Medicaid remittances. He established himself as the authorized bank account check-signer.
The CFO never set up the bank account in the general ledger. As the Medicaid money was electronically deposited, the CFO transferred the funds to himself. What was the money used for? A beautiful home on Mobile Bay, new cars, and gambling trips.
Another Receipt Fraud to Consider
Sometimes it’s not the front-desk receipt clerk that steals. Surprisingly, your receipt supervisor can be on the take. So, consider that receipt theft takes place up-front and in the back-office.
Do you ever want to include justone disclosure in your financial statements without providing all the notes? Selected disclosures can be included in certain situations, including when you omit substantially all disclosures.
Do professional standards allow this? Yes. But only if you use AR-C 70 (the preparation guidance) or AR-C 80 (the compilation guidance).
Made with Canva
Selected Disclosures in Compilations
As you probably already know, a CPA can issue compiled financial statements without disclosures as long as the compilation report discloses the omission. An example follows.
Management has elected to omit substantially all of the disclosures required by accounting principles generally accepted in the United States of America. If the omitted disclosures were included in the financial statements, they might influence the user’s conclusions about the Company’s financial position, results of operations and cash flows. Accordingly, the financial statements are not designed for those who are not informed about such matters.
If the financial statements include one or two notes, then the financial statements still omit substantially all of the disclosures, so the accountant (still) uses the wording in the preceding paragraph.
Sample Selected Disclosure
An example of a selected disclosure follows:
ABC Company
Selected Information –
Substantially All Disclosures Required by Accounting Principles
Generally Accepted in the United States of America are Not Included
December 31, 2020
Note 1. Long-Term Debt.
ABC Company borrowed $450,000 on July 15, 2020, from XYZ Bank. The rate of interest is 5%, and the loan is collateralized by equipment of the Company. Payments are $10,000 per month plus interest for two years with a balloon payment for the balance of the amount owed.
Additionally, you can omit substantially all disclosures in a preparation engagement.
Preparation Engagements
AR-C 70 says:
The accountant may prepare financial statements that include disclosures about only a few matters in the notes to the financial statements. Such disclosures may be labeled “Selected Information—Substantially All Disclosures Required by [the applicable financial reporting framework] Are Not Included.”
So, the selected-disclosure option is available in a Preparation of Financial Statements engagement. Include the required disclaimer at the bottom of the page such as “No assurance is provided on these financial statements.”
Other Considerations
The accountant should consider whether management’s election to include only selected disclosures causes the financial statements to be misleading (for example, by omitting the disclosures that contain negative information). If so, the accountant should request that the financial statements be revised to include the omitted disclosures.
The selected-disclosure option is not available for financial statements subject to a review engagement. Such financial statements must be full disclosure.
What About You?
Do you ever use this selected-disclosure option? Any reservations about doing so?
What is the difference in an internal control and a process? Most company accounting manuals do not clearly define what a control is. The result: it can be difficult to identify a company’s key controls. As a result, some auditors incorrectly identify processes as internal controls in their walkthrough documentation. Below, I help you distinguish between controls and processes so you won’t make this mistake.
Processes and Controls in Risk Assessment
As you perform your annual walkthroughs, you determine if the company’s internal controls are designed properly and if they are implemented. But what are internal controls? And how do they differ from processes?
Processes are the actions performed by accounting personnel that are not controls. For example, a cashier receives payments.
Controls, on the other hand, are the actions that ensure safety and accuracy. For example, the cashier might restrictively endorse a check For Deposit Only and create a receipt. These are controls. A business can, however, receive payments without controls. But if they do, monies might be stolen or recorded incorrectly. In short, accounting controls (or internal controls) lessen misstatements in the financial statements and theft.
In performing risk assessment, you consider whether an account balance or transaction might be misstated, whether by error or fraud. And how do you do this? By performing certain procedures such as reviewing the internal control system. This is why it’s important to know what the key controls are.
Below I provide examples of cashier processes and internal controls.
Cashier Processes
Remember a process is whatis being done. The purpose of the process, in this example, is to receive and process payments.
The cashier’s work manual might require processes as follows:
Take your cash drawer from the vault each morning
Turn on your computer by 7:50 a.m. to ensure it is working properly
Open your station at 8:00 a.m.
Press the f7 key before entering the receipt
Ask customers to place their credit cards into the credit card machine at your window
Press the f3 key when the receipt entry is complete
Now, let’s look at sample internal controls.
Cashier Internal Controls
Controls ensure accuracy and lessen fraud. The accounting manual might spell out the following controls (this list is not comprehensive):
No purses or handbags are allowed in the cash collections area
Station security cameras record all activity; retain video for at least one month
No person receiving cash can write down or eliminate receivables (of if they can, a second person reviews and signs off on all adjustments)
The receipting software flags all amounts greater than $1,000 (most receipts are less than $500)
Only one cashier can work from a cash drawer; the cashier must lock his or her drawer upon leaving their station and must log out of their computer
Cashiers issue a receipt for each payment received
The cash supervisor observes the daily closeout count of one cashier at least once per week
The cash supervisor creates the daily summary deposit and provides the same to the courier for delivery to the bank
Notice the segregation of duties andthe second-person reviews. The internal controls lessen the potential for misstatements and theft.
Some controls may sound like policies alone—and not controls—such as no purses are allowed in the collection area. But what is the purpose of the requirement? To lessen theft. So I consider this to be both a policy and a control.
Also, notice that some controls are automated such as the entry flag for amounts greater than $1,000. The purpose of this control is to lessen data entry error.
In summary, we see that a processes are the actions performed to get something done. Cashiers receive and process payments. By contrast, controls ensure that the resulting numbers are correct and that assets are secure from theft.
Understanding the differences in controls and processes helps you identify key controls. And why is this important? Understanding the distinction allows you to properly identify key controls in your walkthrough documentation. You don’t want to identify a process as a control when it’s not.
Today, we talk about auditing plant, property, and equipment (or capital assets if you work with governments).
Plant, property, and equipment is often the largest item on a balance sheet. But the risk is often low to moderate. After all, it’s difficult to steal land or a building. And the accounting is usually not difficult. So the dollar amount can be high but the risk low.
In this post, we’ll answer questions such as, “how should we test additions and retirements of property?” and “what should we do in regard to fair value impairments?”
Auditing Plant, Property, and Equipment — An Overview
I will—at times in this article—refer to plant, property, and equipment as property. Governments use the term capital assetsto refer to plant, property and equipment, but again, I will, for the most part, use the term property in this article.
Property is purchased for use in a business. For example, a corporate office might be bought or constructed. The building is an asset that is depreciated over its economic life. As depreciation is recorded, the book value (cost less accumulated depreciation) of the building decreases as depreciation is recognized. In other words, you expense the building as it is used.
In most reporting frameworks, including GAAP, assets are recorded at cost. Appreciation in market value is not recorded, but significant decreases, known as impairments, are booked. Property improvements (e.g., adding a new room to an existing building) are capitalized and depreciated. Repairs (e.g., painting a room) that don’t extend the life of an asset are expensed.
Also, most businesses elect to use a capitalization threshold such as $5,000. For these entities, amounts paid below the threshold are not capitalized, even if they extend the life of the asset. The amounts below the threshold are expensed as incurred.
So, how do most entities track property purchases and compute the related depreciation? They use depreciation software. Then when property is purchased, it is added to the depreciation software and an economic life (e.g., ten years) is assigned.
Below we will cover the following:
Primary property assertions
Property walkthroughs
Directional risk for property
Primary risks for property
Common property control deficiencies
Risk of material misstatement for property
Substantive procedures for property
Common property work papers
Primary Property Assertions
The primary relevant property assertions are:
Existence and occurrence
Completeness
Valuation
Classification
Of these assertions, I believe—in general—existence, occurrence, and classification are most important. So, the client is asserting that property exists, that depreciation expense is appropriate, and that amounts paid for property are capitalized (and not expensed).
Property Walkthroughs
As we perform walkthroughs of property, we are looking for ways that property might be overstated (though understatements can occur as well).
As we perform the property walkthrough, we ask, “what can go wrong, whether intentionally or by mistake?”
In performing the walkthrough, ask questions such as:
Are property ledgers reconciled to the general ledger?
Does the entity use reasonable and consistent depreciation methods?
Are the depreciation methods in accordance with the reporting framework (e.g., straight line for GAAP or accelerated for tax basis)
Who records depreciation?
Are the economic lives assigned to property appropriate?
What controls ensure that property is recorded in the right period?
What controls ensure that capital leases are capitalized as property (if applicable, see GAAP lease standards)?
Is there appropriate segregation of duties between persons that purchase, record, reconcile, and physically possess property?
What software is used to compute depreciation?
Does the company perform periodic physical inventories of property?
Are assets removed from the depreciation schedule upon sale?
What controls ensure that property purchases are added to the depreciation schedule (and not expensed as repairs and maintenance)?
What controls ensure that repair expenses are not capitalized as property?
What is the capitalization threshold (e.g., $5,000)?
As we ask questions, we also inspect documents (e.g., depreciation reports) and make observations (e.g., who has access to moveable property?).
If control weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see that one person purchases property, has physical access to equipment, and performs the related accounting, then we will perform theft-related substantive procedures.
Directional Risk for Property
The directional risk for property is overstatement. So, in performing your audit procedures, perform procedures to ensure that property is not overstated. For example, vouch all significant property additions to invoices. See if the amounts added are equal to or greater than the capitalization threshold (e.g., $5,000).
Primary Risks for Property
The primary risks for property are:
Property is intentionally overstated
Repair expenses (or any other expenses) are improperly capitalized as property
Purchases that should be recorded as property are expensed
Depreciation is improperly computed and recorded (e.g., accelerated depreciation is used when straight-line is more appropriate)
Moveable property (e.g., equipment) is stolen
Common Property Control Deficiencies
In smaller entities, it is common to have the following control deficiencies:
One person performs more than one of the following:
Authorizes the purchase of property
Enters the property in the general ledger and depreciation schedule
Has physical custody of the property
Has responsibility for reconciling the depreciation schedule to the general ledger
The person computing depreciation doesn’t have sufficient knowledge to do so
A second person does not review the depreciation methods for appropriateness and economic lives assigned to each property
No one performs surprise audits of property
No one performs physical inventories of property
There are no controls over the disposal of property
Appropriate bidding procedures are not used
No one reconciles the depreciation schedule to the general ledger
Property is not reviewed for potential impairments of value
In smaller engagements, I usually assess control risk at high for each assertion. If control risk is assessed at less than high, then controls must be tested to support the lower risk assessment. Assessing risks at high is usually more efficient than testing controls.
When control risk is assessed at high, inherent risk becomes the driver of the risk of material misstatement (controls risk X inherent risk = risk of material misstatement). The assertions that concern me the most are existence (for additions to property), occurrence (for depreciation), and classification (of property). With regard to classification, the business determines whether the amount should be capitalized or expensed. So my RMM for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, the vouching of additions to property. As RMM increases I lower the dollar threshold for vouching property additions.
If controls related to bids are weak, your RMM for existence can be high. Bid rigging or kickbacks—fraudulent vendor actions—can result in overstatements of asset additions.
Substantive Procedures for Property
My customary audit tests are as follows:
1. Vouch property additions to related invoices
2. Agree opening property balances in the depreciation schedule to the prior year ending balances
3. Review economic lives assigned to new property for appropriateness
4. Review the selected depreciation method in light of the property’s life
5. Compute a ratio of depreciation to property and compare the result with prior periods
6. Review new lease agreements to determine if they should be capitalized
7. Inquire about potential decreases in the value of property and request valuations if necessary
Common Property Work Papers
My property work papers normally include the following:
An understanding of property-related internal controls
Documentation of control deficiencies related to property
Property audit program
A copy of the depreciation schedule that agrees to the general ledger
A summary of additions and retirements of property in the current audit period
Bid documents for significant construction projects or other property purchases
A valuation of a significant asset by a valuation specialist, if merited (potential impairment)
In Summary
In this article, we looked at how to perform property risk assessment procedures, the relevant property assertions, the property risk assessments, and substantive property procedures.
