Segregation of duties is key to reducing fraud. But smaller entities may not be able to do so. Today, I tell you how overcome this problem, regardless of the entity’s size.
The Environment of Fraud
Darkness is the environment of wrongdoing.
Why?
No one sees us. Or so we think.
Fraud occurs in darkness.
In J.R.R. Tolkien’s Hobbit stories,Sméagol, a young man murders another to possess a golden ring, beautiful in appearance but destructive in nature. The possession of the ring transforms Sméagol into a hideous creature–Gollum.
And what does this teach us? That which is alluring in the beginning can be destructive in the end.
Fraud opportunities have those same properties: they are alluring and harmful. And, yes, darkness is the environment where fraud happens.
What’s the solution? Transparency. It protects businesses, governments, and nonprofits.
But while we desire open and understandable processes, our businesses often have just a few employees that perform the accounting duties. And, many times, no one else understands how the system works.
It is desirable to divide accounting duties among various employees, so no one person controls the whole process. This division of responsibility creates transparency. How? By providing multiple eyes to see what’s going on.
But this segregation of duties is not always possible.
Lacking Segregation of Duties
Some people says here are three key duties that must always be separated under a good system of internal controls: (1) custody of assets, (2) record keeping or bookkeeping, and (3) authorization. I add a fourth: reconciliation. The normal recommendation for lack of segregation of duties is to separate these four accounting duties to different personnel. But many organizations are unable to do so, usually due to a limited number of employees.
Some small organizations believe they can’t overcome this problem. But is this true? I don’t think so.
Here’s two easy steps to create greater transparency and safety when the separation of accounting duties is not possible.
1. Bank Account Transparency
First, consider this simple control: Provide all bank statements to someone other than the bookkeeper. Allow this second person to receive the bank statements before the bookkeeper. While no silver bullet, it has power.
Persons who might receive the bank statementsfirst (before the bookkeeper) include the following:
A nonprofit board member
The mayor of a small city
The owner of a small business
The library director
A church leader
What is the receiver of the bank statements to do? Merely open the bank statements and review the contents for appropriateness (mainly cleared checks).
In many small entities, accounting processes are a mystery to board members or owners. Why? Only one person (the bookkeeper) understands the disbursement process, the recording of journal entries, billing and collections, and payroll.
Fraud decreases when the bookkeeper knows someone is watching. Suppose the bookkeeper desires to write a check to himself but realizes that a board member will see the cleared check. Is this a deterrent? You bet.
Don’t want to send the bank statements to a second person? Request that the bank provide read-only online access to the second person. And let the bookkeeper know.
Even the appearance of transparency creates (at least some) safety. Suppose the second person reviewer opens the bank statements (before providing them to the bookkeeper) and does nothing else. The perception of a review enhances safety. I am not recommending that the review not be performed. Butif the bookkeeper even thinks someone is watching, fraud will lessen.
When you audit cash, see if these types of controls are in place.
Now, let’s look at the second step to overcome a lack of segregation of duties. Surprise audits.
2. Surprise Audits
Another way to create small-entity transparency is to perform surprise audits. These reviews are not opinion audits (such as those issued by CPAs). They involve random inspections of various areas such as viewing all checks clearing the May bank statement. Such a review can be contracted out to a CPA. Or they can be performed by someone in the company. For example, a board member.
Additionally, adopt a written policy stating that the surprise inspections will occur once or twice a year.
The policy could be as simple as:
Twice a year a board member (or designee other than the bookkeeper) will inspect the accounting system and related documents. The scope and details of the inspection will be at the judgment of the board member (or designee). An inspection report will be provided to the board.
Why word the policy this way? You want to make the system general enough that the bookkeeper has no idea what will be examined but distinct enough that a regular review occurs.
Surprise Audit Ideas
Here are some surprise audit ideas:
Inspect all cleared checks that clear a particular month for appropriate payees and signatures and endorsements
Agree all receipts to the deposit slip for three different time periods
Review all journal entries made in a two week period and request an explanation for each
Inspect two bank reconciliations for appropriateness
Review one monthly budget to actual report (look for unusual variances)
Request a report of all new vendors added in the last six months and review for appropriateness
The reviewer may not perform all of the procedures and can perform just one. What is done is not as important as the fact that something is done. In other words, the primary purpose of the surprise audit is to make the bookkeeper think twice about whether he or she can steal and not get caught.
I will say it again. Having multiple people involved reduces the threat of fraud.
Segregation of Duties Summary
In summary, the beauty of these two procedures (bank account transparency and surprise audits) is they are straightforward and cheap to implement. Even so, they are powerful. So shine the light.
Review engagements provide limited assurance using AR-C 90, Review of Financial Statements. And these engagements can be done with much less effort than audits.
So, what are the requirements of a review engagement? When might a review be preferable to an audit? Must the CPA be independent? Can the CPA prepare the financial statements and perform the review engagement? Can a special purpose reporting framework be used? Who might desire a review report (rather than an audit or a compilation report)?
I'll answer these questions below, but, first here's a quick video introduction to the post.
Though this article is long, it's not intended to be comprehensive. It's an overview.
Applicability of AR-C 90
You should perform a review engagement when engaged to do so. If your client asks for this service and you accept, you are engaged.
A review engagement letter should be prepared and signed by the accountant or the accountant’s firm and management or those charged with governance. See engagement letter guidance below.
AR-C 90 Objectives
The objective of the accountant in a review engagement is to provide limited assurance regarding the financial statements. Other historical information such as supplementary information can also be included.
So how does an accountant perform a review engagement? Primarily with inquiries and analytics.
How does the limited assurance in a review engagement compare with compilations and audits?
In a compilation engagement, no assurance is provided. What procedures are employed in a compilation? Primarily, the accountant reads the financial statements for appropriateness. Why perform a compilation rather than a review? Economy and cost. Since procedures are minimal, it's easier to perform a compilation and less costly to the client.
In an audit, the accountant provides a high level of assurance. The accountant performs procedures beyond inquires and analytics such as confirmations. Audit risk assessment and planning requirements are much more rigorous than that of a review. While audits provide a higher level of assurance, they are more time-consuming. Consequently, the additional time raises the cost for the client. This is why reviews are sometimes performed rather than an audit.
Prior to performing a review engagement, make sure all stakeholders will accept this product. Some lenders might require an audit.
Review Reports
A review report is always required in a review engagement.
The standard review report states that no material modifications are necessary for the financial statements to be in accordance with the reporting framework. (See a sample review report below.)
If material misstatements are identified and relate to specific amounts in the financial statements, you will issue a review report with a basis for qualified conclusion paragraph and you'll have a qualified conclusion. See Exhibit C, illustration 5 in AR-C 90 for a sample review report with a departure from GAAP. If the effects of the departure are determined, they are disclosed in the report. If not known, the paragraph states that the effects have not been determined.
If misstatements are material and pervasive, an adverse conclusion is appropriate. The review report will also have a basis for adverse conclusion paragraph. See Exhibit C, illustration 7 in AR-C 90 for a sample review report with an adverse conclusion.
Review Financial Statements
The accountant prepares financial statements as directed by management or those charged with governance. The financials should be prepared using an acceptable reporting framework including any of the following:
All of the above bases of accounting, with the exception of GAAP, are referred to as special purpose frameworks. When such a frameworkis used, a description is required andcan be included in:
The financial statement titles
The notes to the financial statements, or
Otherwise on the face of the financial statements
The financial statement should disclose how the special purpose framework differs from generally accepted accounting principles. If, for example, a company uses accelerated depreciation in tax-basis statements, the financial statements should disclose how this method differs from straight-line (the usual GAAP method).
The review report language changes when a company uses a special purpose reporting framework. See Exhibit C, illustration 3 in AR-90 for a tax-basis review report.
Which Financial Statements?
Management specifies the financial statements to be prepared. Normally a company desires a balance sheet, an income statement, and a cash flow statement. The accountant can, however, issue just one financial statement (e.g., income statement).
Who prepares the financial statements? The company or the CPA firm can prepare them.
Can the cash flow statement be omitted? GAAP requires a cash flow statement when a statement of financial condition and an income statement are included. Compilation standards allow for the omission of the GAAP cash flow statement if the omission is noted in the compilation report. Not so in a review engagement. The cash flow statement must be included when GAAP is used.
But is the cash flow statement required when the tax-basis of accounting is used? No, the cash flow statement can be omitted when the financial statements are tax-basis.
Disclosures in Reviewed Financial Statements
What about disclosures? Are they required in a review engagement?
In compilation engagements, disclosures can be omitted. Not so in a review engagement. Full disclosure is required, regardless of the reporting framework.
References to Review Report and Notes
Should a reference to the review report and the notes be included at the bottom of each financial statement page? While not required by the SSARS, it is acceptable to add a reference such as:
See Accountant’s Report and accompanying notes
See Accountant’s Review Report and accompanying notes, or
See Independent Accountant’s Review Report and accompanying notes
Review Engagement Documentation Requirements
The accountant should prepare and retain the following documentation:
Engagement letter
A copy of the reviewed financial statements
Accountant’s review report
Communications with management and those charged with governance about significant matters arising during the engagement
Communications with other accountants that reviewed or audited financial statements of significant components
Emphasis-of-matter or other-matter paragraph communications with management or others
The representation letter (see Exhibit B of AR-C 90 for sample wording)
Information about how any inconsistencies were addressed when the accountant identified information that was inconsistent with the accountant's findings regarding significant matters affecting the financial statements
The review documentation should be sufficient to enable an experienced accountant, having no previous connection to the engagement to understand:
the nature, timing, and extent of the review procedures,
the evidence obtained and the accountant's conclusions based on that evidence
significant matters and the related conclusions and judgments
Review Engagement Letter
While it is possible for the accountant to perform only a review and not prepare the financial statements, most review engagement letters will state that the following will be performed by the accountant:
Preparation of the financial statements (a nonattest service)
A review engagement (an attest service)
Since a nonattest service and an attest service are being provided, the accountant will add language to the engagement letter describing the client’s responsibility for the nonattest service.
See illustrative engagement letters in Exhibit A of AR-C 90.
AICPA independence standards require the accountant to consider whether he is independent when the CPA performs an attest service (e.g., review) and a nonattest service (e.g., preparation of financial statements) for the same client. If management does not possess the skill, knowledge, and experience to oversee the preparation of the financial statements and accept responsibility, the accountant may not be independent.
So, must the accountant be independent? Yes, independence is required in review engagements.
AR-C 90 Review Procedures
The accountant should:
Make inquiries,
Perform analytical procedures, and
Perform other procedures, as appropriate
Direct your procedures to areas with increased risks of material misstatement. An understanding of the entity and the industry in which the entity operates will better enable you to identify potential misstatements.
1. Review Inquiries
AR-90.29 provides a series of inquiries that should be made of management and others. Those questions include matters such as fraud, subsequent events, related party transactions, and litigation. Additionally, once you create your analytical procedures, you may have questions regarding unexpected changes.
The accountant should remain alert for related party transactions outside the normal business course. Inquiries should be made about such transactions.
2. Review Analytical Procedures
Apply analytical procedures to the numbers. What kind? Well, that depends. What numbers are most important? What numbers are most likely to be misstated? What types of analytics illuminate the client's business? Consideration of such factors will lead you to the right analytics.
Here are examples:
Comparing the current year's financial statement numbers with the prior year
Comparing the current year trial balance numbers with the prior year
Ratios such as debt/equity or current assets/current liabilities or depreciation/total depreciable assets
Computing numbers with nonfinancial information such as the number of units sold times the average price
Comparing quarterly revenues by location
As you can see, judgment is required. Moreover, you need to develop expectations before computing the numbers. AR-C 90 says that the expectations should enable you to identify material misstatements. So the expectations have to be precise enough to yield that result.
Here are the five steps I use:
Develop expectations
Compute the numbers
See if the numbers align with expectations
Follow up with additional inquiries if expectations are not met
Develop a conclusion
I find that many accountants fail to document their expectations. Or if expectations are documented, a second problem occurs: The numbers don't align with the expectation and there's no documented follow-up. If the numbers don't align with expectations, make sure you determine why.
Expectations
How do we develop expectations?
It is helpful to discuss current operations with management before computing your numbers. You want to know, for example, if sales rose during the year or if there were reductions in the workforce. The conversation informs your expectations.
Also, if you've previously worked with the client, you are familiar with their profit margins or debt levels. This prior knowledge informs your expectations.
Finally, you might also read the minutes (if there are any) before computing your numbers.
3. Other Review Procedures
AR-C 90 states that procedures include inquiry, analytics, and other procedures. The third element--other procedures-- is a general category that encompasses reading the financial statements and responding to risks. You might, for example, identify potential misstatements as you perform analytical procedures. If revenues are up 25% but you expected them to be stable, you'll perform additional procedures to see why.
Interestingly (at least to me), AR-C 90.A45 states that you can perform audit procedures in a review engagement. Though your review engagement letter states you are not performing an audit, your review file can include audit procedures. Why would the AICPA provide this latitude? To give you the ability to reach beyond your typical review procedures (inquiry and analytics). You need a basis for the limited assurance you are providing. And in some situations, you may need audit procedures to get you there.
Materiality in Review Engagements
AR-C 90 requires accountants to determine and use materiality. This makes sense given the review report says the following:
Those standards require us to perform procedures to obtain limited assurance as a basis for reporting whether we are aware of any material modifications that should be made to the financial statements for them to be in accordance with accounting principles generally accepted in the United States of America.
You can't know what a "material modification" is without knowing what materiality is. So, the accountant should use materiality in the planning and conduct of the review engagement. AR-C 90 says the determination of materiality is a matter of professional judgment.
Review Representation Letter
A signed representation letter is required in all review engagements.
The date of the representation letter will agree with the date of the review report. In no event should the date of the representation letter precede the date of the review report. (The accountant is not required to have physical possession of the letter on the date of the review report. But the accountant should have the signed letter before releasing the financial statements.)
Provide the draft of the financial statements to the client promptly so they can review them and assume responsibility. Thereafter, the client can sign the representation letter.
Additionally, the representation letter should cover all financial statements and all periods in the report.
Exhibit B of AR-90 provides a sample representation letter.
Review Report Sample
The following is a review report sample (sometimes referred to as an accounting review report):
Independent Accountant's Review Report
[Appropriate Addressee]
I (We) have reviewed the accompanying financial statements of XYZ Company, which comprise the balance sheets as of December 31, 20X2 and 20X1, and the related statements of income, changes in stockholders' equity, and cash flows for the years then ended, and the related notes to the financial statements. A review includes primarily applying analytical procedures to management's (owners') financial data and making inquiries of company management (owners). A review is substantially less in scope than an audit, the objective of which is the expression of an opinion regarding the financial statements as a whole. Accordingly, I (we) do not express such an opinion.
Management's Responsibility for the Financial Statements
Management (Owners) is (are) responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement whether due to fraud or error.
Accountant's Responsibility
My (Our) responsibility is to conduct the review engagements in accordance with Statements on Standards for Accounting and Review Services promulgated by the Accounting and Review Services Committee of the AICPA. Those standards require me (us) to perform procedures to obtain limited assurance as a basis for reporting whether I am (we are) aware of any material modifications that should be made to the financial statements for them to be in accordance with accounting principles generally accepted in the United States of America. I (We) believe that the results of my (our) procedures provide a reasonable basis for my (our) conclusion.
We are required to be independent of XYZ Company and to meet our ethical responsibilities, in accordance with the relevant ethical requirements related to our reviews.
Accountant's Conclusion
Based on my (our) reviews, I am (we are) not aware of any material modifications that should be made to the accompanying financial statements in order for them to be in accordance with accounting principles generally accepted in the United States of America.
[Signature of accounting firm or accountant, as appropriate]
[Accountant's city and state]
[Date of the accountant's review report]
Exhibit C of AR-C 90 provides seven review report illustrations.
Reporting When There are Other Accountants
What are your responsibilities if you are performing the review of a consolidated entity that includes a subsidiary audited or reviewed by another accountant?
First, obtain and read the subsidiary report.
Second, decide whether to refer to the other accountants in your review report. If reference is made, AR-C 90.122 states the accountant should clearly indicate in the accountant's review report that the accountant used the work of other accountants. The report should also include the magnitude of the portion of the financial statements audited or reviewed by the other accountants." See Illustration 6 in Appendix C of AR-C 90 for sample report language. If you refer to the other accountant, you will state that your conclusion, as it relates to the entity reviewed by the other accountants, is based solely on their report.
Third, regardless of whether you decide to refer to the other accountants, communicate with the other accountants. Determine the following:
That the other accountants are familiar with the relevant reporting framework and review or auditing standards, as applicable.
Advise them that you are including the subsidiary's financials in the consolidation and that their report will be relied upon, and when applicable, that the other accountant's report will be referred to in your review report.
Communicate the ethical requirements of the engagement, mainly independence.
And finally, advise them that you are reviewing matters affecting the intercompany eliminations.
Going Concern in Review Engagements
If the reporting framework requires that management evaluate going concern (FASB has such a requirement), then you should perform going concern review procedures. Those procedures include:
Determining whether the going concern basis of accounting is appropriate
Reviewing management's evaluation of whether substantial doubt exists
When there is substantial doubt, reviewing management's plans to mitigate the conditions
If the applicable reporting framework does not require management to evaluate going concern but you become aware of conditions or events that raise substantial doubt about the entity's ability to continue as a going concern, do the following:
Ask management if the going concern basis of accounting is appropriate
Ask management about their plans to address the adverse effects of the conditions or events
Review the going concern disclosures to see if they are appropriate
Other Historical Information in Review Engagements
In addition to historical financial statements, AR-C 90 may be applied to the following:
Specified elements, accounts, or items of a financial statement, including schedules of:
Rents
Royalties
Profit participation, or
Income tax provisions
Supplementary information
Required supplementary information
Tax return information
Review Engagements Conclusion
There you have it. Now you know how to perform a review engagement.
The main purpose of a review is to provide limited assurance in regard to the information. Inquiries and analytics are required. A signed representation letter is also required.
If you desire to issue financial statements without a compilation or review report, consider the use of AR-C 70, Preparation of Financial Statements.
If you desire to issue financial statements without a review report, consider using AR-C 80, Compilation Engagements.
The AICPA provides the full text of AR-C 90 online. You can download the PDF if you like. Once you download the document, you can use control-f to find particular words. I find this useful.
Unpaid fees can impair your independence in attest engagements. This article explains changes in the Unpaid Fees interpretation in the AICPA Code of Conduct.
Peer review checklists ask if fees have been paid prior to issuance of attest reports. Why? A loan to an attest client can impair independence. The thought here is that the CPA may have a self-interest in the client; namely, the collection of unpaid fees. And this self-interest could potentially lead the CPA to assist the client by issuing inappropriate attest reports.
So, has there been a change in the unpaid fees section of the Code of Conduct? Yes.
The old rule of just looking back one year is no longer the sole consideration in determining your independence in regard to unpaid fees; current year fees, if significant, can also affect independence.
The bolded fonts and underlines below are added by the blogger.
Unpaid Fees Interpretation
The independence interpretation (1.230.010) in the Code of Conduct says:
Threats to the covered member’s compliance with the “Independence Rule” [1.200.001] are at an acceptable level if, when the current-year attest report is issued, unpaid fees are both clearly insignificant to the covered member and relate to professional services provided less than one year prior to the date of the current-year attest report.
Alternatively, threats would not be at an acceptable level if, when the current-year attest report is issued, unpaid fees are both significant to the covered member and relate to professional services provided more than one year prior to the issue date of the current-year attest report.
That guidance provides factors to consider in evaluating your independence.
Unpaid Fees Factors to Consider
Factors to consider (ET 1.230.010.02) when evaluating whether threats are at an acceptable level include the following:
a. The significance of the unpaid fees to the covered member
b. The length of time the fees have been due from the attest client
c. The attest client’s agreement to pay the unpaid fees
d. The covered member’s assessment of factors affecting the ability of the attest client to pay the fees
So, what should you do if a significant threat is present? Consider safeguards.
Unpaid Fees Safeguards
You may use safeguards (ET 1.230.010.04) to mitigate the independence threat:
a. Have an appropriate reviewer who has not provided attest or nonattest services to the attest client review the attest work performed before the current-year attest report is issued.
b. Obtain partial payment of the unpaid fees balance before the current year attest report is issued such that the remaining unpaid balance is insignificant to the covered member.
c. Obtain an agreement from the attest client to a payment schedule before the current-year attest report is issued.
d. Suspend further work on current attest engagements and not accept new engagements with this attest client.
ET 1.230.010.05 goes on to say:
Communication with those charged with governance regarding evaluation of the unpaid fees and safeguards applied is not a sufficient safeguard when applied alone; however, it may be considered a safeguard when supplemented by other safeguard(s).
If the safeguards are not sufficient, you are not independent.
So, how do we define unpaid fees?
Unpaid Fees Defined
Unpaid fees include billed and unbilled services.
If you provide a service whereby you expect payment, it’s a fee–whether you billed it or not. The issue is whether the client owes you for the service.
Not Applicable for Attest Clients in Bankruptcy
ET 1.230.010.06 says that this interpretation does not apply to attest clients in bankruptcy.
Collection Incentive
Oddly, the potential impairment of independence may assist you (the CPA) in collecting past-due accounts. If the client needs the current year attest report, and the CPA can’t provide it without payment, then the client may find a way to come up with the money for past fees.
Still Not Sure
If after doing the above, you’re still not sure whether your independence is impaired, consider contacting the AICPA to get their thoughts. You can email them at ethics@aicpa.org.
Are you aware of the option in the SSARS titled Preparation of Financial Statements (AR-C 70)? Many CPAs still believe the lowest level of service in the SSARS is a compilation, but this is not true. CPAs can and do issue financial statements without a compilation report. Today I provide an in-depth look at AR-70, Preparation of Financial Statements.
Preparation of Financial Statements
Guidance
AR-C 70, Preparation of Financial Statements, is the guidance for the preparation of financial statements.
Applicability - AR-C Section 70
AR-C section 70, Preparation of Financial Statements, is applicable when a public accountant is engaged to prepare financial statements or prospective financial information.
This section can also be applied to the preparation of other historical financial information (e.g., schedule of rents).
AR-C 70 does not apply when the accountant prepares financial statements or prospective financial information:
And is engaged to perform an audit, review, or compilation of financial statements
Solely for submission to taxing authorities
For inclusion in written personal financial plans
In conjunction with litigation services that involve pending or potential legal or regulatory proceedings, or
In conjunction with business valuation services
Are there other times when AR-C 70 is not applicable? Yes. The preparation guidance does not apply when the accountant is merely assisting in the preparation of financial statements; such services are considered bookkeeping.
Examples of bookkeeping services include:
Preparing or proposing certain adjustments, such as those applicable to deferred income taxes or depreciation
Drafting financial statement notes
Entering general ledger transactions or processing payments in the client’s accounting software
When AR-C 70 is applicable, certain compliance actions—such as the creation of a signed engagement letter—are required. If the accountant is merely assisting with bookkeeping services, AR-C 70 is not triggered, and compliance with the standard is not necessary.
If the accountant is only entering transactions into a general ledger and making journal entries, he is merely assisting with bookkeeping. Such assistance is often provided in an online bookkeeping software such as QuickBooks. If this is the only service provided, AR-C 70 is not applicable.
If the accountant is engaged to prepare financial statements and performs any of the following, then AR-C 70 applies.
The accountant prepares financial statements that are provided to another accountant (another firm) for audit purposes
The accountant prepares financial statements separately from a tax return (e.g., the accountant might prepare a tax return that includes financial statements and then—at the client’s request—creates financial statements separately from the return)
The accountant uses the client’s general ledger information to prepare financial statements outside of the accounting software (e.g., the accountant places information from a Quickbooks general ledger into Excel and creates financial statements)
As you can see, the preparation standard makes a distinction between:
Preparing financial statements (which triggers AR-C 70) and
Merely assisting (which does not trigger AR-C 70)
Are there any other situations where AR-C 70 does not apply? Yes. The AICPA’s Center for Plain English Accounting addressed this question in the following question and answer:
Q: If financial statements are prepared by the accountant as a by-productof another engagement (for example, an engagement to prepare a tax return), is the accountant required to follow section 70 of SSARS No. 21 and include any special disclaimer or “no assurance” statement on those financial statements?
A: No. The accountant is only required to perform the preparation engagement in accordance with section 70 of SSARS No. 21 when engaged to prepare financial statements. Therefore, because the accountant was not engaged to prepare the financial statements, there is no requirement to include a statement on each page of the financial statements indicating that no assurance is provided on the financial statements.
The author requested that the AICPA define the word engaged. They responded that a client’s request for the preparation of financial statements service is the trigger for being “engaged.” In other words, a client’s request for the preparation of financial statements means we are “engaged,” provided we accept the work. Once the client makes the request, the accountant will create an engagement letter in compliance with AR-C 70.
If the client does not request the preparation of financial statements and the accountant creates the statements as a byproduct of another service (e.g., tax return), he is not subject to the requirements of AR-C 70.
So when is AR-C 70 applicable? When a public accountant is engagedtoprepare financial statements.
AR-C 70 Objective
The objective of the accountant is to prepare financial statements in accordance with the chosen reporting framework.
AR-C 70 Reports
A compilation report from the accountant is not required (and should not be provided) when preparing financial statements under AR-C 70.
Financial Statements
The accountant can prepare financial statements as directed by management or those charged with governance. The financials should be prepared using an acceptable reporting framework such as the following:
Cash basis
Tax basis
Regulatory basis
Contractual basis
Other basis (as long as the basis uses reasonable, logical criteria that are applied to all material items)
Generally accepted accounting principles (GAAP)
When preparing financial statements in accordance with a special purpose framework (e.g., tax basis), the accountant is required to include a description of the financial reporting framework either on the face of the financial statements or in a note. Here’s a sample disclosure in a financial statement title: Statement of Assets, Liabilities, and Equity—Tax Basis.
Management determines the financial statements to be prepared. Financial statements normally include the following:
Balance sheet
Income statement
Cash flow statement
The accountant can, if so directed by management, create and issue just one financial statement (e.g., income statement).
The financial statements can be for an annual period or for a shorter or longer period. So, financial statements can be for a fiscal year, quarterly, or monthly, for example.
The accountant should also obtain an understanding of the significant accounting policies to be used in the preparation of the financial statements.
In preparing the financial statement, the accountant may need to assist management with judgements regarding amounts or disclosures. The accountant should discuss these judgments with management. Why? So management can understand and accept responsibility for the financial statements.
Documentation Requirements - AR-C 70
The accountant should prepare and retain the following documentation:
Engagement letter (or contract)
The financial statements
Documentation related to significant consultations or professional judgments are to be included in the engagement file. Also, if the accountant departs from a relevant presumptively mandatory requirement, he should document the justification for the departure and how the alternative procedures performed were sufficient to achieve the intent of the requirement. (The SSARSs use the word should to indicate a presumptively mandatory requirement.)
AR-C 70 Engagement Letter
Is an engagement letter required for a preparation service? Yes. Moreover, the letter should be signed by the accountant or the firm and management or those charged with governance. A verbal understanding is not sufficient. Though AR-C 70 does not specify how often the engagement letter should be updated, it is best to do so annually.
The engagement letter should specify:
The objectives of the engagement
The responsibilities of management
The responsibilities of the accountant
The limitations of the preparation engagement
Identification of the applicable financial reporting framework
The agreement of management that:
Each page of the financial statements will include a statement that no assurance is provided, or
The accountant will issue a disclaimer stating that no assurance is provided
Whether the financial statements will:
Contain known departures from the applicable reporting framework, and
Whether substantially all disclosures will be omitted
As noted above, no compilation report will be issued for a preparation service. The preparation service is considered a nonattest, nonassurance service, and no compilation, review, or audit procedures are required.
The accountant will do one of the following:
On each financial statement page (including the related notes), indicate, at a minimum, that “no assurance is provided,” or
Provide a disclaimer (see example below)
If the accountant uses the first option, wording such as the following should be included on each page of the financial statements (including the related notes):
No assurance is provided on these financial statements
These financial statements have not been subjected to an audit or review or compilation engagement, and no assurance is provided on them, or
ABC CPAs prepared these financial statements in accordance with professional standards of the AICPA, and no assurance is provided
Other statements can be used to communicate that no assurance is provided, but the minimum wording must include “No assurance is provided.” The “no assurance” wording is made at management’s discretion, and the accountant’s firm name is notrequired to be included. The wording is normally placed at the bottom of each page. If the client does not allow the accountant to include such a statement on each page of the financial statements, the accountant should:
Issue a disclaimer (see below)
Perform a compilation in accordance with AR-C 80, or
Withdraw from the engagement
Preparation of Financial Statements Disclaimer
If the disclaimer option is used, AR-C 70 provides the following language:
The accompanying financial statements of XYZ Company as of and for the year ended December 31, 20XX, were not subjected to an audit, review, or compilation engagement by me (us) and I (we) do not express an opinion, a conclusion, nor provide any assurance on them.
[Signature of accounting firm or accountant, as appropriate]
[Accountant’s city and state]
[Date]
Though not required, the disclaimer can be placed on firm letterhead. Notice that the disclaimer language above has no disclaimer title. While the standard is silent about providing a title, the accountant may add one. For example, Accountant’s Disclaimer. A salutation is not required, but may be added.
Some accountants prefer to provide a disclaimer on letterhead. Why? Any third party reader can see that the accounting firm is involved in the preparation of the statements and that no assurance is provided.
A third party may not know that an external accountant was involved in preparing the statements if the “no assurance is provided” legend is used and the firm’s name is not included. Remember, however, it is the client’s decision as to whether the “no assurance” legend is added or a disclaimer is provided.
Independence
Preparation of financial statements is a nonattest, nonassurance service. When an accountant performs only a preparation engagement, consideration of independence is not necessary.
If an accountant signs client checks and performs bookkeeping services, independence is not required. Moreover, if the accountant prepares financial statements for the same client, independence is not required. Signing checks, bookkeeping, and the preparation of financial statements are all nonattest services.
But what happens if the accountant prepares financial statements and issues a compilation report?
Suppose an accountant issues monthly financial statements for January through November with no compilation report (using the preparation option), but in December issues financial statements with a compilation report. Providing the monthly preparation services and the December compilation service triggers a requirement to consider independence.
Just remember this for now: Independence is not required for preparation engagements, and there are no requirements to disclose a lack of independence in a preparation engagement.
Omission of Substantially All Disclosures
Can the accountant omit all disclosures (notes to the financial statements) in a preparation engagement? Yes. Alternatively, the accountant can provide selected disclosures or if needed, full disclosure. In short, the accountant can do any of the following:
Omit all disclosures
Provide selected disclosures
Provide full disclosure
Regardless, the engagement letter should describe the level of disclosure to be provided in the financial statements. Also, the omission of substantially all disclosures should be communicated either on the face of the financial statements or in a selected note. There is no provision in the preparation standard to report the omission of disclosures in the accountant’s disclaimer that precedes the financial statements.
The accountant can communicate the omission of disclosures by including wording such as the following at the bottom of each financial statement page or in a note:
Substantially all disclosures required by accounting principles generally accepted in the United States are not included.
Substantially all disclosures ordinarily included in financial statements prepared in accordance with the tax-basis of accounting are not included.
The accountant can also communicate the omission of disclosures in the title of the financial statements. For example:
ABC Company
Statement of Income
Substantially All Disclosures Omitted
December 31, 2020
Information Provided is Incomplete or Inaccurate
Deficiencies in the information provided to the accountant should be communicated to management, and the inaccuracy or incompleteness of such information should be corrected. Deficiencies in the information include insufficient records, documents, explanations, and judgments.
Reporting Known Departures from the Applicable Financial Reporting Framework
How should a departure from the applicable financial reporting framework be reported? Discuss the departure with management to see if it can be corrected. If it is not corrected, disclose the departure. How?
A departure from the applicable financial reporting framework should be disclosed either on the face of the financial statements or in a note. If it takes more than a few words to describe the departure, note disclosure may be the better option—you’ll have more room there. There is no provision in the preparation standard to disclose departures in the accountant’s disclaimer that precedes the financial statements.
AR-C 70 Other Historical or Financial Information
In addition to historical financial statements, AR-C 70 may be applied to the following:
Specified elements, accounts, or items of a financial statement, including schedules of:
Rents
Royalties
Profit participation, or
Income tax provisions
Supplementary information
Required supplementary information
Pro forma financial information
AR-C 70 Prospective Financial Information
AR-C 70 can be applied to prospective information.
Prospective financial information is defined as any financial information about the future.
Prospective financial information can be presented as:
A complete set of financial statements, or
One or more elements, items, or accounts
If you prepare prospective financial information, the summary of significant assumptions must be included Why? It is considered essential to the user’s understanding of such information.
If you prepare a financial projection, you should not exclude:
The identification of hypothetical assumptions, or
The description of the limitations on the usefulness of the presentation
AR-C 70 references the AICPA Guide Prospective Financial Information as suitable criteria for the preparation and presentation of prospective financial information.
AR-C 70 Prescribed Forms
Is it permissible to perform a preparation of financial statement engagement with regard to prescribed forms?
Yes. There is nothing in AR-C 70 that prohibits the accountant from performing a preparation engagement with regard to prescribed forms (e.g., bank personal financial statement). However, the accountant is required to follow all of the preparation guidance. Clients may not want to add wording to the prescribed forms such as “no assurance is provided” or “substantially all disclosures are omitted.” As an alternative to adding such wording, the accountant can provide a disclaimer before the prescribed form.
Selected notes can follow the form if needed. If this option is used, the order of the deliverable is as follows:
Disclaimer
Prescribed form
Selected notes
When a bank, credit union, regulatory or governmental agency, or other similar entity designs a prescribed form to meet its needs, there is a presumption that the required information is sufficient. What should be done if the prescribed form conflicts with the applicable basis of accounting? For example, what if the prescribed form requires all numbers to be in compliance with GAAP with the exception of receivables? Follow the form. In effect, the prescribed form is the reporting framework. Report departures from the prescribed form and its related instructions on the face of the financial statements (the form) or in a note.
Draft Financial Statements
The client may request a draft copy of the financial statements prior to final issuance. To avoid confusion, mark statements with words like:
Draft Financial Statements
Working Draft
Draft - Subject to Change
Preparation of Financial Statements - A Simple Summary
AR-C 70 is applicable when the accountant is engaged to prepare financial statements and is not applicable when the accountant is engaged to perform a compilation or if the accountant is merely assisting with bookkeeping
The objective of the accountant is to prepare financial statements in accordance with the chosen reporting framework
The financial statements can be prepared in accordance with GAAP or a special purpose reporting framework
The financial statements can be distributed to third parties (and not just management)
The accountant must either:
State on each financial statement page that “no assurance is provided,” or
Provide a disclaimer
Documentation requirements include:
The engagement letter, and
The financial statements
An engagement letter must be signed by:
The accountant or the accountant’s firm, and
Management or those charged with governance
No report (e.g., compilation report) is attached to the financial statements
Consideration of independence is not required
Substantially all disclosures can be omitted
The omission of substantially all disclosures should be:
Disclosed on the face of the financial statements, or
In a note
Selected disclosures can be provided
Departures from the applicable financial reporting framework should be:
Disclosed on the face of the financial statements, or
In a note
A preparation engagement can be applied to historical financial statements and historical information (e.g., specified items of a financial statement).
A preparation engagement can be applied to prospective financial information. The summary of significant assumptions must be included.
A preparation engagement can be performed in relation to prescribed forms (e.g., bank personal financial statements)
Mark draft financial statements with appropriate wording (e.g., Draft Financial Statements)
Auditors often fail to capture and communicate internal control weaknesses, even though such communications are required by the audit standards.
But making our clients aware of control weaknesses can help them. How? It allows them to improve their accounting system. The result: prevention of future fraud and errors.
In this article, I’ll show you how to capture and communicate internal control deficiencies. By doing so, you’ll add value to your audit servicesand you’ll help your client protect their business.
At the end of the post, you’ll also see a video that summarizes this information.
A Common End-of-Audit Problem
You are concluding another audit, and it’s time to consider whether you will issue a letter communicating internal control deficiencies. A month ago you noticed some control issues in accounts payable, but presently you’re not sure how to describe them. You hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks you’re done. But you know that boiler-plate language will not clearly communicate the weakness or tell the client how to fix the problem. Now you’re kicking yourself for not taking more time to document the control weakness (back when you initially saw it).
Here’s a post to help you capture and document internal control issues as you audit.
Capture and Communicate Internal Control Deficiencies
Today, we’ll take a look at the following control weakness objectives:
How to discover them
How to capture them
How to communicate them
As we begin, let’s define three types of weaknesses:
Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.
Now let’s take a look at discovering, capturing, and communicating control weaknesses.
1. Discover Control Weaknesses
Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:
Planning – Risk assessment and walkthroughs
Fieldwork – Transaction-level work
Conclusion – Wrapping up
A. Planning Stage
You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).
Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).
Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”
I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:
The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.
Such a statement tells the client what the problem is, where it is, and the potential damage.
Fraud: A Cause of Misstatements
While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud.Appropriate segregation lessens the chance that someone will manipulate the numbers.
Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.
If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.
If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:
Theft that is material (material weakness)
Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
Theft of insignificant amounts (other deficiency)
My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.
Errors: Another Cause of Misstatements
While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:
Do the monthly financial statements ever contain errors?
Are invoices mistakenly omitted from the payable system?
Do employees forget to obtain purchase order numbers prior to buying goods?
Do bookkeepers fail to reconcile the bank statements on a timely basis?
B. Fieldwork Stage
While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.
When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.
C. Conclusion Stage
When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management.
Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.
Now let’s discuss how to capture control weaknesses.
2. Capture Internal Control Weaknesses
So, how do you capture the control deficiencies?
First, and most importantly, document internal control deficiencies as you see them.
Why should you document control weaknesses when you initially see them?
You may not be on the engagement when it concludes (because you are working elsewhere) or
You may not remember the issue (weeks later).
Second, create a standard form (if you don’t already have one) to capture control weaknesses.
Internal Control Capture Form
What should be in the internal control form? At a minimum include the following:
Check-mark boxes for:
Significant deficiency
Material weakness
Other control deficiency
Other issues (e.g., violations of laws or regulations)
Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
Description of the deficiency and the verbal or written communications to the client; also the client’s response
The cause of the condition
The potential effect of the condition
Recommendation to correct the issue
Person identifying the issue and the date of discovery
Whether the issue is a repeat from the prior year
An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
Reference to related documentation in the audit file
After capturing the weaknesses, it’s time to communicate them.
3. Communicate Control Weaknesses
Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.
Provide a draft of any written communications to management before issuing your final letter. That way if something is incorrect (your client will let you know), you can make it right–before it’s too late. Additionally, discuss the control weakness with relevant personnel when you initially discover it. You don’t want to surprise the client with adverse communications in the written internal control letter.
Internal Control Video Summary
Here’s a video that summarizes the information above.
Summary
The main points in capturing and communicating internal control deficiencies are:
Capture control weaknesses as soon as you see them
Develop a form to document the control weaknesses
Communicate significant deficiencies and material weaknesses in writing
These communications can be somewhat challenging since you’re telling management they need to make improvements. So make sure all information is correct and let your senior personnel do the communicating.
How Do You Capture and Report Control Deficiencies?
Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.
