5509 Journal Entries

Sep-2022

OAG Guidance

If management is committed to creating fraudulent financial statements, it can design journal entries to, among other things:

• Mask the appropriation or diversion of funds.

• Adjust a general ledger account balance to agree to a fraudulent account reconciliation.

• Improperly increase revenue or decrease expenses.

• Improperly adjust segment reporting.

• Improperly reverse purchase accounting reserves.

• Improperly capitalize costs as fixed assets or construction in progress instead of expensing those costs as incurred.

• Improperly record adjustments to estimates such as allowances or those used in percentage of completion accounting.

• Improperly reduce operating expenses to meet budgets.

• Record improper cash activity from a “hidden” manual check system.

• Fraudulently change data fields associated with a manual journal entry such that it appears to be a standard journal entry.

Types of Journal Entries

Standard journal entries: are used on a recurring basis to record transactions such as monthly sales, purchases, and cash disbursements, or to record recurring periodic accounting estimates. Standard journal entries are generally system generated and may be subject to the ITGCs and other system controls to the extent the controls can be directly linked to the journal entry process and flow of transactions. See OAG Audit 2051 Using system generated reports for guidance on testing reliability of source data.

Non‑standard journal entries: are those that are made outside the ordinary course of business, and might be made outside the company’s normal processing. Examples of such entries include consolidating adjustments and entries for a business combination or disposal or non‑recurring estimates such as the impairment of an asset. In manual general ledger systems, non‑standard journal entries may be identified through inspection of ledgers, journals, and supporting documentation. When automated procedures are used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may therefore be more easily identified through the use of computer‑assisted audit techniques. Non‑standard journal entries may pose increased risk of material misstatement in that they might represent attempts by management to manage earnings and could be recorded in any general ledger account.

Other adjustments: such as consolidating adjustments, report combinations, and reclassifications generally are not reflected in formal journal entries and might not be subject to the entity’s internal controls.

OAG Guidance

Fraudulent financial reporting often involves the recording of fraudulent journal entries, particularly those involving post‑closing adjustments and other types of non‑standard journal entries. As a result, our audit responsibility with respect to fraud requires us to presume that fraud risk of management override of controls is always present and to test journal entries and other adjustments to address the risk of material misstatements due to fraud.

Because fraud involves intentional deceit, fraudulent schemes can be very difficult to detect. Depending on an entity’s internal control, employees may create fraudulent transactions of varying degrees of sophistication. To help detect fraudulent journal entries, we use our professional skepticism, auditing experience, knowledge of the entity’s business and accounting processes, and knowledge of accounting.

When designing a plan for testing journal entries, audit evidence about journal entries can come from a broad range of testing procedures:

• Substantive audit procedures on account balances. Consider whether substantive testing performed (or to be performed) to address the risk of material misstatement due to error, includes testing of journal entries that also provides evidence addressing the specific fraud risk criteria. See the block below Step 2: Determine the entity specific characteristics of fraudulent journal entries for additional information.

• Tests of journal entries made in consolidation or directly to the financial statements (top‑side entries). For example, the entity may adjust account balances for information related to estimates in the financial statements such as reserves for loss contingencies, reserves for accounts receivable or other commitments or contingencies. We need to understand the impact of such journal entries made in consolidation or directly to the financial statements and need to perform audit procedures if we determine they have a significant impact to the financial statements.

• Audit procedures designed to address the fraud risk. When planning our testing of journal entries designed to address the risk of material misstatement due to fraud from management override, we may take into account the journal entry testing already done such as the journal entry testing described in the two preceding categories.

Ultimately, professional judgment is required to determine the nature, timing and extent of testing of journal entries and other adjustments. However, because fraudulent journal entries are often recorded at the end of a reporting period, CASs require us to select and test journal entries and adjustments recorded at the end of the period. Further, because a fraud may be perpetrated throughout the period and involve extensive efforts to conceal the fraud, we also need to consider whether testing is necessary for journal entries and other adjustments recorded throughout the period.

Guidance on testing journal entries and other adjustments responsive to the risks related to management override of controls:

CAS 240 paragraph 33 (a) requires the auditor, irrespective of the assessment of the risks of management override of controls, to design and perform audit procedures to:

• Test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. In designing and performing audit procedures for such tests, the auditor shall:

  • Make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments;
  • Select journal entries and other adjustments made at the end of a reporting period; and
  • Consider the need to test journal entries and other adjustments throughout the period.

Testing journal entries and other adjustments to satisfy the requirements of Canadian Auditing Standard 240 ‘The Auditor’s Responsibilities Relating to Fraud in An Audit of Financial Statements’ is generally a 5 Step process:

1. Obtain an understanding of the client’s process for creating and posting journal entries and other adjustments
2. Determine the entity specific characteristics of fraudulent journal entries
3. Obtain a complete listing of journal entries and other adjustments for testing
4. Identify the entries that have characteristics noted in Step 2
5. Test or dispose of all the journal entries identified in Step 4 to an appropriate source

This process is the same whether you are using Computer assisted auditing techniques (CAATs) or a manual process.

OAG Guidance

CAS 240 requires engagement teams to obtain an understanding of all relevant processes relevant to financial reporting including but not limited to, the information systems and the controls surrounding journal entries and other adjustments.

This process involves understanding:

• Non‑standard vs standard journal entries (both manual and automated) vs other adjustments (e.g. consolidation or top‑side adjustments): Understand the types of entries that are processed and by which systems. Understand the nature, accounts impacted and expected account combinations.

• Opportunities for the manipulation of accounting records: Understand who can initiate, approve and post journal entries. Consider whether the segregation of duties is appropriate. This should include inquiries of individuals involved in financial reporting about inappropriate or unusual activity relating to the processing of journal entries and other adjustments.

• Information systems. Understand whether or not the accounting software is off‑the‑shelf and how entries are generated. Consider who has access to the source code and what controls are in place.

Obtaining this understanding will assist engagement teams in identifying characteristics that would constitute an unusual entry for further investigation.

We should understand the process for posting journals to the general ledger (GL to trial balance) for all cycles both at closing and throughout the year (trial balance to financial statements). This helps us identify journal entries and other adjustments and eliminate those we are not interested in – for example, entries that were posted through a sales module.

Methods for obtaining evidence may include:

1. Inquiry of entity personnel (Inquiry alone, however, is not sufficient for such purposes.)
2. Observing the application of specific controls
3. Inspecting documents and reports
4. Tracing transactions through the information system to relevant financial reporting functions. (walk‑through)
5. Include an element of unpredictability in the selection process by varying the types of journal entries to be tested in a recurring audit.

Group engagement

Manage group audit planning, if applicable, for testing journal entries and other adjustments by including the following in instruction letters:

• The group engagement team’s assessment of risk of material misstatement due to fraud.

• If appropriate, identification of any specific classes of journal entries for testing and the extent of testing (or provide a list of journal entries to test if selections are made by the group engagement team).

• A person on the group engagement team for component auditors to contact for fraud related questions

Audit procedures in relation to fraud risk & control deficiencies

In considering audit procedures in response to the fraud risk we need to understand controls in place for the processing of journal entries. Where deficiencies in journal entry controls exist, such as the ability to create and post journal entries by the same individual, we may take a substantive approach to testing journal entries. The existence of such control deficiencies does not create the presumption of a significant deficiency in internal controls, but rather they are a factor considered in our assessment of the risk of fraud and need to be evaluated to consider any impact on our audit. The classification of journal entry control deficiencies is evaluated considering the nature and complexity of the entity. For example, in smaller entities with few individuals in the finance function, sufficient resources may not exist to facilitate segregation of duties and therefore management and those charged with governance would not expect those controls to exist. The lack of these controls is contemplated in the substantive tests of account balances and journal entries made in consolidation or directly to the financial statements (top‑side entries). In designing our journal entry tests directed at fraud, we understand that segregation of duties control deficiencies increase the risk of fraud.

Automated and manual journal entries

CAS 240 does not distinguish between manual or automated journal entries, so we need to consider both, but first we need to consider the risks associated with both categories of journal entries and what evidence we may already have:

1. Consider the respective risks of manual and automated journal entries. Manual journal entries, by their nature, are more likely to be susceptible to management override, but consider whether/how controls over automated journal entries could also be overridden by management. For example, in some systems users may have the ability to change the source identifier (designation of manual or automatic entry) when creating or posting journal entries. In such circumstances it is possible that journals can be labelled or categorized as “automated” when in reality they were posted with significant manual intervention.

2. Evaluate internal controls in place over both manual and automated journal entries, and to what extent we have tested those controls.

3. Understand the type of the automated journal entries—are they posting routine transactions which we have substantively tested as part of the FSLIs to which they relate?

4. As part of the financial statements closing process, CAS 330 requires us to examine material journal entries posted by the entity during the course of preparing the financial statements—these journal entries are more likely to include manual journal entries.

When, based on the evaluation of the factors above, we determine that the automated journal entries are only used to record routine transactions, related controls are not likely to be overridden by management, and therefore automated journal entries do not represent a risk of material misstatement due to fraud, we may exclude automated journal entries from the substantive testing plan. In these circumstances, we need to determine that the internal controls related to automated journal entries are properly designed and implemented (and, if we plan to test them, are operating effectively). Consider whether for journal entries that are classified as ‘automated’ there is a risk of manual user intervention and evaluate the impact this may have on our testing procedures. For example, if we identified manual intervention in the automated journal entries posting process, consider whether some of the journal entries labelled as ‘automated’ may need to be included in our risk‑based journal entry testing. If we assess such risk as low (e.g., the entity uses an off‑the‑shelf accounting package and based on our understanding of that system and related internal controls we conclude there is little or no risk of manual intervention in journal entries labelled as ‘automated’) , it may be appropriate to exclude the automated journal entries from our risk‑based journal entry testing. Maintain professional skepticism when making these decisions and document the related rationale in the engagement file.

Testing journal entries in a multi‑location audit

Testing journal entries occurs at four levels:

Overall Planning Considerations

Assessing fraud risk, the specific fraud schemes and selecting journal entries for testing involves significant judgment by the auditor. At the one extreme, consider a start‑up business with little or no revenue and its activities are primarily related to raising capital for research and development. In this case, our audit includes tests of details of substantially all account balances and transactions (e.g., substantively testing all equity or debt raising transactions and research and development expenses). In these cases, the transparency of financial information and our overall assessment of the risk of fraud, including consideration of the opportunities and incentives, may lead to the conclusion there are no additional journal entries to test because our substantive tests have addressed the risk of material misstatement due to fraud in the financial statements (see related guidance in the subsection “Leveraging other testing performed” below). At the other extreme, consider a large business with global operations, complex systems and multiple locations where the incentives, pressures and opportunities for fraud can be much higher. While we consider all of the factors discussed above in developing the journal entry plan, together with planned tests of controls and substantive tests of account balances and transactions, in deciding on journal entries to select for testing in both cases, in the second scenario it is more likely that additional journal entry procedures will be warranted.

Leveraging other testing performed

When considering whether we can leverage other testing performed, consider the fraud risk criteria we define to address the risk of fraud (see guidance in Step 2 section below).

By leveraging the testing performed in other areas of the audit, the journal entry testing concerning complex accounts and areas susceptible to fraud, such as revenue, may be limited to journal entries with the fraud risk characteristics identified that were not already sufficiently tested in substantive testing procedures. Consideration of the remaining population of journal entries is based on fraud risk characteristics and not on a monetary amount, although the untested monetary amount of journal entries with relevant fraud risk characteristics needs to be considered.

Controls testing

Effective controls over the preparation and posting of journal entries and other adjustments may reduce the extent of substantive testing necessary when testing of journal entries to address the risk of error, provided that we have tested the operating effectiveness of the controls. However, controls over the preparation and posting of journal entries cannot entirely address the fraud risk management override of controls. Therefore we still need to perform substantive testing of journal entries and other adjustments to address the risk of material misstatement due to management override.

OAG Guidance

Step 2a – Assessment of the risk of management override of controls using the fraud triangle

Inquire with key management personnel, including the Audit Committee or Board of Directors and others within the entity to understand their view on risks of fraud and measures/controls in place to mitigate this risk. Teams should leverage other fraud risk identification procedures and may find it helpful to complete this evaluation using the fraud triangle. Some of the key considerations are included below and see OAG Audit 5504 for related guidance.

Incentives/Pressures

• Who are the users of the financial statements and what are the key metrics that they are interested in? For public companies this may include taking into consideration the key metrics used by analysts or other market participants. For non‑financial metrics consider how these could be manipulated through the financial statements.

• What are the inputs into the compensation structure for senior executives?

• Are there any debt covenants or other regulatory requirements that the entity is required to comply with? Are they close to violating any of these requirements?

• Does the entity have a pending transaction such as a sale of a portion of the business or pending IPO?

• What are the periods that are more susceptible to manipulation and why? Do they have a formal close process each month that doesn’t permit back dating?

An understanding of the incentives and pressures can be used to identify if there are any specific accounts or groups of accounts that may be at greater risk for fraudulent journal entries as well as the periods which are at greatest risk.

Attitudes/Rationalization

• Are senior management and others within the entity fairly compensated at market rates? Is there any indication that employees are unhappy with current compensation which could create a sense of entitlement?

• Is there a strong tone at the top?

• Does the organization have a fraud prevention hotline? As part of our understanding of the monitoring controls have we validated that the hotline is implemented and considered whether there is evidence to support employees are aware and it is operating effectively?

Opportunities

• For any specific accounts or group of accounts identified, assess whether opportunities exist taking into consideration our understanding of the client’s process and related controls obtained in Step 1. Remember that the existence of controls may reduce the risk (i.e. less opportunity) but does not eliminate it, as such; you still need to perform substantive testing to address the risk associated with management override of controls.

Step 2b – Consideration of the risk of fraud related to each relevant FSLI

Based on the analysis performed in Step 2a, identify the "at risk" FSLIs. Journal entries may come from a number of different sources, e.g., subledgers, third party systems, Electronic Data Interchanges, manual journal entries. We need to understand the nature, source, and volume of journal entries posted to the FSLI. For example, our client may have automated and manual transactions processed in the subledger and these transactions are entered into the general ledger through automated and/or manual interfaces and they may also have manual journal entries processed directly into the general ledger. Considering this example, if we designed our detailed revenue testing only at the subledger level, the detailed revenue testing does not cover all the journal entries, consequently, we cannot conclude that by performing tests of details only at the subledger level we have effectively audited all the journal entries that may have been posted to the revenue account. Additionally, for us to determine that the substantive testing performed for an FSLI is sufficient to address the risk of fraud, the substantive testing needs to address all relevant journal entries and both sides of the journal entries. For example, when performing testing over a year‑end accrual balance where the journal entry(ies) recorded are included in the ending balance, we may not need to perform additional procedures over a journal entry selected (because it meets our risk criteria) if it is part of that accrual account balance and we have already tested both sides of the entry with audit procedures we performed over the accrual balance and related expense. In this case we may document this in our journal entry testing through cross reference to the testing of the ending account balance.

Step 2c – Determine the characteristics of specific entries that are susceptible to override risk

Based on your understanding and inquiries performed in Step 1 and Step 2 you should have enough information to identify client‑specific characteristics of potentially inappropriate journal entries and other adjustments.

Defining the risk criteria requires experience and knowledge to effectively identify a journal entry which is unusual or indicative of potential fraud (i.e., nature of specific journal entries). As such, this needs to be undertaken by experienced members of the audit team. In higher risk situations, engagement teams may consider involving the Internal Specialist for Fraud to assist them in making these judgments. See OAG Audit 5513 for related guidance on forensic specialists.

For example, characteristics of potentially inappropriate journal entries and other adjustments may include journal entries or other adjustments:

• made to unusual combinations of debits and credits, or seldom used accounts

• made by individuals who typically do not make journal entries and other adjustments

• recorded at the end of the period or as post‑closing entries that have little or no explanation or description

• made either before or during the preparation of the financial statements but that do not have account numbers

• containing round numbers or consistent ending numbers

• recorded and approved by the same person, or not approved

• recorded at an unusual time for the entity

• recorded outside of the normal course of business

• dated outside of the regular recording period; for example, beyond the number of days included in the client’s standard closing process

• applied to accounts that:

  • contain transactions that are complex or unusual in nature
  • contain significant estimates and period‑end adjustments
  • have been prone to misstatements in the past
  • have not been reconciled on a timely basis or contain unreconciled differences
  • contain inter‑company transactions, or
  • are otherwise associated with an identified risk of material misstatement due to fraud (e.g., assumption of fraud risk in revenue recognition)

The characteristics that result in an increased risk of material misstatement due to fraudulent journal entries will vary from entity to entity. For example, if the entity’s accounting staff regularly works on evenings and weekends, this may not be considered an unusual time for recording journal entries and other adjustments; therefore, this may not be a characteristic of potentially inappropriate journal entries or other adjustments. If management regularly makes accruals with round numbers you may not consider this as a characteristic of potentially inappropriate journal entries.

Key considerations in finalizing your selection criteria:

• Consider whether the criteria identified will be looked at for period end only or whether it will be reviewed throughout the year. For example, if you identified a risk associated with certain account combinations to manipulate the entities compliance with debt covenants you may determine that it is only necessary to review these account combinations at the end of the reporting period. Whereas, if the criteria relates to inappropriate access or approvals you will likely want to consider the entire period.
  
  When journal entries are selected from throughout the period, this testing can be performed during year end and/or the interim audit fieldwork; consider the most efficient approach specific to the entity. When testing has been performed in advance of year end, we still need to test the journal entries at the end of the reporting period and also consider the continued appropriateness of the assessed risk criteria.


• Dollar thresholds are not a fraud characteristic.
  • For example, if you determine that the CEO is not expected to initiate, post or approve any journal entries then you would identify all such entries and test them to the extent necessary to reduce the risk of material misstatement to a reasonable level. It would not be appropriate to ignore all entries below a threshold without understanding the impact both individually and in aggregate.
  • Generally, dollar thresholds can be applied to filtered entries as a testing strategy, however, the untested entries must be individually and in aggregate immaterial.
  • When considering the untested balance related to journal entry testing, the untested balance is considered on a test by test basis and is not aggregated across multiple tests. For example, if an engagement team selected two unusual account combination tests – (1) for credits to revenue with debits to accounts other than cash and accounts receivable and (2) for credits to cost of sales with debits to accounts below the line such as amortization – we would consider the untested balance for each of test (1) and test (2) separately – and would not aggregate the results of the two tests for evaluation. However, entries related to a specific fraud risk criterion should be aggregated (i.e. overstatement of revenues was identified as a fraud risk and the unusual account combinations identified were Dr. Accounts Payable Cr. Revenue and Dr. Expenses Cr. Revenue). In this example, you would aggregate the entries related to revenues. 

OAG Guidance

Before selecting any journal entries or other adjustments to test, procedures need to be performed to obtain comfort over the completeness of the population. For teams using an Assurance Software Tool, it may be more efficient to test the completeness of all entries. Alternatively, if you are testing completeness manually and depending on the assessments made by the engagement team, it is possible to perform completeness testing for all GL accounts identified as "at risk" as part of Step 2 above.

Testing for completeness for a list including all GL accounts

• Review the listing received from the client and verify the sequential numbers of the entries. Understanding how the client assigns a numbering system to the entries will be critical in assessing whether this can be practically done, or

• Performing a roll forward of the GL accounts, such as take the opening retained earnings balance (per prior year audited financial statements), add the sum of all the journal entries per the client listing, and compare the total to the ending retained earnings balance which should agree to the current trial balance.

• Use accept‑reject to agree the trial balance to the general ledger and from the general ledger to the financial statements. This is required to be performed for both the opening and closing trial balance.

Note that we may not need to test the completeness of all journal entries in the general ledger, when the risk for some of the populations is considered low, based on our judgment and consideration of the factors explained below. For example, if revenue transactions recorded during the fourth quarter have been identified as higher risk of fraud and are targeted for testing, completeness may only need to be tested on the fourth quarter journal entry transactions. It is often more efficient to perform completeness testing procedures for all journal entries rather than specific period/FSLI journal entries, use your judgment to design the journal entries completeness testing procedures and develop the most effective and efficient audit plan.

Testing for completeness for a list including ‘at risk’ GL accounts

This approach is based on the team’s assessment of fraud risk (Step 2) and the identification of specific "at risk" accounts due to incentive, opportunity or both. The procedures performed will be similar to the above, except they are only performed on the "at risk" accounts identified.

Using the rationale from Step1 above (Obtain an understanding), Auditors should also consider testing the completeness of journal entries for particular period(s) and/or FSLI(s) based on the defined risk criteria (Step 2c above), if the team’s fraud risk assessment demonstrate that a potential risk of fraud exists and could have an impact at the assertion level and/or at the financial statement level.

Determine method to test journal entries population for completeness

The method used to test completeness needs to consider the risk of material misstatement due to fraud and our understanding of the period‑end financial reporting process. Factors to consider when designing the completeness test may include the complexity of the system(s), our understanding of posting source codes and coding of standard versus non‑standard journal entries, consideration of journal entries processed throughout the entity (i.e., several ledgers, number of components we are testing, etc.), and other considerations. The following questions may assist in assessing the completeness of the journal entry population:

• Do we understand and have we accumulated all journal entry sources including sub ledgers, as appropriate?

• Do we understand how journal entry types (e.g. automated vs. manual) are coded in the system and whether the coding can be overridden by users?

• Are we considering all journal entries processed throughout the entity? For example, are we including those processed at non‑significant components where we are performing substantive testing?

While obtaining the population of journal entries electronically is the preferred method of ascertaining completeness when auditing journal entries, it is also acceptable to use other manual auditing procedures for completeness of targeted risk populations.

The following are examples of completeness testing procedures that could be performed considering the risk of material misstatement due to fraud, our understanding of the period end financial reporting process, including posting source codes and coding of standard versus non‑standard journal entries:

Complex IT Environments

The engagement team or the Data Analytics specialist can electronically test the completeness of journal entries by using electronic files. Once the data files have been obtained, with the assistance of a Data Analytics specialist, queries are designed to test that the beginning balance, adjusted by the population of journal entries, agrees to the amount in the ending GL by entity, division, and account number (or other level of detail, as appropriate).

The final Step in the test of completeness is to create a query using (a) the general ledger, (b) any consolidation or other adjustment data, and (c) the mapping of the data to the financial statements. When these amounts agree to the financial statements, this provides evidence that all entries have been included in the population identified for testing. If the amounts do not agree, we will need to ask the client to reconcile the difference and/or design tests to identify why the amounts are different. This testing of completeness is highly effective at identifying top‑side journal entries that may be potentially fraudulent.

Moderately and non‑complex IT environments

In moderately and non‑complex environments, the engagement team may use CAATs as above or manual testing to determine completeness, examples of which are detailed below:

• Obtain full general ledger detail (all debits and credits) for all accounts or accounts identified as having a higher risk of fraud, including all journal entries, and perform a rollforward of the balance (or activity) by totaling the net debits and credits by account in order to rollforward from the prior period financial statement balances to the ending financial statement balances. Typically we use Excel to perform this type of rollforward or IDEA. We may also use Access (but generally only in situations where the volume of data, including journal entries is not easily entered into Excel).

• Test the sequential numbering of journal entries (either as a test of control or a substantive test) and perform the following procedures:

  • Agree balances on reconciliation of significant system generated accounts (reconciliations tested during the audit) for the report total and the general ledger total to the system subsidiary ledger and GL, respectively, and test mathematical accuracy of the reconciliation.
  • Agree the financial statement account balances to the GL to identify other adjustments recorded outside of the GL. Generally this testing would be performed in connection with other audit procedures related to the reconciliation of the audited accounting records to the financial statements.
  • Agree the opening balances to the prior period financial statement balances.

Where other manual methods are used to ascertain completeness of population(s), determine that critical testing elements are not left to the entity without independent verification. For example, it would be ineffective for us to ask the entity to extract all manual journal entries, without independently verifying the completeness and accuracy of the data provided. Without independent verification, it also could be easy for the entity to omit fraudulent entries from the extract.

Data Integrity:

Before proceeding to journal entry testing, it’s important to check the integrity of the data (data lineage), i.e., whether data has been altered in some way from its original source as it moved from one system to another or over time. This provides visibility while simplifying the ability to trace errors back to the root cause. Audit teams should consider whether the need of an IT Audit and/or Data Analytics specialist is required in this instance.

OAG Guidance

Testing journal entries is considered a risk‑based target test. Once the characteristics have been determined, the team should use those characteristics to identify the entries that require further testing. The team should dispose of all journal entries identified because those journal entries represent those meeting the defined criteria (i.e. representing a higher risk of fraud). It is not appropriate to sample this subpopulation of journal entries using accept‑reject or any other sampling technique.

The method of selecting the journal entries and other adjustments reflecting the defined client‑specific characteristics of potentially inappropriate journal entries and other adjustments will depend on the entity’s information system. The method of selection could be manual or using CAATs.

In a manual environment, an experienced team with a good understanding of the entity might scan the journal entries and other adjustments to identify the journal entries and other adjustments having the characteristics of potentially inappropriate journal entries for testing.

It is possible that even with the criteria defined above the sample results in a very high sample size. In these cases, it is likely that you should refine your understanding of the client’s business processes and journal entries. Engagement teams should consider if there are entries included in the population that actually represent standard entries that were not identified as part of your understanding. For example, we may consider that recurring journal entries – such as a monthly amortization entry – do not represent a high risk of fraud. We could then "sort down" and remove these entries from the population that we will select our testing sample from and the understanding and criteria should be updated to take into account this understanding going forward.

"Sorting down" is an iterative process until concluding the remaining population represents the risk of material misstatement due to fraud. Excluding a group of transactions from the original population on the basis that it does not reflect the targeted fraud risk should be supported by a plausible explanation and validation, such as accept‑reject testing. If you sorted‑down certain entries in the prior year, you can exclude these entries from your risk criteria in the next year. There is no requirement to apply sorting‑down procedures (i.e. accept‑reject or target testing) to the same group of transactions again in the current year.

In some cases, substantive testing may allow you to eliminate certain entries from further testing. For example, if an account balance has been fully tested using substantive target testing to bring the balance to below PM, you may conclude that the risk of fraudulent journal entries has been appropriately addressed and no further incremental testing is necessary. Audit sampling or accept‑reject substantive testing would typically not be appropriate for this purpose as they rely on sampling techniques and homogeneous populations which may not be valid in the event of fraud.

OAG Guidance

Is management’s explanation sufficient?

No – remember this is a substantive test, and that one of our objectives is to address the risk of management override of controls and, hence, fraud. Consequently, our procedures include examination of the related supporting documentation giving special attention to the appropriateness and authorization of journal entries. These tests are performed to confirm that entries are appropriately approved by management, are adequately supported by appropriate audit evidence and reflect the underlying events and transactions. Likewise, the procedures are designed to detect inappropriate entries.

In situations where management does not authorize journal entries we would typically expect this to be raised as a management letter point, however, a lack of authorization may not preclude us from concluding on the appropriateness of the journal entries selected.

How do I know the support provided is appropriate?

Teams are expected to exercise professional judgment in reviewing the supporting documents provided by management and therefore experienced team members are encouraged to perform this review. Items to consider for teams to ensure they are exercising appropriate professional scepticism include:

• Are documents supporting the journal entries or other adjustments missing?
• Do the supporting documents appear to have been altered?
• Were the journal entries and other adjustments approved by the appropriate person?
• Are you denied access to records or to employees or others from whom audit evidence might be sought?
• Are there valid business purposes for the journal entries and other adjustments?
• Why are you only provided with photocopied documents when documents in original form are expected to exist?

Documentation

The results of procedures performed on the entity’s journal entries and other adjustments are documented in the appropriate section of the engagement file.

This documentation includes:

• Our understanding of the entity’s financial reporting process and the controls over journal entries and other adjustments.

• The rationale and procedures used by the engagement team to assess and test the completeness of the population(s) of journal entries and other adjustments subject to review and testing.

• The journal entries and other adjustments that were selected for testing and the rationale for selection, including the relationship of these criteria to our fraud risk assessment. This would include the rationale for sorting down of the initial results.

• Where some (or possibly all) of the journal entries we identify for testing have already been tested we cross refer to that work if both sides of the journal entry have been explicitly tested in the linked audit work. For example, when performing testing over a year‑end accrual balance where the journal entry(ies) recorded was examined and tested as part of our substantive testing of the accrual balance and the same journal entry is selected for testing to address the risk of misstatement due to fraud, we may not need to perform additional procedures over that journal entry, if both sides of the entry have already been addressed by audit procedures performed over the accrual balance and related expense.

• When we use scanning analytics, how we applied the 5‑Step process still needs to be documented

• The procedures performed to audit the journal entries and other adjustments.

• The conclusions reached, including consideration of any untested journal entries as a result of applying a monetary threshold.

Use of CAATs

CAATs are an effective method of testing non‑standard journal entries. CAATs are available for all types of accounting systems. Teams are encouraged to contact Data Analytics Specialists to discuss the costs and benefits of using CAATs on a recurring basis.

OAG Guidance

Note: The following example illustrates an approach to journal entries testing that may be appropriate in the circumstances explained below. This example is for illustrative purposes only. To the extent that facts and circumstances of a particular audit engagement differ from those in the illustrative example, including additional facts and circumstances, the appropriate judgments of the engagement team may differ from those applied in this illustration. For each engagement, we determine the most effective and efficient journal entry testing strategy, considering the results of our fraud risk assessment and all other engagement specific facts and circumstances. Our audit documentation needs to reflect the specific engagement circumstances and the rationale for the judgments made.

This example illustrates a smaller, less complex entity that is owner‑managed where we determine that the incentives to commit fraud are limited. Where relevant risk factors differ from those set out below, and where the incentive to commit fraud, the complexity of operations and financial reporting are greater or the entity is not owner‑managed, the engagement team is likely to reach a different conclusion regarding the nature, timing and extent of journals testing necessary.

This example solely focuses on the journal entry testing strategy and is not intended to illustrate a comprehensive strategy for responding to the risk of management override of controls. Therefore, even in the circumstances illustrated in this example, further audit procedures would be necessary to address the requirements of CAS 240.

Background circumstances

The entity is a small, owner‑managed industrial consumables wholesale business, whose principal objective is to return profits both for reinvestment in the business and for occasional withdrawal of funds via dividend by the owner‑manager.

Personnel, including the finance team, receive incentive remuneration based on annual revenue targets. There are no incentives linked to interim targets throughout the period, and while operating results are monitored on a monthly basis, the owner‑manager evaluates the performance of the entity and rewards his staff, based solely on annual reported revenue.

While the entity has a line of credit from a bank, it is secured by a personal guarantee of the owner‑manager and does not include any debt covenants with which the entity must comply.

The entity has a small finance team comprising a controller and a finance clerk. While the owner‑manager has oversight of the financial statements and monitors monthly performance against budget, he is not involved in the day to day bookkeeping activities of the entity, other than approval of manual payments.

Note: If some of the background circumstances above were different, this would affect our risk assessment and journal entries testing strategy. For example, if the entity had a remuneration scheme based on profit (rather than revenue), we would address the incentive for manipulation of financial records related to additional accounts (i.e., not just revenue) and plan any corresponding audit responses. We need to consider which fraud schemes may occur based on our understanding of the entity and consideration of the underlying components of fraud (i.e., incentive, opportunity and rationalization).

Understanding internal controls

The entity uses a non‑complex system that includes accounting and reporting modules for which there have been no customizations or modifications of standard reports. The entity uses no other IT systems and therefore no system interfaces exist. This non‑complex system corresponds to the straightforward nature of the entity’s business model, wherein the entity purchases and resells finished consumables.

Based on our prior audit experience, the majority of journal entries are automated and post routine transactions into the general ledger from the applicable subledger. Based on the inquiries, inspection and other procedures we performed to understand  the IT environment  and  controls around journal entries (OAG Audit 5034, OAG Audit 5035.1 and OAG Audit 5509), we determined that the standard system configuration does not permit manual intervention in posting of automated journal entries and this configuration remained unchanged throughout the audit period. We also note that historically there have only been a limited number of manual journal entries posted outside of the year end close process.

The owner‑manager does not have system access rights to create or approve journal entries. The finance clerk is able to create manual journal entries, which are approved by the controller who is able to both create and approve journals without the involvement/approval of another individual.

Note: Our understanding of the internal control system is important for our consideration of potential fraud schemes and fraud risk assessment. For example, if the owner‑manager had access rights to the IT application, we would need to further assess the risk of fraudulent journal entries that may be created by the owner‑manager. Likewise, our understanding of the IT environment as it relates to controls over journal entries and whether manual intervention in journal entries can occur is an important consideration in the design of the audit response in this scenario. Therefore, if the engagement team does not have sufficient knowledge and experience to make these determinations, we involve a Data Analytics specialist.

Fraud risk assessment and journal entries testing approach

The nature of the entity’s inventory (comprising low value industrial consumables) does not create an incentive for theft. The entity often relies on its line of credit to fund working capital needs and maintains only a small cash balance as it seeks to limit its borrowings and related interest expense. We therefore consider the risk of material misstatement from misappropriation of these assets to be low. While both members of the finance team have the ability to make manual payments, and could therefore misappropriate funds by making inappropriate payments, the bank requires two signatories on every manual payment, one of which must be the owner‑manager. Furthermore, we address this risk through our other planned substantive procedures on balance sheet and income statement accounts, including detailed tests of the year end bank reconciliation and detailed testing of accounts payable, inventories and certain operating expenses. We do not therefore plan to perform additional journal entry tests to address this specific fraud risk.

Based on our understanding of the entity and other engagement circumstances, we have identified that the risk of material misstatement due to fraud relates to the posting of manual journal entries into the general ledger by members of the finance team to create fictitious revenue as part of the year end closing process if they may not otherwise meet annual revenue targets. We conclude that such journal entries would likely credit revenue and debit an account other than cash or accounts receivable.

In addition to the posting of fictitious revenue journal entries, we conclude that there is a risk of management override related to the financial controller attempting to exploit her ability to create and post journal entries without approval.

In order to address these identified fraud risk criteria, we will obtain a population of manual journals posted to the general ledger in the period during which the financial statements are prepared (e.g., ‘period 13’ adjustments) and also the last month of the reporting period, verify the completeness of this population and execute the following tests using CAATs or reports generated from the entity’s system (which we have tested for reliability):

• Unusual account combinations: To identify credit postings to revenue whose corresponding debit is not to cash or accounts receivable.
• Create and approve: To identify journals created and approved by the financial controller. Based on experience from prior audits, we understand that the controller does not post high volumes of journals because of her preference to maintain segregation of duties whenever possible.
• Unexpected users: While our understanding is that only the controller and clerk can post journals, we will run this test to verify that there has been no circumvention of the intended access rights.

We have performed risk assessment analytics, comparing monthly revenue and profit before tax to the prior year results, and have not noted any unusual trends that indicate a need to focus audit procedures on other periods throughout the year.

Having considered the risk that fraudulent journal entries might be posted throughout the year, and having identified no specific incentives or pressures for management or others to do so, other than the revenue‑based incentive compensation, we have concluded that our journals testing will focus on manual entries made during the last month of the year and any manual entries made during the closing process, including topside entries.

However, our substantive testing will include testing of revenue transactions throughout the entire year and we will perform testing of the year end reconciliation between the sales subledger and general ledger, as well as the accounts receivable subledger and general ledger, including tests of details for any significant reconciling items, i.e., manual journal entries and other reconciling items. In light of the risk of the controller creating and approving journal entries, we will also consider the substantive testing performed over other in‑scope FSLIs and will perform testing of the year end reconciliation between the relevant subledgers and general ledger, including tests of details for any significant reconciling items, i.e., manual journal entries and other reconciling items. When performing this testing, we will remain alert to any additional indicators of fraud or fraud risks.

Note: If in the example above we identify individually significant manual journal entries posted throughout the period that represent a risk of material misstatement due to fraud, we would perform procedures to test those journal entries throughout the year. Also, if our testing of transactions during the period indicated potential fraud risks, we would need to assess those risks and develop appropriate audit responses.