In this post, I provide an overview of the internal control reporting requirements when no significant deficiencies or material weaknesses are noted in an audit of the financial statements. I also provide guidance for when such an engagement is subject to the Government Auditing Standards (i.e., Yellow Book). You’ll see a video that shows you what the audit opinion and Yellow Book reports look like when both are in play, and there are no issues.
Internal Control Reporting Standards
There are two sets of rules when you perform an audit that is subject to the Yellow Book requirements:
Generally accepted auditing standards from AICPA
Government Auditing Standards (i.e., Yellow Book) from GAO
And only one set of rules if the audit is not subject to the Yellow Book requirements:
Generally accepted auditing standards from AICPA
Consider two scenarios.
1. Perform an audit not subject to Yellow Book
If you perform an audit (not subject to Yellow Book) and have no significant deficiencies or material weaknesses, then no internal control letter is required (for anyone). I refer to this letter as the “SAS 115 letter” since that’s where the original generally accepted auditing rule came from. Some people opt to issue one anyway. But again, this is not required.
In this scenario, you issue one report:
Audit opinion (and no internal control letter is issued)
2. Perform an audit subject to Yellow Book
If you perform an audit that is subject to Yellow Book and have no significant deficiencies or material weaknesses, then no SAS 115 internal control letter is required. Some people opt to issue one anyway.
A Yellow Book report is required (even though there are no significant deficiencies or material weaknesses) and is included in the audited financial statements, usually after the notes to the financial statements.
You do not need to send this report to anyone separately (i.e., the government) since it’s included in the bound audit report.
So, in this scenario, you issue two reports:
Audit opinion, and
Yellow Book report
But what do these reports look like?
Yellow Book Report and Amendments to Audit Opinion
Here is a video that shows you what a Yellow Book report looks like when there are no significant deficiencies or material weaknesses.
I also show you how to amend your standard audit opinion (governmental example) when the Yellow Book report is provided.
Church theft happens, and it’s not uncommon–though I wish it was.
Pastors, deacons, church members, priests, and even nuns steal. Yes, they do. Every time I see an article about this, I shake my head. But they are flawed human beings just like me. So theft happens in churches, synagogues, and other places of worship.
In this article, I explain why fraud is (more) common in the places you least expect. And I provide tips for preventing theft.
Theft of Church Offerings
My mother gave me nickels and dimes to put in the offering plate as a kid, but I never thought about where they went. In my mind, maybe to God or Heaven. But no, they went to a church bank account to pay the expenses of our place of worship. And, thankfully, there were no thefts (that I know of).
But over the years, I’ve seen thefts from churches, synagogues, parishes, church schools, seminaries, campus ministries, relief agencies, and Bible colleges.
People are Flawed
As I said earlier, first, people are flawed, even religious folks. As I’m fond of saying, “Why is ‘Thou shalt not steal’ one of the Ten Commandments? Because people steal.”
Too Much Trust
Secondly, religious persons (and I’m one) tend to be too trusting. We think that because someone works for a ministry or a church-affiliated organization, they are always honest. While this is largely true, some religious people steal, especially when no one is paying attention to what they do. In other words, when there are no internal controls and no oversight.
Ironically, when religious bodies place too much trust in people, they tempt those pastors, priests, deacons, and others. Religious people usually don’t plan to steal but realize–after years of being in a position–they can. After all, no one is watching because trust is over-abundant. And since we can rationalize our actions, we do things we know we should not. No different than any other temptation.
Don’t Tempt Your People
Religious bodies do their people a favor by creating and maintaining proper internal controls. Yes, a favor. Temptation goes down because there are multiple eyes on the processes, as there should be.
I sometimes hear people say that a church is not a business, but a ministry, as though sound business practices are not necessary in a religious environment. My rejoinder is we need to be good stewards of the funds entrusted to us (funds that can be used for wonderful purposes). Ministries lose the trust of their contributors when theft occurs. So, churches need to institute sound internal controls.
Church theft is common due to the nature of cash flowing into a place of worship.
The Church Cash Problem
Most religious institutions receive cash contributions to support their missions. And that’s wonderful, but if you’re a fraud prevention guy like me, that’s problematic. Cash, especially physical currencies (like that received during church services), is easily stolen. So, all religious bodies need to review how cash comes into a church body to see if there are internal controls all along the way.
Monies coming in during church services, mail, or any other way need to make it to the bank account safely. So, consider how funds come into your places of worship or support organizations. And make sure multiple people are involved in the collection and deposit process, what we commonly refer to as segregation of duties.
For instance, multiple people (e.g., ushers or deacons) should count funds collected during a church service, and a count sheet should be signed by those present. Later, someone other than the count team should compare the count sheet to the bank deposit. Enter all contributions in the accounting software and periodically provide statements to those persons. The person making these bookkeeping entries should not be on the count team or have any access to cash. Why? The church bookkeeper could steal money but still make entries to the contributions software. Then, the contributor receives a periodic statement reflecting the amount given, but the money doesn’t make it into the church bank account.
In addition to considering regular church services receipts, think about those that are outside your normal processes. For instance, people might drop by the church during the week and provide a contribution to the bookkeeper.
Church Cash Outflows
While theft of cash inflows is more common, funds can be stolen as they are disbursed. So, be sure you review your payment controls. Again, you want multiple people involved in the process. For example, the person signing the checks should not be the person entering those transactions in the bookkeeping system. And it’s preferable for the person reconciling the bank account to not sign checks. Then, the person reconciling the bank statement can review the cleared checks for appropriate payees.
Additionally, make sure your controls over credit cards are strong as well. Support (e.g., receipts) should be provided for each credit card charge, and the person using the card should not be the same person reviewing transactions for appropriateness.
Obviously, religious bodies also need appropriate payroll controls to ensure those funds are paid to the right persons and in the correct amount.
In summary, religious bodies need internal controls, just like any entity that receives and spends money. Placing too much trust in religious people is a mistake and can increase church theft. So, protect your church and your people by implementing sound internal controls for funds flowing into and out of your place of worship.
Auditors often fail to capture and communicate internal control weaknesses, even though such communications are required by the audit standards.
But making our clients aware of control weaknesses can help them. How? It allows them to improve their accounting system. The result: prevention of future fraud and errors.
In this article, I’ll show you how to capture and communicate internal control deficiencies. By doing so, you’ll add value to your audit services, and you’ll help your client protect their business.
At the end of the post, you’ll also see a video that summarizes this information.
A Common End-of-Audit Problem
You are concluding another audit, and it’s time to consider whether you will issue a letter communicating internal control deficiencies. A month ago you noticed some control issues in accounts payable, but presently you’re not sure how to describe them. You hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks you’re done. But you know that boiler-plate language will not clearly communicate the weakness or tell the client how to fix the problem. Now you’re kicking yourself for not taking more time to document the control weakness (back when you initially saw it).
Here’s a post to help you capture and document internal control issues as you audit.
Capture and Communicate Internal Control Deficiencies
Today, we’ll take a look at the following control weakness objectives:
How to discover them
How to capture them
How to communicate them
As we begin, let’s define three types of weaknesses:
Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.
Now let’s take a look at discovering, capturing, and communicating control weaknesses.
1. Discover Control Weaknesses
Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:
Planning – Risk assessment and walkthroughs
Fieldwork – Transaction-level work
Conclusion – Wrapping up
A. Planning Stage
You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).
Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).
Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”
I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:
The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.
Such a statement tells the client what the problem is, where it is, and the potential damage.
Fraud: A Cause of Misstatements
While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.
Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.
If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.
If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:
Theft that is material (material weakness)
Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
Theft of insignificant amounts (other deficiency)
My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.
Errors: Another Cause of Misstatements
While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:
Do the monthly financial statements ever contain errors?
Are invoices mistakenly omitted from the payable system?
Do employees forget to obtain purchase order numbers prior to buying goods?
Do bookkeepers fail to reconcile the bank statements on a timely basis?
B. Fieldwork Stage
While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.
When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.
C. Conclusion Stage
When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management.
Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.
Now let’s discuss how to capture control weaknesses.
2. Capture Internal Control Weaknesses
So, how do you capture the control deficiencies?
First, and most importantly, document internal control deficiencies as you see them.
Why should you document control weaknesses when you initially see them?
You may not be on the engagement when it concludes (because you are working elsewhere) or
You may not remember the issue (weeks later).
Second, create a standard form (if you don’t already have one) to capture control weaknesses.
Internal Control Capture Form
What should be in the internal control form? At a minimum include the following:
Check-mark boxes for:
Other control deficiency
Other issues (e.g., violations of laws or regulations)
Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
Description of the deficiency and the verbal or written communications to the client; also the client’s response
The cause of the condition
The potential effect of the condition
Recommendation to correct the issue
Person identifying the issue and the date of discovery
Whether the issue is a repeat from the prior year
An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
Reference to related documentation in the audit file
After capturing the weaknesses, it’s time to communicate them.
3. Communicate Control Weaknesses
Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.
Provide a draft of any written communications to management before issuing your final letter. That way if something is incorrect (your client will let you know), you can make it right–before it’s too late. Additionally, discuss the control weakness with relevant personnel when you initially discover it. You don’t want to surprise the client with adverse communications in the written internal control letter.
Internal Control Video Summary
Here’s a video that summarizes the information above.
The main points in capturing and communicating internal control deficiencies are:
Capture control weaknesses as soon as you see them
Develop a form to document the control weaknesses
Communicate significant deficiencies and material weaknesses in writing
These communications can be somewhat challenging since you’re telling management they need to make improvements. So make sure all information is correct and let your senior personnel do the communicating.
How Do You Capture and Report Control Deficiencies?
Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.
Are you looking for payment fraud tests? Ways to detect fraudulent payments and create unpredictable tests. Here’s your article.
You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”
You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”
The staff member sheepishly responds, “I’m not sure.”
And you are thinking, “What can we do?”
Five Payment Fraud Tests
Here are five payment fraud tests that you can perform in most any audit.
1. Test for duplicate payments
Why test for duplicate payments?
Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer does not normally examine supporting documentation and the payee name.
How can you test for duplicate payments?
Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).
2. Review the accounts payable vendor file for similar names
Why test for similar vendor names?
Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes might be used).
The check-signer will probably not recognize the payee name as fictitious.
How can you test for similar vendor names?
Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.
3. Check for fictitious vendors
Why test for fictitious vendors?
The accounts payable clerk may add a fictitious vendor. What address will be entered for the fictitious vendor? You guessed it: the payable clerk’s home address (or P.O. Box).
Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.
How can you test for fictitious vendors?
Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the business addresses to check for validity. If necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).
4. Compare vendor and payroll addresses
Why compare vendor and payroll addresses?
Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.
How can you test for the same vendor and payroll addresses?
Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.
5. Scan all checks for proper signatures and payees
Why test checks for proper signatures and payees?
Fraudsters will forge signatures or complete checks with improper payees such as themselves.
How can you test for proper signatures and payees?
Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).
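The first, second, and fourth tests above are done by sorting and eyeballing Excel downloads; the same checks can be scripted so they run over the whole file. The following Python sketch is an added example, not part of the original article: the sample register, vendor file, and payroll file are constructed, and the abbreviation list and similarity cutoff are assumptions you would tune to your own data.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data (not from any real entity).
CHECK_REGISTER = [
    # (check_no, date, vendor, amount)
    ("10451", "2024-03-04", "Delta Paving LLC", 31250.00),
    ("10452", "2024-03-04", "ABC Company", 4800.00),
    ("10497", "2024-03-18", "Delta Paving LLC", 31250.00),
    ("10498", "2024-03-18", "ABC Co.", 9900.00),
    ("10510", "2024-03-25", "Northside Office Supply", 31250.00),
]
VENDORS = [
    ("ABC Company", "400 Industrial Blvd, Suite 2"),
    ("ABC Co.", "17 Maple Street"),
    ("Delta Paving LLC", "P.O. Box 881"),
    ("Northside Office Supply", "92 Commerce Dr."),
]
PAYROLL = [
    ("J. Smith", "17 Maple St."),
    ("R. Jones", "300 Oak Avenue"),
]

# Assumed abbreviation map; extend it for the naming habits in your own files.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "drive": "dr", "boulevard": "blvd",
                 "company": "co", "incorporated": "inc", "suite": "ste"}

def normalize(text):
    """Lowercase, drop punctuation, abbreviate common words so near-identical entries compare equal."""
    words = re.sub(r"[^a-z0-9 ]", "", text.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def duplicate_payments(register, threshold=25000):
    """Test 1: same vendor and same dollar amount, at or above the threshold, paid more than once."""
    groups = defaultdict(list)
    for check_no, _date, vendor, amount in register:
        if amount >= threshold:
            groups[(normalize(vendor), round(amount, 2))].append(check_no)
    return {key: checks for key, checks in groups.items() if len(checks) > 1}

def similar_vendor_names(vendors, cutoff=0.85):
    """Test 2: pairs of vendor names that are identical or nearly so after normalization."""
    pairs = []
    for (name_a, _), (name_b, _) in combinations(vendors, 2):
        score = SequenceMatcher(None, normalize(name_a), normalize(name_b)).ratio()
        if score >= cutoff:
            pairs.append((name_a, name_b, round(score, 2)))
    return pairs

def vendor_payroll_address_matches(vendors, payroll):
    """Test 4: vendors whose address matches an employee's address in the payroll file."""
    by_address = defaultdict(list)
    for employee, address in payroll:
        by_address[normalize(address)].append(employee)
    return [(vendor, employee, address)
            for vendor, address in vendors
            for employee in by_address.get(normalize(address), [])]

if __name__ == "__main__":
    print("Duplicate payments:", duplicate_payments(CHECK_REGISTER))
    print("Similar vendor names:", similar_vendor_names(VENDORS))
    print("Vendor/payroll address matches:", vendor_payroll_address_matches(VENDORS, PAYROLL))
```

Every hit is a lead to investigate, not a finding; as noted above, an address match can be legitimate, such as travel checks processed through accounts payable.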
Your Payment Fraud Tests
Those are a few of my payment fraud tests. Please share yours.
My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. Check it out on Amazon by clicking here. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.
Below I provide a useful summary of governmental internal controls.
Why am I providing this list of useful controls? Most small governments struggle with establishing sound internal controls. So, the list provides a beginning point for preventing theft in your government. While not a comprehensive list, it will help.
Many of the internal controls listed below are also pertinent to nonprofits and small businesses. You will find this same checklist in The Little Book of Local Government Fraud Prevention (available on Amazon) which provides many more fraud prevention ideas.
I am providing general fraud prevention controls and then transaction-level controls for:
Cash receipts and billing
Cash payments and purchasing
General Governmental Internal Controls
Here are some general governmental internal controls.
Have bank statements mailed directly to someone outside of accounting; recipient should peruse bank statement activity before providing it to accounting
Perform surprise audits (use outside CPA if possible)
Elected officials and management should review the monthly budget to actual reports (and other pertinent financial reports)
Map internal control processes by transaction cycle (preferably done by a seasoned CPA); once complete, provide the map to all employees involved in the cycle; when control weaknesses exist, institute additional controls (see 11. below)
Use a whistleblower program (preferably use an outside whistleblower company)
Reconcile bank statements monthly (have a second person review and initial the reconciliation)
Purchase fidelity bond coverage (based on risk exposure)
Periodically request from the government’s bank a list of all bank accounts in the name of the government or with the government’s federal tax I.D. number; compare the list to bank accounts set up in the general ledger
Do not allow the electronic transmission (e.g., email) of sensitive data (e.g., social security numbers) without the use of protected transmission technology (e.g. Sharefile); create policy and train staff
Where possible, segregate who (1) authorizes transactions, (2) records transactions, (3) reconciles records, and (4) has custody of assets; when segregation of duties is not possible, require documented second-person review and/or surprise audits
Transaction Governmental Internal Controls
Here are transaction level governmental internal controls.