Substantive Analytical Procedures
May 06

Substantive Analytical Procedures: Power Up

By Charles Hall | Auditing

Are you using substantive analytical procedures in your audits? Many auditors rely solely on tests of details when a better option is available. Substantive analytics, in some cases, provide better evidential matter. And they are often more efficient than tests of details.

In this article, I provide:

  • Substantive Analytics – A Video Overview
  • Analytics in Three Stages
  • Substantive Analytics
  • Responses to Risk of Material Misstatement
  • Substantive Analytical Assurance Level
  • Examples of Substantive Analytics
  • Documenting Substantive Analytical Procedures
  • Other Substantive Analytical Considerations

Professional standards define analytical procedures as evaluations of financial and non-financial data with plausible relationships. An example of such a relationship is salaries may be expected to be a certain percent of total expenses. In other words, numbers behave in particular ways. Because they do, we can use these relationships as evidential matter for our audit opinions.

Substantive Analytics – A Video Overview

This video provides an overview of substantive analytical procedures. 

Before we look at what substantive analytics are and how we use them, let’s see how analytical procedures are used in audits.

Analytics in Three Stages

Auditors use analytics in three stages:

  1. Preliminary (risk assessment)
  2. Final (wrap up)
  3. Substantive (response to risk of misstatement)

Preliminary analytics are performed as a risk assessment procedure. We use them to locate potential material misstatements. And if we identify unexpected activity, we plan a response. For example, if we expect payroll to go up 5% but it goes down 8%, then we plan further audit procedures to see why: these can include tests of details, substantive analytics, and test of controls. 

At the completion of the audit, we use final analytics to determine if we have addressed all risks of material misstatement. Here we compare our numbers and ask, “Have we dealt with all risks of material misstatement?” If yes, fine. If not, then we may need to perform additional further audit procedures. 

Less precision is necessary for preliminary and final analytics as compared to substantive analytics. Preliminary analytics locate misstatements and final analytics confirm the results of the audit. But substantive analytics are used to prove material misstatements are not present. 

Substantive Analytics

Substantive analytical procedures can, in certain cases, be more effective and efficient than a test of details. 

For example, if the ratio of salaries to total expenses has been in the 46% to 48% range for the last few years, then you can use this ratio as a substantive analytic to prove the payroll occurrence assertion. If your expectation is that payroll would be in this range and your computation yields 48%, then your substantive analytic provides evidence that salaries occurred. And this is much easier than a test of details such as a test of forty payroll transactions (where you might agree hours paid to time records and payroll rates to authorized amounts). 

Disaggregation of Data

For a small entity with six employees, one payroll substantive analytic might be sufficient, but you may need to disaggregate the payroll information for a larger company with six hundred people. For instance, you might divide departmental salaries by total salaries and compare those ratios to the prior year. Disaggregation adds more precision to the analytic, resulting in better evidential matter. 

Another example of disaggregation is in relation to revenues. If the company has four major sources of revenue, disaggregate the substantive analytical revenue sources. You might use a trend analysis by revenue source for the last three years. Or you might recompute an estimate of one or more revenue sources based of units sold or property rented. 

The type of substantive analytic is dependent on the nature of the transaction or account balance. If a company rents fifty apartments at the same monthly rate, computing an estimate of revenue is easy. But if a company sells fifty different products at different prices, you may need to disaggregate the substantive analytical data. 

Additionally, consider disaggregating substantive analytics by region if the company has different geographic locations. 

Not for Significant Risk Areas (at least not alone)

Are there audit areas where substantive analytical procedures should not be used alone? Yes. When responding to a significant risk. A test of details must be used when a significant risk is present. For example, a bank’s allowance for loan losses. This allowance is a highly complex estimate; therefore, a test of details is required. You could not solely compare the allowance to prior years,  for example, though such a comparison could complement a test of details. In other words, you could perform a test of details and use a substantive analytic. But a substantive analytic alone would not do. 

Now let’s consider how auditors use substantive analytics to respond to the risk of material misstatement.

Responses to Risks of Material Misstatement

Once you identify a risk of material misstatement, you plan further audit procedures including (1) test of details, (2) substantive analytical procedures, and (3) test of controls. Many auditors use a test of details without performing substantive analytics. Why? For many, it’s habit. We’ve always tested bank reconciliations, for example, so we continue to do so. But maybe we’ve never used substantive analytics to prove revenues or expenses. 

A test of details is often used in relation to balance sheet accounts such as cash, receivables, and debt. 

Substantive Analytical Procedures as a Response

Substantive analytics, on the other hand, are sometimes more fitting for income statement accounts such as revenue or expenses. Why? Because income statement accounts tend to be more consistent from year to year. Here are some examples:

  • Depreciation expense
  • Payroll expense
  • Lease revenue
  • Property tax revenue (in a government)

So consider using substantive analytics when the volume of transactions is high and the account balance is predictable over time. Additionally, use substantive analytics in lower risk areas, including some balance sheet accounts such as: 

  • Plant, property, and equipment (if no significant additions or retirements)
  • Debt (if no new debt or early payoffs)
  • Prepaid assets (e.g., prepaid insurance)

Audit standards tell us that substantive analytics are more appropriate when the risk of misstatement is lower. The higher the risk of misstatement, the more you should use a test of details. For instance, it’s better to use tests of details for significant receivable accounts. But substantive analytics may work well for prepaid insurance. 

Additionally, substantive analytics can be combined with a test of details or a test of controls. If, for example, you’re planning a risk response for accounts payable and expenses, you might use a combined approach: a test of details for accounts payable (e.g., search for unrecorded liabilities) and substantive analytics for expense (e.g., departmental expenses divided by total expenses compared to the prior year).

Another common combined approach is a test of details sample along with substantive analytics. If the substantive analytics are effective, you can reduce the sample size, making the overall approach more efficient. 

Substantive Analytical Assurance Level

Certain substantive analytics provide higher levels of assurance. For example, computing expected rental income provides high assurrance. If your client rents fifty identical apartments at $2,000 a month, the computation is easy and the assurance is high. 

How to Increase Assurance When Using Substantive Analytics

Other types of analytics provide lower assurance: topside ratios or period-to-period comparisons at the financial statement level, as examples. You can, however, increase the substantive analytical assurance level by taking actions such as:

  • Using more comparative periods (e.g., years or months)
  • Comparing ratios to independently published industry statistics 
  • Disaggregating the data (e.g., revenues by product line and units sold)
  • Documenting expectations prior to creating the analytics (to remove bias)
  • Documenting client responses regarding differences along with the follow up procedures and results

Comparing balances with a prior period and providing no explanations is not sufficient as a substantive analytic. Also, if the activity is unexpected, solely documenting client responses to questions is not sufficient. For example, these client answers will not do:

  • Client expected revenues to go up
  • Numbers declined because sales activity went down
  • Client said it’s reasonable

Vague responses are not evidential matter and can result in audit failure, or—worse yet—litigation against your firm. 

Substantive analytics can be used in a wide variety of ways. 

substantive analytical procedures

Examples of Substantive Analytics

Here are examples of substantive analytics:

  • Comparison of monthly sales for the current year with that of the preceding year (to test occurrence)
  • Comparison of profit margins for the last few months of the audit period with those subsequent to period-end (to test cutoff)
  • Percent of expenses to sales compared with the prior year (to test occurrence)
  • Current ratio compared to prior year (to test for solvency and going concern)
  • Comparing current year profit margins with prior periods (to test accuracy and occurrence)
  • For pension or postemployment benefit plans: actuarial value of plan assets divided by actuarial accrued liability compared to prior year (to test completeness and accuracy)
  • For debt: total debt divided by total assets compared to prior year (to test the financial strength of the entity and going concern)
  • For inventory: cost of goods sold divided by average inventory compared to prior year (to test existence and occurrence)

Now let’s see how to document your substantive analytics.

Documenting Substantive Analytical Procedures

In performing substantive analytical procedures, document the following:

1. The reliability of the data 

Document why you believe the data is trustworthy. Reasons could include your prior experience with the client’s accounting system and internal controls related to the information you are using. Though a walkthrough sheds light on those controls, a test of controls for effectiveness provides even greater support for the reliability of the data. Testing controls is optional, however. 

2. Assessed risk of material misstatement by assertion 

Document the assertions being addressed and the related risks of material misstatement. 

3. Expectation 

Document a sufficiently precise expected result of the computation or comparison. You can use a range. Document the expectation prior to examining the recorded numbers. Why? To reduce bias. If the current year expectation is different from the prior year, explain why. For example, if payroll has been stable over the last three years but is expected to increase eight percent in the current year, document why. A less precise expectation may be acceptable if a test of details is performed along with the substantive analytic. 

4. Approach 

Document if the substantive analytic is to be used alone or in conjunction with a test of details. 

5. Acceptable difference 

The acceptable difference is the amount that requires no further investigation. So, for example, if the analytic is $30,000 different from the recorded amount and the acceptable difference is $50,000, you are done. No additional work is necessary. Unacceptable differences require further investigation such as inquiries of management and other audit procedures. Consider the performance materiality for the transaction or account balance as you develop the acceptable difference amount. Also, consider the assessed risk of material misstatement. Higher risk requires a lower acceptable difference. 

6. Conclusion 

Document whether the computation or comparison falls within your expectation. Perform and document other procedures performed if the result is not within your acceptable difference. Your conclusion should include a statement regarding whether you believe the account or transaction balance is materially correct. After all, that’s the purpose of the substantive analytic. 

Here are some concluding thoughts about substantive analytics. 

Other Substantive Analytical Considerations

Substantive analytics are not required. So, think of them as an efficient alternative to test of details.

If the company has weak internal controls or a history of significant misstatements, rely more on tests of details. Substantive analytics work better in stable environments. Additionally, if you, as the auditor, expect to make several material audit adjustments, record those prior to creating substantive analytics. This will help reduce the distortion from those misstatements. 

Testing of controls for effectiveness lends strength to substantive analytics. If the controls are effective, you’ll have more confidence in the substantive analytics. For example, if you test the disbursement approval controls and find them to be effective, the expense analytics will be more trustworthy. If you are testing controls for effectiveness, you may want to do so before creating any related substantive analytics. 

You may also want to see AU-C 520, Analytical Procedures in the audit standards. 

emphasis of matter
Apr 25

Emphasis of Matter & Other Matter Paragraphs: SAS 134

By Charles Hall | Accounting and Auditing

Do you know what you need to know about emphasis of matter and other matter paragraphs? Sometimes auditors elect to or are required to add an extra paragraph. You need to know why and when and how. This article provides information about emphasis of matter (EOM) paragraphs and other matter (OM) paragraphs. (This article is based on AU-C 706, Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs in the Independent Auditor’s Report. See my prior EOM and OM article if you have not adopted SAS 134, 137, 140 and 141.)

emphasis of matter

Definitions

First, let’s first define the two terms.

AU-C 706.07 provides the following definitions:

Emphasis-of-matter paragraph. A paragraph included in the auditor’s report that is required by GAAS, or is included at the auditor's discretion, and that refers to a matter appropriately presented or disclosed in the financial statements that, in the auditor's professional judgment, is of such importance that it is fundamental to users’ understanding of the financial statements.
Other-matter paragraph. A paragraph included in the auditor’s report that is required by GAAS, or is included at the auditor's discretion, and that refers to a matter other than those presented or disclosed in the financial statements that, in the auditor's professional judgment, is relevant to users’ understanding of the audit, the auditor’s responsibilities, or the auditor’s report.

Notice that an EOM refers to “a matter appropriately presented or disclosed in the financial statements,” while an OM refers to “a matter other than those presented or disclosed in the financial statements.” So, EOMs are used in relation to information included in the financial statements, and OMs are used in reference to information outside the financial statements.

Now, let us take a look at sample EOM and OM paragraphs.

Sample Emphasis of Matter Paragraph

Here’s a sample EOM paragraph:

Emphasis of Matter

As discussed in Note X to the financial statements, subsequent to the date of the financial statements, there was flood damage to the Company’s inventory facilities. Our opinion is not modified with respect to that matter.

Sample Other Matter Paragraph

Here is a sample OM paragraph:

Other Matter

In our report dated April 18, 20X5, we expressed a qualified opinion since the Company’s main office had a material unrecognized impairment loss. As disclosed in Note 12, the Company has now recognized the impairment in conformity with accounting principles generally accepted in the United States of America. Accordingly, our present opinion on the restated 20X4 financial statements, as presented herein, is different from that expressed in our previous report.

You also need to know the presentation requirements for EOM and OM paragraphs.

Presentation Requirements for an Emphasis of Matter

The purpose of the EOM is to draw attention to information contained in the financial statements.

AU-C 706.08 and 706.09 provides EOM guidance. These paragraphs tell you how and when to provide an EOM paragraph.

How to Present an Emphasis of Matter

The auditor should:

  • Refer only to information presented or disclosed in the financial statements
  • Include the paragraph in a separate part of the auditor’s report with a heading (such as Emphasis of Matter)
  • Include in the heading Emphasis of Matter when key audit matters are communicated in the report
  • Include a clear reference to the matter being emphasized and the location of relevant disclosures
  • State that the auditor’s opinion is not modified with respect to the matter emphasized

The EOM can be located just after the Basis for Opinion paragraph unless there is a key audit matters section. If there is a key audit matter section, the EOM can be placed after the Basis for Opinion paragraph or after the Key Audit Matters section. (AU-C 706.A14 does not specify placement of the EOM or OM. It says placement depends on the auditor’s judgment about the significance of the information compared to other elements of the report.)

So, when should an EOM be provided?

When to Present an Emphasis of Matter Paragraph

The auditor presents an EOM when he or she believes the information is fundamental to a user’s understanding of the financial statements. But the auditor can only provide an EOM when (1) the auditor is not qualifying the opinion because of the matter, and (2) when the matter is not a key audit matter. EOMs are sometimes required by audit standards.

Exhibit B of AU-C 706, “List of AU-C Sections Containing Requirements for Emphasis-of-Matter Paragraphs” provides information about audit standards requiring an EOM. Those include:

  • AU-C 560.16c, Subsequent Events and Subsequently Discovered Facts
  • AU-C 708.08-.09 and 708.11-.13, Consistency of Financial Statements

See Exhibit B of AU-C 706 for the full list.

Now let us look at other matter paragraph requirements.

Presentation Requirements for an Other Matter

An OM is used to highlight information external to the financial statements, usually regarding the auditor’s actions, responsibilities, or report. In other words, an OM addresses information not included in the financial statements or notes.

AU-C 706.10 provides OM guidance.

The auditor should:

  • Include the paragraph within a separate part of the auditor’s report with the heading Other Matter or other appropriate wording
  • Not include an OM for an issue that is a key audit matter (such information is reported in the key audit matter section)

How to Present an Other Matter

AU-C 706.A14 does not specify where the OM is to be placed in the auditor’s report, saying the placement “depends on the nature of the information” and “the auditors judgement.” Nevertheless, see AU-C 706.A14 for guidance, especially if there are key audit matters, or legal or regulatory requirements. AU-C 706.A17 shows the OM paragraph following Key Audit Matters paragraph in Illustration 2. (The order in this illustration is Basis of Opinion, Emphasis of Matter, Key Audit Matters, and Other Matter. So, if there are no Emphasis of Matter or Key Audit Matter paragraphs, the OM could—based on this illustration—follow the Basis of Opinion paragraph.)

When to Present an Other Matter Paragraph

Auditors can elect to provide an OM paragraph to provide information about the audit, including the auditor’s responsibilities and report. However, there are instances where such a paragraph is required. Exhibit C of AU-C 706, “List of AU-C Sections Containing Requirements for Other-Matter Paragraphs” provides information about auditing standards that require an OM. Those include:

  • AU-C 700.55-.56 and .58-59, Forming an Opinion and Reporting on Financial Statements
  • AU-C 800.20, Special Considerations—Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks

See exhibit C of AU-C 706 for the full list.

Simple Summary

Use EOMs and OMs to highlight important matters

SAS 134 amends the EOM and OM requirements

EOMs refer to matters presented or disclosed in the financial statements

OMs refer to a matter other than those presented or disclosed in the financial statements

EOMs and OMs are—in certain situations—required by audit standards

An EOM should refer to the note that describes the issue; include the heading “Emphasis of a Matter” or other appropriate heading

An OM should include the heading “Other Matter” or other appropriate heading

You might find my companion article SAS 134 Unmodified and Modified Opinions useful as well. 

SOC Report
Apr 24

When are SOC Reports Needed by an External Auditor?

By Charles Hall | Auditing

Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, what are SOC reports and when are they needed?

SOC Report

What are SOC Reports?

When an entity provides services to other entities (e.g., ADP payroll services), the service organization desires to provide comfort to their clients. Why? Well the service organization wants to provide assurance regarding the safety and effectiveness of its services. Trust is foundational to the business relationship. Therefore, the service organization provides comfort to clients by hiring an outside independent auditor to review its accounting system. The result of that review is a service organization control report. 

So if ADP desires to give comfort to its clients regarding the design and operation of its accounting system, it will hire an outside audit firm to review and render an opinion on its internal controls. While SOC reports provide comfort the service organization’s clients, they are also used in another manner. 

Suppose ADP provides payroll services to Jet Sports, Inc. The auditors of Jet Sports will review ADP’s SOC report to see if their accounting system is appropriately designed and operating. After all, ADP, in this example, is an extension of Jet Sports, Inc.’s accounting system. Jet’s auditors view ADP’s services as a part of Jet’s accounting system: Jet has simply outsourced their payroll services to ADP. That’s why ADP’s SOC report is relevant to Jet Sports, Inc.’s audit. 

When are SOC Reports Needed?

SOC reports are needed when:

  • The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
  • The SOC report provides information concerning a significant transactions cycle

Many organizations outsource portions of their accounting to service organizations, such as ADP’s payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.

All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.

A financial statement auditor is concerned with material misstatements, regardless of how or where they occur, and regardless of who allows the misstatement. Therefore, auditors look for internal controls weaknesses in both the entity being audited and service organizations.

As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.

Definitions Related to Service Organizations

Before delving into the details of service organization controls, let’s define a few key words

Complementary user entity controls. These are the controls performed by users of a service organization’s services. These entity controls complement the service organization’s controls: both are necessary to ensure the process is safe and effective. For example, your client might perform the complementary control of reviewing payroll hours reported before providing those to an outside payroll service organization. 

Service auditor. The auditor that reports on controls at a service organization.

Service organization. An organization that provides services to user entities that impact the user entity’s financial reporting.

User auditor. The auditor that audits the financial statements of a user entity.

User entity. An entity that uses a service organization and its related SOC report. 

Audit Standard for Service Organizations

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting.

So if a service organization’s activities affect an entity’s information system, business processes, or financial reporting, then that activity is relevant. 

When is a SOC report not needed?

When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:
 
This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).
 
Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.

Complementary User Entity Controls

The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as complementary user entity controlsIf the complementary controls operate effectively, the user auditor–the auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.

Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions and the complementary controls would not detect material misstatements, then the user auditor may need SOC reports or other service organization information.

When complementary controls are present, they should be reviewed in the walkthrough of controls by the user auditor. For example, if your client reviews payroll time recorded prior to submission to an outside payroll service provider, then determine if this control is designed appropriately and implemented (as you do for all key controls). SOC reports usually provide a list of complementary controls, so look there for potential client controls. Then see if they are in use. 

Is the Placement of a SOC Report in the Audit File Sufficient?

Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.

A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.

Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.

If controls weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).

Type 1 or Type 2 SOC Reports?

Service organization auditors can issue type 1 or type 2 reports.

A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.

A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

The type 1 report provides information about the service organization’s system and related controls. The type 2 report provides an opinion on the system description and the design and effectiveness of the controls. A type 1 or a type 2 report can be used to gain an understanding of the controls.

You may see, in some of these SOC reports, carve-outs. 

Carve-Outs

Many SOC reports carve out services that are provided to the service organization by another service provider (a service provider to a service provider, if you will). In such a situation, consider whether you need to review the sub-service provider’s SOC report. (Sub-service providers are named in the SOC report along with what they do.)

So, should you (the user auditor) ever visit a service organization’s office?

Should the Auditor Visit the Service Organization?

Usually, the user auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.

SOC Reports Summary

In summary, if you audit an entity that uses a service organization, consider whether you need a SOC report. If the service organization provides services that impact a significant transaction cycle or account balance, then you probably need to review the related SOC report. Why? To see if there are any service organization internal control weaknesses that impact your client’s audit. 

Fraudster’s refuge
Apr 17

Fake Bank Accounts and the Appalachian Trail

By Charles Hall | Asset Misappropriation

Some fraudsters funnel money into fake bank accounts. Today, I show you how one controller did so and walked away with millions—and then hid on the Appalachian Trail.

Fake bank accounts

Fake Bank Account

In May 2015 James Hammes was arrested for the theft of $8.7 million from his former employer, G&P Pepsi-Cola Bottlers. After Mr. Hammes was confronted about the theft in February 2009, he left his home and hid on the Appalachian Trail, which runs from Georgia to Maine. Hammes assumed a hiking name of “Bismarck” and spent several years on the popular trail. Fellow hikers enjoyed Bismarck since he seemed to be one of them.

So how did he steal the money?

How the Funds Were Stolen

The FBI reported the following:

Court documents show that Hammes’ embezzlement began around 1998. As a controller, he was responsible for all financial accounting and internal controls for his division, including supervising accounts payable to several hundred outside vendors. He carried out the fraud by establishing a new bank account for an existing vendor at a different bank. He then deposited hefty payments to that vendor—often $100,000 at a time—in the phantom account that he alone controlled. He then could transfer money from the phantom account to his personal accounts.

“He knew how to cover his tracks by manipulating audits and ledger entries,” Jones said. “He got away with it for so long because he knew how to manipulate his subordinates and how not to raise accounting red flags.”

So, Hammes opened a fraudulent bank account at a bank that the vendor did not use and deposited vendor checks into that account. Then he transferred funds out of the fraudulent bank account to himself. Since he opened the account, he was the authorized check signer. Simple but effective.

You may be wondering how the theft could occur so long without detection.

Vendor Payment Controls Lacking

If extra payments were made to vendors (and it appears that occurred), then the company may not have been reviewing vendor payments. If appropriate controls are not in place, it’s easy for a fraudster to make fraudulent vendor payments without detection, especially if hundreds of monthly checks are processed.

Also, it appears the company may have lacked sufficient segregation of duties since Hammes was able to disburse extra vendor payments without detection.

Vendor Payment Controls

Periodically, review the total payments made to each vendor. For example, generate the total monthly payments made to XYZ Company. Then compare the monthly payments over a two to three year period. If payments increase greatly, then someone within the company may be making additional payments and stealing those checks. Or there may a legitimate reason for the increase. Either way, it’s wise to review vendor payments for anomalies. 

Another test you can perform is to look for multiple addresses for the same vendor. There may be legitimate reasons for more than one address, but you want to create a list of vendor addresses and verify that they are appropriate. The same is true for electronic vendor payments: see if there are multiple bank accounts you are wiring payments to. Then determine if these are appropriate. Additionally, obtain the physical address of each vendor and determine if the company is real. Do not accept P.O. Box addresses for verification purposes; again, you need to know if the company exists. (See my article Fictitious Vendor Fraud: Preventing It.)

If your company pays hundreds of vendors, you may want your internal audit (or external auditors) to periodically test vendor payments for appropriateness. Tell your payables personnel this will be done from time to time on a surprise basis. This will help keep them honest.

Maybe with these controls, you can prevent payments to fake bank accounts and keep your employees off the Appalachian Trail.

For more information about auditing payables, see my article Auditing Accounts Payable and Expenses: A Guide.

Funded depreciation
Apr 05

Funded Depreciation: Becoming More Profitable

By Charles Hall | Accounting and Auditing , Local Governments

From time to time, I have clients ask me “What is funded depreciation?” And more importantly, they ask, “How can this technique make my organization more profitable and less stressful?”

Funded depreciation

Here’s a simple explanation.

Funded depreciation is the setting aside of cash in amounts equal to an organization’s annual depreciation. The purpose: to fund future purchases of capital assets with cash.

Funded Depreciation

Suppose you buy a $10,000 whiz-bang gizmo—a piece of equipment—that you expect to use for ten years, and at the end of the ten years you expect it to have no value. Your annual depreciation is $1,000.

In this example, a $1,000 depreciation expense is recognized annually on your income statement (depreciation decreases net income) even though no cash outlay occurs. The balance sheet includes the cost of the whiz-bang gizmo, but at the end of ten years, the equipment has a $0 book value, being fully depreciated.

The smart manager will annually set aside $1,000 in a safe investment—such as a certificate of deposit or money market account—for the future replacement of the whiz-bang gizmo.

If the company does not annually invest the $1,000, it has a few options at the end of the ten-year period:

  • Borrow the full amount for the replacement cost
  • Seek outside funding (e.g., grants)
  • Use other funds from within the organization
  • Lease the equipment
  • Ask U2 to do a special benefits concert—just kidding

Obviously, if you borrow money to replace the equipment, you will have to pay interest—another cash outlay. Suppose the rate is 10%. Now the organization must pay out $1,100 each year. So, if the organization funds the depreciation (invests $1,000 annually), it earns interest. But if the entity chooses not to fund depreciation, it pays interest.

Businesses that fund depreciation are always making money from interest (granted not much these days) rather than paying for it.

Another advantage to funding depreciation: you know you will have the money to purchase the capital asset. You’re not concerned with whether a creditor will lend you the money for the acquisition. You’re financially stronger.

Why Doesn’t Every Entity Fund Depreciation?

So why doesn’t everyone fund depreciation?

  • Some don’t understand the concept
  • Some had rather spend the cash flows for the ten years (e.g., owners taking too much in distributions)
  • Some need the money just to run the organization
  • In governments, elected officials desire to keep tax rates low while they are in office
  • In growing businesses, the owners may need the money to fund the growth of the company
  • Most importantly, it may require two cash payments 

Concerning the last point, if the business had to borrow money to purchase the initial capital asset, then it must make debt service payments (cash outlay 1). If the company also funds depreciation for that same asset (making investments equal to the annual depreciation), another cash flow occurs (cash outlay 2). Nevertheless, if the business can ever get into a position where it pays cash for new equipment, it will be better off. Then only one cash outlay (investment funding) occurs, and the company is making–not paying–interest.

What if the organization cannot–due to cash flow constraints–fund depreciation for all new equipment purchases? Consider doing so for just one or two pieces of equipment–over time, the entity may be able to move into a fully funded position.

Who Should Fund Depreciation?

So, who should fund depreciation?

Organizations with sufficient cash flow and discipline. It’s the smart thing to do.

Imagine a world with no debt, a world where you don’t have to wonder how you will pay for equipment. Dreaming? Maybe, but funded depreciation is worth your consideration.

See my article Auditing Plant, Property, and Equipment

>