Fraud happens! Maybe it is accomplished by someone in the accounting department making a journal entry to affect revenue recognition for certain transactions. Or, perhaps it occurs when someone enters transactions for fictitious customers or vendors, or alters timecards. While auditors do not have a specific requirement to detect all fraud, we can turn to the auditing standards for guidance.
Statement on Auditing Standards (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit requires that auditors ordinarily presume there is a risk of material misstatement due to fraud relating to revenue recognition and management override of controls. The revenue recognition issue may include shifting future revenues to the current period or current revenues to a later period. Management override of controls is one of the risks that should be considered during audit planning meetings.
How I Found Fraud
Long before SAS 99 was issued in November 2002, I found that performing audits using Computer Assisted Auditing Tools and Techniques (CAATTs) was often much more efficient because I was able to scan the entire data set quickly and more effectively – quickly identifying unusual items.
In one case, I was able to uncover fraud at a construction company. The company was in the middle of many projects and needed the audit to satisfy its bonding company. The audit team brought me on to help them download the data files from the company’s accounting system.
The company had an older, internally developed system, and this was prior to Y2K, so it was not as easy to get the download as it is today with more modern applications. However, I was able to get the data and import it into the analysis tool we used. I typically try to get the entire database rather than just the details of the transactions open at the end of the year. As I was going through the data, I noticed there was a field for “transaction type,” and asked the client what each code was for. I expected codes for invoices, payments and credits, but did not expect a code for “transfers.” The transfer code was used to take improperly posted transactions to one project and shift them to the proper project. This made sense.
I inquired as to how often the transfer code was used and was told there should be approximately 50 transfers a month between projects. The client had dozens of open projects, so it did not seem unusual that occasionally a cost was mis-posted. Since I had the entire database, I quickly extracted the transfer transactions and was surprised when I saw there were many more than 50 each month. I plotted the transactions by month and noted that in each of the first 11 months, approximately 50 transactions occurred each month. However, in the final month of the year, there were more than 5,000 transfers.
This was not expected.
The company was busy transferring costs around between different projects during this last month, but was not as creative as they should have been! They dated most of these transactions on the last day of the year. While you and I were celebrating New Year’s Eve, this client was shifting costs from the projects that were losing money to projects that were just starting out – all in an effort to avoid having to recognize the losses on a percentage-of-completion accounting basis. Unfortunately, the company kept shifting costs until getting to a figure it felt would be acceptable to the bonding company. The company ended up making so many transfers that the process was detectable.
Had the audit team scanned through extensive computer printouts, I do not know if the team would have picked up on the anomaly. But, since we used CAATTs, the pattern was easy to pick up. The entire process took less than two hours to download the files, import them into the analysis tool, perform the analysis and find the issue. Efficient and effective!
Planning Audit Procedures: Nature, Timing and Extent
SAS 99, paragraph 54, specifically discusses using computer-assisted audit techniques as a way to identify unusual or unexpected revenue relationships or transactions. In addition, in situations for which revenue transactions are electronically initiated, processed and recorded, the auditor could consider testing controls to determine whether the controls provided assurance that recorded revenue transactions occurred and were properly recorded.
Auditors should be aware of the possibility of management override of controls, and that good CAATTs can help the auditor detect these overrides. Many auditors regularly review adjusting journal entries for unusual items. If you can download a complete file of the journal entries recorded by the company, you should be able to sort and extract duplicate journal entries, and those that may contain certain unique characteristics. These characteristics may include transactions posted to unusual, unrelated or seldom-used accounts, along with those made by people who typically do not make entries. They also may include transactions that are very near the end of the period, and contain weak or no descriptions. Sometimes, these entries are top-sided and do not correlate to any specific accounts, contain round numbers, are just below authorization thresholds, or outside the normal course of business.
Although fraud can never be eliminated, effectively using CAATTs during audit engagements can help auditors reduce the risk that a fraud would go undetected. Later this year, I will be presenting an AICPA Web Seminar in which I will explore these concepts in much greater detail. Stay tuned.
Contact Mark Mayberry at mmayberry@bdo.com.
Return to Table of Contents