white collar crime
Sep 04

White Collar Crime is Knocking at Your Door: Are You Prepared?

By Charles Hall | Fraud

If your business has money and employees, then you’re a candidate for white-collar crime.

white collar crime

White Collar Crime Happens!

For most organizations, it’s not a matter of if fraud will occur, it’s a question of how much will be taken. The Association of Certified Fraud Examiners’ biennial survey shows that the average business loses 5% of its revenues to fraud. Imagine adding that amount to your bottom line, because when theft occurs, your net income is reduced by the amount taken.

Learn About Fraud Prevention

Subscribe to get our latest weekly newsletter by email.

Powered by ConvertKit

No One Steals from My Business

Most business owners, board members, governments, and nonprofits think “fraud may happen in other organizations, but not in our place. Our people are honest.” Well, let me say I’ve seen plenty of “honest” people steal.

In almost every fraud I’ve seen, the business owners and fellow employees are greatly surprised by the theft–usually by a trusted employee

And these trusted people steal because they can. You may be thinking, “What?” Let me repeat, the reason people steal is because they can. In fraud prevention parlance, we call it “opportunity.”

Fraud Cycle

And, how do trusted employees steal? Here’s the typical cycle:

  • We hire a likable, trustworthy person
  • The employee serves the organization well
  • He moves to higher positions (where he has greater opportunity to steal)
  • No one monitors the employee because he is honest–or at least, he appears that way
  • The employee believes he can steal without detection
  • Small amounts of money are taken to test the water
  • Larger amounts are taken when he is sure no one is watching

So, the employee goes from trusted employee to fraudster. The transformation occurs gradually. Then when the discovery of fraud occurs, everyone is shocked.

Examples of People Who Steal

And what kinds of trusted people steal?

I have seen the following individuals take money:

  • Chief executive officer
  • Board member
  • Pastor
  • Church secretary
  • Healthcare executive
  • A lady who was dying
  • Doctor
  • College president
  • Swim club volunteer
  • Seminary Foundation employee
  • School principal

I could go on, but you get my point. People who we think would never steal, do.

So, how can we prevent–or at least lessen–the threat of fraud? Transparency is a key.

Transparency Lessens Fraud

If transparency is important, why don’t businesses create it?

Small businesses often lack the ability to segregate accounting duties, and this lack of segregation creates opportunities for theft. Why? One employee controls several critical accounting processes, resulting in the ability to steal without detection.

To lessen the possibility of fraud, we must create transparency in accounting processes. Employees are less likely to steal when their actions are visible to others. That’s why segregation of duties is necessary–more eyes see the accounting activity, making it more difficult for theft to occur without detection. Even if an organization has few employees, it’s possible to create transparency and lessen the threat of theft. 

How CPA Hall Talk Helps

CPA Hall Talk is designed to provide you with fraud prevention information.

While I can’t visit everyone that needs fraud prevention assistance, I can provide (free) information about how theft occurs and how you can lessen the threat of fraud.

Here are some of my fraud prevention posts (each with a clickable link):

I hope you find these articles helpful in fighting fraud in your organization. 

Finally, I hope you’ll join us here at CPA Hall Talk for more information about fraud prevention, accounting, and auditing. See the subscription box below.

Key Numbers from the 2018 ACFE Fraud Survey
Aug 20

Episode 13 – Key Numbers from the 2018 ACFE Fraud Survey

By Charles Hall | Fraud , Podcast

If you’re going to prevent or detect fraud, you have to know where to look. 

In this podcast episode, we take a look at the key numbers from the 2018 ACFE Fraud Survey. For instance, the median duration of a fraud prior to detection is 16 months and the median theft loss for small entities is $200,000. This global survey provides you with unique insights into how frauds occur–and the related damages. 

Listen now to be in the know.

 

Assessing control risk at high and saving time
Aug 17

Episode 12 – Assessing Control Risk at High and Saving Time

By Charles Hall | Risk Assessment

Some auditors have been told they can’t assess control risk at high. Is this true? Also, is it possible to assess control risk at high and not test controls?

Additionally, some auditors believe that control risk is assessed at high only if internal controls are not in place. But is that true?

Listen now to hear the answers. Hint — assessing control risk at high might be your best solution.

Developing your audit strategy and plan
Aug 08

Audit Planning: Developing Your Audit Strategy and Plan

By Charles Hall | Auditing

This article teaches you how to develop your audit strategy and audit plan. In the last few posts, we’ve explored the risk assessment process. Now it’s time to link your risk assessment work to your audit strategy and plan.

AU-C 300 states, “The objective of the auditor is to plan the audit so that it will be performed in an effective manner.” We also desire—though not an objective of the audit standards—to plan for efficiency, so the engagement is profitable. 

Developing your audit strategy and plan

Audit Strategy and Plan

To be in compliance with audit standards, you need to develop:

  • Your audit strategy
  • Your audit plan

Developing Your Audit Strategy

What’s in the audit strategy? AU-C 300.08 states that the audit strategy should include the following:

  • The characteristics of the engagement (these define its scope)
  • The reporting objectives (these affect the timing of the audit and the nature of the reports to be provided)
  • The significant factors (these determine what the audit team will do)
  • The results of preliminary engagement activities (these inform the auditor’s actions)
  • Whether knowledge gained on other engagements is relevant (these potentially provide additional insight)

Also, consider the resources necessary to perform the engagement.

Think of the audit strategy as the big picture. You are documenting:

  • The scope (the boundaries of the work)
  • The objectives (what the deliverables are) 
  • The significant factors (e.g., is this a new or complex entity?)
  • The risk assessment (what are the risk areas?)
  • The planned resources (e.g., the engagement team) 

Strategy for Walking on the Moon

When NASA planned to put a man on the moon, they—I am sure—created a strategy for Apollo 11. It could have read as follows:

We will put a man on the moon. The significant factors of our mission include mathematical computations, gravitational pull, thrust, and mechanics. The risks include threats to our astronauts’ lives, so we need to provide sufficient food, air, sound communications, and a safe vessel. The deliverable will be the placement of one man on the moon and the safe return of our three astronauts. The engagement team will include three astronauts, launch personnel at Kennedy Space Center, and mission-control employees in Houston, Texas. 

developing your audit strategy and plan

The strategy led to Neil Armstrong’s historic walk on July 20, 1969.

Our audit strategy—in a more pedestrian pursuit—is a summary of objectives, resources, and risk. It’s the big picture. Our strategy leads to the successful issuance of our audit opinion (not quite as exciting as walking on the moon, but still important).

Did NASA perform any risk assessments before creating its strategy and plans? You bet. The lives of Neil Armstrong, Michael Collins, and Buzz Aldrin counted on it. So, the Agency took every precaution. NASA used the risks to define the project details—what we call our audit plan (or audit program). As with all projects, you must know your risks before you develop your plan. Doing so led to “one small step for man, one giant leap for mankind,” and—more importantly—the return of three brave astronauts. In a word: Success.

What’s in an Audit Strategy?

The audit strategy doesn’t have to be complicated or long, especially for smaller entities—it can be a short memo. What are we after? A summary of risks, needed resources, and objectives.

My firm uses an internally-developed strategy form—mainly, to ensure consistency. The form contains structure, such as references to risk assessment work and blank boxes in certain areas—such as partner directions—so it is flexible. As a result, the form has structure and flexibility.

Here are the main areas we cover:

  • Deliverables and deadlines
  • A time budget
  • The audit team
  • Key client contacts
  • New accounting standards affecting the audit
  • Problems encountered in the prior year 
  • Anticipated challenges in the current year 
  • Partner directions regarding key risk areas
  • References to work papers addressing risk

Who Creates the Audit Strategy?

Who should create the strategy? The in-charge can create it with the assistance of the engagement partner, or the partner can do so. 

Audit Strategy as the Central Document

If you want to see one document that summarizes the entire audit, this is it. As you can see, the strategy is general in nature, but you also need a detailed plan to satisfy the demands of the strategy—this is the audit plan (commonly referred to as the audit program). NASA had a mission statement for Apollo 11, but—I’m sure—written guidelines directed the step-by-step execution of the project. 

Audit Plan (or Audit Program)

Now we create the detailed planning steps—the audit program. Think of the audit program as the final stage of audit planning. What have we done to get to this stage of the audit? 

  1. Performed risk assessment procedures
  2. Developed our audit strategy

Now it’s time to create the audit plan.

The audit plan is the linkage between planning and further audit procedures. What are “further audit procedures”? They are the tactical steps to address risk including substantive procedures and test of controls. The audit program links back to the identified risks and points forward to the substantive procedures and test of controls.

Creating the Audit Program

How—in a practical sense—do we create the audit programs? Most auditors tailor the prior year audit programs. That works—as long as we revise them to address the current year risks. Audit programs are not—at least, they should not be—static documents. Even so, the current year audit program can be the same as last year—as long as the risks are the same.

Sufficient Audit Steps

How do we know if we have adequate audit program steps? Look at your risks of material misstatement (RMM)—which, hopefully, are assessed at the assertion level (e.g., completeness). Audit steps should address all high and moderate RMMs. 

Integrating Risk Assessment with the Audit Program

How else can we integrate our documentation? Put the relevant assertions next to each audit step—this makes the connections between the RMMs (at the assertion level) and the audit steps clear.

AU-C 330.18 says the auditor is required to apply substantive procedures to all relevant assertions related to each material class of transactions, account balance, and disclosure. So, the audit program should reflect steps for all material areas.

Creating Efficiency in the Audit Plan

Once you complete your risk assessment work, you want to ask, “Which is the more efficient route? Testing controls or performing substantive procedures.” Then go with your instincts. 

Generally, I assess control risk at high. While we can’t default to a high control, we can—once the risk assessment work is complete—decide to assess control risk at high as an efficiency measure. Why? If we assess control risk at below high, we must test the controls as a basis for the lower risk assessment. The testing of controls can—sometimes—take longer than substantive procedures. 

For example, is it better to test the controls related to fixed asset additions or is it more efficient to vouch the invoices for significant additions? Usually, the vouching of the invoices will get you to your desired destination quicker than testing controls. Generally—at least in my opinion—this line of reasoning is less true for more complex organizations. Larger organizations process more transactions and tend to have better controls. So it can be better to test controls for larger entities.

In Summary

There you have it—the creation of the audit strategy and the audit plan. Your strategy includes the risks, needed resources, and objectives. And your audit program contains the tactical steps to address risks. You are set to go. Now it’s time to execute our audit program.

Stay with me. In my upcoming posts, I will delve into the details of auditing by transaction areas. What specific steps should an auditor perform for cash, receivables, payables—for example? In the coming weeks, I will share with you audit approaches for significant transaction cycles. Subscribe below to ensure you don’t miss out.

To see my earlier posts in this series, click here.

>