Audit

The Independent Auditor, Part II

by Frank Stover, CPA/CFF/CGMA, CFE

Audit Manager at Atchley & Associates, LLP

DO’S AND DON’TS

What auditors do

The independent auditor is engaged to render an opinion on whether an entity’s financial statements are presented fairly, in all material respects, in accordance with a particular financial reporting framework (GAAP, GASB, FASB, regulatory basis, etc.). The audit provides users, such as bond counsels and agents, regulatory bodies, and the general public, with a degree of confidence in the financial statements. An audit conducted in accordance with GAAS and relevant ethical requirements enables the auditor to form that opinion.

To form an opinion, the auditor gathers appropriate and sufficient evidence and observes, tests, compares and confirms until gaining reasonable assurance. The auditor then forms an opinion of whether the financial statements are free of material misstatement, whether due to fraud or error.

Some of the more important auditing procedures include:

  • Inquiring of management and others to gain an understanding of the organization itself, its operations, financial reporting, and known fraud and error
  • Evaluating and understanding the internal control system
  • Performing analytical procedures on expected and unexpected variances in account balances or classes of transactions
  • Testing documentation supporting account balances or classes of transactions
  • Observing the physical inventory count
  • Confirming bank accounts, receivables, and other accounts with a third party

At the completion of the audit, the auditor may also offer objective advice for improving financial reporting and internal controls to maximize a company’s performance and efficiency.

What auditors don’t do

For a clear picture of the role of independent auditors, it helps to understand what you should not expect auditors to do. Emphasis is placed on “independent.”

Firstly, your independent auditors do not take responsibility for the financial statements on which they form an opinion. The responsibility for financial statement presentation rests with management and those charged with governance of the entity being audited.

Auditors are not a part of management, which means the auditor will not:

  • Authorize, execute or consummate transactions on behalf of a client
  • Prepare or make changes to source documents
  • Assume custody of client assets, including maintenance of bank accounts
  • Establish or maintain internal controls, including the performance of ongoing monitoring activities for a client
  • Supervise client employees performing normal recurring activities
  • Report to the board of directors on behalf of management
  • Serve as a client’s bond or escrow agent or general counsel
  • Sign payroll tax returns on behalf of a client
  • Approve vendor invoices for payment
  • Design a client’s financial management system or make modifications to source code underlying that system
  • Hire or terminate employees

Stated briefly, the auditor may not assume the role and duties of management.

Speaking as a practical matter, there are a number of tasks you should not expect your independent auditor to perform:

  • Analyze or reconcile accounts
  • “Close the books”
  • Locate invoices, etc., for testing
  • Prepare confirmations for mailing
  • Select accounting policies or procedures
  • Prepare financial statements or footnote disclosures
  • Determine estimates included in financial statements
  • Determine restrictions of assets
  • Establish value of assets and liabilities
  • Maintain permanent records, including bond or loan documents, leases, contracts and other legal documents
  • Prepare or maintain minutes of the entity’s governance committee meetings
  • Establish account coding or classifications
  • Determine retirement plan contributions
  • Implement corrective action plans
  • Prepare an audit for audit

An audit is NOT a fraud examination. You may engage an audit firm to perform a forensic examination, which is performed under different professional standards.

Your independent auditor may assist in the performance of some of these duties under some restrictive guidelines of the American Institute of CPAs, Department of Labor, Government Accountability Office, Securities and Exchange Commission or Public Company Accounting Oversight Board. However, these very same guidelines may also preclude the auditor from performing some of these functions.

The Independent Auditor, Part I

by Frank Stover, CPA/CFF/CGMA, CFE

Audit Manager at Atchley & Associates, LLP

 The Audit

au·dit /ôdət/ noun

noun: audit; plural noun: audits

Audit: an official inspection of an individual’s or organization’s accounts, typically by an independent body.

Verb: conduct an official financial examination of (an individual’s or organization’s accounts). “companies must have their accounts audited”

Synonyms, common: inspect, examine, survey, go through, scrutinize, check, probe, investigate, vet, inquire into, assess, verify, appraise, evaluate, review, analyze, study.

Origin: late Middle English: from Latin auditus ‘hearing,’ from audire ‘hear,’ in medieval Latin auditus (compoti) ‘audit (of an account),’ an audit originally being presented orally.

 

There are different types of audits: external, single-audit, governmental, compliance, internal, and regulatory to name a few.

Description of more common audits:

1. Third Party Verification – An independent or external audit is carried out by a neutral third party, such as a professional accounting firm which is licensed to perform audits. The financial records of an entity, including ledgers, bank statements, payroll, tax information, internal financial reports, official published reports, accounts payable, and accounts receivable, will be examined, among other documents. Further, minutes of meetings of directors, committees, and commissioners’ court, inquiry of attorneys, public databases and internet searches are some of the other techniques used to gather entity information. Standards under which audits are conducted are established by various professional bodies and governmental agencies, such as the AICPA, SEC, GASB, FASB, OMB, and State Public Accountancy Boards.

2. A Single Audit is an engagement to perform simultaneously three (3) examinations.  They are (1) an examination of the financial statements, (2) an examination of internal controls over financial reporting and compliance, and (3) an examination of an entity’s compliance with requirements that could have a direct and material effect on each major program (in accordance with OMB Circular A-133).  The Single Audit is conducted under standards and guidelines issued by the Office of Management and Budget (OMB) generally using Circular A-133, the Governmental Accounting Standards Board, the Financial Accounting Standards Board, and depending on the source of funds perhaps the State of Texas Single Audit Circular.

A Federal or State Single Audit is required if you expended (not received) $750,000 of grant funds. A distinction should be made: not all Federal or State funds may be grants. Should you have a contract for service, these monies are not subject to the Single Audit requirement. If you are unsure, contact your designated grant(s) administrator(s).

The threshold of expenditures requirement is $750,000 for fiscal years beginning on or after January 1, 2015; for fiscal years beginning before that date, the threshold requirement for expenditures is $500,000.

3. A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security policies, user access controls and risk management procedures over the course of a compliance audit.

What, precisely, is examined in a compliance audit will vary depending upon whether an organization is a governmental, public or private entity, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, SOX requirements mean that any electronic communication must be backed up and secured with reasonable disaster recovery infrastructure.  Entities, such as healthcare providers that store or transmit e-health records, like personal health information, are subject to HIPAA requirements. Financial services companies that transmit credit card data are subject to PCI DSS requirements. In each case, the organization must be able to demonstrate compliance by producing an audit trail, often generated by data from event log management software.

4. Internal Audit as defined by the Institute of Internal Auditors (IIA), “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Auditors’ roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization’s corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures.”

Part II. All the Do’s and Don’ts for Auditors [coming soon]

Accounting Systems and Chart of Accounts – Foundations for Financial Success

by Jeremy Myers

Audit Supervisor at Atchley & Associates, LLP

Accounting systems come in many shapes and sizes, from the simplest forms of QuickBooks to the more complex and robust forms of SAP and Oracle. The main objective of any accounting system is that it can store and produce meaningful accounting information for its users while being in line with your organization’s vision, strategies, and needs. The correct accounting system can make the lives of its users better by minimizing the tasks needed to operate the books of any organization.

First, your organization must identify the complexities of its operations to discover how the financial information will be used, i.e., provided to owners of the organization, lenders, donors, fundraisers, grantors, department heads, boards or those charged with governance, etc. Once it is determined who will use the financials of your organization and how, the second step is to select a system that fits those needs, with potential room to grow or customize to best fit your needs.

Once the proper accounting system is selected, the next step to help achieve the goals of the accounting system is to set up a chart of accounts that is again useful to the users of the information. Setting up a consistent chart of accounts and using a consistent numbering and naming convention is key. For example, if all cash accounts have the same starting numbers (1000, 1001, 1002) and the bank’s name, then when it comes time to reconcile the bank accounts, it will be very easy to tell which cash account goes to which bank reconciliation and bank account. If all salary accounts are in the 5000s and all revenue for a certain product or funding source is in the 4100s, then pulling information and grouping it in a way that is useful to your organization will be faster. Always remember to use spacing between accounts, as you never know when your organization will develop a new product or obtain a new funding source. This will allow you to keep the account numbering consistent, unique, and identifiable.

If your organization has multiple lines of business, be it funding sources, products, or services, setting up a fund code as a part of the account number will help track the performance, restricted assets, debt, revenues, and expenses related to each line of business. This is done by simply adding a few digits to each of the account numbers: 01-1000 – “Bank Name” – may be related to unrestricted activities, 02-1000 – “Bank Name” – may be related to restricted activities, and 15-5000 – “Salaries” – would be related to a specific program’s salaries.

Once your accounting system has been selected and the chart of accounts set up, and both are in line with the organization’s vision, strategies, and needs, pulling out the revenue and expenses related to new products or projects, or seeing how division 15 is performing, will only be a few keystrokes away. Leveraging your accounting system and chart of accounts to work for your organization is setting up a solid foundation for financial success, no matter how large or small your organization may be.

Flexible Budgets for Not-For-Profits

by Tyler Mosley

Audit Manager at Atchley & Associates, LLP

Many of the not-for-profit organizations we provide services for use budgets. For the most part, those budgets are static budgets that are set and approved by the board of directors at the beginning of the year and only modified if a significant event occurs during the year. I have seen a growing trend of companies moving towards flexible budgets which can be modified throughout the year based on updated information and current organizational conditions.

While static budgets are usually set at the beginning of a fiscal year and rarely modified, flexible budgets can be modified weekly, monthly or quarterly based on changing conditions. Most of the not-for-profit organizations that use a budget base their budget on projected cash inflows. While some not-for-profit organizations may have steady cash inflows and can reasonably project the fiscal year’s total revenues, many do not. Many not-for-profit organizations rely on donations from businesses and individuals which can vary in timing and magnitude. For these organizations a flexible budget would provide a more useful benchmark with which to manage program expenses. Program expenses could be budgeted for at the beginning of the year based on projected total cash inflow and then increased or decreased each month or quarter based on updated cash inflow information.

Updating the budget throughout the year will prevent surprises each period in which expenses may be under budget but exceed cash inflows. Alternatively, it would also prevent program expenses coming in well below cash inflows when the organization has a great fundraising year. When it is time for your organization to establish a budget, consider setting it up so that it can be updated periodically throughout the year as you get more accurate information about your current cash flow situation.

Fraud Awareness and the Small Business

by Frank Stover, CPA/CFF/CGMA, CFE

Audit Manager at Atchley & Associates, LLP

Fraud – a word we hear often, and one that many times means something different from our preconceptions. Someone may be a fraud, someone may commit a fraud, or at times something physical may be a fraud.

For small businesses, the fraud that owners will most often see committed against them or their company is “occupational fraud.” The Association of Certified Fraud Examiners defines occupational fraud “as the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” Occupational fraud can manifest itself in many ways. Nor is it limited by gender.

Based upon the statistics and information contained in the “Report to the Nations on Occupational Fraud and Abuse”, 2012 Global Fraud Study, published every two years by the Association of Certified Fraud Examiners, fraudulent activity cost United States organizations 5% of their annual revenues (based upon 2012 US GNP of $16.13 trillion this would be $806.5 billion in fraud losses).

Generally, occupational fraud is categorized as financial statement fraud, misappropriation of assets, or corruption. Financial statement fraud will typically involve falsification of an organization’s financial statements or some form of regulatory or financial report. Examples include overstating assets and revenues, or understating liabilities or expenses to achieve personal gain. Misappropriation of assets is the theft or misuse of an organization’s assets, such as skimming revenues, stealing inventory or committing payroll fraud. Corruption involves fraudsters wrongfully using their influence in a business transaction to procure some benefit for themselves or another person(s), contradicting their duty to their employer or the rights of another, for instance by accepting kickbacks or engaging in conflicts of interest.

For small businesses, cash, inventory, payroll and misuse of organization assets are the most common areas of fraud occurrence. Cash is the asset most often pilfered from small businesses, but because of its nature and importance to small businesses, its theft is usually discovered within one month. Inventory fraud is usually not discovered until later because small organizations will be more focused on operating measures (for example, revenue run rates, billing cycle and accounts receivable information) in the short term, and inventory will not be counted or reconciled against purchases and jobs in progress until quarter or year end. Payroll fraud is usually committed by persons who have some form of operational control and authorization such that they can add phantom employees to the payroll or, in collusion with others, submit falsified time records to the payroll department. This type of fraud is most usually discovered when there is turnover in personnel, a “falling out” between conspirators, or some form of periodic management review and reconciliation of historical project costs against approved budgets. Misuse of organization assets many times occurs when a service company employee uses their employer’s assets on weekends and holidays to run another business on the side. Discovery of this type of fraud will usually occur when a disgruntled customer of the employee’s side business complains regarding defective work or makes a warranty claim. Control of physical access to company operating assets during non-business hours and reconciliation of mileage logs are several ways to prevent or detect such abuse.

Generally, fraud will happen because someone has (i) a perceived financial problem that cannot be shared or discussed with another (such as an inability to pay debts, a personal financial failure, perceived mistreatment by their employer), (ii) an opportunity (the person believes that their problem can be solved in secret) to fix their problem without being caught, and (iii) a rationalization that allows them to view the situation as non-criminal and justified as part of a situation that they cannot control.

There are fraud policies and controls which can assist small businesses in deterring bad behavior. Some of these include having a clearly written and communicated fraud policy which describes how fraud matters and investigations are handled within the organization and by whom, what actions the organization considers to constitute fraud, reporting procedures (anonymous tip lines, a designated official, etc.), what consequences the organization will impose for such activity, and the dedication to follow through with those stated consequences.

Atchley & Associates, LLP is a group of dedicated professionals, which include Certified Fraud Examiners, who can review, assess and make recommendations regarding small business systems of internal controls to decrease the likelihood of fraud being committed.

Fraud in the Cash Disbursements Accounting Cycle

By Tyler Mosley, CPA, CFE

Audit Supervisor at Atchley & Associates, LLP

In the Association of Certified Fraud Examiners (ACFE) 2014 edition of “Report to the Nations on Occupational Fraud and Abuse,”1 85% of fraud cases involve misappropriation of assets. In addition, 29% of all fraud cases occurred in companies with fewer than 100 employees and for those fraud cases the median loss was $154,000.

In our March 2014 blog, Robert Marchbanks, CPA/CGMA, discussed preventing fraud in nonprofit organizations and provided a good checklist of steps an organization can take to prevent and detect fraud. I am going to expand upon one of these items as it is the item I come across the most frequently when performing financial statement audits of nonprofit and for-profit organizations. Many smaller organizations do not have enough room in their budget to hire multiple staff members to perform accounting and financial reporting duties. Specifically, we see that some smaller companies do not have adequate segregation of duties related to the check disbursement process. We stress with our clients that having proper segregation of duties is important to mitigate the risk of an employee committing fraud and to detect fraud in a timely manner.

For the most effective segregation of duties, employees involved in purchasing functions (initiating requisitions and approving purchases) should not have disbursement-related responsibilities. These employees should not be able to approve invoices for payment, record invoices, receive goods, or have access to the vendor master files. We frequently see in small organizations that the same staff member creates check runs, approves invoices, signs checks, and performs bank reconciliations. In the event that segregation of these functions is infeasible, we suggest that a member of management who is not responsible for any of the aforementioned duties be the sole signer on all checks. They should also periodically review all check disbursement activity to ensure that only authorized transactions have been processed.

A little extra time spent monitoring the check disbursement process could save the company significant amounts of money down the road.

1 http://www.acfe.com/rttn/docs/2014-report-to-nations.pdf

Delegation, authority, responsibility, expectation/investigation

Concepts that many of us, in all phases of life and employment, can struggle with

By Frank H. Stover, CPA/CFF/CGMA, CFE

Audit Manager at Atchley & Associates, LLP

DELEGATION is a necessary function of our lives (no one is an island) in our interaction with our families, others, and our employment. To be able to effectively delegate we must be able to define what needs to be accomplished (goal/result, etc.) and when. We must be able to define the task(s) associated with attaining the goal(s) or result(s) desired, then match the tasks to the available resource (family member, friend, or personnel), determine availability of that resource, and then clearly communicate (remembering that effective communication is a two-way process) the task(s) to be performed and the time within which they are to be finished. We must always be conscious of not turning our crisis into someone else’s undeserved emergency.

Many of us might stop there. HOWEVER, we must remember that accomplishment of task(s) by others on our behalf requires us to also delegate AUTHORITY. We must provide the person(s) assisting us with the accomplishment of our goal(s) the relevant amount of authority in dealing with others, sources of information, or regulatory authorities: the “authority resource(s)” needed to accomplish the assignment given. It is incumbent upon us to clearly define that authority, and if use of it involves reference being made to us, how that reference is to be framed by the user.

RESPONSIBILITY: this is the tough one. While we can pass on authority to those assigned with accomplishing something on our behalf, we cannot pass on OUR responsibility. Yes, we can ask those assisting us to be responsible to us, but their acceptance of the task(s) does not provide us with an out for not meeting what we have committed to or what has been assigned to us. We must always guard against taking out our frustrations associated with not accomplishing what we are responsible for on those who have assisted us (whether they did so well or not – this may lead to a teaching or learning opportunity for us but that is for a different blog).

EXPECTATION / INVESTIGATION, these go together, how?  A mantra that I remember from my earlier days in the Navy that was drummed into us was “do not expect what you do not inspect”!  We have a responsibility as a delegator to specifically and clearly communicate our expectations regarding the task(s) assigned and affirm that the communication has been clearly received and understood.  We also have a duty to those we have assigned task(s). We need to determine that they are performing work necessary to achieve the requested results, guide them as necessary, and to communicate to them their accomplishment of our targeted goal(s).  Those assisting us might view this as their “insurance”.

Just keeping a few thoughts like I have mentioned above in mind when making assignments of any type can help avoid confusion and disappointment, which should help YOU attain your assignments.

Please keep Atchley & Associates, LLP, our wonderful team, and our many services in mind when you need assistance. We will be happy for you to delegate to us matters which you need assistance with, and we will be glad to be responsible to you in accomplishing your goal(s).

Why backing up your data is important

By Tyler Mosley, CPA, CFE

Audit Supervisor at Atchley & Associates, LLP

Backing up company files is usually not at the forefront of our minds. That is, until we lose crucial data and wish we had been more diligent about backing up our files. We rely on our computers every day and sometimes take for granted what would happen if we lost access to them. Ask yourself something: how much of my data would I lose if my computer’s hard drive failed right now? How much data would my company lose if the servers crashed? If your answer to either of these questions is more than twenty-four hours of data, then you may not be backing up your computer systems frequently enough.

Backing up files can assist you with restoring data lost due to hardware failure, computer viruses, theft, accidental deletion, and natural disasters. We recommend to our clients that they create backups of their computer systems every week at a minimum. These backups should be kept on a separate system, i.e., a computer backup should not be kept on the same computer and a server backup should not be kept on the same server. We also recommend that backups be kept in a fire- and flood-proof container or at an offsite location. There have been many occasions when companies were diligent about backing up their files only to have their computer systems and backup files lost due to a fire or flood at their office.

You may also want to consider creating backups every twenty-four hours, especially if the cost to recreate lost data is high. Backing up files can be done manually or by using a third-party service. Some third-party services offer cloud storage, which provides the benefit of having your backups readily accessible and at an offsite location.

When making the decision of how frequently to back up company files, remember to ask yourself: what would happen if I lost all of my data right now and how would that adversely affect my company? You may find that backing up your files is now a top priority.

Preventing Fraud in Nonprofit Organizations

By Robert Marchbanks, CPA/CGMA

Audit Manager at Atchley & Associates, LLP

Most nonprofit organizations operate with limited staff and in a manner that assumes all employees are trustworthy. While the majority of employees are honest and believe in the organization’s mission, there are employees that may face financial hardship from a spouse losing a job, incurring medical bills, or sending a child to college. Other employees believe they are entitled to higher pay and will “justify” embezzling from the organization.

Donald Cressey’s hypothesis on why people commit fraud is referred to as the fraud triangle: Motivation, Rationalization, and Opportunity.

  • Motivation or pressure may include financial problems, addictions like gambling, shopping or drugs, pressure to show good performance or results, or just the thrill of being able to get away with something.
  • Rationalization is when individuals think they are justified because they are underpaid, or it’s for their family, or they need it now but they’ll pay it back before anyone notices.
  • Opportunity is created when there are weaknesses in controls. Individuals think they won’t get caught because nobody is looking, or reviewing, or performing reconciliations and reviews.

While an organization may not be able to prevent motivation or rationalization, there are certain steps the organization can take to minimize the opportunity and the risk of an employee committing fraud. These include:

  1. Set the tone at the top – Management should set the tone at the top for ethical behavior in the organization.
  2. Segregation of duties – No single person should be responsible for receiving, depositing, recording, and reconciling receipt of funds. No single person should be responsible for approving payments, disbursing funds, recording the disbursement transaction, and reconciling the bank statement.
  3. Reconcile accounts in a timely manner – Bank accounts should be reconciled timely by an individual not responsible for recording cash receipts and disbursements.
  4. Documentation and Authorization – You should have invoices to support cash disbursements and the expenditures should be approved by someone outside of accounting. The approval should be in the form of a signed purchase order or signed approval on the invoice. Maintain proper accounting records for all transactions.
  5. Written whistleblower and conflict of interest policies – The whistleblower policy should provide a phone number for the employee to call to report the fraud and remain anonymous. The conflict of interest policy should prevent private inurement.
  6. Look for employees living beyond their means – Be aware of the type of car the employee drives, the vacation destinations they travel to, and the jewelry that they wear.
  7. Carry insurance for employee theft – Even with the fraud policies and procedures in place, you should carry insurance to cover employee theft. This will minimize the risk of the financial hardship of the nonprofit organization.
  8. Keep check stock in a secure location accessed only by authorized personnel.

While the above list is not all-inclusive, hopefully it will encourage you to review your current policies and procedures at your nonprofit organization and implement procedures to deter and detect employee fraud. Please let us know if we can help in reviewing your risk assessment of your policies and procedures.

Efficiency and Time Management

By Jeremy Myers, CPA

Audit Senior at Atchley & Associates, LLP

Efficiency and time management are two buzz words that most professionals hear every day. How can we become more efficient or how can we manage our time better? After January, most of our clients here are happy to be done with year-end close and are starting on closing January’s activity. Which activity seems more time consuming, closing a month or closing the entire year? Honestly, they should be about the same. What is a year-end close, other than closing all the prior months’ activity out? By the time you make it to closing out the year, you should have already closed out 11 straight months of activity so that final month should not be any different.

Efficiencies are built by performing a task multiple times and increasing your performance by decreasing your mistakes. Once you know your month-end close activities, make a step-by-step list of the process. This part is critical to gaining efficiencies and increasing time management. Once you have made your step-by-step list to close a month, you can start working on automating each step or removing/combining steps as necessary. By performing the same process in the same order, you will gain familiarity with each step and recognize the proper order and details you will need to complete the month-end close. Seems simple, but how many people approach their month-end closing in such an organized style?

Practical Application: how will this really build efficiency and time management? Imagine you are in an office setting where everyone has written procedures for the normal routine tasks they perform each day. If someone is sick or on vacation, another employee in that department can pull up the procedure and quickly get the task completed. Also, when it comes time to train new staff or cross-train existing staff, you already have solid groundwork set up, and after a few walkthroughs of the process and an outline, the new staff person will shortly master the procedure and then start to find their own efficiencies. Time management comes after: with staff properly trained and cross-trained, you will have more time to take that much-needed vacation and not have to worry that you will be coming back to even more work than when you left.