|EXECUTIVE SUMMARY |
The top-side journal entry is most susceptible to fraud by management override. It’s possible to make adjustments in subledgers, but this requires collusion with other organizational departments, which is much harder to accomplish.
The most frequent types of management fraud involve fictitious or premature revenue recognition. One way this can occur is through management override of internal controls.
SAS no. 99 requires external auditors to test journal entries; internal auditors and forensic examiners may find it helpful in designing their procedures to test journal entries. AICPA Practice Alert 2003-02 provides additional guidance for implementing SAS no. 99 and discusses using computer- assisted audit tools to improve test effectiveness.
Data analysis is a critical component for testing journal entries. Testing exclusively by manual means is probably not the most effective approach.
Tests should use the Who, What, When, Where and Why methodology. Like any tool, computer-assisted testing has its limitations. It does not replace a skilled auditor or fraud examiner. But rather, automation allows the auditor or fraud examiner to focus his or her energy on the highest-risk journal entries culled from a full set of entries rather than on a random sample.
Richard B. Lanza , CPA, CITP, CFE, PMP, is president of Audit Software Professionals, and Scott Gilbert is an independent consultant. Their e-mail addresses are firstname.lastname@example.org and email@example.com , respectively.
In recent large-scale frauds, such as WorldCom, management override around the journal entry process was the key contributing factor. Sure, it’s possible to make adjustments in the subledgers, but this requires collusion with other organizational departments. Thus, the top-side entry is a favored method for committing financial statement fraud.
WHY CONTROLS ARE NOT ALWAYS EFFECTIVE
An effective system of internal control will help prevent material misstatements, whether due to error or fraud, from occurring in a company’s financial statements. Much recent work has gone into ensuring that controls are in place, documented and tested to provide evidence that they are designed and operating effectively. However, all this work is for naught if employees are able to circumvent the control structure. A recent study by the Association of Certified Fraud Examiners (ACFE) documented the limitations of internal controls for fraud detection when it found that internal controls were not the first but the fourth most common way to detect fraud.
Companies unfortunately become too comfortable with their internal controls and hardly ever think beyond “what can go wrong” in an effort to break the control. Walk-throughs that focus on “what controls are there” miss the potential for circumvention of such controls. It’s best to focus testing not on the controls in place, but rather on the expected circumvention of such controls. Unfortunately, employees, including senior management, are too intelligent for their own good and can quickly develop ways to work around a control. For example, in journal entries, employees can post numerous smaller entries to various departmental general ledgers in an effort to circumvent approval processes, as well as to make it more difficult for auditors to detect the malfeasance.
A Review for Audit Committees
Given the high risk of management override, a health check should be taken of the company’s audit procedures around the journal entry process. The following questions should help form a conclusion on the effectiveness of existing automated journal entry tests:
What internal procedures are currently executed to test not only the controls in the journal entry process but also the circumvention of controls in this process?
Do the tests comply with the specific tests promulgated in SAS no. 99 and Practice Alert 2003-02?
How are the tests executed? Are they done on a sample basis, or are they automated so that 100% of the data is analyzed?
How closely do the automated tests align to the list presented in this document?
If we are not currently executing automated journal entry tests, what steps will we take as a company to bring in the consultative resources or software products/training to complete these tests going forward?
Given the ability of journal entries to efficie ntly undermine a financial statement audit, journal entry testing has become a requirement for external auditors. Proactive audit committees and internal audit departments can also benefit from the guidance provided in GAAS. Statement of Auditing Standard (SAS) no. 99, Consideration of Fraud in a Financial Statement Audit, states “the auditor should design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments.” More specifically, SAS no. 99 requires the auditor, in all audits, to (a) obtain an understanding of the entity’s financial reporting process and controls over journal entries and other adjustments; (b) identify and select journal entries and other adjustments for testing; (c) determine the timing of the testing; and (d) inquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries or other adjustments.
Internal Auditor Used Computer Tool to Detect WorldCom Fraud
A round $500 million debit to a PP&E account was the red flag that caught Gene Morse’s attention one Wednesday afternoon. The WorldCom scandal is a familiar one, but most coverage didn’t focus on the techniques that uncovered the WorldCom fraud. Five years after his monumental discoveries, Morse spoke with the JofA about his experience—and what other auditors can learn from it.
Morse was an internal auditor who had developed a knack for technology. “I got pegged with being the go-to person for pulling information out of systems,” says Morse. As a Chartered Financial Analyst and accounting student, Morse also had a strong sense of how transactions could impact the company’s financial statements and of the motivating factors of what Wall Street analysts like to see.
As an internal auditor, Morse was supposed to have full access to all company systems, but, according to Morse, he was denied access to the company’s financial reporting system at the consolidation level. “Information is power,” says Morse. “It’s ridiculous for the auditor or external auditor to not have complete access to the raw data.”
So Morse says he developed database queries at the transactional level using an Excel add-in that interfaced with Essbase, a consolidation database. “Essbase is an extremely user-friendly tool,” says Morse. “You just click on the accounts that you want and they open up.”
But because of access restrictions, Morse says he could only see one side of the transaction. A friend in the financial management reporting system support group wrote a small program that Morse says allowed him to follow an entry anywhere in the system. “I was in an account in PP&E called ‘Furniture, Fixtures and Other’ when I saw a $500 million entry,” says Morse. “I had to follow it through four or five different accounts. I finally got back to where it came over from the income statement in December. It was part of a $1.7 billion entry associated with the capitalization of line costs from the third and fourth quarters of 2001.”
At one point, the queries that Morse was running were slowing down the whole financial reporting system, so he says he had to start working at night. “Then I would download an account into Access so I could analyze it during the day.”
Morse is a firm believer in using technology in auditing. “Computers are a wonderful thing and you can use tools as simple as Excel and Access,” he says. “You dig—you get to the raw data. You look for anomalous things. Once you get there, your own eyes are your best tool.”
SAS no. 99 was followed by AICPA Practice Alert 2003-02, which provides auditors additional guidance regarding the design and performance of journal entry audit procedures to fulfill the responsibilities outlined in SAS no. 99. More importantly, this practice alert provided actual tests to be completed and a specific note for the use of computer-assisted audit tools (CAATs) to improve test effectiveness.
Auditors and fraud examiners could use manual means to review the general ledger, however this generally proves ineffective given the breadth of the ledger and the limitations of the human eye. This is not to say that manual means are ineffective because a person’s judgment when reviewing entries is still very valuable; but relying exclusively on manual means may not be the most effective approach. As highlighted in Practice Alert 2003-02, “Journal entries and other adjustments oftentimes exist only in electronic form, which requires extraction of the desired data for any quality analysis. In an IT environment, it may be necessary for the auditor to employ CAATs (for example, report writers, software or data extraction tools, or other systems based techniques) to identify the journal entries and other adjustments to be tested.” The Practice Alert goes on to explain various journal entry tests that would be difficult or impossible to complete without a computer.
The practical reality is that financial statement fraud occurs in 1% of digital transactions, so improved tools for detection are needed beyond manual review. This is an area where more transaction testing using data analysis can provide a superb defense against management override by performing a more extensive search for unusual ledger activity. Today, software options range from high-end enterprise data mining software costing $250,000, down to easy-to-learn individual laptop tools for $200 or less. CAAT tools such as ACL, IDEA, ActiveData for Excel, Microsoft Access or even Microsoft Excel can be effective entry-level tools for analyzing accounting system data. Consultants can also perform these tests if the company is unable or unwilling to develop its own data analysis competencies.
Benefits of Automated Testing
Mitigates one of the top risks affecting financial statement audits: the fraudulent top-side journal entry.
T ests not only internal controls but also the circumvention of controls.
Provides a better chance of detecting any issue due to fraud in the journal entry process, since it analyzes 100% of data.
Frees up auditors and examiners for more rewarding tasks such as gaining a better understanding of the organization’s business (thereby allowing for improved future tests).
Supports audit findings and recommendations with substantial quantitative data rather than sample selections.
According to SAS no. 99, fraudulent adjustments often have certain unique identifying characteristics. Such characteristics may include entries (a) made to unrelated, unusual or seldom-used accounts; (b) made by individuals who typically do not make journal entries; (c) recorded at the end of the period or as post-closing entries that have little or no explanation or description; (d) made either before or during the preparation of the financial statements that do not have account numbers; (e) containing round numbers or a consistent ending number; (f) applied to accounts that contain transactions that are complex or unusual in nature, contain significant estimates and period-end adjustments, have been prone to errors in the past, have not been reconciled in a timely basis or contain unreconciled differences, contain intercompany transactions, or are otherwise associated with an identified risk of material misstatement due to fraud.
While the above is helpful guidance, a more precise list of computerized journal entry tests is provided below and organized into the five Ws. The level of sophistication with which these tests are applied will depend on your technical skill and the capabilities of the software that you choose.
Summarize journal entries by the persons entering to determine if they’re authorized.
Extract nonstandard or manual journal entries (versus system entries such as an accounts payable ledger posting) for further analysis.
Stratify size of journal entries based on amount (using the debit side of the transaction).
Summarize journal entries by general ledger account to identify repetitive and unique account sequences used in the journal entry (based on the first five debit and credit account postings).
Summarize general ledger activity on the amount field (absolute value of debit or credit) to identify the top occurring amounts.
Scatter-graph general ledger account (debit and credit amounts separately) and numbers of transactions.
Extract journal entries posted on weekends and holidays.
Extract journal entries relating to the prior year that were made just immediately following a fiscal year-end.
Summarize journal entry credits and debits processing by day, month and year.
Extract journal entries made to suspense accounts and summarize by the person entering and corresponding account numbers.
Extract journal entries to general ledger accounts known to be problems or complex based on past issues (errors of accounting in journal subsequently corrected by accounting staff or auditors) at the company or the industry in general.
Extract debits in revenue and summarize by general ledger account.
Why (Unusual Activity)
Extract general ledger transaction amounts (debit or credit) that exceed the average amounts for that general ledger account by a specified percentage. (Five times the average is a good starting point.)
Extract journal entries that equate to round multiples of 10,000, 100,000 and 1,000,000.
Extract journal entries with key texts such as “plug” and “net to zero” anywhere in the record.
Extract journal entries that are made below set accounting department approval limits, especially multiple entries of amounts below such limits.
Extract journal entries that don’t net to zero (debits less credits).
Although it is beyond the scope of this article to provide detailed instructions for how to accomplish all the above tests using specific tools, the following are two examples using Microsoft Excel.
Weekend entries. Auditors can use Excel to analyze the time-stamp field or to obtain a date field by using the WEEKDAY() function. From the “Insert” drop-down menu, select “Function,” and search for WEEKDAY within the “Insert Function Window.” For instance, WEEKDAY(A1) will convert date field cell A1 into the day of the week, using 1 for Monday, 2 for Tuesday, and so on. By selecting the top of the column containing the WEEKDAY() functions, the “Auto Filter” feature, located under the “Data” menu item in Excel, can be used to filter all WEEKDAY(Date_Field) values that are equal to the program’s default values of 6 or 7 (see screenshot below).
Round multiples. To extract journal entries that equate to round multiples of 10,000, 100,000 and 1,000,000, use the Excel MOD() function, which provides the remainder after the auditor divides a number by a divisor. For example, say that $10,422 is in cell A1 and the function MOD(A1,1000) is placed in cell B1. The result in B1 would be $422, because this would be the remainder of dividing $10,422 by $1,000. Or, if cell A2 had $100,000 in it, then MOD(A1,1000) would result in a zero value, which would indicate a round number. Once the auditor uses the MOD() function for every amount posted in the journal entry, he or she can filter all zero items using the “AutoFilter” feature. Notice: The function would be written as MOD(A2,1000) for round multiples of $1,000 (see screenshot below).
Like any tool, computer-assisted journal entry testing has its limitations. It does not replace a skilled auditor or fraud examiner. But rather, computer tools allow the auditor or fraud examiner to focus his or her energy on the highest-risk journal entries culled from a full set of entries rather than on a random sample. To be effective, auditors and fraud examiners have to invest time in learning how to use the tools. But the efficiencies they will gain far outweigh the time and expense of learning new tools that can dramatically extend the users’ ability to opine on the fairness of a set of financial statements.