A Risk-Based Approach to Journal Entry Testing
How software can help auditors detect fraud, by Richard B. Lanza and Scott Gilbert
July 2007In recent large-scale frauds, such as WorldCom, management override around the journal entry process was the key contributing factor. Sure, it's possible to make adjustments in the subledgers, but this requires collusion with other organizational departments. Thus, the top-side entry is a favored method for committing financial statement fraud.
Why controls are not always effective
An effective system of internal control will help prevent material misstatements, whether due to error or fraud, from occurring in a company's financial statements. Much recent work has gone into ensuring that controls are in place, documented and tested to provide evidence that they are designed and operating effectively. However, all this work is for naught if employees are able to circumvent the control structure. A recent study by the Association of Certified Fraud Examiners (ACFE) documented the limitations of internal controls for fraud detection when it found that internal controls were not the first but the fourth most common way to detect fraud.
Companies unfortunately become too comfortable with their internal controls and hardly ever think beyond "what can go wrong" in an effort to break the control. Walk-throughs that focus on "what controls are there" miss the potential for circumvention of such controls. It's best to focus testing not on the controls in place, but rather on the expected circumvention of such controls. Unfortunately, employees, including senior management, are too intelligent for their own good and can quickly develop ways to work around a control. For example, in journal entries, employees can post numerous smaller entries to various departmental general ledgers in an effort to circumvent approval processes, as well as to make it more difficult for auditors to detect the malfeasance.
Journal entry testing required
Given the ability of journal entries to efficiently undermine a financial statement audit, journal entry testing has become a requirement for external auditors. Proactive audit committees and internal audit departments can also benefit from the guidance provided in GAAS. Statement of Auditing Standard (SAS) no. 99, Consideration of Fraud in a Financial Statement Audit, states "the auditor should design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments." More specifically, SAS no. 99 requires the auditor, in all audits, to (a) obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments; (b) identify and select journal entries and other adjustments for testing; (c) determine the timing of the testing; and (d) inquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries or other adjustments.
SAS no. 99 was followed by AICPA Practice Alert 2003-02, which provides auditors additional guidance regarding the design and performance of journal entry audit procedures to fulfill the responsibilities outlined in SAS no. 99. More importantly, this practice alert provided actual tests to be completed and a specific note for the use of computer-assisted audit tools (CAATs) to improve test effectiveness.
Data analysis key
Auditors and fraud examiners could use manual means to review the general ledger, however this generally proves ineffective given the breadth of the ledger and the limitations of the human eye. This is not to say that manual means are ineffective because a person's judgment when reviewing entries is still very valuable; but relying exclusively on manual means may not be the most effective approach. As highlighted in Practice Alert 2003-02, "Journal entries and other adjustments oftentimes exist only in electronic form, which requires extraction of the desired data for any quality analysis. In an IT environment, it may be necessary for the auditor to employ CAATs (for example, report writers, software or data extraction tools, or other systems based techniques) to identify the journal entries and other adjustments to be tested." The Practice Alert goes on to explain various journal entry tests that would be difficult or impossible to complete without a computer.
The practical reality is that financial statement fraud occurs in 1% of digital transactions, so improved tools for detection are needed beyond manual review. This is an area where more transaction testing using data analysis can provide a superb defense against management override by performing a more extensive search for unusual ledger activity. Today, software options range from high-end enterprise data mining software costing $250,000, down to easy-to-learn individual laptop tools for $200 or less. CAAT tools such as ACL, IDEA, ActiveData for Excel, Microsoft Access or even Microsoft Excel can be effective entry-level tools for analyzing accounting system data. Consultants can also perform these tests if the company is unable or unwilling to develop its own data analysis competencies.
Tests to perform
According to SAS no. 99, fraudulent adjustments often have certain unique identifying characteristics. Such characteristics may include entries (a) made to unrelated, unusual or seldom-used accounts; (b) made by individuals who typically do not make journal entries; (c) recorded at the end of the period or as post-closing entries that have little or no explanation or description; (d) made either before or during the preparation of the financial statements that do not have account numbers; (e) containing round numbers or a consistent ending number; (f) applied to accounts that contain transactions that are complex or unusual in nature, contain significant estimates and period-end adjustments, have been prone to errors in the past, have not been reconciled in a timely basis or contain unreconciled differences, contain intercompany transactions, or are otherwise associated with an identified risk of material misstatement due to fraud.
While the above is helpful guidance, a more precise list of computerized journal entry tests is provided below and organized into the five Ws. The level of sophistication with which these tests are applied will depend on your technical skill and the capabilities of the software that you choose.
Why (Unusual Activity)
Using Excel to analyze journal entries
Although it is beyond the scope of this article to provide detailed instructions for how to accomplish all the above tests using specific tools, the following are two examples using Microsoft Excel.
Weekend entries. Auditors can use Excel to analyze the time-stamp field or to obtain a date field by using the WEEKDAY() function. From the "Insert" drop-down menu, select "Function," and search for WEEKDAY within the "Insert Function Window." For instance, WEEKDAY(A1) will convert date field cell A1 into the day of the week, using 1 for Monday, 2 for Tuesday, and so on. By selecting the top of the column containing the WEEKDAY() functions, the "Auto Filter" feature, located under the "Data" menu item in Excel, can be used to filter all WEEKDAY(Date_Field) values that are equal to the program's default values of 6 or 7 (see screenshot below).
Like any tool, computer-assisted journal entry testing has its limitations. It does not replace a skilled auditor or fraud examiner. But rather, computer tools allow the auditor or fraud examiner to focus his or her energy on the highest-risk journal entries culled from a full set of entries rather than on a random sample. To be effective, auditors and fraud examiners have to invest time in learning how to use the tools. But the efficiencies they will gain far outweigh the time and expense of learning new tools that can dramatically extend the users' ability to opine on the fairness of a set of financial statements.
RICH LANZA, CPA, CFE, PMP, is president of Audit Software Professionals, and SCOTT GILBERT is an independent consultant. Their email addresses are email@example.com and firstname.lastname@example.org, respectively.2007 Journal of Accountancy. Used with permission.