Proactive journal entry testing

The ACFE's "2006 Report to the Nation" pins the median financial statement misstatement at $2 million, which occurred in 10.6 percent of the study's reported cases. When looking at some of the recent large-scale frauds, such as WorldCom, management override around the journal entry process was the key contributing factor.¹ This is to be expected because the easiest route to changing the books and records is for executive management to post a top-side journal entry. Though it's always possible to make the adjustments in the sub-ledgers (for example, fixed assets, sales journals, etc.), this requires more collusion with other organizational departments. So the top-side entry is still the best way to commit the financial statement fraud.   

Companies have spent much time documenting, testing, and otherwise fine-tuning their journal entry processes for Sarbanes-Oxley. Standard-setters like the AICPA have even issued guidance to companies on ways to prevent management override. (See www.aicpa.org/audcommctr/spotlight/achilles_heel.htm.) However, none of this documentation, testing, or standards can prevent the one-off entry in the middle of the night. Executive management can beat the system with a few keystrokes.

Therefore, journal entry testing requirements have been specifically promulgated for external auditors with the AICPA's Statement of Auditing Standard (SAS) 99 - Consideration of Fraud in a Financial Statement Audit. The standard states that "the auditor should design procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments (for example, entries posted directly to financial statement drafts) made in the preparation of the financial statements." More specifically, SAS 99 requires the auditor, in all audits, to (a) obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments, (b) identify and select journal entries and other adjustments for testing, (c) determine the timing of the testing, and (d) inquire of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries or other adjustments.

This SAS was followed by the AICPA's Practice Alert 2003-02 (http://media.cpa2biz.com/Publication/pralert _03_02.pdf) with the purpose of providing auditors additional guidance regarding the design and performance of journal entry audit procedures to fulfill the responsibilities outlined in SAS 99. Rightly or wrongly, the auditor is still perceived as a valid line of defense against fraud, material and immaterial, and therefore, needs to detect as much fraud as possible.