Contributors
Contributing Editor: Melisa Galasso, CPA
Kelen Camehl, CPA
Diane Edelstein, CPA
Lynn Fountain, CPA, CGMA, CRMA
Salvatore Collemi, CPA
Robert K. Minniti, CPA, CFE, CrFA, CVA, CFF, MAFF, CGMA, PI, DBA
Technical Review: Kelen Camehl, CPA
Lorraine Zecca, CPA
Production Coordinator: Mariela de la Torre; Jennifer Schencker; Gokiladevi Sashikumar
Production: Sharon Sofinski; Anbarasu Anbumani
ISBN: 978-0-8080-5237-1
Introduction
Top Accounting and Auditing Issues for 2020 CPE Course helps CPAs stay abreast of the most
significant new accounting and auditing standards and important projects. It does so by
identifying the events of the past year that have developed into hot issues and reviewing the
opportunities and pitfalls presented by these changes. The topics reviewed in this course
were selected because of their impact on financial reporting and because of the role they play
in understanding the accounting and auditing landscape in the year ahead.
Module 1 of this course reviews top accounting issues.
Chapter 1 covers all of the Accounting Standards Updates (ASUs) issued by the
Financial Accounting Standards Board (FASB) during 2018. It discusses the main provisions
of each standard and who will be impacted by it.
Chapter 2 provides an overview of Accounting Standards Update (ASU) No. 2016-13,
Measurement of Credit Losses on Financial Instruments, issued by the Financial Accounting
Standards Board (FASB) in June 2016. The new standard will apply to nearly all entities, not
just those in the financial services industry, and will change how entities document and
account for credit impairment on their respective financial instruments. This new standard is
effective for public business entities for annual periods beginning after December 15, 2019,
and interim periods therein. As such, this means that calendar-year SEC filers will have to
apply the new requirements starting in first quarter 2020.
Chapter 3 discusses Financial Accounting Standards Board (FASB) Accounting Standards
Update (ASU) 2016-14, Not-for-Profit Entities (Topic 958): Presentation of Financial
Statements of Not-for-Profit Entities, which will be effective for December 31, 2018, year ends.
Module 2 of this course reviews top auditing issues.
Chapter 4 provides an overview of important concepts identified in Auditing Standard
(AS) 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor
Expresses an Unqualified Opinion, as it relates to the development of critical audit matters.
Chapter 5 reviews the important aspects of Statement on Standards for Attestation
Engagements No. 18 (SSAE 18). These attestation standards establish requirements and
provide application guidance to auditors for performing and reporting on examination,
review, and agreed-upon procedures engagements, including Service Organization Controls
(SOC) attestations. We will also review the variances between SSAE 16 (the previous
standard) and SSAE 18, and how and when the application of SSAE 18 requirements is appropriate.
Chapter 6 discusses the basic concepts, lexicon, technology, and potential applications
related to blockchain technology. It is designed to help CPAs, accountants, and practitioners
prepare for future conversations about blockchain with their clients, prospects, colleagues,
peers, and others.
Chapter 7 discusses the current state of audit quality and focuses on what CPA firm
leaders, quality control professionals, and others can do to strengthen both private and
public company audits.
Module 3 of this course provides an overview of fraud schemes and how to recognize
the red flags for detecting fraud.
Chapter 8 concentrates on various types of fraud including occupational frauds affecting
public companies, private companies, not-for-profits, and governmental entities.
Study Questions. Throughout the course you will find Study Questions to help you test
your knowledge, and comments that are vital to understanding a particular strategy or idea.
Answers to the Study Questions with feedback on both correct and incorrect responses are
provided in a special section beginning at ¶ 10,100.
Final Exam. This course is divided into three Modules. Take your time and review all
course Modules. When you feel confident that you thoroughly understand the material, turn
to the Final Exam. Complete one or all three Final Exams for continuing professional
education credit.
Go to cchcpelink.com/printcpe to complete your Final Exam online for immediate results.
My Dashboard provides convenient storage for your CPE course Certificates. Further
information is provided in the CPE Final Exam instructions at ¶ 10,300. Please note,
manual grading is no longer available for Top Accounting and Auditing Issues. All
answer sheets must be submitted online for grading and processing.
August 2019
PLEDGE TO QUALITY
Thank you for choosing this CCH® CPELink product. We will continue to produce high
quality products that challenge your intellect and give you the best option for your Continuing
Education requirements. Should you have a concern about this or any other Wolters
Kluwer product, please call our Customer Service Department at 1-800-344-3734.
COURSE OBJECTIVES
This course provides an overview of important accounting and auditing developments. At the
completion of this course, the reader will be able to:
• Recognize and apply ASUs issued by FASB in 2018
• Identify who will be impacted and the main provisions of each standard
• Recognize ASU effective dates
• Identify the key provisions of ASU No. 2016-13
• Recognize the credit loss measurement requirements for assets measured at amortized
cost and available-for-sale debt securities
• Identify the incremental financial statement disclosure requirements as a result of ASU
No. 2016-13
• Identify the effective date and transition requirements
• Recognize recent developments affecting entities that are required to apply the amendments
in ASU No. 2016-13
• Recognize the effective dates of ASU 2016-14
• Identify the key areas of change in ASU 2016-14
• Differentiate between the two classes of net assets
• Explain how to prepare for the expanded disclosures needed under ASU 2016-14
• Identify key areas with respect to ASU 2016-14 for NPOs
• Describe ASU 2016-14’s new disclosure requirement with respect to liquidity
• Identify the requirements involving investment return
• Recognize which costs should be allocated to management and general expenses and
investment expense
• Identify the PCAOB definition of a critical audit matter (CAM) and apply that understanding
to audit issues
• Apply the separate criteria identified by the PCAOB for determining CAM issues
• Identify the PCAOB purpose for identification of CAM issues
• Recognize the appropriate methods for reporting CAMs in the auditor’s report
• List the appropriate documentation requirements for identified CAM issues
• Understand and apply the concepts for proper disclosure of CAM issues
• Recognize appropriate interactions with the audit committee regarding CAMs
• Apply the proper concepts for explanatory concepts of CAMs
• Identify the variances between critical audit matters and key audit matters
• Evaluate, through a case scenario, the considerations for evaluating whether a CAM
applies to a particular company
• Summarize the history of Service Organization Control (SOC) reports
• Describe the transition of the accounting standards from Statement on Auditing
Standards (SAS) 70 to Statement on Standards for Attestation Engagements (SSAE) 16
and now SSAE 18
• Recognize the various types of service and subservice organizations
• Explore procedures to conduct a SOC 1 engagement, develop proper control objectives,
and determine specific reporting methods
• Examine the variance and procedural requirements that exist between a SOC 1 Type I
and SOC 1 Type II report
• Explore procedures to conduct and report on a SOC 2 engagement addressing
information security, availability, processing integrity, confidentiality, and privacy of
services
• Examine the variance and procedural requirements that exist between a SOC 2 Type I
and SOC 2 Type II report
• Recognize the requirements for SOC 3 reports
• Recognize the requirements to prepare for a SOC engagement and a readiness
assessment
• Identify specific changes related to monitoring controls at subservice organizations
• Explain the concept of a detailed risk assessment for subservice organizations
• Explain the concept and requirements of complementary controls
• Recognize the need for evidence provided by service organizations
• Describe the evolving world of blockchain technology
• Recognize the impact of blockchain on both the financial reporting process and the
audit approach
• Identify the latest blockchain software being utilized
• Identify realistic solutions regarding the challenges of maintaining a high level of audit
quality with limited resources
• Recognize how to address systemic deficiencies noted in many accounting and auditing
practices while at the same time balancing the needs of the public interest,
regulators, and standard-setters
• Recognize how to comply with applicable U.S. and international accounting and
auditing standards, quality control standards, corporate governance and risk management
practices, and independence and professional ethics rules
• Identify clients’ businesses and the environments in which they operate
• Understand theories as to why people commit fraud
• Recognize the different types of fraud, including occupational fraud, cyber fraud,
financial fraud, tax fraud, and identity theft
• Identify red flags for fraud
• Describe fraud schemes that affect businesses
Contents
MODULE 1: TOP ACCOUNTING ISSUES
1 Overview of ASUs Issued by FASB in 2018
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 101
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 102
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 103
ASU 2018-01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 104
ASU 2018-02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 105
ASU 2018-03 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 106
ASU 2018-04 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 107
ASU 2018-05 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 108
ASU 2018-06 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 109
ASU 2018-07 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 110
ASU 2018-08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 111
ASU 2018-09 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 112
ASU 2018-10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 113
ASU 2018-11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 114
ASU 2018-12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 115
ASU 2018-13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 116
ASU 2018-14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 117
ASU 2018-15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 118
ASU 2018-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 119
ASU 2018-17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 120
ASU 2018-18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 121
ASU 2018-19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 122
ASU 2018-20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 123
2 Credit Losses on Financial Statements
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 201
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 202
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 203
Main Provisions of the ASU . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 204
Assets Measured at Amortized Cost . . . . . . . . . . . . . . . . . . . . . ¶ 205
Initial Measurement of Expected Losses . . . . . . . . . . . . . . . . . . . ¶ 206
Subsequent Measurement of Expected Credit Losses . . . . . . . . . ¶ 207
Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 208
Financial Statement Disclosures . . . . . . . . . . . . . . . . . . . . . . . . ¶ 209
Available-for-Sale Debt Securities . . . . . . . . . . . . . . . . . . . . . . . ¶ 210
Subsequent Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 211
Financial Statement Disclosures . . . . . . . . . . . . . . . . . . . . . . . . ¶ 212
Transition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 213
Recent Developments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 214
3 The New NPO Reporting Model
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 301
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 302
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 303
Reporting of Net Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 304
Liquidity Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 305
Statement of Cash Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 306
The Operating Measure Information Provided by Some Not-for-Profits . . . . . . . . . . ¶ 307
Reporting of Expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 308
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 309
MODULE 2: TOP AUDITING ISSUES
4 Critical Audit Matters
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 401
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 402
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 403
Overview: Critical Audit Matters . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 404
Principle-Based Approach to Identifying CAM . . . . . . . . . . . . . . ¶ 405
Audit Report Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 406
CAM Illustration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 407
Critical Audit Matters Versus Key Audit Matters . . . . . . . . . . . . . . ¶ 408
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 409
5 New Service Level of Engagement for Attestation Engagements (SSAE 18)
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 501
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 502
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 503
Important Considerations for SSAE 18 . . . . . . . . . . . . . . . . . . . . ¶ 504
Subservice Organizations and SSAE 18 . . . . . . . . . . . . . . . . . . . ¶ 505
SSAE 18 Versus SSAE 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 506
Physical Components of the SSAE 18 Report . . . . . . . . . . . . . . . ¶ 507
SSAE Deliverable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 508
Who Needs an SSAE Audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 509
How to Prepare for a SOC Review . . . . . . . . . . . . . . . . . . . . . . . ¶ 510
Benefits of SOC Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 511
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 512
6 Understanding Blockchain: For CPAs, Accountants, and Practitioners
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 601
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 602
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 603
What is Blockchain? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 604
How to Select a Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 605
Realistic Applications in Practice . . . . . . . . . . . . . . . . . . . . . . . . ¶ 606
Blockchain Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 607
Next Steps in Evolution of your Practice . . . . . . . . . . . . . . . . . . . ¶ 608
7 Enhancing Audit Quality
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 701
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 702
What is Audit Quality? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 703
Root Causes of Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 704
Quality Control Elements Challenges . . . . . . . . . . . . . . . . . . . . . ¶ 705
Strategies to Increase Audit Quality . . . . . . . . . . . . . . . . . . . . . . ¶ 706
Common Deficiencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 707
Preparing for Busy Season and Peer Review . . . . . . . . . . . . . . . ¶ 708
MODULE 3: FRAUD OVERVIEW
8 2019 Fraud Review
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 801
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 802
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 803
Fraud Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 804
Occupational Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 805
Cyber Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 806
Financial Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 807
Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 808
Tax Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 809
Other Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 810
Government-Specific Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 811
Not-for-Profit Specific Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 812
Money Laundering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 813
Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 814
Fraud Wrap-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 815
Answers to Study Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,100
Module 1—Chapter 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,101
Module 1—Chapter 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,102
Module 1—Chapter 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,103
Module 2—Chapter 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,104
Module 2—Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,105
Module 2—Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,106
Module 2—Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,107
Module 3—Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,108
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page 181
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,200
Final Exam Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,300
Final Exam Questions: Module 1 . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,301
Final Exam Questions: Module 2 . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,302
Final Exam Questions: Module 3 . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,303
Answer Sheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,400
Module 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,401
Module 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,402
Module 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,403
Evaluation Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,500
¶ 103 INTRODUCTION
FASB had a very busy year in 2018, issuing 20 ASUs covering a range of topics.
Although it was not quite a record year in terms of the number of ASUs released, a
great deal of new guidance was issued. An executive overview of each ASU is provided
in the following sections to help accountants determine which ASUs will affect them in
the future.
360, those land easements were already on the balance sheet and therefore there would
be little benefit to analyzing each of them under the new Topic 842 for leases to
determine whether they met the updated definition. It would be very costly to do so, and
for some entities, such as utilities or telecommunication companies, it would also be a
very complex undertaking.
In response, the FASB provided a practical expedient. Those who are not currently
following Topic 840, which is the extant lease standard, can continue to account for land
easements as they have been. They can continue to follow the old standard until either
the easement has expired and has to be renewed, or the easement is modified. On the
other hand, those who are currently using Topic 840 do not get a practical expedient.
They would continue to apply the current Topic 840 until they adopt Topic 842.
Effective date: ASU 2018-01 is effective with the transition for ASU 2016-02. Those who
early adopted Topic 842 should adopt this ASU upon issuance.
Under the new standard, there is something called instrument-specific credit risk.
Now, when a company has a liability that it has elected to measure using the fair value
option, the instrument-specific credit risk would run through OCI, and the remaining
change in fair value would run through net income.
Questions were raised about whether how an entity elected the fair value option—
under financial instruments or under the derivatives—mattered. ASU 2016-03 clarified
that the topic would not impact the accounting treatment. It is applied regardless of
whether the fair value election was under derivatives and hedging or under the financial
instruments topic.
Other questions about the fair value option relate to foreign currency. If a
company is separately recording the portion that is related to the instrument-specific
credit risk in OCI, with the remainder running through net income, there were questions
about how one would determine the impact on the foreign currency. The FASB clarified
that the amount related to the instrument-specific credit risk is first measured in the
currency of denomination, and then the change in fair value would be remeasured in the
functional currency.
ASU 2016-03 also addresses another issue regarding fair value. If an entity was
going to use the new guidance for equity securities that did not have a readily
determinable fair value, the standard explicitly states that it can be used, adopted
prospectively. A question was raised about whether an entity could use the prospective
approach for all equity securities if they did not have a readily determinable fair value
but the entity was not electing the special measurement alternative. The answer is no.
The prospective method only applies if there is no readily determinable fair value and
the entity is using the measurement alternative.
Effective date: The effective date for ASU 2018-03 is the same as the effective date in
ASU 2016-01. All entities may early adopt these amendments for fiscal years beginning
after December 15, 2017, including interim periods within those fiscal years, as long as
they have adopted ASU 2016-01.
This ASU was issued in February, so public companies were already halfway
through their first quarter when it was issued. Consequently, the FASB gave such
entities a bit of extra time for adoption because they had already started the transition in
January for their first quarter. Public business entities with fiscal years beginning
between December 15, 2017, and June 15, 2018, are not required to adopt these
amendments until the interim period beginning after June 15, 2018.
other organizations, it is effective for annual reporting periods beginning after December
15, 2018, and interim periods within annual periods beginning after December 15,
2019.
1. Which of the following ASUs relates to the reclassification of certain tax effects from
accumulated other comprehensive income?
a. ASU 2018-01
b. ASU 2018-02
c. ASU 2018-03
d. ASU 2018-04
2. Each of the following identifies an area impacted by ASU 2018-03, except:
a. Backward-looking contracts
b. Equity securities without a readily determinable fair value
c. Presentation requirements for certain fair value option liabilities
d. Transition guidance for equity securities without a readily determinable fair
value
3. ASU 2018-06 made codification improvements to which of the following ASC Topics?
a. ASC 280
b. ASC 606
c. ASC 842
d. ASC 942
Effective date: ASU 2016-02 is not yet effective, but early adoption was permitted. For
entities that early adopted Topic 842, the amendments are effective upon issuance. For
entities that have not adopted Topic 842, the effective date and transition requirements
will be the same as the effective date and transition requirements in Topic 842.
ASU 2018-08 also clarifies that if an entity is combining a lease component with a
non-lease component, if the non-lease component is the predominant source, then Topic
606 should be used. If the lease component is the dominant source, the entity should
use Topic 842. Certain disclosures must be made related to adoption. An entity has to
disclose the fact that it is using the practical expedient. In addition, an entity must
indicate to which classes of assets it makes this election.
Effective date: Entities that have not yet adopted Topic 842 should follow the transition
for ASU 2016-02. For entities that have already adopted Topic 842, the effective date is
either the first reporting period following the issuance or at the original effective date.
The practical expedient may be applied either retrospectively or prospectively.
work Project, the FASB ran pensions through the new conceptual framework under
Chapter 8 for note disclosures and examined whether all the disclosures are needed.
The guidance removes the amount in AOCI expected to be recognized as a
component of net periodic benefit cost over the next year, the amount and timing of
plan assets expected to be returned to the employer, the disclosures related to the June
2001 amendments to the Japanese Welfare Pension Insurance Law, and some related-party
disclosures about the future annual benefits covered by insurance. For nonpublic
entities, it also removed the reconciliation of the opening and closing balance and
instead required only disclosure of transfers into and out of, and purchases of level 3
plan assets. Also eliminated is the sensitivity analysis for the assumed healthcare trends
rate.
However, the FASB also added some items, such as the weighted average interest
credit ratings for cash balance plans and explanation of the reasons for significant gains
and losses. In addition, it clarified certain disclosures regarding the projected benefit
obligation (PBO) and accumulated benefit obligation (ABO).
Effective date: ASU 2018-14 is effective for public business entities for fiscal years
ending after December 15, 2020 (calendar year 2021). For all other entities, it is
effective for fiscal years ending after December 15, 2021 (calendar year 2022). Early
adoption and retrospective application are permitted for all entities.
Effective date: If an entity has not adopted hedge accounting (ASU 2017-12), it would
adopt 2018-16 with 2017-12. However, if a public entity already adopted ASU 2017-02,
then it would follow it for 2019, which was the original date. Everyone else would follow
it for 2020. However, entities can also early adopt this ASU.
criterion and (2) the power criterion. Unfortunately, for private companies, evaluating
these criteria is very difficult, primarily because many agreements between related
parties are not in writing. Private companies will not necessarily have a formal agreement
that dictates all the different elements or has an official end date, so the cost and
complexity of trying to determine who is the primary beneficiary has been difficult.
In 2014, a PCC alternative was issued for variable interest entities, and private
companies that were under common control and had leasing arrangements were given
an exception to VIE guidance. Under ASU 2018-17, if a legal entity meets all of the
following criteria, it would no longer have to be evaluated to determine if it is a VIE by a
private company. First, the reporting entity and the legal entity have to be under
common control. In addition, the reporting entity and the legal entity are not under
common control of a public business entity. In addition, the legal entity that is under
common control is not a public business entity. Finally, the VIE exception cannot be
used to overcome voting interest entity (VOE) guidance, so an entity cannot have either
a direct or indirect controlling financial interest when it goes to the voting guidance. If
an entity meets these requirements, it is effectively scoped out of VIE guidance.
ASU 2018-17 offers an accounting policy election, so it is not mandatory. However,
once an entity elects it, it must apply it to all legal entities; it cannot cherry-pick which
ones it does or does not want to consolidate.
There are several new disclosures under this guidance. Obviously, there are some
disclosures related to risks associated with the reporting entity, including their involvement
with the legal entity under common control, and any carrying amounts that they have
related to assets and liabilities for the reporting entity. What is the reporting entity’s
maximum exposure to loss, and if it exceeds the carrying amount, what quantitative and
qualitative information allows us to understand what is going on in that excess
exposure?
In addition, ASU 2018-17 includes a change related to the treatment of decision-making
fees. When an entity is trying to determine whether a decision-making fee is a
variable interest, it must consider indirect interests held through related parties under
common control. Currently, a direct interest must be used for this. Going forward, this can be
done on a proportional basis.
Effective date: For entities other than private companies, ASU 2018-17 is effective for
fiscal years beginning after December 15, 2019, and interim periods within those fiscal
years. For private companies, it is effective for fiscal years beginning after December 15,
2020, and interim periods within fiscal years beginning after December 15, 2021.
Transition is retrospective, and early adoption is permitted.
policy election where entities can exclude them from consideration. This guidance
represents a huge win for lessors who deal with multiple jurisdictions.
In addition, there were questions about the relationship between lessor costs and
whether they were being reimbursed by the lessee. The update basically states that the
lessor will exclude any variable payments paid by the lessee directly to a third party. For
example, if there is a cost that is really a lessor cost, and the lessee pays it directly to a
third party and does not pay it to the lessor, the lessor would exclude the amount from a
variable consideration. On the other hand, if there are lessor costs that are being paid
by the lessee but they are basically reimbursing the lessor, so the lessor makes the
payment and then the lessee reimburses them, that would be variable revenue. If the
lessor is making the payment and then charges the lessee for it, the lessor knows the
exact amount and would have to treat that as revenue.
Language in previous guidance seemed to imply that regardless of whether a
payment related to non-lease payments, there was explicit accounting. Under this new
guidance, a variable payment is to be allocated between lease and non-lease
components, and any amount that is allocated to the lease component would follow the
guidance in Topic 842. However, any amount that was allocated to the non-lease
component would follow the proper accounting under Topic 606.
Effective date: Not yet adopted; the effective date is the same as the effective date and
transition requirements in ASU 2016-02. Entities that have adopted Topic 842 should
apply changes at the original effective date of Topic 842 for the entity. There is an
option to adopt this guidance in either the first reporting period ending after the
issuance of this ASU or in the first reporting period beginning after the issuance of this
ASU.
STUDY QUESTIONS
¶ 203 INTRODUCTION
The FASB issued final guidance that significantly changes how entities will measure
credit losses for most financial assets and certain other instruments that are not
measured at fair value through net income. By issuing the new amendments outlined in
Accounting Standards Codification (ASC) Topic 326, the FASB responded to criticism
that current accounting and reporting guidance delays recognition of credit losses. As a
result, the new standard will replace the current “incurred loss” approach with an
“expected loss” model for instruments measured at amortized cost and require entities
to record allowances for available-for-sale debt securities rather than reduce the
carrying amount, as they do today under the other-than-temporary impairment (OTTI)
model. The new standard also simplifies the accounting model for purchased
credit-impaired debt securities and loans. For clarity, some of the text in this chapter reflects
the FASB’s wording.
1. The amendments within ASU No. 2016-13 included amendments for each of the
following financial instruments, except:
a. Assets measured at amortized cost
b. Fair value hedges
c. Available-for-sale debt securities
d. Purchased financial instruments with credit deterioration
2. Which of the following financial instruments are within the scope of ASC 326-20?
a. Financial assets measured at amortized costs
b. Available-for-sale debt securities
c. Loans made to participants by defined contribution employee benefit plans
d. Policy loan receivables of an insurance entity
¶ 206
20 TOP ACCOUNTING AND AUDITING ISSUES FOR 2020 CPE COURSE
The names used to describe the former and future models are fairly self-explanatory.
However, the key principles of each model are worth reemphasizing. The incurred
model in the current day recognizes a loss only when an event has occurred that leads
the entity to conclude that a loss is probable. By contrast, the expected loss model
recognizes credit losses based on the expectation or anticipation of a certain future
event, or events, which will ultimately lead to a loss being recognized. This expected
loss model can be analogized to accounting for a customer’s accounts receivable where
an entity has set up an allowance for doubtful accounts.
In the end, the FASB concluded that a current expected credit loss, or CECL,
model should be used for those assets that are measured at amortized
cost. It is important to note that the FASB considered, but ultimately rejected, various
alternatives to the CECL model when considering the feedback from stakeholders that
primarily advocated for the gross-up model and models that were an abbreviated
version of the CECL model (BC36).
Simply put, the allowance for expected credit losses represents the portion of the
amortized cost of a financial asset that an entity does not expect to collect. The FASB
prescribes its overall objective with respect to this allowance for credit losses through
ASC 326-20-30-1. Based on the paragraph, the FASB states that the allowance for credit
losses is a valuation account that is deducted from the amortized cost basis of the
financial asset(s) to present the net amount expected to be collected on the financial
asset. Furthermore, at the reporting date, an entity is required to record an allowance
for credit losses on financial assets. As a result, an entity is required to report in net
income (as a credit loss expense) the amount necessary to adjust the allowance for
credit losses for management’s current estimate of expected credit losses on financial
asset(s). In other words, the allowance for credit losses should represent the portion of
the amortized cost basis of a financial asset that an entity does not expect to collect.
Note that the FASB concluded that an entity should present the allowance for
credit losses as a contra-asset account to reduce the net amortized cost of the asset to
an amount that is expected to be collected. When the FASB considered truncated
models or other models that limited the measurement of credit losses to a specific time
period, it observed that the allowance for credit losses would not represent a complete
estimate of an entity’s expectations (BC42). The FASB also noted that if the
measurement objective is based on a trigger for recording expected credit losses, a layer
of subjectivity and complexity would be added when identifying the assets that met a
particular trigger. As a result of those operability concerns for financial assets, the net
amortized cost basis (net of allowance) would be measured at an amount greater than
the amount expected to be collected (BC42).
Estimating the Credit Loss
The FASB notes that an allowance for credit losses may be determined using various
methods. In other words, it does not require a single method be used for estimating
credit losses. Acceptable methods outlined by the FASB include the following (ASC
326-20-30-3):
• Discounted cash flow methods
• Loss-rate methods
• Roll-rate methods
• Probability-of-default methods
• Methods that use an aging schedule
MODULE 1 - CHAPTER 2 - Credit Losses on Financial Statements 21
While the FASB does not prescribe a specific method be used by all entities, the
measurement requirements can vary depending on whether or not an entity elects to
use a discounted cash flow method. For example, if an entity estimates expected credit
losses using methods that project future principal and interest cash flows (i.e., a
discounted cash flow method), the entity should discount expected cash flows at the
financial asset’s effective interest rate (ASC 326-20-30-4). Furthermore, when a
discounted cash flow method is applied, the allowance for credit losses should reflect the
difference between the amortized cost basis and the present value of the expected cash
flows. If the financial asset’s contractual interest rate varies based on subsequent
changes in an independent factor, such as an index or rate—for example, the prime
rate, the London Interbank Offered Rate (LIBOR), or the U.S. Treasury bill weekly
average—that financial asset’s effective interest rate should be calculated based on the
factor as it changes over the life of the financial asset (ASC 326-20-30-4).
Alternatively, if an entity estimates expected credit losses using a method other
than a discounted cash flow method, the allowance for credit losses should reflect an
entity’s expected credit losses of the amortized cost basis of the financial asset(s) as of
the reporting date (ASC 326-20-30-5). For example, if an entity uses a loss-rate method,
the numerator would include the expected credit losses of the amortized cost basis (i.e.,
amounts that are not expected to be collected in cash or other consideration, or
recognized in income). In addition, when an entity expects to accrete a discount into
interest income, the discount should not offset the entity’s expectation of credit losses.
Note that an entity may develop its estimate of expected credit losses by measuring
components of the amortized cost basis on a combined basis or by separately
measuring both of the following components of the amortized cost basis
(ASC 326-20-30-5):
• Amortized cost basis, excluding premiums, discounts (including net deferred
fees and costs), foreign exchange, and fair value hedge accounting adjustments
(i.e., the face amount or unpaid principal balance)
• Premiums or discounts, including net deferred fees and costs, foreign exchange,
and fair value hedge accounting adjustments
Based on the requirements in the ASU, entities must estimate credit losses over
the contractual term of the financial asset. In its Basis for Conclusions (BC), the
FASB acknowledged that estimating expected credit losses over longer periods of time
(such as the contractual term of financial assets) requires a significant amount of
professional judgment, especially when using discounted cash flow techniques.
Although an entity must estimate credit losses over the entire contractual term of the
financial assets (considering the effect of prepayments), the FASB recognized that as
the forecast horizon increases, the degree of judgment involved in estimating expected
credit losses also increases because the availability of detailed inputs to estimates for
periods in the future decreases. However, the FASB concluded that it is not useful to
assign a credit loss estimate of zero to certain periods merely because an entity is
unable to precisely estimate future economic conditions for those periods
environment in which the entity operates and are specific to the borrower(s). However,
when financial assets are evaluated on a collective or individual basis, an entity is not
required to search all possible information that is not reasonably available without
undue cost and effort. While an entity is not required to develop a hypothetical pool of
financial assets, it may find that using its internal information is sufficient in
determining collectibility.
As previously noted, the amendments within the ASU do not prescribe a specific
methodology for developing an expectation about the collectibility of a financial asset.
However, the FASB does note that an entity’s expectations about the collectibility of a
financial asset should consider available information about past events, including
historical loss experience with similar assets, current conditions, and reasonable and
supportable forecasts that inform the entity about the estimated collectibility of the asset
(BC47). With respect to historical loss information, ASC 326-20-55-6 notes that historical
loss information generally provides a basis for an entity’s assessment of expected credit
losses. As a result, an entity may use historical periods that represent management’s
expectations for future credit losses. The important point to note is that when
determining historical loss information in estimating expected credit losses, the information
about historical credit loss data, after adjustments for current conditions and reasonable
and supportable forecasts, should be applied to pools that are defined in a manner that
is consistent with the pools for which the historical credit loss experience was observed
(ASC 326-20-55-3).
While the previous paragraph mentioned that historical loss can serve as a good
benchmark for estimating credit losses, it is important to note that historical loss
experience may not fully reflect an entity’s expectations about the future. An entity
should, as a consequence, adjust historical loss information to reflect the current
conditions using reasonable and supportable forecasts not already reflected in the
historical loss information (ASC 326-20-55-4).
Included within the implementation guidance to ASC 326-20 is a list of significant
factors an entity should consider depending on the nature of the asset. Note that not all
of these may be relevant to every situation. As a result, the following list of significant
factors is not exhaustive.
Examples of significant factors an entity may consider include the following (ASC
326-20-55-4):
• The borrower’s financial condition, credit rating, credit score, asset quality, or
business prospects
• The borrower’s ability to make scheduled interest or principal payments
• The remaining payment terms of the financial asset(s)
• The remaining time to maturity and the timing and extent of prepayments on
the financial asset(s)
• The nature and volume of the entity’s financial asset(s)
• The volume and severity of past due financial asset(s) and the volume and
severity of adversely classified or rated financial asset(s)
• The value of underlying collateral on financial assets in which the
collateral-dependent practical expedient has not been utilized
• The entity’s lending policies and procedures, including changes in lending
strategies, underwriting standards, collection, write-off, and recovery practices,
as well as knowledge of the borrower’s operations or the borrower’s standing in
the community
• The quality of the entity’s credit review system
• The experience, ability, and depth of the entity’s management, lending staff, and
other relevant staff
• The environmental factors of a borrower and the areas in which the entity’s
credit is concentrated, such as:
— Regulatory, legal, or technological environment to which the entity has
exposure
— Changes and expected changes in the general market condition of either the
geographical area or the industry to which the entity has exposure
— Changes and expected changes in international, national, regional, and local
economic and business conditions and developments in which the entity
operates, including the condition and expected condition of various market
segments
Using Pools
The new guidance for developing estimates on credit losses requires that entities
measure expected losses of financial assets on a collective, or pool, basis when similar
risk characteristics exist (ASC 326-20-30-2). If an entity determines that pooled assets do
not have similar risk characteristics, then they are to be evaluated on an individual
basis. This leads to the next obvious question: What is considered a pool?
Simply put, an entity should aggregate financial assets on the basis of similar risk
characteristics, which may include any one or a combination of the following (ASC
326-20-55-5):
• Internal or external (third-party) credit score or credit ratings
• Risk ratings or classification
STUDY QUESTION
3. If an entity estimates expected credit losses using a discounted cash flow method, it
should discount expected cash flows using which of the following?
a. Weighted average cost of capital
b. Effective interest rate
c. LIBOR rate
d. Cost of equity
¶ 208 PRESENTATION
Under the new amendments, the presentation of the estimate of expected credit losses
for recognized assets on the balance sheet differs from the estimate of expected credit
losses for off-balance-sheet exposures. To that end, the estimate of expected credit
losses for recognized financial assets is presented on the balance sheet as an allowance
that reduces the amortized cost basis of the asset. Alternatively, estimates of expected
credit losses for off-balance-sheet credit exposures should be presented as a liability.
EXAMPLE: Estimating Credit Losses for Trade Receivables Using an
Aging Schedule (ASC 326-20-55-37 through 40)
This example illustrates one way an entity may estimate expected credit losses
for trade receivables using an aging schedule.
Entity E manufactures and sells products to a broad range of customers,
primarily retail stores. Customers typically are provided with payment terms of 90
days with a 2 percent discount if payments are received within 60 days. Entity E
has tracked historical loss information for its trade receivables and compiled the
following historical credit loss percentages:
• 0.3 percent for receivables that are current
• 8 percent for receivables that are 1–30 days past due
• 26 percent for receivables that are 31–60 days past due
• 58 percent for receivables that are 61–90 days past due
• 82 percent for receivables that are more than 90 days past due
Entity E believes that this historical loss information is a reasonable base on
which to determine expected credit losses for trade receivables held at the
reporting date because the composition of the trade receivables at the reporting
date is consistent with that used in developing the historical credit-loss
percentages (that is, the similar risk characteristics of its customers and its lending
practices have not changed significantly over time). However, Entity E has
determined that the current and reasonable and supportable forecasted economic
conditions have improved as compared with the economic conditions included in
the historical information. Specifically, Entity E has observed that unemployment
has decreased as of the current reporting date, and Entity E expects there will be
an additional decrease in unemployment over the next year. To adjust the
historical loss rates to reflect the effects of those differences in current conditions and
forecasted changes, Entity E estimates the loss rate to decrease by approximately
10 percent in each age bucket. Entity E developed this estimate based on its
knowledge of past experience for which there were similar improvements in the
economy.
At the reporting date, Entity E develops the following aging schedule to
estimate expected credit losses.
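The calculation that the Entity E example describes can be carried through as follows. This Python sketch is an added illustration, not part of the course text or of the ASC; the receivable balances are constructed, and the "approximately 10 percent" decrease is read as a relative reduction of each historical rate (0.3 percent becomes 0.27 percent).

```python
from decimal import Decimal, ROUND_HALF_UP

# Historical credit loss percentages stated in the Entity E example.
HISTORICAL_LOSS_PCT = {
    "current": Decimal("0.3"),
    "1-30 days past due": Decimal("8"),
    "31-60 days past due": Decimal("26"),
    "61-90 days past due": Decimal("58"),
    "more than 90 days past due": Decimal("82"),
}

# Assumption: the forecast adjustment is a relative 10 percent reduction
# applied to every age bucket.
FORECAST_ADJUSTMENT = Decimal("-0.10")

# Constructed amortized cost balances per bucket (illustrative only).
CONSTRUCTED_BALANCES = {
    "current": Decimal("1000000"),
    "1-30 days past due": Decimal("50000"),
    "31-60 days past due": Decimal("20000"),
    "61-90 days past due": Decimal("10000"),
    "more than 90 days past due": Decimal("5000"),
}

CENT = Decimal("0.01")


def adjusted_loss_pct(historical_pct, adjustment):
    """Adjust a historical loss percentage for current conditions and forecasts."""
    if adjustment < Decimal("-1"):
        raise ValueError("adjustment cannot reduce a loss rate below zero")
    return historical_pct * (Decimal(1) + adjustment)


def build_aging_schedule(balances, historical_pct, adjustment):
    """Return one row per age bucket with the adjusted rate and loss estimate."""
    unknown = set(balances) - set(historical_pct)
    if unknown:
        raise ValueError(f"no historical loss rate for buckets: {sorted(unknown)}")
    rows = []
    for bucket, pct in historical_pct.items():
        balance = balances.get(bucket, Decimal("0"))
        if balance < 0:
            raise ValueError(f"negative amortized cost in bucket {bucket!r}")
        rate = adjusted_loss_pct(pct, adjustment)
        estimate = (balance * rate / 100).quantize(CENT, rounding=ROUND_HALF_UP)
        rows.append({
            "bucket": bucket,
            "amortized_cost": balance,
            "adjusted_pct": rate,
            "expected_credit_loss": estimate,
        })
    return rows


def summarize(rows):
    """Total the schedule: the allowance is a contra-asset that reduces the
    amortized cost basis to the net amount expected to be collected."""
    amortized_cost = sum((r["amortized_cost"] for r in rows), Decimal("0"))
    allowance = sum((r["expected_credit_loss"] for r in rows), Decimal("0"))
    return {
        "amortized_cost": amortized_cost,
        "allowance": allowance,
        "net_expected_to_collect": amortized_cost - allowance,
    }


if __name__ == "__main__":
    schedule = build_aging_schedule(
        CONSTRUCTED_BALANCES, HISTORICAL_LOSS_PCT, FORECAST_ADJUSTMENT
    )
    for row in schedule:
        print(f'{row["bucket"]:<28}{row["amortized_cost"]:>12}'
              f'{row["adjusted_pct"]:>8}%{row["expected_credit_loss"]:>12}')
    print(summarize(schedule))
```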
• A discussion of the reversion method applied for periods beyond the reasonable
and supportable forecast period
• The amount of any significant purchases of financial assets during each
reporting period
• The amount of any significant sales of financial assets or reclassifications of
loans held for sale during each reporting period
In addition to the previous disclosures, entities are now also required to present a
rollforward schedule of the allowance for credit losses. This is one of the key changes
brought about as a result of ASU No. 2016-13. This rollforward schedule helps
users of an entity’s financial statements understand the activity in the allowance for
credit losses for each period. Specifically, an entity is required to disclose the following
activity in a rollforward schedule (ASC 326-20-50-13):
• The beginning balance in the allowance for credit losses
• Current-period provision for expected credit losses
• The initial allowance for credit losses recognized on financial assets accounted
for as purchased financial assets with credit deterioration (including certain
beneficial interests), if applicable
• Write-offs charged against the allowance
• Recoveries of amounts previously written off, if applicable
• The ending balance in the allowance for credit losses
Past-Due Status
In addition to the disclosures discussed thus far, entities are also required to
disclose certain information with respect to financial assets that are past-due.
Specifically, an entity is required to provide an aging analysis of the amortized cost basis for
financial assets that are past-due as of the reporting date, disaggregated by class of
financing receivable and major security type (ASC 326-20-50-14). This is not a new
requirement based on ASU No. 2016-13; however, what is new is that an entity is
required to disclose its policy for determining when a financial asset is past-due.
Included within the implementation guidance is an illustration of how an entity can
meet the past-due disclosure requirements prescribed above. Refer to the following
table from ASC 326-20-55-80.
Nonaccrual Status
There are also specific disclosure requirements prescribed for those financial assets
with a nonaccrual status. Specifically, an entity is required to disclose the following,
aggregated by class of financing receivable and major security type (ASC 326-20-50-16):
• The amortized cost basis of financial assets on nonaccrual status as of the
beginning of the reporting period and the end of the reporting period
• The amount of interest income recognized during the period on nonaccrual
financial assets
• The amortized cost basis of financial assets that are 90 days or more past due,
but are not on nonaccrual status as of the reporting date
• The amortized cost basis of financial assets on nonaccrual status for which there
is no related allowance for credit losses as of the reporting date.
STUDY QUESTIONS
Scope
The new amendments outlined within subtopic 30 are applicable to all debt
securities that are classified as available-for-sale securities including loans that meet this
definition.
The impairment loss noted above should be recorded at each reporting date. Note
that because an allowance is used to record impairment losses, changes in the
allowance account can go both ways. In other words, the allowance can be increased to
reflect additional credit losses. Alternatively, the allowance can also be reduced to
reflect reductions in credit losses. However, at the risk of stating the obvious, the
allowance account can only be reversed up to zero (i.e., the asset’s value cannot be
written up above its original value before the first allowance recorded). Specifically, the
FASB notes in ASC 326-30-35-12 that an entity should not reverse a previously recorded
allowance for credit losses to an amount below zero.
With respect to the unit of account, impairment should be assessed at the individual
security level (ASC 326-30-35-4). To that end, ASC 326 defines individual security
level as the level and method of aggregation used by the reporting entity to measure
realized and unrealized gains and losses on its debt securities.
Factors to Consider
The previous section identified the overall principles with respect to how and when a
credit loss and related allowance is recorded with an available-for-sale debt security.
This section focuses more on the specific factors that an entity should assess to
determine if an actual credit loss exists.
The actual factors an entity should assess are prescribed within the implementation
guidance of subtopic 30. While the listing and related considerations may seem fairly
comprehensive below, it should be noted that the listing is not meant to be all inclusive.
To summarize, there are numerous factors that should be considered when determining
whether a credit loss exists. For starters, they include the following (ASC
326-30-55-1):
• The extent to which the fair value is less than the amortized cost basis
• Adverse conditions specifically related to the security, an industry, or geographic
area; for example, changes in the financial condition of the issuer of the
security, or in the case of an asset-backed debt security, changes in the financial
condition of the underlying loan obligors. Examples of those changes include
any of the following:
— Changes in technology
— The discontinuance of a segment of the business that may affect the future
earnings potential of the issuer or underlying loan obligors of the security
— Changes in the quality of the credit enhancement
• The payment structure of the debt security (e.g., nontraditional loan terms as
described in paragraphs 825-10-55-1 through 55-2) and the likelihood of the
issuer being able to make payments that increase in the future
• Failure of the issuer of the security to make scheduled interest or principal
payments
• Any changes to the rating of the security by a rating agency
Specific to developing the estimate of cash flows expected to be collected, an entity
should also consider certain information with respect to the collectibility of the security.
This includes information about past events, current conditions, as well as reasonable
and supportable forecasts. This information should include all of the following (ASC
326-30-55-2):
• The remaining payment terms of the security
• Prepayment speeds
• The financial condition of the issuer(s)
• Expected defaults
• The value of any underlying collateral
In addition to the above factors, an entity should also consider the following to the
extent they influence the estimate of cash flows of a security (ASC 326-30-55-3):
• Industry analyst reports and forecasts
• Credit ratings
• Other market data that are relevant to the collectibility of the security
Finally, an entity should also consider how other credit enhancements affect the
expected performance of the security, including the following (ASC 326-30-55-4):
• Consideration of the current financial condition of the guarantor of a security (if
the guarantee is not a separate contract)
• The willingness of the guarantor to pay
• Whether any subordinated interests are capable of absorbing estimated losses
on the loans underlying the security
Furthermore, it is important to note that the remaining payment terms of the
security could be significantly different from the payment terms in prior periods (such
as for some securities backed by nontraditional loans). As a result, an entity should
consider whether a security backed by currently performing loans will continue to
perform when required payments increase in the future (including balloon payments).
Finally, an entity should also consider how the value of any collateral would affect the
expected performance of the security. If the fair value of the collateral has declined, an
entity should assess the effect of that decline on its ability to collect the balloon payment
(ASC 326-30-55-4).
Future Cash Flow Considerations
The estimates of expected future cash flows should be the entity’s best estimate based
on past events, current conditions, and reasonable and supportable forecasts.
Furthermore, available evidence should be considered in developing the estimate of expected
future cash flows with weight given to the information used in the assessment being
commensurate with the extent to which the evidence can be verified objectively (ASC
326-30-35-8). Examples of this available information include existing environmental
factors such as industry, geographical, economic, and political (ASC 326-30-35-9).
Another important point to note is that if an entity estimates a range for either the
amount or timing of possible cash flows, the likelihood of the possible outcomes should
be considered in determining the best estimate of expected future cash flows.
Finally, ASC 326 offers flexibility to entities when utilizing a rate for discounting
future cash flows. For example, some debt securities’ contractual interest rates vary
based on subsequent changes in an independent factor, such as an index or rate, for
example, the prime rate, the LIBOR, or the U.S. Treasury bill weekly average (ASC
326-30-35-11). In these situations when there is variability in the interest rate, an entity
may conclude that the security’s effective interest rate used to discount expected cash
flows may be calculated based on the changing factor or may be fixed at the rate in
effect at the date an entity determines that the security has a credit loss (ASC
326-30-35-11). The important takeaway with respect to this choice point is that the entity
should consistently apply its conclusion on the effective interest rate to be used for all
securities whose contractual interest rate varies based on changes in an independent
factor. In other words, an entity cannot apply a different discount percentage among
different securities whose contractual interest rate varies based on subsequent
changes in an independent factor. As with many other accounting principles, this needs
to be consistently applied.
STUDY QUESTION
6. Which of the following financial instruments is included within the scope of ASC
326-30?
a. Financing receivables
b. Reinsurance recoverables
c. Receivables that relate to repurchase agreements
d. Available-for-sale debt securities
¶ 213 TRANSITION
This chapter has focused primarily on presenting the new recognition and measurement
amendments as a result of ASU No. 2016-13. At this point in the chapter, it is critical to
address the respective transition requirements for entities. This is not one of those
ASUs that will be a simple adoption for most entities. In other words, it certainly does
not fit within the bucket of the FASB’s routine simplification initiatives that can
generally be easily adopted by entities without significant effort. This ASU, instead,
encompasses significant changes to current GAAP that require entities to evaluate
many aspects of their current accounting policies with respect to credit losses.
As previously noted, for public business entities that are U.S. Securities and
Exchange Commission (SEC) filers, the amendments in this ASU are effective for fiscal
years beginning after December 15, 2019, including interim periods within those fiscal
years. By contrast, for all other public business entities, the amendments in this update
are effective for fiscal years beginning after December 15, 2020, including interim
periods within those fiscal years. Still, for all other entities, including not-for-profit
entities and employee benefit plans within the scope of Topics 960 through 965 on plan
accounting, the amendments in this ASU are effective for fiscal years beginning after
December 15, 2021, and interim periods within fiscal years beginning after December
15, 2021. Entities are required to apply the amendments from this ASU through a
cumulative-effect adjustment to retained earnings as of the beginning of the first
reporting period in which the guidance is effective. In other words, they are required to
apply a modified-retrospective approach.
The FASB noted in BC126 that it initially determined the effective dates to be
one year earlier than the respective dates mentioned above. However, the final issuance
of the ASU occurred later than the FASB expected because additional outreach was
performed. As a result, in consideration of the Private Company Decision-Making
Framework and the FASB’s reconsideration of the effective dates to the effective dates
mentioned above, the FASB decided that all entities may adopt the amendments in the
ASU as of fiscal years beginning after December 15, 2018, including interim periods
within those fiscal years. Note that earlier adoption is not permitted as a result of this
ASU.
The FASB also understands that some stakeholders are of the view that a requirement
to record the full estimate of expected losses may inhibit lending, particularly to
less creditworthy borrowers or during an economically stressed environment (BC9).
However, the FASB notes that the amendments in this ASU do not change the
economics of lending. Said another way, the same loss ultimately will be recorded,
regardless of the accounting requirements. The critical aspect that is changing is the
accounting threshold for the recognition of credit losses, which affects only the timing
of when to record credit losses, not the ultimate amount realized on the financial assets.
On account of these changes, the FASB notes that the guidance on credit losses should
provide information that is useful in making business and economic decisions, and that
guidance on credit losses should provide information that faithfully reports the economics
of a transaction, regardless of any perceived positive or negative impact that reporting
that information in the financial statements (that is, “neutrality”) has on business and
policy decisions (BC9).
Similar to ASU No. 2014-09, Revenue from Contracts with Customers, which included
sweeping changes to the accounting principles with respect to revenue recognition and
drove the creation of a Revenue Recognition Transition Resource Group (TRG), so too
is the case for the ASU that is the subject of this chapter. As a result, a TRG was put in
place at the FASB with respect to implementation issues of the new credit loss
amendments. The purpose of this TRG is to do the following:
• To solicit, analyze, and discuss stakeholder issues arising from implementation
of the new guidance
• To inform the FASB about those implementation issues, which will help the
Board determine what, if any, action will be needed to address those issues
• To provide a forum for stakeholders to learn about the new guidance from
others involved with implementation
MODULE 1 - CHAPTER 2 - Credit Losses on Financial Statements 41
• Clarification That Reinsurance Recoverables Are Within the Scope of Subtopic
326-20
• Projections of Interest Rate Environments for Variable-Rate Financial
Instruments
• Consideration of Prepayments in Determining the Effective Interest Rate
• Consideration of Estimated Costs to Sell When Foreclosure Is Probable
¶ 303 INTRODUCTION
For the most part, the current not-for-profit organization (NPO) reporting requirements
came from FASB 117, Financial Statements of Not-for-Profits, which was issued in 1993.
In 2011, FASB initiated a project to review this standard. The result of that project is
ASU 2016-14, issued in August 2016.
The changes in ASU 2016-14 will affect substantially all NPOs. The effective date of
the guidance is fiscal years beginning after December 15, 2017 (December 2018 year
end). For entities with a June 30 fiscal year, the ASU is effective June 30, 2019. Entities
can early adopt the guidance if they so choose. In the year of adoption, they must apply
all the provisions for comparative presentation. However, if an NPO did not have to do a
statement of functional expenses in the past, it does not have to have one for the prior
year. Also, that NPO would not have to make a disclosure about liquidity and availability
of resources for the prior year; the disclosure can just be for the current year.
Under ASU 2016-14, entities must disclose the nature of any reclassifications or
restatements and their effects, if any, on changes in the net assets. They also must
include an emphasis of matter paragraph in the audit report if the adoption results in
changes that have a material impact.
The ASU includes key changes to five areas: reporting of net assets, liquidity
information provided by NPOs, the statement of cash flows, the operating measure
information provided, and the reporting of expenses. Some of these provisions are
robust, whereas others are much simpler. The guidance offers NPOs many ways to
emphasize and document items in their financial statements and footnotes.
Note that subsets can be included on the statement of financial position. Alternatively,
the total can be shown without donor restrictions and instead those details can be
included in a footnote. The following chart shows how the statement of activity would
appear if using a column approach without donor restrictions and with donor
restrictions.
Statement of Activity
MODULE 1 - CHAPTER 3 - The New NPO Reporting Model 45
Statement of Activity
Expenses:
Program Omega 97,068 97,068
Program Iota 83,012 83,012
Management and general 35,013 35,013
Fundraising 27,884 27,884
EXAMPLE: Net assets with donor restrictions at December 31, 2016, are
restricted for the following purpose or periods:
Subject to expenditure for a specified purpose (or purpose and
time):
Program #4 $ 4,410,000
Program #2 370,000
Education 320,000
5,100,000
Subject solely to the passage of time:
Future operations 1,570,000
As a result, if an NPO was estimating over the useful life and must now use the
placed-in-service approach, it will have a reclassification of net assets that will reflect a
decrease in net assets with donor restrictions and an increase in net assets without
donor restrictions.
Underwater Endowments
In prior GAAP, NPOs presented the aggregate amount by which endowments were
underwater in unrestricted net assets. Consider the following example.
EXAMPLE: Company A accepts a donation of $100,000 invested in stocks
from its client. The client says to Company A, “This donation is for your endowment
fund. This is in perpetuity. You can use the earnings.” Company A retains
that investment, and that investment loses money. The investment is now worth
$90,000. In prior GAAP, Company A still has $100,000 of permanently restricted net
assets, yet only $90,000 in its investment account. That loss is negative unrestricted
net assets of $10,000 connected to this investment that has gone underwater. It is
less in value than what it was originally worth. Under the new guidance, the entire
investment is shown with donor restrictions. Even though Company A receives
$100,000, it only has $90,000, and it will show $90,000 with donor restrictions.
Previously, the term underwater endowment fund was not defined by FASB, but now
the following definition is included in the FASB Master Glossary: “a donor-restricted
endowment fund for which the fair value of the fund at the reporting date is less than
either the original gift amount or the amount required to be maintained by the donor or
by law that extends donor restrictions.”
The new disclosure requirements include the following:
• Interpretation of the NPO’s ability to spend from underwater endowment funds
• The NPO’s policy, and any actions taken during the period, concerning appropriation
from underwater endowment funds
• Each of the following, in the aggregate, for all underwater endowment funds:
— The fair value of the underwater endowment funds
— The original endowment gift amounts (or level required to be maintained by
donor stipulations or by law that extend donor restrictions)
— The amount by which the original gift amount exceeds the fair value (the
deficiency = 2 less 1)
EXAMPLE: Examples of endowment disclosures include the following:
“From time to time, the fair value of assets associated with donor-restricted
endowment funds may fall below the level the Company is required to retain by
donor stipulation or law (underwater endowments). There were no underwater
endowments as of December 31, 2018.”
or
“From time to time, the fair value of assets associated with donor-restricted
endowment funds may fall below the level the Company is required to retain by
donor stipulation or by law (underwater endowments). We have interpreted
UPMIFA to permit spending from underwater endowments in accordance with
prudent measures required under law. At December 31, 2018, funds with original
gift values of $4,189,234, fair values of $4,123,890, and deficiencies of $65,344 were
reported in net assets with donor restrictions. These amounts were fully recovered
during 2019 due to favorable market conditions.”
STUDY QUESTIONS
1. Which of the following ASUs released in 2016 specifically impacts nearly all not-for-profit
entities?
a. ASU 2016-01
b. ASU 2016-04
c. ASU 2016-07
d. ASU 2016-14
2. Each of the following identifies a key area with respect to ASU 2016-14, except:
a. Reporting of net assets
b. Reporting of income
c. Liquidity information
d. Statement of cash flows
3. When was FASB 117, Financial Statements of Not-for-Profits, issued?
a. 1993
b. 1999
c. 2011
d. 2016
The footnote would read as follows: “The table below presents Not-for-Profit D’s
expenses by both their function and nature for the year ending 20X1. Program
activities are broken out into Program Omega, Program Iota, and then other programs.
Supporting activities include Management and General, Fundraising, and Supporting.”
Remember that the client prepares the financial statements. If the client asks the
auditors to help it draft the financial statements, the client still has to make the key
decisions. Will the client show the functional expenses on the statement of activities, or
will it have a separate statement of functional expenses or include them in the footnotes?
It is management’s decision.
¶ 309 SUMMARY
This chapter has discussed ASU 2016-14’s key changes in the following five areas: (1)
reporting of net assets, (2) liquidity information from NPOs, (3) the statement of cash
flows, (4) the operating measure information provided, and (5) the reporting of expenses.
These changes can be summarized as follows:
CPE NOTE: When you have completed your study and review of chapters 1-3, which
comprise Module 1, you may wish to take the Final Exam for this Module. Go to
cchcpelink.com/printcpe to take this Final Exam online.
¶ 403 INTRODUCTION
In a world where it seems things change daily, one constant in business has been the
independent auditor’s report. The purpose of an external audit is to enhance the
intended financial statement user’s degree of confidence. Considering all the scandals in
financial reporting that have occurred in the last 20 years, it is surprising that the
auditor’s report has not been subject to changes earlier. However, this issue has not
gone unrecognized, as changes to improve communication to financial statement users
have been encouraged for many years. Reports cited that recognized this need include
the Cohen Commission in 1974 and the Treadway Commission in 1985. However, even
with this urging, and amid all the scandals that occurred in the late 1990s and early
2000s, changes to the auditor’s report have been minimal.
If your organization is a publicly traded company, two changes have been cited to
the standard auditor’s report and are applicable to the majority of Securities and
Exchange Commission (SEC) issuers since the 1980s. These changes include:
• Adoption of PCAOB Auditing Standard 1, and
• Establishment of requirements for auditors to report on internal control over
financial reporting (ICFR) as outlined by the Sarbanes-Oxley Act of 2002.
Nevertheless, after more than 80 years, auditors still follow the pass/fail model that
requires them to state whether their clients’ financial statements are presented fairly or
not. Financial statements considered as presented fairly would receive a “pass” rating,
while those considered not to be presented fairly would receive a “fail” rating. Auditors
may provide a “qualified opinion,” meaning that they could not deliver a full opinion
because some aspects of a client’s accounting failed to adhere to generally accepted
accounting principles (GAAP) or contained incomplete information. But that has essentially
been the crux of the requirements.
If the accounting and business world were black-and-white, this model may still be
relevant. But as we have seen over the past 15 to 20 years, the emergence of global
business and the speed at which technology is advancing have introduced a new
spectrum of colors into our business world. SEC standards have long allowed auditor
communication of critical audit matters (CAMs) to be performed on a voluntary basis.
Since the inception of the standard that covers requirements for the auditor’s report, the
content has largely gone unchanged. It is only reasonable to expect evolution and
change in the independent auditor’s report. Hence the emergence of the requirement to
disclose critical audit matters.
AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor
Expresses an Unqualified Opinion, retains the pass/fail opinion of the existing auditor’s
report but significantly changes its form and content—most importantly, expanding it to
include CAMs.
The new standard was presented by the Public Company Accounting Oversight
Board (PCAOB) in June 2018 and approved by the SEC in October 2018. While the
standard becomes effective as of fiscal years ending on or after December 15, 2017, the
new requirements with respect to CAMs are effective for audits of fiscal years ending on
or after June 30, 2019, for large accelerated filers. For all other companies where the
requirement applies, the deadline is for fiscal years ending on or after December 15,
2020.
Since significant time has elapsed with minimal change to the auditor’s report,
some may ask, why now? In principle, the PCAOB identified the need to make the
auditor’s report more relevant for investors by requiring the auditor to communicate
additional information about the audit. This concept is not new. Many of the requirements
associated with the Sarbanes-Oxley legislation seek to enhance transparency,
readability, and integrity of the information provided in financial statements. These
initiatives have come after long-sought actions by the investment community for more
complete information about an organization’s financial health. The new auditor reporting
standard will require communication of CAMs for many audits conducted under
PCAOB standards; however, communication of CAMs will not be required for the
following:
• Audits of brokers and dealers reporting under the Securities Exchange Act of
1934 Rule 17a-5
• Investment companies other than business development companies
• Employee stock purchase, saving, and similar plans
• Emerging growth companies.
A simple way to think about a CAM is to consider the concept of “what keeps the
auditors up at night.” The new standard requires auditors to disclose to the public
certain aspects of the audit that came to their attention and raised their level of concern
during the audit. The new standard retains the existing “pass/fail” opinion but makes
significant changes to other aspects of the auditor’s report. This includes the inclusion
of CAMs.
MODULE 2 - CHAPTER 4 - Critical Audit Matters 55
STUDY QUESTION
2. Which of the following is included in the formal definition of a critical audit matter?
a. A matter resulting from the audit of financial statements that has been mitigated
by management
b. A matter that includes certain required audit committee communications
c. A matter resulting from the audit of financial statements that relates to accounts
or disclosures that are material to the financial statements
d. A matter identified prior to the audit of financial statements
• Describe how the CAM was addressed in the audit. When describing CAMs
in the auditor’s report, the auditor is not expected to provide information about
the company that has not been made publicly available. However, if such
information is necessary to describe the principal considerations that led the
auditor to determine that a matter is a CAM or how the matter was addressed in
the audit, it must be disclosed.
If the auditor chooses to describe audit procedures, the descriptions are expected
to be at a level investors and other financial statement users can understand. Auditors
must be cognizant of using understandable language and ensure the message can be
understood by constituents. This may require limiting the use of technical accounting
and auditing terms in the description of the CAM. The objective is to provide a useful
summary, not to detail every aspect of how the matter was addressed in the audit.
Language that could be viewed as disclaiming, qualifying, or restricting, or that
minimizes the auditor’s responsibility for the CAMs or the auditor’s opinion on the
financial statements, is not appropriate and may not be used. The language used to
communicate a CAM should not imply that the auditor is providing a separate opinion
on the CAM or on the accounts or disclosures to which they relate.
The auditor’s report must also refer to the relevant financial statement accounts or
disclosures that relate to the CAM. If the auditor determines there are no CAMs, the
auditor must state so in the auditor’s report.
When the auditor identifies a CAM in a report, he or she is essentially drawing
closer attention to the issue. This is important as management and the audit committee
must devote time and effort into properly addressing the issue. Unfortunately, the
standard does not provide a checklist of potential issues or even provide guidance as to
the requirements on the exact content of issues. It does not list required CAMs or set
an expectation that certain items will be CAMs in all cases (e.g., matters considered
significant risks may be CAMs in certain cases but not in others). See the illustrative
example. The determination is left to auditor judgment and will be executed on a case-by-case
basis.
• Refer to the relevant financial statement accounts or disclosures that
relate to the CAM. For each CAM communicated in the auditor’s report, the
auditor is required to refer to the relevant financial statement accounts or
disclosures.
Determination of CAMs cannot follow a checklist approach. CAMs will be unique
to each audit. A variety of factors influence an auditor’s consideration of which matters
involved especially challenging, subjective, or complex auditor judgment. Several concepts
are important in developing an approach to identifying and communicating CAMs.
Auditors, preparers, audit committees, and others should plan accordingly for the
time it will take to determine and draft CAMs. The process to determine CAMs is the
auditor’s responsibility. CAMs may be identified throughout the audit, and it is important
that auditors discuss draft CAM communications with management and the audit
committee well in advance of when the auditor’s report is to be issued.
The auditor must communicate with management and the audit committee on a
regular and timely basis. This communication will assist in avoiding surprises about
issues that have been identified as CAMs. During the communication process, auditors
should be open and transparent with management about the process they have followed
when identifying and drafting CAM communication. This can also be important in later
aspects of preparing appropriate financial statement disclosures.
• Including both the explanatory paragraph and the CAM communication separately
in the auditor’s report, with a cross-reference between the two sections.
When both an explanatory paragraph and a CAM communication are provided,
the CAM description should not include conditional language that would not be
permissible in the explanatory paragraph.
Interactions with the Audit Committee
Any matter that will be communicated as a CAM should already have been discussed
with the audit committee. The auditor is required to provide a draft of the auditor’s
report to the audit committee and discuss the draft with them. While the auditor should
determine how best to comply with these communication requirements, the auditor
may discuss with management and the audit committee the treatment of any sensitive
information.
Case Scenario Evaluation: Revenue Recognition CAM Considerations

| Assessment Area | Company A Widgets | Company A CAM determination | Company B Utility | Company B CAM Determination |
| --- | --- | --- | --- | --- |
| The auditor’s assessment of the risks of material misstatement. This includes assessment of significant risk. | Risk of material misstatement is low. Price is known. Little to no judgment is involved in the process. Standard contracts exist. Orders have remained stable over 10 years. | Revenue process is inherently high-risk; however, the risk of material misstatement is significantly mitigated by the company’s procedures. As such, no CAM is considered needed relative to this criteria. | Commercial and industrial customer usage is a large percent of monthly revenue. The complex process of estimation creates an inherent high risk of material misstatement. | Factors indicate potential that revenue estimation could require identification of a CAM. Commercial and industrial customers are a significant portion of the revenue base. This area would be considered at high risk for potential material misstatement. |
| Degree of auditor judgment/estimation by management. Includes estimates with significant measurement uncertainty. | Little to no auditor judgment is required. The revenue process is straightforward and does not involve significant management judgment. | Little to no auditor judgment and no use of estimates creates a low level of management uncertainty. As such, no CAM is considered needed relative to this criteria. | Estimating customer usage is complex and takes into account various factors such as weather, geography, rates, estimation, and measurement uncertainty. | This area identifies as a potential CAM issue. This is supported by its complexity and use of judgment and estimates. |
| Nature/timing of significant unusual transactions and extent of audit effort/judgment related to these transactions. | Transactions are normal. No significant or unusual transactions occur in this process. | No CAM based on this criteria. | Extent of audit effort is significant. This is due to the significance of revenue estimation related to these transactions. | This results in the potential for a CAM issue because audit effort requires not only extensive procedures but also auditor judgment and assessment. |
| The degree of auditor subjectivity in applying audit procedures to address the matter or in evaluating the results of those procedures. | Auditor procedures are well designed, and the ability to apply the procedures to the revenue process is transparent. | No CAM based on this criteria. | Auditor subjectivity is not considered high in this area. The estimation procedures are well documented, and audit tests can be designed to validate information. | If auditor subjectivity is held to a minimum in testing this area, this may not require a CAM identification. |
| The nature/extent of audit effort required to address the matter. This includes the extent of specialized skill needed or the nature of consultations outside the engagement team. | The revenue process is straightforward and does not require specialized skill or outside consultants. | No CAM identified based on this criteria. | The estimation process requires a strong knowledge of the industry and the regulatory requirements. The external auditors are often required to call upon industry specialists to evaluate this area. | The fact that specialists are required to evaluate the area could point to the need for identification of a CAM. |
| PCAOB AS 3101 | IIASB ISA 701 | Variance |
| --- | --- | --- |
| The degree of auditor subjectivity in applying audit procedures to address the matter or in evaluating the results of those procedures | | ISA 701 does not reference auditor subjectivity. PCAOB AS 3101 acknowledges that given the nature of an audit, procedures performed may often involve subjectivity when evaluating outcomes. This level of subjectivity should be a considering factor in determining CAMs because it introduces additional auditor judgment into the process. |
| The nature and extent of audit effort required to address the matter, including the extent of specialized skill or knowledge needed or the nature of consultations outside the engagement team | | Similar to the consideration of auditor subjectivity in developing audit procedures, AS 3101 includes the degree of audit effort and the need for specialized skill. The key component that varies in the two standards is the identification of the need to consider the requirement of specialized skill. |
| The nature of audit evidence obtained regarding the matter | | AS 3101 references the nature of audit evidence. This recognizes the concept that not all evidence is created equal. The auditor must take into account how direct the evidence is to the audit area and the method in which the evidence was obtained. |
6. Which regulatory body prescribed rules with respect to key audit matters (KAMs)?
a. PCAOB
b. SEC
c. IIASB
d. ISO
¶ 409 SUMMARY
The overall impact of AS 3101 has yet to be realized. The standard has potential for both
positive and negative ramifications. The Center for Audit Quality indicates the new
standard “provide(s) additional information to investors and other stakeholders in an
increasingly complex and global business environment.” However, this is just one
opinion. Others, including the U.S. Chamber of Commerce, feel the new requirements
“obfuscate disclosures for investors and make capital formation less efficient.”
Time will tell as the new standard continues to roll out and be refined by
companies. It is important for both independent auditors as well as management to
become comfortable with this change and embrace the concepts outlined in applying a
principle-based approach to identification of CAMs.
¶ 503 INTRODUCTION
The increased use of outsource providers for multiple aspects of business has created a
whole new dimension of risk(s) to organizations. Outsourcing work extends from
financial tasks such as accounts payable and payroll process to information technology
management and even compliance services. Originally, the AICPA issued SAS 70 to
address control assurance on outsourced providers for financial reporting purposes.
You may be familiar with the SSAE 16 requirements and SOC reports. In April 2016, the
AICPA Auditing Standards Board (ASB) issued SSAE No. 18, Attestation Standards:
Clarification and Recodification.
A service auditor’s examination performed in accordance with SAS 70 represented
that the organization has undergone a complete in-depth examination of its control
objectives and control activities. This often included controls over information technology
and related processes. In today’s global economy, service organizations must
demonstrate they have adequate controls and safeguards when they host or process
data belonging to their customers. The requirements of Section 404 of the Sarbanes-Oxley
Act of 2002 make SAS 70 audit reports even more important to the process of
reporting on the effectiveness of internal control over financial reporting.
For nearly 18 years, SAS 70 was the authoritative guidance for service organizations
to disclose their control activities and processes to their customers and their
customers’ auditors. SAS 70 provides guidance to enable an independent auditor to
issue an opinion on a service organization’s description of controls through a Service
Auditor’s Report SAS 70 but does not specify a predetermined set of control objectives
or control activities that service organizations must achieve.
SAS 70 was generally applicable when an independent auditor was planning the
financial statement audit of an entity that obtains services from another organization.
However, as outsourcing became more prevalent, the AICPA issued SSAE 16 to expand
upon the requirements of SAS 70. In 2011, SSAE 16 took effect and replaced SAS 70 as
the authoritative guidance for performing a service auditor’s examination. SSAE 16
established a new attestation standard (AT 801) to contain the professional guidance. At
the same time, the AICPA launched a new Service Organization Controls (SOC)
reporting framework designed to allow practitioners to provide different types of reports
depending on the needs of service organizations and their stakeholders.
SSAE 16 was drafted with the intention of updating the U.S. service organization
reporting standard to mirror and comply with the international service organization
reporting standard, ISAE 3402. The main variance between SAS 70 and SSAE 16 was
that the service company was required to provide a written assertion to the auditor that
its description of services accurately represented its organizational “system.”
Following is a summary of the authoritative statements and pronouncements
relative to internal control, related to service organizations that have been made since
the first Statement on Auditing Procedure (SAP) in 1939.
History of Control Reports

| Statement | Issuance Date | Title of Statement |
| --- | --- | --- |
| SAP 29 | October 1958 | Scope of the Independent Auditor’s Review of Internal Control |
| SAP 41 | November 1971 | Reports on Internal Control |
| SAP 54 | November 1972 | The Auditor’s Study and Evaluation of Internal Control |
| SAP 3 | December 1974 | The Effects of EDP on the Auditor’s Study and Evaluation of Internal Control |
| SAS 44 | December 1982 | Special-Purpose Reports on Internal Accounting Control at Service Organizations |
MODULE 2 - CHAPTER 5 - New Service Level of Engagement 71
| Statement | Issuance Date | Title of Statement |
| --- | --- | --- |
| SAS 48 | July 1984 | The Effects of Computer Processing on the Audit of Financial Statements |
| SAS 55 | April 1988 | Consideration of Internal Control in a Financial Statement Audit |
| SAS 70 | April 1992 | Service Organization |
| SAS 78 | December 1995 | Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55 |
| SAS 88 | December 1999 | Service Organizations and Reporting on Consistency |
| SAS 94 | May 2001 | The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit |
| PCAOB AS 2 | May 2004 | An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. Note: Appendix B refers to Service Organizations. |
| PCAOB AS 5 | May 2007 | An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements. Note: Appendix B17-B17 covers Service Organization considerations. |
| ISAE No. 3402 | December 2009 | Assurance Reports on Controls at a Service Organizations |
| SSAE 16 | April 2010 | Reporting on Controls at a Service Organization |
| SSAE 16 | 2011 | Service Organization Control Reports |
| SSAE 18 | 2016 | Supersedes SSAE 16 |
In 2011, SOC reports were introduced and were intended to help address data
security and compliance issues. Three types of SOC reports and two subtypes for SOC 1
and SOC 2 were identified. The following table outlines the various report types and
their focus and purpose.
SOC Report Types and Purpose

| SOC | Type | Focus |
| --- | --- | --- |
| SOC 1 | Type 1 | Addresses the design of control over financial reporting services |
| SOC 1 | Type 2 | Addresses both the design and operating effectiveness of controls over financial reporting services |
| SOC 2 | Type 1 | Addresses the design of controls surrounding the security, viability, processing integrity, confidentiality, and privacy of services |
| SOC 2 | Type 2 | Addresses the design of and operating effectiveness of controls around the security, availability, processing, integrity, confidentiality, and privacy of services |
| SOC 3 | General Purpose | Public-facing document that gives a high-level overview of information in the SOC 2 report |
Even with the identification of various SOC reports, SSAE 16 was intended to be
specific to SOC 1 reports (addressing financial reporting). However, service auditors
began stretching the interpretation of the SOC reports to address the increased use of
technology.
In an effort to standardize attestation criteria, the AICPA issued SSAE 18 in April
2016 to replace SSAE 10 through 17. As of May 1, 2017, the SSAE 18 standard
superseded SSAE 16. SSAE 18 provides more definitive guidance on controls surrounding
information technology including focusing on the Trust Service Criteria of information
security, availability, processing integrity, confidentiality, and privacy. It also places
responsibility on the service organization to monitor any subservice organizations they
may utilize. More importantly, SSAE 18 refers to many different types of attestation
reports, not just SOC 1 reports. Major changes from SSAE 16 to SSAE 18 include:
Both service organization and service organization providers should ensure they
have a strong understanding of each type of SOC report and the elements required to
ensure the reports appropriately meet their intention.
The SSAE 18 requirements are expected to have the greatest impact in the
following areas:
STUDY QUESTIONS
1. Which of the following standards did SSAE 18 supersede and replace as the standard
for evaluating service organization controls?
a. SAS 70
b. SSAE 16
c. PCAOB AS 2
d. PCAOB AS 5
SOC 2 report. These reports are utilized for reporting on controls for IT-related
organizations, such as cloud computing, Software as a Service (SaaS), and managed
services, along with data centers. These are just a few of the growing list of IT services.
SOC 2 reviews are an audit of a service organization’s nonfinancial reporting controls as
they relate to the Trust Service Criteria as defined by the AICPA. Those criteria include:
• Security. Information and systems are protected against unauthorized access,
unauthorized disclosure of information, and damage to systems that could
compromise the availability, integrity, confidentiality, and privacy of information
or systems and affect the entity’s ability to meet its objectives. Security refers to
the protection of:
— Information during its collection or creation, use, processing, transmission,
and storage
— Systems that use electronic information to process, transmit or transfer, and
store information to enable the entity to meet its objectives
OBSERVATION: Controls over security prevent or detect the breakdown
and circumvention of segregation of duties, system failure, incorrect processing,
theft, or other unauthorized removal of information or system resources; misuse of
software; and improper access to or use of, alteration, destruction, or disclosure of
information.
• Availability. Availability refers to the accessibility of information used by
the entity’s systems, as well as the products or services provided to its
customers. The availability objective does not, in itself, set a minimum
acceptable performance level. It does not address system functionality (the
specific functions a system performs) or usability (the ability of users to
apply system functions to the performance of specific tasks or problems).
However, it does address whether systems include controls to support
accessibility for operation, monitoring, and maintenance.
• Processing integrity. Processing integrity refers to the completeness, valid-
ity, accuracy, timeliness, and authorization of system processing. It ad-
dresses whether systems achieve the aim or purpose for which they exist
and whether they perform their intended functions in an unimpaired man-
ner, free from error, delay, omission, and unauthorized or inadvertent
manipulation. Because of the number of systems used by an entity, process-
ing integrity is usually addressed only at the system or functional level of
an entity.
• Confidentiality. Confidentiality addresses the entity’s ability to protect infor-
mation designated as confidential from its collection or creation through its
final disposition and removal from the entity’s control in accordance with
management’s objectives. Information designated as confidential is pro-
tected to meet the entity’s objectives. Information is confidential if the
custodian of the information is required to limit its access, use, and
retention and restrict its disclosure to defined parties. Confidentiality re-
quirements may be contained in laws or regulations or in contracts or
agreements that contain commitments made to customers or others. The
need for information to be confidential may arise for many different rea-
sons. For example, the information may be proprietary, intended only for
entity personnel.
OBSERVATION: Confidentiality is distinguished from privacy in that privacy
applies only to personal information, whereas confidentiality applies to various
types of sensitive information. In addition, the privacy objective addresses requirements
regarding collection, use, retention, disclosure, and disposal of personal
information. Confidential information may include personal information as well as
other information, such as trade secrets and intellectual property.
• Privacy. Personal information is collected, used, retained, disclosed, and disposed
to meet the entity’s objectives. Although confidentiality applies to various
types of sensitive information, privacy applies only to personal information. The
privacy criteria are organized as follows:
— Notice and communication of objectives. The entity provides notice to data
subjects about its objectives related to privacy.
— Choice and consent. The entity communicates choices available regarding the
collection, use, retention, disclosure, and disposal of personal information to
data subjects.
— Collection. The entity collects personal information to meet its objectives
related to privacy.
— Use, retention, and disposal. The entity limits the use, retention, and disposal
of personal information to meet its objectives related to privacy.
— Access. The entity provides data subjects with access to their personal
information for review and correction (including updates) to meet its objec-
tives related to privacy.
— Disclosure and notification. The entity discloses personal information, with
the consent of the data subjects, to meet its objectives related to privacy.
Notification of breaches and incidents is provided to affected data subjects,
regulators, and others to meet its objectives related to privacy.
— Quality. The entity collects and maintains accurate, up-to-date, complete,
and relevant personal information to meet its objectives related to privacy.
— Monitoring and enforcement. The entity monitors compliance to meet its
objectives related to privacy, including procedures to address privacy-related
inquiries, complaints, and disputes.
The AICPA designed the Trust Services Criteria to provide flexibility in application
and use for a variety of different subject matters. Specifically, the following are the
types of subject matters a practitioner may be engaged to report on using the Trust
Services Criteria:
• When evaluating the suitability of the design and operating effectiveness of
controls relevant to the security, availability, or processing integrity of informa-
tion and systems, or the confidentiality or privacy of the information processed
by the entity.
• When evaluating the effectiveness of controls within an entity’s cybersecurity
risk management program to achieve the entity’s cybersecurity objectives using
the Trust Services Criteria relevant to security.
• When evaluating the suitability of design and operating effectiveness of controls
included in management’s description of a service organization’s system rele-
vant to one or more of the Trust Services Criteria throughout a specified period
to meet those criteria in a type.
• A Type II SOC 2.
• A SOC 3 engagement related to the design and operating effectiveness of a
service organization’s controls over a system relevant to one or more of the
Trust Services Criteria.
Practitioners generally do not use the Trust Services Criteria when engaged to
report on an entity’s compliance, or on an entity’s internal control over compliance with
laws, regulations, rules, contracts, or grant agreements. If the practitioner is engaged to
report on compliance with laws, regulations, rules, contracts, or grant agreements in
connection with an examination of the design and operating effectiveness of an entity’s
3. What are the specific components addressed within a SOC 2 Type II report?
a. The design of and operating effectiveness of controls around the security,
availability, processing, integrity, confidentiality, and privacy of services
b. The design of controls surrounding the security, viability, processing integrity,
confidentiality, and privacy of services
c. The design of controls around internal controls over financial reporting
d. The design and operating effectiveness of internal control over financial
reporting
4. In relation to a SOC 2 Type II, one of the components addressed involves the privacy
principles. Which of the following are representative of the privacy principle concept?
a. Notice and communication of objectives, choice and consent, collection of
personal information, use, retention, and disposal, access, quality
b. Quantity of information, availability of information, type of information, authori-
zation of personal information
c. Collection of personal information, quantity of information collected, authoriza-
tion of personal information, availability of information
d. Description of individuals authorized to use information, availability of informa-
tion retention, cloud storage, server storage
A subservice organization goes one level deeper than a simple service organization.
Organizations that provide services to a service organization that are not considered
subservice organizations are referred to as vendors. These services do not impact the
controls of the primary service organization. Under SSAE 18, a service organization
should:
• Identify all subservice organizations used in providing services to its users.
• Include a description of any subservice organization controls (Complementary
Subservice Organization Controls) that the service organization relies on to
provide the primary services to its customers.
In addition to the control-based changes, SOC reports should also contain two
additional sections describing the risk assessment process, as well as the subservice
organizations that play a role in the overall operation. Also included is a description of
the system and the corresponding controls the subservice organization may impact or
have complete ownership of. These two components were previously present in SOC 2
reports but not formally required. Now, this concept is being formalized and extended
to all SOC reports moving forward.
In the case of organizations that have not previously undergone a SOC 1 audit due
to their service and/or operations not being financially significant, SSAE 18 expands the
definition of what is allowed to be reported on. It includes an entity’s compliance with
certain laws or regulations, contractual arrangements, or another set of defined agreed-
upon procedures. This now allows for an official, independent review of a wide range of
operations under a trusted and consistent set of auditing and reporting guidelines.
must understand that monitoring processes are not the sole responsibility of IA or a
third-party independent verification source. Management monitoring is often cited as
the second level of defense for internal controls. Management must establish processes
that are efficient to identify when controls are not working or have become ineffective.
They must then promptly address the deficiencies with actions. It is not acceptable to
“wait until the auditors come in.”
Risk Assessment
As defined by COSO, risk assessment is an iterative process, not a one-and-done exercise. With
the continuing changes in the business risk landscape, it is imperative organizations
have procedures in place to effectively execute timely risk assessments as well as
monitor emerging risks and consider them within their risk assessment processes.
SSAE 18 has specific requirements for risk assessments as opposed to existing
general considerations of risk in SSAE 16. Several places in the SOC 1 standard include
strong language around risk identification and risk management. Service auditors must
obtain a more in-depth understanding of the development of the subject matter than
currently required.
The SOC 1 standard previously stated the need for a “formal or informal risk
assessment process.” The new standard for SOC 1 is asking auditors to understand
management’s process and assess if it is complete and correct. Auditors must evaluate
the linkage of controls identified in management’s description of the service organization’s
system with risks and determine that controls have been implemented. SSAE 18
requires a formal risk assessment process, which according to the AICPA, “may include
estimating the significance of identified risks, assessing the likelihood of their occurrence,
and deciding about actions to address them.”
The approach used to perform the risk assessment is left to the discretion of the
organization. The auditor will be determining whether the company risk assessment is
accurate and complete. The auditor is also required to obtain evidence that the
information provided for the risk assessment is reliable. This should lead to an im-
proved linkage between assessed risks and the nature, timing, and extent of attestation
procedures performed in response to those risks.
There are many approaches to performing a risk assessment. Those approaches
can include multiple facilitation methods as well as execution methodologies (inter-
views, questionnaires, checklists, evaluation of process area risk assessments, and
strength/weakness/opportunities/threat [SWOT] analysis).
From the execution perspective, organizations can consider whether their needs
are best met by performing a qualitative or quantitative risk analysis. Another option is
to combine the approaches to ensure proper risk coverage. Quantitative risk assess-
ments are sometimes viewed as more beneficial because they can provide more
concrete measurement. The utilization of an approach that includes quantitative factors
can bring several benefits to organizations that issue SOC reports. Such benefits include
the following:
• Improves the organization’s overall risk posture. In any risk assessment, a
key element is to ensure the data considered and risks analyzed support the
rationale related to the control in place to mitigate the risks. When using
quantification methods in financial terms, the organization can add rigor to the
risks identified and appropriately map the risks to the related control objectives
identified in the SOC report.
• Enhances reliability of information. The quality of a service organization’s
risk assessment process will ultimately influence the nature, timing, and extent
of audit procedures required. As such, it is important the results of the risk
assessment are reliable. Reliance allows the auditor to place emphasis on
supporting documentation and less time on extensive evaluations. By quanti-
fying risk in financial terms, the organization provides a greater degree of
objectivity in risk analysis. This can increase the extent to which the service
auditor can rely on this information.
• Builds assurance. The objective of a SOC report is to instill trust and assur-
ance in the service organization’s processes. Trust and assurance are built
through the knowledge that the service organization has sufficient controls in
place over its environment. Taking a quantitative approach to risk assessment
could increase the confidence that the service organization has taken the
appropriate steps to manage its highest risks and allocate the appropriate
controls to mitigate those risks.
• Streamlined process. The ability to have well-documented rationale on the
risk assessment process should help streamline efforts service auditors may
need to spend on their work.
Complementary Control
The new standard introduces the concept of “complementary subservice organization
controls.” This concept establishes and defines the controls that user entities must
now assume in the design of the system description.
Complementary subservice organization controls is a new term used to reference
subservice organization controls that service organizations rely on to meet the expected
control objective. Under these circumstances, management and the service auditor
need to consider the subservice organization controls assumed in the design of the
service organization’s own system and how the service organization ensures that
control objectives were met. Complementary controls are considered necessary for the
achievement of control objectives in the report.
Service organizations may outsource functions such as data center hosting or
transaction processing to outside vendors. These are referred to as subservice organiza-
tions. User entities may require information about the controls that are in place at these
subservice organizations to mitigate the risk presented by the service they are provid-
ing to the service organization. If controls at the subservice organization are used in
combination with controls at the service organization to provide assurance for a SOC
control objective, the controls performed by the subservice organization are referred to
as complementary subservice organization controls (CSOCs). When this occurs, service
organizations must incorporate complementary subservice organization controls into
their SOC reports. The CSOCs must be specific to the services provided by the service
organization’s system. The description of the service organization’s system should
describe the subservice organization’s responsibility for implementing CSOCs. Exam-
ples that have been cited as types of CSOCs a subservice organization is assumed to
have implemented include the following:
• Controls relevant to the completeness and accuracy of transaction processing on
behalf of the service organization.
• Controls relevant to the completeness and accuracy of specified reports pro-
vided to and used by the service organization.
• General IT controls relevant to the processing performed for the service organization.
Service organization management may request the service auditor’s
assistance when determining how to present the CSOCs in the description.
Assertion Modification
While always a part of SSAE 16, SSAE 18 requires a disclosure of the relationship
between the service organization and its relevant subservice organizations. Questions
the auditor should consider include, but are not limited to, the following:
• Has the service performed by the service organization been included or carved-
out?
• Is such disclosure made apparent in reporting?
SSAE 18 requires the service auditor to obtain a written assertion. An assertion is
the statement found within the SOC report where the service organization asserts the
system description provided is essentially true and complete. This statement has always
been within SOC 1 reporting, but the requirement for the service organization to sign
the document was optional.
Evidence
Historically speaking, auditing best practices have always included obtaining reliable,
current, relevant, and accurate data from a service organization. While almost every
previous auditing standard (SAS 70, SSAE 16, etc.) has discussed the concept of
evidence, it is now defined with more clarity under SSAE 18.
Evidence is considered documentation that provides evidence of the operating
effectiveness of controls. SSAE No. 18 provides a list of information that may require
additional assessment procedures. The list includes:
• Population lists for sample tests
• Exception reports
• Lists of data with specific characteristics
• Transaction reconciliations
• System-generated reports
• Other system-generated data (e.g., configurations, parameters, etc.)
If you are a service organization where you handle a client’s financial information,
then a SOC 1 may apply.
2. Evaluate whether specific SOC constraints may exist. Organizations that
believe they may need a SOC 2 or a SOC 3 must ensure they are in sync with
their auditor as to the areas that may need to be evaluated. This may include:
— What are the boundaries for the system being reviewed?
— Are there boundaries for cloud services?
— Are there criteria under certain principles that can be ignored given the
nature of your business?
— What is the minimum period of controls (6 months, 9 months, etc.) that
are required for an audit?
— Can your current IT operations meet change management requirements
that may be identified?
3. Choose SOC elements. This step assists the user organization in identifying
the elements of what it is looking at for a SOC report. For instance:
— What report type is needed? Type 1 or Type 2?
— What system is being evaluated? A system is typically organized to achieve
a specific business objective and has components of infrastructure,
software, people, procedures, and data.
— Which principles apply? Do five of the Trust Service Principles apply, or
only one?
— What criteria apply? In a SOC report, the service organization must
report on all criteria under the chosen principle.
4. Understand management commitments and customer standards that
must be met. Management typically will set out their commitments to the
customers in written service-level agreements. These serve as controls for the
various principles. For a SOC, management must have a list of their commit-
ments and must make sure their system is designed and operating to meet
those commitments.
5. Evaluate controls and gaps that can be readily identified. To perform an
effective gap analysis, a close review of the system and comparison against
the principles and criteria must be performed. If your organization is well
organized with strong procedures, this process can be easily executed. However,
if policy, risk management and operations do not have mature
processes, gaps may take longer to mitigate.
6. Remediate identified gaps. This is an area that management must strongly
consider. If gaps are identified in the readiness assessment and management
wants an unqualified SOC report, the gaps must be remediated. This can
become involved and time-consuming, resulting in process redesign, training,
documentation, personnel changes, etc.
7. Develop systems description. This requirement for a SOC is one that
management must fulfill. Management should provide the auditor the full
description of the system. This is what the auditor will use as the basis of the
audit. The full list of what should be in the description is set out in four pages
of “AICPA Information for Management of a Service Organization 2011.”
Some of the areas included are:
— A narrative explaining your services and the components of the system
— A completed Trust Services Criteria matrix for the principles that will be
addressed
— Explanations of why any relevant criteria are not addressed by a control
and whether the system has changed over the period of audit
— All necessary information about subservice organizations
— Specific, comprehensive privacy information for organizations addressing
the privacy principle
It is important to reiterate that the systems description is a product that should be
prepared by management. In many cases, auditors will work with management to
prepare the description in order to ensure all of the proper components are included.
However, the service auditor should use caution in taking responsibility for preparing
the narrative. The narrative must be such that management can fully agree to and
explain the information.
8. Build an effective audit period. The organization must have an operating
period under which the SOC report is based. This period can be three to six
months or a year. If the organization is looking for a Type 2 report, the auditor
must have the requisite amount of time to ensure processes are operating
effectively and the auditor can adequately test the processes (i.e., three
months is not sufficient).
9. Prepare and undergo an audit. An essential element of being properly
prepared to undergo an audit is to ensure you have prepared relevant walk-throughs
and have appropriate documentation of the process.
10. Distribute reports according to need and use. As we have previously
discussed, SOC 1, SOC 2, and SOC 3 reports have different structures and are
intended for different audiences. A SOC 1 report will focus on financial
aspects whereas a SOC 2 report focuses on information systems integrity. A
SOC 3 report is more general in nature, concise, and less detailed. Many
organizations use a SOC 3 to display on their website.
The following graphic depicts the steps and drivers of executing a readiness
assessment for a SOC 2 engagement:
STUDY QUESTION
¶ 512 SUMMARY
The move to SSAE 18 helps to ensure service auditors avoid taking shortcuts when
performing audits. Service organizations typically vet the subservice organization ini-
tially when evaluating which subservice organization to partner with. However, it is just
as important to ensure subservice organizations are monitored on an ongoing basis
using the methods outlined in SSAE 18.
The language in SSAE 18 around third-party vendor management is extremely
clear. The primary difference relates to how service organizations will manage and
monitor the review of the subservice company. A service organization will now need to
implement a robust third-party vendor management policy.
¶ 603 INTRODUCTION
Many say the accounting profession is set to play a key role in driving the adoption of
blockchain by both privately held and publicly traded companies. But what exactly is
blockchain? In short, blockchain is a global digital ledger of economic transactions that
is transparent, continually updated by countless users, and considered by many as
almost impossible to corrupt or hack. Blockchain has the potential to significantly
disrupt the business sector and the public accounting industry in the next three to five
years.
of blockchain was Bitcoin, which allows the transfer of digital tokens without dealing
with an intermediary. The second was the Ethereum network, and the third was the
Factom network. These will be discussed in more detail later in the chapter.
OBSERVATION: Blockchain is a class of software, whereas Bitcoin is a
specific cryptocurrency from that software. Bitcoin cannot stand on its own; it
needs the blockchain software in order to make digital tokens. Blockchain, on the
other hand, does not need Bitcoin, or any other cryptocurrency, to function.
Overview
Blockchain presents a novel way to deal with data. Recognized as the “fifth evolution of
computing,” it is a distributed database that a group of individuals control to store and
share information. Blockchain is a data structure that creates a digital ledger of data
that can be shared in a network of independent third-party participants. It uses cryptography
to allow each participant on any given network to manage the ledger in a secure
way without the need for a central authority. The goal of blockchain is to create data
integrity by ensuring that sensitive information is viewed only by those parties that are
assigned access to it in the network.
Blockchain offers many advantages. It enables impeccable recordkeeping because
it creates permanent and reliable records and histories of transactions in a digital
format. To change any information, large portions of a blockchain community would all
have to agree to the change, and they are incentivized not to change information. When
users want to add a record (i.e., a transaction or entry), they must enter a validation
code. Because the data is very difficult to change or remove, blockchain creates trust in
digital data.
The computer code in the blockchain becomes law, and rules are executed as they
are written and interpreted by the blockchain network. This eliminates social biases and
behaviors. It also creates a clear timeline of who did what and when. Another advantage
of blockchain is the “proof of work” concept. A proof of work is a confirmation of
transaction and plays an important role in making sure that the information remains
reliable and effective.
As mentioned earlier, blockchain is a peer-to-peer system with no central authority
to manage the flow of information. There is no regulator or standard-setter involved; the
software itself is the arbitrator. Central authority can be removed if there is a large
distributed network of independent users.
To prevent network corruption, two ingredients are necessary: (1) decentralization
of the structure of the software and (2) utilization of cryptocurrency. The likelihood that
a blockchain software network can be corrupted is very slim. To date, there have been
no instances of hacking a blockchain. Cryptocurrency is a form of currency that exists
only digitally. Although the most popular type is Bitcoin, other types of software create
other types of cryptocurrency. Each work in the blockchain gets paid different values,
depending on the complexity of the software involved. Because the software itself pays
the hardware to operate, integrity can be maintained. No third party pays to maintain
the environment.
There are many different types of blockchains and blockchain technology in the
marketplace. Each blockchain has unique functions and is used with different types of
transactions. Most, however, are involved in moving money or other forms of value
quickly and affordably (trading public company stock, foreign currency exchange,
paying foreign employees, etc.).
Blockchain Components
A blockchain is made up of three parts:
• Block: A list of transactions recorded onto a ledger over a period of time. The
size, period, and trigger events are different.
• Chain: The hash—or the “glue”—that links one block to another, mathematically
joining them together.
• Network: Composed of “full nodes”—a computer running an algorithm that is
securing the network. Each node contains a complete record of all transactions
that were recorded in the blockchain.
The trigger events for blocks differ for every blockchain. Each block contains a
cryptographic hash that is unique to that block and chains it to the immediately
preceding block of information. Not all blockchains record and secure a record of the
movement of their cryptocurrency as their primary objectives, but blockchains do
record the movement of the cryptocurrency, the tokens that are being used. For such
transactions, information is recorded and then assigned a value. For a financial
transaction, the block interprets what the data means.
The chain in the blockchain is created from the data that was given from the
previous block. It acts like a fingerprint and puts the blocks together in order. Hashing
creates the mathematical algorithm that maps out the data, resulting in a one-way
function that cannot be decrypted. The chain creates trustworthy data.
As previously mentioned, the network is the arbitrator of the blockchain. The full
nodes, or individuals or organizations, run the algorithm that secures the network to
maintain the network’s integrity.
The process of creating honest, trustworthy and self-corrected blockchain systems
can be broken down into several steps.
1. A user requests a transaction.
2. The request is transmitted to the network.
3. The network validates or rejects the transaction.
4. If validated, the transaction is added to the current block of transactions.
5. The block of transactions is then chained to the previous block of transactions.
6. The transaction is confirmed.
The degree of trust the network has that all of its nodes are operating in the
blockchain will determine the type of consensus algorithm it uses to settle its ledgers.
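The block, chain, and six-step sequence described above can be followed in a short Python sketch. It is an added example, not code from this course or from any blockchain product. The `Node` class, the balance-based validation rule, the use of SHA-256 over JSON, and all sample transfers are assumptions constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block


def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class Node:
    """One full node: keeps balances, the current block, and the whole chain."""

    def __init__(self, opening_balances):
        self.balances = dict(opening_balances)
        self.pending = []
        self.chain = []

    def submit(self, tx):
        """Steps 1-4: receive a request, validate it, add it to the current block.

        The validation rule is an assumption of this example: the amount must be
        positive and the sender must hold enough funds.
        """
        if tx["amount"] <= 0 or self.balances.get(tx["from"], 0) < tx["amount"]:
            return False  # step 3: rejected
        self.balances[tx["from"]] -= tx["amount"]
        self.balances[tx["to"]] = self.balances.get(tx["to"], 0) + tx["amount"]
        self.pending.append(dict(tx))
        return True

    def seal_block(self):
        """Steps 5-6: chain the current block to the previous one."""
        prev_hash = self.chain[-1]["hash"] if self.chain else GENESIS_PREV
        index = len(self.chain)
        block = {
            "index": index,
            "prev_hash": prev_hash,
            "transactions": self.pending,
            "hash": block_hash(index, prev_hash, self.pending),
        }
        self.chain.append(block)
        self.pending = []
        return block


def first_broken_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        recomputed = block_hash(block["index"], block["prev_hash"], block["transactions"])
        if block["index"] != i or block["prev_hash"] != prev or recomputed != block["hash"]:
            return i
        prev = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute every hash from `start` onward, as a rewrite of history would."""
    prev = chain[start - 1]["hash"] if start > 0 else GENESIS_PREV
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block["index"], prev, block["transactions"])
        prev = block["hash"]


def build_sample_chain():
    """Constructed sample data: three blocks of made-up transfers."""
    node = Node({"alice": 100, "bob": 20})
    node.submit({"from": "alice", "to": "bob", "amount": 30})
    node.seal_block()
    node.submit({"from": "bob", "to": "carol", "amount": 45})
    node.submit({"from": "carol", "to": "alice", "amount": 500})  # rejected: no funds
    node.seal_block()
    node.submit({"from": "carol", "to": "alice", "amount": 5})
    node.seal_block()
    return node.chain


if __name__ == "__main__":
    honest = build_sample_chain()
    print("untouched copy, first broken block:", first_broken_block(honest))

    edited = copy.deepcopy(honest)            # a second copy of the ledger
    edited[1]["transactions"][0]["amount"] = 4
    print("after editing block 1:", first_broken_block(edited))

    edited[1]["hash"] = block_hash(1, edited[1]["prev_hash"], edited[1]["transactions"])
    print("after also rehashing block 1:", first_broken_block(edited))

    rehash_from(edited, 1)
    print("after rehashing every later block:", first_broken_block(edited))
    print("head hash equals other node's:", edited[-1]["hash"] == honest[-1]["hash"])
```

A single copy that has been fully rehashed verifies cleanly on its own, so the last comparison is the one that matters: the altered ledger no longer matches the head hash held by the other full nodes, each of which keeps its own complete record.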
STUDY QUESTIONS
3. Which of the following identifies something that mathematically links one block to
another?
a. Block
b. Chain
c. Node
d. Cryptocurrency
Ethereum
Ethereum (www.ethereum.org) was first described in 2013 in a white paper written by
Vitalik Buterin and went live in July 2015. In his paper, Buterin indicated he wanted to
expand the utility of Bitcoin beyond its trading of tokens. Ethereum is one of the most
complex blockchains ever built, and its features include excellent documentation and
user-friendly interfaces. It also offers good security for small applications.
This software is ideal for smart contracts, negotiating agreements, charters, wills,
and fund transfers. It is the best place to build decentralized applications.
Ripple
Ripple (https://ripple.com) was developed in 2004, before Bitcoin, by Ryan Fugger in
Canada. One of the most interesting of the blockchains, it is a global financial settlement
solution between banks and consumers. It is available at a very low cost, offers
exceptional security, and is on a distributed open-source Internet protocol. Ripple’s
native currency is called ripples.
Ripple enables users to send real-time international payments across its networks.
It is known for enabling cross-border payments and exchanging value between two
unlike items. The financial users of the system participate in the network by issuing,
accepting, and trading assets to facilitate payments. The operators participate in the
network by keeping track of the transactions and then coming to a consensus about the
validity and the ordering of those transactions with other nodes in the network.
Ripple provides two critical functions. It acts as a common ledger to connect banks
and payment networks, allowing them to clear transactions in literally a few seconds. It
constantly monitors the flow of transactions across the network. It acts as a neutral
transaction protocol in which it deals with the same type of value across different
currency transactions. Banking institutions are excited about this technology because it
allows them to move away from intermediaries and clearinghouses, and complete
transactions more quickly with less risk. Features include real-time payments, comprehensive
transaction traceability, and the ability to convert almost any type of currency
and commodity or token.
Factom
Factom (www.factom.com), known as the “publishing engine,” is a platform that is used
to minimize the volume and complexity of complicated legal transactions workpapers. It
is a powerful tool that publishes for data streams and security systems. Factom
integrates and links other blockchains to improve the security and data of the systems
involved.
Authentication of documents comes into play with this software, which has application
program interfaces. The network pays for itself and has its own cryptocurrency
called factoids. Factom is built on layers and chains that determine how the data is to be
structured. The chains allow applications to pull only the data that they are interested in
without needing to download the full data that is being sent to them. This type of system
allows a user to be separated from the tradable tokens and maintains a fixed cost for
consumers while allowing the free market to set the price of the factoids.
Harmony was the first commercial service Factom product. dLoc is one of the first
practical document authentication systems dealing with data integrity in the physical-
digital world. Organizations that deal with authentication of digital integrity may want to
consider using Factom.
Hyperledger
As mentioned earlier, Hyperledger (https://github.io/composer/) is an open-source
blockchain platform. As opposed to other blockchains, it is a distributed ledger (Sawtooth
Lake by Intel) and does not operate with a cryptocurrency. Hyperledger offers a
graphic user interface (GUI), making it a user-friendly option for building blockchain
models for nontechnical users. Hyperledger is supported by the Linux Foundation, and
its transactions are secure, private, and confidential.
Multichain
Multichain (www.multichain.com) is an open-source, off-the-shelf platform typically
used for private blockchains (internal or shared). Focusing on privacy and control, it is
designed for permissioned participants and only includes events that relate to those
participants. Multichain is customizable and offers flexible security. It can run on
Windows, Mac, and Linux systems and, like Hyperledger, is user-friendly.
STUDY QUESTIONS
auditor’s report (or whatever report is issued) and the auditor’s workpapers. In terms of
quality control, these must be handled in a consistent manner, all the time.
Partners and professionals also must have a deep and broad understanding of their
clients’ businesses and their environments. Because auditors and accountants advise
clients not only on accounting matters but also on operational matters, they should live
and breathe the client’s industry, amassing a great deal of knowledge about it. Everybody
in the firm should have that same depth of understanding of the client’s businesses
at the same time. A process and methodology should be in place in the practice
to ensure this consistency on both the technical side and the business side.
Accountants and auditors should consistently raise, and then timely resolve, any
issues that relate to an engagement. If a firm has five teams, each team should come to
the same conclusion on a particular issue.
Finally, professional skepticism must be exercised at all times. To be independent
and objective, an auditor must have a healthy level of professional skepticism. All of the
professionals involved in providing an attest function must have this skill. For example,
if an auditor believes his client is dishonest, he must remain neutral and focus on
including enough corroborative evidence in the workpapers to support the client’s
transactions and reduce his risk to an acceptable level. To ensure all staff apply
professional skepticism, this topic should be addressed in staff training. And although
the firm must provide sufficient training and guidance on professional skepticism to
staff members, the staff themselves are responsible for maintaining that professional
skepticism to ensure they are conducting engagements in accordance with the
standards.
By performing the four actions outlined above, a firm can ensure its staff will have
the correct documentation in their workpaper files, deliver high-quality products, and be
able to handle challenging and difficult assignments.
Leadership Responsibilities
In some cases, a breakdown in quality control can be traced to the leaders of a firm—or
the “tone at the top.” Failures have occurred when firm partners have not carried out
their responsibilities or neglected to create an environment that thrives on quality.
Many firms place the client first in their quality control initiatives, but instead the
firm should be first. The firm must give its professionals comprehensive training and
the right tools to protect the firm’s autonomy, brand, and reputation. The firm comes
first, not the client. The second priority when providing attest services is protecting the
public interest. After all, the CPA profession is charged with protecting the public
interest, being objective, and providing reasonable assurance that financial information
is reported correctly. The client is next in importance. A firm’s leadership must
communicate these priorities—firm, public interest, and client—to its professional staff.
ing conferences, and strengthening soft skills (research skills, branding, marketing,
public speaking, writing, etc.).
Professional Skepticism
As mentioned earlier in this chapter, auditors must have enough healthy professional
skepticism to perform responsibly. When auditors exercise professional skepticism in
all aspects of their work, they enhance overall audit quality.
Ethical Dilemmas
Ethical dilemmas often arise from a poor understanding of the ethics and independence
rules and regulations. The good news is that with proper knowledge and the right
mechanisms in place, professionals who encounter red flags are better able to take swift
action to mitigate or eliminate the risk and in turn ensure audit quality.
Competence
Lack of competency in a certain area can have a major effect on audit quality. An
engagement team or firm that takes on an engagement for which it does not have
sufficient expertise or properly trained staff will not be able to successfully service the
client, understand all the financial reporting challenges, or comply with the applicable
standards.
When exploring new areas or opportunities, firms should consult experts in that
field for advice. If in-house staff do not have sufficient technical expertise and industry
knowledge in a particular area, audit quality might be affected. When it comes to
auditing versus consulting, the firm must make a business decision about whether it
can ensure quality work for both. Firm leadership should convey this message to staff
and emphasize the importance of following the appropriate rules for the engagement.
Assignment of Personnel
Doling out the correct assignments to the right personnel also contributes to audit
quality. If the right people are not assigned to the engagement team, problems will
arise. Staff need to have the competency, experience, and capabilities to successfully
complete their assigned engagements.
MODULE 2 - CHAPTER 7 - Enhancing Audit Quality 105
Disciplinary Actions
When someone violates a firm policy or a professional standard, in some cases the firm
takes no disciplinary action. With no repercussions, those responsible for the violation
might be likely to repeat it, or to commit other offenses. The effect on audit quality is
obvious. The firm must have policies in place explaining that there are repercussions for
those who fail to follow rules and standards. It needs to convey the message that
upholding its quality, its reputation, and its brand is essential. Depending on the
violation, discipline can range from a letter of reprimand in a person’s HR file to his or
her termination.
Leadership Responsibilities
The following matters were cited with respect to a firm’s “tone at the top.”
• The firm emphasizes meeting time budgets. Schedules set by leadership are
unrealistic or expectations are not feasible.
• Repeat matters and findings are present. Certain matters keep reoccurring and
are not corrected.
• The firm fails to take appropriate action when events, subsequent to the issuance
of the engagement, determine the engagement to be nonconforming. The
firm makes no effort to correct this.
• The firm allows engagement partners to deviate from firm policies and procedures.
Partners are allowed to “do their own thing” yet expect staff to follow
procedure.
Ethical Requirements
The following ethical issues posed challenges to audit quality.
• Lack of independence; unpaid prior year’s fees. Before starting on the new
engagement for a client, the firm did not ensure that the fees in the prior year
had been collected. This violates requirements of the AICPA’s Code of Professional
Conduct.
• Impairment of independence is not identified. This highlights the importance of
understanding the independence and ethics rules.
• The firm did not complete its annual independence affirmations of its professional
staff.
• The firm co-signs checks for clients. This action violates one of the basic
principles of independence.
• The firm performed account coding for one of its compilation clients and
approved invoices for payment. A compilation report can still be issued in this
situation, but it must state the lack of independence.
• The firm does not meet the General Requirements when performing non-attest
services for an audit client. Certain types of requirements must be met before
providing, for example, permissible tax, bookkeeping, or financial statement
preparation services.
Human Resources
With respect to the human resources element of quality control, the following issues
can affect audit quality:
• Recent professional standards were not considered.
• Continuing education credit, for one or more personnel, was inadequate.
• Government auditing standards and employee benefit plan audit quality center
CPE was inadequate.
• Engagement team members were not aware of the recent changes under
professional standards.
Monitoring
The last element of quality control is monitoring, which observes the other four
elements. Monitoring includes conducting an internal inspection, performing post-
issuance reviews, or having a peer review done. These procedures allow a firm to do a
self-analysis of its quality control system. The firm analyzes its engagements and
practice during the past year to uncover any areas that need to be corrected so it will be
ready for the following busy season. The list below includes common problems associated
with monitoring that can contribute to poor audit quality.
• Departures from standards are not identified and corrected on a timely basis.
• Results of monitoring were not summarized. The firm might conduct an internal
inspection but not document and summarize the results.
• The inspection did not detect certain engagement findings and deficiencies. As a
result, undetected issues are likely to resurface.
• Specialized industry considerations (employee benefit plans, Yellow Book engagements,
broker-dealers, etc.) were not considered in the inspection.
• The inspection was not performed in a timely manner.
• Post-issuance monitoring findings are not communicated to responsible firm
personnel. Those who are responsible for making adjustments and corrections
cannot do so if they never receive the findings.
• Inspection findings are identified, but there is no “closing the loop” with a
recommended corrective action plan. That plan must detail who will be responsi-
ble for its implementation.
STUDY QUESTIONS
Increase Specialization
CPA firms should consider specializing in a specific industry or niche so they can focus
their attention and build efficiencies to increase quality. For example, a public accounting
firm that has expert knowledge of a certain industry can create specific methodologies
for handling clients by building best practices, and master files and templates, that
its staff can follow. With this type of system in place, the firm can complete low-risk jobs
quickly and spend most of its time on more complicated engagements.
Other Strategies
Additional strategies for enhancing audit quality include the following:
• Individual professional commitment. This means each individual taking ownership
of their career—devoting time to learning and understanding clients’
industries, understanding technical and professional standards, enhancing their
soft skills, taking quality CPE, and making a commitment to honing their
professional skills to become the go-to person in their industry and area of
expertise.
• Set pride aside. Accounting and auditing professionals must acknowledge when
they do not know something, and either consult with someone or take the
initiative to research and learn on their own.
• Know the rules. Professionals must take the time to learn about and truly
understand the applicable standards and regulations.
• Increase technical presence and relationships with standard-setters and regulators,
such as the AICPA and FASB. Having these relationships can play an
important part in understanding why rules and standards were created and
further enhance the audit quality of the practice.
• Develop necessary soft skills. These include public speaking and writing, branding,
marketing, and communication. Soft skills play a huge role in one’s career,
and also will help strengthen audit quality and practice.
• Communicate with academics to reform curriculum. Make sure that academics
look to strengthen their curriculum—investing time in teaching additional audit
skills and critical thinking, soft skills, and industry knowledge at the university
level.
• Deal with changes in corporate governance and risk management practices.
Successfully handling such changes plays a tremendous role in making sure
that audit quality is promoted. Sound practices include ensuring that people are
making the right decisions and bringing the right top-quality engagements into
the practice.
• Failure to review loan covenants when the related debt is significant to the
financial statements
• Failure to perform cut-off procedures
• Failure to perform or document communications between predecessor and
successor auditors
• Failure to perform a review of subsequent events
• Outdated audit programs and checklists
• Failure to extrapolate results from sampling applications
• Dating discrepancies between the management representation letter and the
audit report date
• Failure to document communication with those charged with governance
• Stale attorney letters
• Failure to evaluate audit differences, individually and in the aggregate
Common SSARS Review Deficiencies
Accountant’s Report
• Failure to modify report for scope limitation or departure from GAAP
• Missing report elements
• Issuance of report when accountant is not independent
• Failure to disclose the omission of substantially all disclosures
• Omitted statement of cash flows
• SSARS 21: Failure to appropriately modify the report when financial statements
are prepared under SPF
• SSARS 21 preparation engagements: Failure to issue disclaimer on each financial
statement (no assurance provided)
SSARS Procedures and Documentation
• Failure to establish an understanding with management regarding the services
to be performed
• Failure to document communications regarding identified fraud
• Failure to document significant findings or issues
• Failure to perform analytical and inquiry procedures for review engagements
• Failure to document matters covered by analytical and inquiry procedures in a
review engagement
• Failure to obtain a management representation letter for a review engagement,
or the letter does not substantially meet the representation requirements
• Failure to document significant unusual matters and their disposition
• Failure to document accountant expectations when performing analytical review
Common Compilations Deficiencies
Accountant’s Report
• Failure to update report language and to include the three-paragraph format for
compilations and four-paragraph format for reviews
• Failure to include a separate paragraph for departures from the financial reporting
framework, including dollar amounts or a statement that impact was not
determined
• Failure to include all the reasons the accountant is not independent on a
compilation
Compilation Procedures and Documentation
• Failure to “read” compiled financial statements for obvious or material errors
• Failure to obtain an engagement letter when engaged to prepare engagements
under SSARS 21
• For SSARS 21 engagements, failure to obtain all required signatures on the
engagement letter (or other suitable written agreement)
STUDY QUESTIONS
4. Which of the following is a strategy to increase audit quality as it relates to the client
acceptance and continuance process?
a. Ensure that all staff have sufficient time and resources to solve engagement
issues.
b. Only associate with highly ethical clients.
c. Offer a blended training package to increase competency from a technical and
soft skills standpoint.
d. Establish and regularly communicate a formal code of conduct.
5. Which of the following identifies a common audit deficiency as it relates to the
auditor’s report?
a. Failure to disclose the omission of the statement of cash flows
b. Improper classifications between current and long-term assets and liabilities
c. Intangible assets are not assessed for impairment
d. Failure to document the consideration of internal control
6. Which of the following identifies a common compilation deficiency related to the
accountant’s report?
a. Failure to read compiled financial statements for obvious or material errors
b. Failure to document accountant expectations when performing analytical
review
c. Failure to include all the reasons the accountant is not independent
d. Failure to obtain an engagement letter when engaged to prepare engagements
under SSARS 21
CPE NOTE: When you have completed your study and review of chapters 4-7, which
comprise Module 2, you may wish to take the Final Exam for this Module. Go to
cchcpelink.com/printcpe to take this Final Exam online.
¶ 803 INTRODUCTION
Fraud is a white-collar crime; therefore, the theories as to why people commit crime will
apply to why they commit various types of frauds. Organizations can limit the opportunity
criminals have to commit fraud by establishing effective anti-fraud internal controls.
This course will concentrate on various types of fraud including occupational frauds
affecting public companies, private companies, not-for-profits, and governmental entities.
To study fraud, we have to start with a definition:
An intentional perversion of truth for the purpose of inducing another in
reliance upon it to part with some valuable thing belonging to him or to
surrender a legal right. A false representation of a matter of fact, whether by
words or conduct, by false or misleading allegations, or by concealment of
that which should have been disclosed, which deceives and is intended to
deceive another so that he shall act upon it to his legal injury. Anything
calculated to deceive, whether by a single act or combination, or by suppression
of the truth, or suggestion of what is false, whether it be by direct
falsehood or innuendo, by speech or silence, word of mouth, or look or
gesture. A generic term, embracing all multifarious means which human
ingenuity can devise, and which are resorted to by one individual to get
advantage over another by false suggestions or by suppression of truth, and
includes all surprise, trick, cunning, dissembling, and any unfair way by
which another is cheated.1
White-collar crimes, like fraud, are illegal and/or unethical actions taken by
employees or other agents of an organization.2 The term white-collar crime is attributed
to Dr. Edwin Sutherland, who first used the term in 1939. He pointed out the difference
between crimes of trust, such as fraud, and blue-collar crimes such as murder and
robbery. Dr. Sutherland was one of the early criminologists in the United States and his
works are widely accepted.3 White-collar crimes are often viewed as being less severe
than violent crimes despite the financial damage done by white-collar criminals.4 Dr.
Sutherland went on to note that the penalties for white-collar criminals tend to be less
severe than the penalties imposed on violent criminals.5 Court ordered restitution and
voluntary restitution agreements are common punishments for white-collar criminals.6
However, a study by the Association of Certified Fraud Examiners (ACFE) indicated 53
percent of victims recover nothing after a fraud and 32 percent make a partial recovery,
while only 15 percent make a full recovery of losses.7
2 Vadera, A., and Aguilera, R. (2015). The evolution of vocabularies and its relation to investigation of white-collar crimes: An institutional work perspective. Journal of Business Ethics, 128, 21–23.
3 Alalehto, T., and Persson, O. (2013). The Sutherland tradition in criminology: A bibliometric story. Criminal Justice Studies: A Critical Journal of Crime, Law and Society, 26, 1–18.
4 Leshem, E., and Ne’eman-Haviv, V. (2013). Perception of white-collar crime among immigrants from the former Soviet Union in Israel. Crime, Law & Social Change, 59, 555–576.
5 Dorminey, J., Fleming, A. S., Kranacher, M., and Riley, Jr., R. (2012). The evolution of fraud theory. Issues in Accounting Education, 27, 555–579.
6 Faichney, D. (2014). Autocorrect? A proposal to encourage voluntary restitution through the white-collar sentencing calculus. Journal of Criminal Law and Criminology, 104, 389–420.
7 Association of Certified Fraud Examiners 2018 Report to the Nation on Occupational Fraud and Abuse.
8 Durrant, R., and Ward, T. (2012). The role of evolutionary explanations in criminology. Journal of Theoretical and Philosophical Criminology, 4(1), 1–37.
9 Moore, M. (2011). Psychological theories of crime and delinquency. Journal of Human Behavior in the Social Environment, 21, 226–239.
MODULE 3 - CHAPTER 8 - 2019 Fraud Review 117
Fraud researchers categorize fraudsters into one of three criminal categories:
situational offenders, routine offenders, and professional offenders. Situational offenders
are individuals who happen upon the opportunity and commit the crime. Routine
offenders look for and take advantage of opportunities as a type of continuous criminal
enterprise. Unlike most street criminals, professional fraudsters learn their trade from
research and participation in the legitimate and illegitimate economy and from association
with other criminal offenders.10
10 Vieraitis, L., Copes, H., Powell, Z., and Pike, A. (2015). A little information goes a long way: Expertise and identity theft. Aggression and Violent Behavior, 20, 10–18.
11 Akers, R. L. (1998). Social learning and social structure: A general theory of crime and deviance. Boston, MA: Northeastern University Press.
12 Holt, T., Bossler, A., and May, D. (2012). Low self-control, deviant peer associations, and juvenile cyberdeviance. American Journal of Criminal Justice, 17, 378–395.
13 Allen, A., and Jacques, S. (2013). Police officer’s theories of crime. American Journal of Criminal Justice, 39, 206-227. doi:10.107/s12103-013-9219-1
14 Miller, B., and Morris, R. (2014). Virtual peer effects in social learning theory. Crime and Delinquency, 1–27.
15 Yarbrough, A., Jones, S., Sullivan, C., Sellers, C., and Cochran, J. (2012). Social learning and self-control: Assessing the moderating potential of criminal propensity. International Journal of Offender Therapy and Comparative Criminology, 56, 191–202.
16 Megens, K., and Weerman, F. (2012). The social transmission of delinquency: Effects of peer attitudes and behavior revisited. Journal of Research in Crime and Delinquency, 49, 420–443.
17 Moore, M. (2011). Psychological theories of crime and delinquency. Journal of Human Behavior in the Social Environment, 21, 226–239.
18 Cressey, D. (1952). Application and verification of the differential association theory. Journal of Criminal Law, Criminology and Police Science, 43(1), 43–52.
19 Capece, M., and Lanza-Kaduce, L. (2013). Binge drinking among college students: A partial test of Akers’ social-structure-social learning theory. American Journal of Criminal Justice, 38, 503–519.
Dr. Akers indicated that the probability persons will engage in criminal and deviant
behavior increases (and the probability of conforming to the norm decreases) when
they:
• Differentially associate with others who commit criminal behavior and espouse
definitions favorable to it,
• Are relatively more exposed in-person or symbolically to salient criminal/
deviant models,
• Define it as desirable or justified in a situation discriminative for the behavior,
and
• Have received in the past and anticipate in current or future situations a
relatively greater reward than punishment for the behavior.
Akers’s social learning theory has received significant empirical support in explaining
criminal behavior and is regarded as one of the leading theories in criminology.20
According to the social learning theory, it is possible that when fraudsters perceive
that the potential benefits outweigh the risk of punishment associated with the criminal
act of fraud, they will commit the crime.21 The benefits received by the fraudsters
include employment, health care, social status, purchasing power, and access to credit
facilities. Because individuals with similar demographics and perhaps geographic locations
can be grouped together, it is possible that individuals observing others in the
same demographic or geographic group receiving benefits from fraud would want to
learn the skill from those who were successfully committing the crime.
STUDY QUESTION
20 Tittle, C. R., Antonaccio, O., and Botchkovar, E. (2012). Social learning, reinforcement and crime: Evidence from three European cities. Social Forces, 90, 863–890.
21 Maskaly, J., and Donner, C. (2015). A theoretical integration of social learning theory with terror management theory: Towards an explanation of police shootings of unarmed suspects. American Journal of Criminal Justice, 40, 205–224.
money rather than stealing the money. Finally, opportunity occurs when the victim
allows the fraudster access to the victim’s assets. Kassem and Higson proposed a new
fraud triangle theory adding a new dimension: (a) motivation, (b) capability, (c)
opportunity, and (d) personal integrity.22 There is currently insufficient research to
support this expansion of the fraud triangle theory.
While Dr. Donald Cressey originally developed what researchers came to call the
fraud triangle, the first use of the term fraud triangle to describe the idea came from the
ACFE instead of Cressey.23 The American Institute of Certified Public Accountants
(AICPA) integrated the fraud triangle into the Statement on Auditing Standards Number
99.
Studies such as Dellaportas’s 2013 study on why accountants commit fraud have
continued to show the validity of Dr. Cressey’s fraud triangle theory.24 The cognitive
dissonance theory indicates fraudsters commit the crime then rationalize their behavior
to improve their own self-worth.25 I believe the cognitive dissonance theory supports the
rationalization component of the fraud triangle theory. Other researchers have claimed
the professional development of the fraud triangle as a criminology theory concentrates
on limiting opportunity and an individual’s lack of ethics to the exclusion of other factors
such as the role of society and political agendas in combatting crimes such as fraud.26
Sykes and Matza studied how perpetrators of crimes rationalized their behavior by
using neutralizing language.27 There are five basic ways to use neutralizing language to
rationalize criminal behavior:
• Denial of responsibility
• Denial of victim
• Denial of injury
• Condemnation of the condemners
• Appeal to higher loyalties28
By rationalizing their behavior, most white-collar criminals do not consider them-
selves to be criminals and deny they had intent when committing their crimes.29 Except
for their ability to rationalize their behavior and resistance to considering their activities
as crimes, white-collar criminals have been assumed to be basically normal people.30
Historically, white-collar crime, including identity theft, was considered to be a civil
dispute under common law rather than a criminal act.31
22 Kassem, R., and Higson, A. (2012). The new fraud triangle model. Journal of Emerging Trends in Economics and Management Sciences, 3(3), 191–195.
23 Morales, J., Gendron, Y., and Guenin-Paracini, H. (2014). The construction of the risky individual and vigilant organization: A genealogy of the fraud triangle. Accounting, Organizations and Society, 39, 170–194.
24 Dellaportas, S. (2013). Conversations with inmate accountants: Motivation, opportunity and the fraud triangle. Accounting Forum, 37(1), 29–39.
25 Trompeter, G., Carpenter, T., Jones, K., and Riley, R. (2014). Insights for research and practice: What we learned about fraud from other disciplines. Accounting Horizons, 28, 769–804.
26 Morales, J., Gendron, Y., and Guenin-Paracini, H. (2014). The construction of the risky individual and vigilant organization: A genealogy of the fraud triangle. Accounting, Organizations and Society, 39, 170–194.
27 Sykes, G., and Matza, D. (1957). Techniques of neutralization: A theory of delinquency. American Sociological Review, 22, 664–670.
28 Klenowski, P. (2012). “Learning the good with the bad”: Are occupational white-collar offenders taught how to neutralize their crimes? Criminal Justice Review, 37, 461–477.
29 Stadler, W., and Benson, M. (2012). Revisiting the guilty mind: The neutralization of white-collar crime. Criminal Justice Review, 37, 494–511.
30 Benson, M. (2013). Editor’s introduction – White-collar crime: bringing the offender back in. Journal of Contemporary Criminal Justice, 29, 324–330.
31 Bennett, R., LoCicero, H., and Hanner, B. (2013). From regulation to prosecution to coopera-
Predication of Fraud
It is necessary to determine if there is a predication of fraud before starting a fraud
investigation. Sometimes red flags for fraud, upon examination, are nothing more than
human error, with no intent to deceive or commit fraud. Predication of fraud is the total
of the direct and circumstantial evidence that would lead a reasonable person, trained in
law enforcement or fraud investigations, to believe that a fraud has occurred, is
occurring, or will occur in the future. Suspicion alone, without any objective direct or
circumstantial evidence, is an insufficient basis for conducting a fraud investigation.
Because fraud investigations can be costly, it is necessary to determine that a predication
of fraud exists prior to commencing a fraud investigation.
This should not be taken to indicate that suspicions of fraud should not be
reported. Employees who suspect fraud should report their concerns to their supervi-
sors, managers, human resources, or the company’s audit committee. The ACFE’s 2018
Report to the Nations on Occupational Fraud and Abuse indicated that a majority of
frauds are discovered by receiving tips and over half the tips reporting fraud come from
employees.
(Footnote Continued)
tion: Trends in corporate white collar crime enforcement and evolving role of the white collar criminal defense attorney. Business Lawyer, 68(2), 411.
32 Dorminey, J., Fleming, A. S., Kranacher, M., and Riley, Jr., R. (2012). The evolution of fraud theory. Issues in Accounting Education, 27, 555–579.
33 Power, M. (2013). The apparatus of fraud. Accounting, Organizations and Society, 38, 525–543.
34 Power, M. (2013). The apparatus of fraud. Accounting, Organizations and Society, 38, 525–543.
35 Dorminey, J., Fleming, A. S., Kranacher, M., and Riley, Jr., R. (2012). The evolution of fraud theory. Issues in Accounting Education, 27, 555–579.
36 Available at www.acfe.com.
¶ 805
points. Many businesses post signs at the cash registers asking customers to report to
management anytime they don’t receive a receipt for their transaction. Often customers
are offered a reward such as a free coffee or gift card for taking the time to make the
report. This brings the customer into the internal control process and makes it difficult
for employees to process transactions without receipts.
Employees can also use coupons and discounts to conduct skimming schemes. An
example of this would be ringing up a customer who doesn’t have a coupon at the cash
register and then voiding the transaction after the customer leaves and reinputting the
transaction with the coupon. The employee can then pocket the cash. The explanation
for the transaction is that the customer remembered the coupon or discount after the
original transaction was processed and asked to have the coupon or discount applied.
Skimming is also done by business owners in order to reduce their tax burden. By
removing receipts from the business, they can reduce both their sales tax and income
tax liabilities. A common red flag for owner skimming is owners offering discounts for
cash payments. The owners pocket the cash payments and don’t include them in the
company financials or on their tax returns. This type of fraud can be difficult to detect
and is usually discovered during a tax audit when the auditors do a lifestyle audit to
show the business owner is living well beyond their means based on the reported tax
income. Receipts skimming is also done to reduce alimony and child support payments,
which are based on income. Another common reason for owner skimming is to qualify
for government benefits or to qualify for needs-based scholarships and government
backed student loans for their children’s college education.
STUDY QUESTION
Lapping
Lapping is a fraud scheme where employees “rob Peter to pay Paul.” Lapping most
commonly occurs in organizations that have many customers who have similar pay-
ments. A typical lapping plan works in the following pattern. An employee steals a
payment from Customer A and pockets the money. Before Customer A gets a late
notice or late fee, the employee steals a payment from Customer B and posts it to
Customer A’s account. Then the employee steals funds from Customer C to cover the
theft from Customer B. At this point Customer A and Customer B are current on their
payments and the employee only needs to worry about covering the payment for
Customer C. It can be difficult for employees to track all the payments they have stolen
and to cover them before they become past due, making lapping one of the easier
frauds to detect.
Counterfeit Currency
Counterfeit currency is another fraud that organizations have to consider in their risk
assessment. Counterfeit currency schemes can be perpetrated by customers or employ-
ees. Customers can use counterfeit currency to pay for transactions, and employees can
swap counterfeit currency for real bills in their cash drawer, which leaves the employer
holding the counterfeit currency. Individuals can make counterfeit currency using a
color copier, or they can purchase it on the Internet. (Just Google “Buy Fake Dollars”
and you will get over 22K hits.)
Common internal controls to detect counterfeit currency include using black lights,
counterfeit detection pens, and counterfeit detection machines. Black lights allow
employees to view the color of the security threads in modern U.S. currency. Under a
black light the security thread in a $100 bill is pink, a $50 bill is yellow, a $20 bill is
green, a $10 bill is orange, and a $5 bill is blue. If the color of the security thread under
a black light doesn’t match the denomination of the bill, then it is a counterfeit.
Counterfeit detection pens are iodine-based pens that are used to detect standard wood-
based paper used in copiers and printers. U.S. currency is printed on a cloth-based
paper. The iodine in the counterfeit detection pen leaves a permanent black mark on
wood-based paper while leaving a temporary brown mark on cloth-based paper. Remem-
ber, it is illegal to use or possess counterfeit U.S. currency. The simple possession of
the currency is punishable with a prison term of up to 20 years. You should not attempt
to deposit or pass off counterfeit currency to another company. Federal statute 18 USC
Section 471 criminalizes making copies of U.S. currency, with up to 15 years in prison,
unless the copies are much larger or much smaller than real U.S. currency (a minimum
of 50 percent larger or 25 percent smaller) or are “rendered in black and white.”
Should you receive a counterfeit bill, you are required to forward it to the U.S. Secret
Service (http://www.secretservice.gov/forms/ssf1604.pdf).
STUDY QUESTION
3. The security thread in a $20 bill glows ______ under a black light.
a. Blue
b. Green
c. Yellow
d. Pink
Asset Misappropriations
Asset misappropriation is usually tied to items of value that can be easily monetized.
Cash is one of the most frequently stolen assets because once the criminal has the cash
in their possession, it is difficult to prove they stole the cash and it wasn’t theirs to start
with. This is another reason to have cameras as part of your internal controls. Cash can
be stolen from cash registers, from safes and vaults, from the mail room, and from
deposits. I am still amazed that in today’s world people still send cash through the mail.
Asset misappropriation can also include the theft of inventory and fixed assets.
Criminals are usually trying to steal small, expensive items that are easily converted into
cash. An organization missing inventory or fixed assets should search online sales sites,
such as eBay and Craigslist, as the thieves often try to sell the items they have stolen.
Intangible assets such as trade secrets, research and development, customer informa-
tion, employee information, and other data are also misappropriated by criminals.
Organizations have to make sure they have good internal controls in place to protect
both tangible and intangible assets.
extra invoice will be sent with a different invoice number or a slightly altered invoice,
such as a “-A” at the end, to attempt to circumvent the automated controls in the victim’s
accounting software. Sometimes statements are generated by the criminal after a
payment is received but before it is posted to the system in order to obtain a duplicate
payment. If the victim questions the statement, they are told it “crossed in the mail.”
Criminals will also generate fake invoices, or documents that look like invoices, in
order to obtain payments. The classic example of this was invoices for the “Yellow
Book,” which were made to look like invoices for yellow pages ads. Today we see fake
invoices for website optimization and SEO optimization, services that were never
ordered or provided, but the fraudsters hope the victim will process the invoice. There
was an interesting fake invoice scheme in Arizona a few years ago. The fraudsters sent
out fake invoices for $300 to limited liability companies in Arizona claiming that they had not
filed their annual corporate reports. It should be noted that limited liability companies in
Arizona are not required to file corporate reports. The invoices contained the logo for
the Arizona Corporation Commission and were written to look like official correspon-
dence from the Corporation Commission. The Attorney General for the State of Arizona
put out a warning because thousands of businesses fell victim to this fake invoice
scheme.
Another type of accounts payable fraud is payment splitting. Payment splitting
occurs when an employee gets an invoice, either real or fake, that is over their approval
limit. In order to avoid review by a supervisor, the employee splits the invoice into two
payments, both of which fall into the employee’s approval limit. Sometimes employees
collude with vendors to have them reissue multiple invoices when the original payment
is over their approval limit.
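The two accounts payable patterns described above, an invoice resubmitted under a slightly altered number (such as a “-A” suffix) and an invoice split to stay inside an approval limit, can both be tested for in the payables ledger. The following Python sketch is an added example, not part of the original course text; the record layout, approval limits, 14-day window, and sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample ledger rows (not real data):
# (vendor, invoice_no, invoice_date, amount, approver)
LEDGER = [
    ("Acme Supply", "10452",    date(2019, 3, 4),  1800.00, "jdoe"),
    ("Acme Supply", "10452-A",  date(2019, 3, 18), 1800.00, "jdoe"),
    ("Acme Supply", "10460",    date(2019, 4, 2),   950.00, "mlee"),
    ("Bolt & Nut",  "INV 7731", date(2019, 5, 6),  4800.00, "jdoe"),
    ("Bolt & Nut",  "INV 7732", date(2019, 5, 7),  4700.00, "jdoe"),
    ("Bolt & Nut",  "INV 7790", date(2019, 8, 1),  4900.00, "jdoe"),
    ("Cedar LLC",   "A-100",    date(2019, 6, 1),   300.00, "mlee"),
    ("Cedar LLC",   "A-101",    date(2019, 6, 3),   300.00, "mlee"),
]

# Assumed approval limit for each approver.
APPROVAL_LIMIT = {"jdoe": 5000.00, "mlee": 2500.00}


def normalize_invoice_no(invoice_no):
    """Reduce an invoice number to a comparison key.

    Drops case, spaces and punctuation, then strips a one- or two-letter
    suffix that follows digits, so "10452-A" and "10452" compare equal.
    """
    key = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return re.sub(r"(?<=\d)[A-Z]{1,2}$", "", key)


def find_altered_duplicates(ledger):
    """Return groups of invoice numbers that share vendor, amount and key."""
    groups = defaultdict(list)
    for vendor, inv, _inv_date, amount, _approver in ledger:
        key = (vendor, normalize_invoice_no(inv), round(amount, 2))
        groups[key].append(inv)
    return sorted(sorted(invs) for invs in groups.values() if len(invs) > 1)


def find_split_payments(ledger, limits, window_days=14):
    """Flag pairs of invoices that look like one invoice split in two.

    A pair is flagged when both invoices come from the same vendor, were
    approved by the same person within window_days of each other, each is
    within that person's limit, and together they exceed it. Splits into
    three or more pieces need a windowed sum instead of pairs.
    """
    by_key = defaultdict(list)
    for vendor, inv, inv_date, amount, approver in ledger:
        by_key[(vendor, approver)].append((inv_date, inv, amount))

    findings = []
    for (vendor, approver), rows in by_key.items():
        limit = limits.get(approver)
        if limit is None:
            continue  # no limit on file: nothing to compare against
        for (d1, i1, a1), (d2, i2, a2) in combinations(sorted(rows), 2):
            if abs((d2 - d1).days) > window_days:
                continue
            if a1 <= limit and a2 <= limit and a1 + a2 > limit:
                findings.append((vendor, approver, i1, i2, round(a1 + a2, 2)))
    return sorted(findings)


if __name__ == "__main__":
    print("Possible altered duplicates:", find_altered_duplicates(LEDGER))
    print("Possible split payments:", find_split_payments(LEDGER, APPROVAL_LIMIT))
```

A hit from either check is a reason to pull the supporting documents, not proof of fraud; vendors legitimately issue revised invoices and bill several small orders in a row.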
Shell companies are often created in order to create and submit fake invoices. A
shell company is a company in name only. It is properly registered with the state, has an
EIN, P.O. Box address, and usually has a bank account, but it provides no actual goods
or services and has no operations other than generating invoices and receiving pay-
ments. W-9s are generated and the shell companies are set up as vendors in the victim’s
accounting system. Fake invoices are sent out and the payments are processed through
the shell company’s bank account.
It isn’t always necessary to go to all the trouble of setting up a shell company in
order to commit a disbursement fraud. Employees can find a stale vendor (a vendor that
hasn’t been used in a while) and process a change of address for that vendor. Since the
vendor is already in the system and approved, there is no need for a new W-9 or
approval. The employee then creates and approves invoices for the vendor and misap-
propriates and cashes the checks.
Altering a check is also a common type of disbursement fraud. Accounting person-
nel can print a check and then alter the payee in the accounting system. It is also
possible to steal a check from the check run and then to negotiate the check, making it
look like a legitimate cashed check on the bank reconciliation. The ACFE report
indicated the average loss to a company that is a victim of check and payment
tampering is $150,000.
Escheated funds are another area that is ripe for disbursement fraud. Sometimes
recipients fail to cash the checks they are sent. These checks have been issued but they
are variances on the bank reconciliation. At a certain point, depending on the state, the
funds should be turned over to the government. Employees can reissue the checks,
usually having them sent to a new address controlled by the employee, and then cash
the checks. From the company’s perspective, it appears that the check was reissued and
cashed by the intended recipient.
STUDY QUESTION
Revenue Frauds
The Public Company Accounting Oversight Board (PCAOB) reported the most com-
mon reason for having to restate financial statements was for improper revenue recogni-
tion. Companies recognize revenue before it is earned in order to increase profitability
in the current period and drive up stock prices. Companies can also record revenue
from fake sales. They create a sale using accounts receivable to increase revenue in the
current period and then either carry the receivable indefinitely or write it off in a future
period. The ACFE report notes that the average loss for a billing fraud scheme is
$100,000.
Recording revenue on conditional sales is done to manipulate a business’s revenue.
Conditional sales occur when the buyer has the right to return some or all of the
merchandise being purchased. Under U.S. GAAP, the revenue should not be recorded
until the return period has lapsed and the sale is complete. At a minimum, it is
necessary to set up an allowance for any potential returns.
Bill and hold frauds are another way to manipulate revenue in a company. With a
bill and hold scheme, the company sends an invoice to a customer for goods that were
never ordered by the customer, nor sent by the company. If the customer pays the
invoice, the company sends the goods; otherwise, the invoice is reversed or written off.
Sometimes the receivable is offset with a credit memo to avoid a direct write-off.
Improper sales cut-offs are a way to manipulate revenue in a company. There is a
high risk of cut-off issues for any company that has commissioned salespeople or that
pays bonuses based on sales. Salespeople are known to manage their commissions by
sandbagging sales into future periods or by backdating sales in order to receive
commissions sooner.
Channel stuffing is another fraud scheme that can be used to manipulate revenue.
Channel stuffing occurs when a business ships more merchandise to a distributor than
they can reasonably be expected to sell. The distributor accepts the merchandise
knowing they can return any unsold items for credit. The company prematurely records
the revenue for this transaction as if the sale was final.
STUDY QUESTION
5. Which type of revenue fraud involves billing for goods without receiving an order or
shipping anything?
a. Bill and hold
b. Improper sales cut-off
c. Fake sales
d. Channel stuffing
Inventory Frauds
Businesses that maintain inventory are susceptible to various types of inventory frauds.
The most common issue with inventory is the theft of inventory, either by employees or
by shoplifters, using the old “five-fingered discount.” Inventory is stolen and the
criminals either use the items themselves or sell them for cash or virtual currencies.
The stolen inventory can also be bartered for drugs, prostitutes, or other illegal items. It
is important to have good internal controls in place to keep the inventory secure. This
can include using barcodes, Radio Frequency Identification (RFID) chips, cameras,
locked display cases, and alarm systems.
One type of inventory theft scheme involves having an employee who works at a
cash register collude with an outside party. The accomplice brings several items to the
checkout point, including one high-priced item. The employee rings up the items but
places his hand over the barcode of the high-priced item while passing it over the
scanner, thus preventing it from being recorded. The accomplice then pays for the
lower priced items and walks out with all of the items, including the items not recorded
by the cash register. If a supervisor is watching, or even if cameras are present, this can
look like a legitimate sale and no red flags are raised—until the inventory is counted,
and shortages are detected.
Another inventory fraud scheme starts with an employee removing inventory from
the store or warehouse and passing it off to an accomplice. The accomplice brings the
item back to the store and requests a refund. There is usually an excuse for not having
an original receipt, such as “it was a gift.” The employee then processes a refund by
paying the accomplice and returning the stolen item into the store’s inventory.
Criminals also commit inventory fraud in manufacturing companies. In addition to
stealing finished goods, they also steal scrap. A classic example occurs at home
builders. Subcontractors order more materials, such as drywall, counter tops, wiring,
etc., and they cut the items down to size or keep the extra. We have caught subcontrac-
tors using stolen goods to fix up the properties they purchased to flip. You have a good
profit margin when all or the majority of your materials are free.
Failing to remove inventory from the books once it is sold is another classic
inventory fraud scheme. This was easier to do when companies used periodic inventory
tracking rather than perpetual inventory tracking. Since the inventory isn’t removed
from the books, the cost of goods sold is lower and the profits are higher. The Phar-Mor
fraud is a classic case study for this type of fraud. Phar-Mor even moved inventory from
store to store, so every day when the auditors arrived to count the inventory, the stores
were full of inventory. The auditors didn’t know they were counting the same inventory
over and over again.
Shell companies without any actual operations are also used in inventory frauds. In
this fraud the purchasing manager orders inventory from a shell that he or she set up or
had a relative or friend set up. The shell company then orders the merchandise from
legitimate vendors and repackages it and sends it to the victim company. The shell
company will then invoice the victim, typically for 10 percent to 20 percent over what
they purchased the merchandise for from the legitimate vendor, and the difference is all
profit. A good internal control to prevent this type of inventory fraud is to do periodic
Internet price checks on all the goods and services purchased to make sure the prices
being paid are in line with the market.
It is not uncommon for owners, managers, and employees to temporarily use items
from inventory for personal purposes. The items are removed from the packaging and
used by the fraudsters. The items are then repackaged and sold as new. The unsuspect-
ing customer believes they are purchasing a new product when in fact they are
purchasing a used product.
Merchandise inventory fraud also occurs through short shipping. This fraud can be
conducted by either management or employees. When a customer places an order for
100 items, the company short ships 98 items, hoping the victim doesn’t count the items
upon receipt. Should the customer count the items, the company claims it is an error
and immediately offers to ship the missing items or to issue a credit memo. Employees
commit this type of fraud by stealing items prior to shipping, and if a shortage is
reported, they will claim it was simply an error.
Manufacturers can commit inventory fraud by incorrectly recording overhead and
other indirect costs as direct inventory costs that are then capitalized with the inventory
rather than being expensed in the period in which the expense was made. For large
construction projects like buildings or airplanes, these companies can manipulate the
percentage of completion in order to manipulate the costs of construction.
It is always necessary to commit financial statement fraud to explain the inventory
shortages when a physical inventory count is done. Commonly, transactions are entered
to record the stolen inventory as breakage, shrinkage, spoilage, or obsolescence. Other
ways to conceal inventory frauds include altering inventory counts, altering inventory
values, recording phantom inventory, recording intercompany sales as final sales, failing
to record inventory at the lower of cost or market, and using improper cut-offs for
recording inventory purchases and sales.
STUDY QUESTION
sales and income taxes the business owner would otherwise have to pay. There are far
more small businesses in the country than there are large businesses, which is why this
is a more common fraud. Don’t be dismayed, however, because when it comes time to
sell the business, these criminals are more than willing to cook the books to make the
company appear more profitable for the buyer.
The easiest way to commit financial statement fraud is to record fictitious transac-
tions on the books. This includes recording fake sales in order to increase revenue or
recording fake expenses in order to reduce taxable income. Many times, fraudulent
entries are input into the accounting system using top-sided or other journal entries.
Businesses using the accrual method can also prematurely recognize revenue in order
to manipulate the financial statements.
It is also possible to manipulate the financial statements by overstating the value of
assets such as inventory, although intangible asset values are easy to manipulate.
Failing to record or misrecording depreciation and amortization is another way to
manipulate asset values. Companies have also been known to record consignment
goods as part of the company’s inventory. Understating liabilities or failing to disclose
liabilities in the financial statements is another example of financial statement fraud.
Manipulating reserve accounts, such as the allowance for doubtful accounts, warranty
and repair allowances, environmental cleanup funds, and returns and allowances,
is another way to commit fraud. It is common to see unrecorded liabilities,
especially in small businesses where the owners are funding the business with personal
loans or by using their personal credit cards. Failure to disclose contingent liabilities
can also be an issue. Improperly recording transactions in the wrong period, either
holding transactions for a future period before recording them or backdating transactions
into past periods, is also an example of financial statement fraud.
Financial statement frauds can be undertaken to alter the balance sheet, income
statement, or the statement of cash flows. Failure to provide proper financial statement
disclosures or filing misleading financial statement disclosures is also a type of financial
statement fraud.
Payroll Frauds
The ACFE report notes that the average cost to an organization that is the victim of a
payroll scheme is $63,000. There are numerous types of payroll fraud schemes. Payroll
fraud schemes can be conducted by employees, the accounting department, or by
owners and managers. The most basic payroll fraud scheme conducted by employees is
to improperly record hours on a time sheet, thereby getting paid for hours that are not
worked. Workers have been known to ask their fellow employees to “clock me out”
because they need to leave early, or to ask someone to “punch me in” if they know they
are going to be late. The unwritten agreement is a quid pro quo that if you help me out
now, I will do the same for you in the future. This is an example of combining asset
misappropriation and corruption into one fraud scheme. Another common employee
fraud scheme is slow work for overtime. This works because the employee deliberately
works slowly, knowing the work needs to be done by a certain deadline, and then the
employee works overtime to get the job done.
Employees have another scheme that applies to fire departments, police depart-
ments, and other essential service personnel. Employees usually have sick days or
personal time off that they can use, and they take those days when friends who need
some extra cash are on call. They get the day off and the friend gets overtime for the
shift. There is an understanding that the favor will be returned when the employee who
took the day off needs some overtime. Paperwork requirements can also be used to
create overtime. One example is leaving all of the paperwork until the end of the shift
and then working overtime to get caught up. Audits of government entities show many
first responders receive half of their W-2 income from overtime. This is a difficult area to
control because the work needs to be done and many times there are legitimate reasons
for the overtime.
Many payroll frauds can be conducted by employees in the accounting department.
Accounting personnel can enter ghost employees or ghost independent contractors into
the accounting system. Accounting personnel can also give unapproved raises to related
employees or sometimes give an employee an unapproved raise and then split the raise
with the employee by getting a kickback every payday. One case I investigated involved
a property management company where the husband was the maintenance manager
and the wife was the bookkeeper. She slowly raised her husband’s monthly salary from
$2000 per month to $4500 per month without the knowledge or permission of the
business owner. Red flags for ghost employees include no deductions for insurance or
retirement accounts, no use of sick time or vacation time, and multiple direct deposits
being made to one account.
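The ghost-employee red flags listed above (no insurance or retirement deductions, no sick or vacation time used, and several direct deposits going to one account) can be checked against the payroll master file. This Python sketch is an added example, not part of the original course text; the field names, the 12-month tenure threshold for the leave check, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample payroll master records (not real data).
EMPLOYEES = [
    {"id": "E001", "insurance_ded": 210.0, "retirement_ded": 150.0,
     "sick_hours_used": 16, "vacation_hours_used": 40,
     "months_employed": 60, "deposit_account": "ACCT-1111"},
    {"id": "E002", "insurance_ded": 180.0, "retirement_ded": 90.0,
     "sick_hours_used": 8, "vacation_hours_used": 24,
     "months_employed": 36, "deposit_account": "ACCT-2222"},
    {"id": "E003", "insurance_ded": 0.0, "retirement_ded": 0.0,
     "sick_hours_used": 0, "vacation_hours_used": 32,
     "months_employed": 30, "deposit_account": "ACCT-3333"},
    {"id": "E004", "insurance_ded": 0.0, "retirement_ded": 0.0,
     "sick_hours_used": 0, "vacation_hours_used": 0,
     "months_employed": 18, "deposit_account": "ACCT-2222"},
    {"id": "E005", "insurance_ded": 195.0, "retirement_ded": 60.0,
     "sick_hours_used": 0, "vacation_hours_used": 0,
     "months_employed": 2, "deposit_account": "ACCT-5555"},
]


def shared_deposit_accounts(employees):
    """Map each deposit account used by more than one employee to their ids."""
    by_account = defaultdict(set)
    for emp in employees:
        by_account[emp["deposit_account"]].add(emp["id"])
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def ghost_employee_flags(employees, min_tenure_months=12):
    """Return {employee_id: [flags]} for every record with at least one flag.

    The leave check is skipped for recent hires (assumed threshold), who
    have not yet had a realistic chance to take time off.
    """
    shared = shared_deposit_accounts(employees)
    result = {}
    for emp in employees:
        flags = []
        if emp["insurance_ded"] == 0 and emp["retirement_ded"] == 0:
            flags.append("no_benefit_deductions")
        no_leave = emp["sick_hours_used"] + emp["vacation_hours_used"] == 0
        if no_leave and emp["months_employed"] >= min_tenure_months:
            flags.append("no_leave_used")
        if emp["deposit_account"] in shared:
            flags.append("shared_deposit_account")
        if flags:
            result[emp["id"]] = flags
    return result


def review_queue(employees, min_flags=2):
    """Records carrying several flags at once, most flags first."""
    flagged = ghost_employee_flags(employees)
    queue = [(emp_id, flags) for emp_id, flags in flagged.items()
             if len(flags) >= min_flags]
    return sorted(queue, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    print("Shared accounts:", shared_deposit_accounts(EMPLOYEES))
    for emp_id, flags in review_queue(EMPLOYEES):
        print(emp_id, flags)
```

In the sample, E003 simply opted out of benefits and E005 is a new hire, so neither reaches the review queue; the shared-account result also names E002, the real employee whose account receives the second deposit.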
Managers and owners can also commit payroll fraud. Owners can misclassify
employees as independent contractors in order to avoid paying payroll taxes on the
employee’s wages. Non-exempt employees can also be misclassified as exempt employ-
ees in order to avoid paying overtime. Some business owners and managers hire
undocumented immigrants to work in their businesses because they can pay them off
the record, usually in cash, and pay them less than the legally mandated federal
minimum wage.
the hour to use in their illicit schemes. There are also pay-for-play malware programs
available for purchase on the darknet in addition to an active market for zero-day
exploits.37
Data Breaches
The theft of information, also known as a data breach, is a crime that was virtually
unknown two decades ago but is flourishing in the 21st century. A data breach is
defined as the theft of personal information including names, Social Security numbers,
birth dates, medical information, driver’s license numbers, user names and passwords,
and financial account information such as credit or debit card numbers. With an ever-
increasing reliance on computers and information technology, organizations are in-
creasingly susceptible to this type of fraud. Information thieves are misappropriating
data and selling the stolen information on the darknet. A data breach occurs when
someone gains access to information that contains confidential information. Confidential
information includes personally identifying information (PII) and personal health infor-
mation (PHI). This can occur because of a lack of security, the bypassing of security, or
the elimination of security. Data breaches occur when information is stolen from
computers and other electronic devices. Data breaches can also occur when devices
containing information are lost or misplaced. Because an organization is considered to
be negligent in its duties to safeguard the information provided to it by employees,
customers, and others, there is a significant cost to being a victim of a data breach.
Criminals breach the IT security of companies, not-for-profit organizations, and even
governmental units and steal information from their computers. Often, the Human
Resources department of an entity is targeted for payroll information, which includes
Social Security numbers. Retail outlets are also targeted because they store customer
information, including credit card numbers, on their computers. Not all data breaches
are aimed at large organizations. Small businesses are also targeted, including tax
providers, attorneys, medical offices, and insurance agents, because these professionals
often have their clients’ personal information stored on their computers.
One of the main reasons for stealing data is to profit from the data breach.
Criminals can sell stolen user IDs and passwords for $5 to $20 each on the dark net.
Criminals are aware that many people use the same passwords for multiple websites
and computer systems. The purchased IDs and passwords are input into software that
searches the Internet for websites where the stolen IDs and passwords work and then
notifies a human operator that access has been gained so they can determine if there is
any value in the website that was illegally accessed. This is known as credential stuffing.
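On the defending side, the automated replay of purchased credentials described above shows up in authentication logs as one source trying many different accounts in a short time, usually with a few successes mixed in. The following Python sketch is an added example, not part of the original course text; the log format, the five-minute window, the ten-account threshold, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed log format: "<timestamp> <event> user=<name> ip=<address>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def build_sample_log():
    """Constructed auth log: one stuffing source and one forgetful user."""
    base = datetime(2019, 7, 1, 10, 0, 0)
    lines = []
    # 203.0.113.7 tries 12 different accounts in 24 seconds; one pair works.
    for n in range(12):
        event = "login_ok" if n == 8 else "login_failed"
        ts = (base + timedelta(seconds=2 * n)).strftime(TS_FORMAT)
        lines.append(f"{ts} {event} user=user{n:02d} ip=203.0.113.7")
    # 198.51.100.20 is one person mistyping their own password.
    for n in range(5):
        ts = (base + timedelta(seconds=10 * n)).strftime(TS_FORMAT)
        lines.append(f"{ts} login_failed user=carol ip=198.51.100.20")
    lines.append("2019-07-01T10:01:00Z login_ok user=carol ip=198.51.100.20")
    lines.append("malformed line that the parser must skip")
    return lines


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=10):
    """Find sources that attempted many distinct accounts inside one window.

    Returns {ip: {"users_tried": n, "compromised": [usernames]}} where
    "compromised" lists accounts the source logged in to successfully
    during a flagged window; those passwords should be reset.
    """
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        events.append((ts, m["ip"], m["user"], m["event"] == "login_ok"))
    events.sort()

    recent = defaultdict(deque)  # ip -> attempts still inside the window
    findings = {}
    for ts, ip, user, ok in events:
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        users = {u for _, u, _ in attempts}
        if len(users) >= min_users:
            hit = findings.setdefault(ip, {"users_tried": 0, "compromised": set()})
            hit["users_tried"] = max(hit["users_tried"], len(users))
            hit["compromised"].update(u for _, u, good in attempts if good)
    return {
        ip: {"users_tried": hit["users_tried"],
             "compromised": sorted(hit["compromised"])}
        for ip, hit in findings.items()
    }


if __name__ == "__main__":
    for ip, detail in detect_credential_stuffing(build_sample_log()).items():
        print(ip, detail)
```

Counting distinct usernames rather than failures is what separates this pattern from a single user repeatedly mistyping a password, which the sample log includes as the non-flagged case.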
Another large market for information on the dark net is the sale of stolen credit card
numbers. There are thousands of dark net sites selling stolen credit and debit card
numbers. Prices range from $2 to $100 per credit or debit card number, depending on
the validity of the numbers. Some card brokers even offer guarantees that if you
purchase a minimum number of credit or debit card numbers, should any of these
numbers prove to be invalid, they will replace them for free; sort of a money-back
guarantee for criminals.
In addition to credit card, debit card, and Social Security numbers, criminals also
purchase names, addresses, dates of birth, phone numbers, driver’s license numbers,
health insurance ID numbers, union numbers, and other personal identifying information
(PII) on the dark net. These purchases are usually done with virtual currencies,
such as Bitcoin. There are even resources on the Internet for up-and-coming criminals,
including books and videos on how to profit from stolen credit cards and how to do
credential cramming. Stolen personal information is often used to commit identity theft.
37 See www.knowbe4.com.
Over the years, the theft of data has become a very profitable crime. In today’s
modern economy, businesses offer goods and services on credit to strangers based on
the data in the buyer’s credit history or through electronic means of payment such as
credit and debit cards. With telecommunications and Internet technology, buyers and
sellers do not need to meet in person to consummate their transaction. The Internet has
made access to information almost instantaneous. Additionally, people’s willingness to
share personal information about themselves on social media has increased the risk of
that information being misappropriated. Increased access to data on the Internet has
provided criminals easier access to personal information from both inside and outside
the United States. Identity thieves can use the Internet to gather an individual’s
identifying information without ever coming into personal contact with the victim.
Retail outlets are also targets of data breaches because they store customer
information, including credit and debit card numbers on their computers. The
cyberthieves targeted the point-of-sale (POS) cash registers in the Home Depot data
breach, allowing them to obtain the credit and debit card information of every customer
making a purchase at the stores. Data breaches allow criminals to obtain a substantial
amount of information with a minimum risk of being caught. Many data breaches are
initiated through a phishing or other social networking attack wherein the criminals
email or otherwise contact an individual in the target company and include a virus or
other form of malware in the communication.
One of the most well-known data breaches occurred in November and December
of 2013, and the victim was Target. It was estimated that 70,000,000 debit and credit
card numbers were stolen from Target’s computers. In addition to the debit and credit
card numbers, the criminals also misappropriated the customers’ PINs, CVV codes, ZIP
codes, and other personal information. The initial estimates of the costs to Target for
this data breach were $3.6 billion. The Target data breach is important because of the
litigation that followed. The banks that had to replace the 70 million stolen credit cards
filed litigation against Target to recover their costs. The Federal District Court ruled in
favor of the banks, and Target appealed the ruling. The Federal Appellate Court
reaffirmed the lower court’s ruling, and Target appealed to the Supreme Court. The
Supreme Court declined to review the case, leaving the Appellate Court’s ruling in
place.
The courts have determined that companies have strict liability for lost information.
In other words, the victims do not need to prove the stolen information was used in an
identity theft. The fact that they need to pay to monitor their credit or take other actions
to protect their identity creates sufficient grounds for damage awards. Businesses must
use reasonable procedures to secure data in their possession. The procedures must be
documented in writing and be tested or audited on a periodic basis. There is no way to
guarantee that an organization will not become a victim of a data breach, but good
internal controls can reduce the risk of becoming a victim of this type of fraud.
Credential Stuffing
When I am speaking or conducting seminars on internal controls, I always stress the
importance of having complex passwords and updating them on a regular basis. In fact,
it is much better to use a complex passphrase consisting of a minimum of twenty-four
characters, including uppercase letters, lowercase letters, numbers, and special symbols.
It is much harder for a criminal to hack a passphrase than to hack a short
six-character password. The fact that many individuals use the same user ID and password
for multiple sites is well known to criminals.
Credential stuffing is one of the ways criminals gain access to various systems.
When the criminals obtain user IDs and passwords through data breaches, phishing, or
other means, the criminal uses software to test the acquired user IDs and passwords on
various websites and computer systems. The criminal will attempt to access financial,
social media, email, and other sites using the stolen information. Company and government
websites are vulnerable because employees are not diligent in changing and
protecting their passwords and often use the same password on multiple systems.
One common software tool for conducting credential stuffing is known as Sentry MBA.
Less than 1 percent of these attempts are successful, but the successful attempts are
very profitable for the criminals as they gain access to the victim’s information and
accounts. Remember that credential hacking is done at computer speeds, so a criminal
can test the credentials millions of times an hour. If criminals are able to obtain 1 million
credentials by purchasing them in bulk on the darknet, they would be able to access
approximately 10,000 accounts. Also, since a user ID and password is only attempted
once per website, the user ID is not locked when it does not work, so the victim is
unaware their information has been tested. The criminals also use botnets (hijacked
computers) so that the requests all come from different IP addresses to prevent the
tested website from recognizing the access attempt is coming from a single source.
Organizations need to monitor login failure rates as a detective control to determine
if they are targets of a credential stuffing attack. Adding two-factor authentication
to a website is a good preventive control to limit credential hacking. Another good
internal control is requiring complex passwords that contain an uppercase letter, a
lowercase letter, a number, and a symbol, requiring users to update passwords
every 90 days, and prohibiting the reuse of passwords.
One way to determine if your organization is being attacked by a criminal using
Sentry MBA is to Google “sentry mba your company name.” You can also search your
web logs for some of the common user agent strings associated with Sentry MBA:
• Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
• Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
• Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
• Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3
• Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00
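The two log checks described above (login failure rate and the listed user agent strings), as an added example that is not part of the course text: it parses combined-format access log lines and summarizes login attempts per five-minute window. The /login path, the 401/403 failure codes, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# User agent strings the text lists as commonly associated with Sentry MBA.
SENTRY_MBA_UAS = frozenset({
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) "
    "Gecko/2009060215 Firefox/3.0.11",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 "
    "(KHTML, like Gecko) Version/3.0 Safari/522.11.3",
    "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00",
})

LOGIN_PATH = "/login"          # assumption: this site's login endpoint
FAILURE_STATUSES = {401, 403}  # assumption: how the site answers a bad login
WINDOW_MINUTES = 5
MIN_ATTEMPTS = 50              # assumption: skip windows too small to judge
MAX_FAILURE_RATE = 0.5         # assumption: tune against your own baseline

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format log line; return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def analyze(lines):
    """Summarize login attempts per time window and flag abnormal failure rates."""
    windows = defaultdict(lambda: {"attempts": 0, "failures": 0, "ua_hits": 0,
                                   "ips": set(), "fail_by_ip": Counter()})
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "POST" or e["path"] != LOGIN_PATH:
            continue
        minute = e["ts"].minute - e["ts"].minute % WINDOW_MINUTES
        w = windows[e["ts"].replace(minute=minute, second=0, microsecond=0)]
        w["attempts"] += 1
        w["ips"].add(e["ip"])
        w["ua_hits"] += e["ua"] in SENTRY_MBA_UAS
        if e["status"] in FAILURE_STATUSES:
            w["failures"] += 1
            w["fail_by_ip"][e["ip"]] += 1
    report = []
    for start in sorted(windows):
        w = windows[start]
        rate = w["failures"] / w["attempts"]
        report.append({
            "window": start.isoformat(),
            "attempts": w["attempts"],
            "failures": w["failures"],
            "failure_rate": round(rate, 3),
            "distinct_ips": len(w["ips"]),
            # Stays at 1 when each address tries once, so per-address limits miss it.
            "max_failures_per_ip": max(w["fail_by_ip"].values(), default=0),
            "ua_hits": w["ua_hits"],
            "alert": w["attempts"] >= MIN_ATTEMPTS and rate >= MAX_FAILURE_RATE,
        })
    return report


def make_sample_log():
    """Constructed sample data: a quiet window, then a distributed burst."""
    fmt = ('{ip} - - [10/Mar/2019:14:{mm:02d}:{ss:02d} +0000] '
           '"{req} HTTP/1.1" {st} 512 "-" "{ua}"')
    modern = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
    listed = sorted(SENTRY_MBA_UAS)
    lines = ["not a log line",
             fmt.format(ip="198.51.100.9", mm=2, ss=0, req="GET /index.html",
                        st=200, ua=modern)]
    for i in range(20):        # 14:00-14:04: normal users, two mistyped passwords
        lines.append(fmt.format(ip=f"198.51.100.{i % 5 + 1}", mm=i % 5, ss=i,
                                req="POST /login",
                                st=401 if i in (3, 11) else 302, ua=modern))
    for i in range(10):        # 14:05-14:09: normal users keep logging in
        lines.append(fmt.format(ip=f"198.51.100.{i % 5 + 1}", mm=5 + i % 5, ss=i,
                                req="POST /login", st=302, ua=modern))
    for i in range(1, 201):    # 14:05-14:09: one attempt each from 200 addresses
        lines.append(fmt.format(ip=f"203.0.113.{i}", mm=5 + i % 5, ss=i % 60,
                                req="POST /login",
                                st=302 if i % 100 == 0 else 401, ua=listed[i % 5]))
    return lines


if __name__ == "__main__":
    for row in analyze(make_sample_log()):
        print(row)
```

In the burst window no single address fails more than once, so per-address and per-account lockouts stay silent while the aggregate failure rate jumps. The listed user agent strings mimic old browsers and can be changed by the tool's operator, so a match is supporting evidence rather than proof.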
STUDY QUESTION
9. Which type of cyber fraud involves using stolen user IDs and passwords to try to
access multiple IT systems?
a. Data breaches
b. Credential stuffing
c. Ransomware
d. Phishing
Ransomware
Another type of cyber fraud that has been growing in the last year is ransomware.
Ransomware is a type of malware that is placed on a computer and then encrypts all of
the files on the computer. The criminals then require that the victim pay a ransom in
order to obtain the decryption key and have access to their files. The most well-known
example of ransomware is CryptoLocker. Cryptowall 2.0 is a newer version of ransomware
being used by cybercriminals.
The FBI estimates that ransomware is a $1 billion a year fraud. A new type of
ransomware, called Reveton, installs itself onto the computer without the user’s knowledge.
Then, the computer freezes. A bogus message from the FBI pops up on the
screen, saying the user violated federal law. To unlock their computer, the user must
make a payment to the criminals.
For a single computer, the cybercriminals will initially request a ransom ranging
from $300 to $500. Larger ransoms are demanded when more computers are infected
with the ransomware. Once the deadline for the payment has passed, the criminals up
the ransom demand to around $1000 per infected computer.38 Unfortunately, criminals
are not always honest. When a victim makes a payment, sometimes the criminal gives
them the decryption code, sometimes the criminal asks for more money, and sometimes
the decryption code doesn’t work and they refer the victim to a 900 number help
desk where the victim pays by the minute for help decrypting his information. Governments
have also been victims of ransomware. In the spring of 2018, the City of Atlanta
was infected with ransomware that shut down city services for weeks.39
Typical ransomware software uses RSA 2048 encryption to encrypt files. Just to
give you an idea of how strong this is, an average desktop computer is estimated to take
around 6.4 quadrillion years to crack an RSA 2048 key.40 One issue with ransomware is
that it is a franchise-type criminal activity. Criminals with no programming experience can
contact ransomware developers on the darknet. The criminals pay an initial fee to get
access to the ransomware, and the developer provides them with a link to send out to all
of their contacts. If victims click on the link, infect their systems with ransomware, and
pay the ransom, the criminal gets 80 percent of the ransom and the developer gets 20
percent.
38 https://www.knowbe4.com/
39 https://www.cnn.com/2018/03/27/us/atlanta-ransomware-computers/index.html
40 https://www.knowbe4.com/
STUDY QUESTION
10. Which of the following cyber frauds encrypts the data on your computer?
a. Phishing
b. Ransomware
c. Spoofing
d. Spyware
Phishing
Phishing is a cybercrime in which the criminals contact the victim through email
messages that appear to come from legitimate business or government sources. Social
networking through phishing schemes is a common way to get around an organization’s
IT security. Often, the email headers are spoofed to make them look legitimate. One
purpose of the phishing email is to obtain information such as names, addresses, Social
Security numbers, phone numbers, dates of birth, credit card numbers, EIN numbers,
and other personal information from the victims. When the victims supply the information,
the criminals are able to use the information to steal the victim’s identity and
assets. Criminals also send phishing emails containing links with the hope that the
victim will click on the link and download the criminal’s malware onto the victim’s
computer.
This email was sent out during tax season to tax preparers and at first glance
appears to be a request for assistance with personal taxes. If the recipient clicks on the
link to download the tax data, their computer will be infected with malware. Be alert for
phishing emails that include poor grammar in the text of the message and that provide
no contact information, such as a phone number or address. Also note that most
phishing emails come from outside the United States or use free services like Gmail and
AOL.
In this phishing example, the fraudster is trying to get the victim to click on a link
for a ShareFile attachment, and if the victim clicks on the link, their computer is
infected with malware. DropBox and other file service providers have also been used for
this fraud.
With this example, you can see the fraudsters spoofed my daughter’s email in
order to make it look like the email was coming from her. The criminals get the names
of your friends, relatives, and associates from your social media accounts and then send
you phishing emails containing links that will download malware onto your computer
that look like they are coming from someone you trust.
Phishing Email Example 4
Criminals will often try to make you think a phishing email is coming from your
bank, credit card company, or other financial institution. They may indicate there is a
problem with your account or that your password is expiring. Either way, they ask you
to click on the link in the email and enter your user ID and password. Once they have
that information, they can use your user ID and password to access your real accounts
and misappropriate all of your funds.
Criminals also use phishing emails to try to convince you there is an issue with
your social media accounts, or that your accounts need to be updated. They will stress
the fact that you will lose all your posts on Facebook, Twitter, LinkedIn, etc., if you don’t
immediately log in through the link in the email and update your account.
Some criminals actually do their research before sending out a phishing email.
This is known as spear phishing. They gather information on the prospective victim and
tailor a phishing email directly at them. These emails can include the victim’s name, and
the names of people the victim knows. This phishing email purports that I failed to pay
my ASCPA dues in a timely manner. It even includes information for Cindie Hubiak,
who really is the president of the Arizona Society of CPAs. The criminals went to some
effort to make this look like a legitimate email. Once again, note the lack of contact
information in the body of the email. Also, the email came from an outlook.com email
address rather than the society’s normal ascpa.com address.
Vishing
Vishing is similar to phishing except the criminals use phones instead of emails. The
criminals will call a new employee or newly promoted employee (they get the information
from social media) pretending to be from the IT department, and tell the employee
they need to finish setting up their computer for the access they will need. The
criminals tell the employee they need to remote into their computer, and then once
inside the system set up a backdoor so they have continued access to the company’s
computer systems.
Vishing calls are also made to alert individuals or businesses that fraud has been
detected on their credit cards. The criminals use spoofed phone numbers to make it
appear that the call is coming from a bank or financial institution. The criminals then
ask the victim to verify information on the credit card, such as the account number,
billing zip code, security code, or expiration date, in order to gain access to information
that will allow them to use the credit card.
Other common vishing calls include calls that claim to be from the Internal
Revenue Service (IRS) trying to collect past due taxes, calls from collection agencies
trying to collect past due bills, and calls from law enforcement or regulatory agencies
trying to collect fines. A red flag for vishing calls is a request that payment be made with
gift cards, with virtual currencies, or by sending money through a money transfer
service. They will also stress the urgency to pay immediately in order to avoid jail time
or other penalties.
Brand Hacking
Brand hacking occurs when criminals post false or misleading information on websites
about a company’s products or services or about the company itself. This is usually
done via social media websites, rating websites such as Trip Advisor, or individual
blogs. The criminal’s purpose when brand hacking is to tarnish or damage the reputation
of the brand being hacked. Negative ratings on the Internet can steer customers
away from a product or business. A twist on the concept of brand hacking occurred
when a hotel chain paid its employees to rate their “roach motel” as a four-star resort on
various travel sites, enticing customers with fictitious reviews to get them to stay there.
For businesses in the service industry, the hackers can also go after the personal brand
or the reputation of the organization’s employees, often implying sloppy or unethical
work. Brand hacking is often linked to unsatisfied customers, disgruntled current or
former employees, and a business’s competition.
Spoofing
Spoofing is a term used to describe activity that makes a fraudulent website or email
look legitimate. Criminals can also spoof phone numbers and social media accounts.
The purpose of spoofing is to make the victim believe they are communicating with
someone they know, when, in fact, they are providing information to the criminals.
The CEO invoice spoof is a common type of email spoofing fraud directed at
companies. The typical CEO email spoof occurs when criminals send an email to an
accounting clerk, bookkeeper, or payables manager that appears to have originated
from the CEO, CFO, or other senior executive of the company. There is usually an
invoice attached with instructions to wire or ACH the funds to the vendor as soon as
possible. There is usually a tone of urgency applied such as, “Don’t leave work until this
is done” or “We will have to pay a large penalty if the payment isn’t received today,” to
spur the employee into processing the transaction quickly. The bank account receiving
the funds is usually overseas, or, if it is in the United States, the funds are immediately
transferred overseas when they are deposited. Another version of this cybercrime
involves a request for copies of payroll records or W-2 and other tax records, giving
the criminals access to personal information of the company’s employees. In 2018, for
the 2017 tax season, there were a large number of spoofing emails that appeared to
come from a company’s auditors requesting payroll information and claiming the
information was needed to complete the audit.
Pharming
Pharming occurs when a virus or other malicious software is placed on the victim’s
computer. The malware hijacks the victim’s web browser and causes it to divert the
user to the criminal’s websites. When the victim types in the website for a legitimate
company, usually a bank or financial institution, the malware directs the victim’s
browser to a fictitious copy of the website set up by the criminal. The fraudsters often
copy the legitimate website, so it can be difficult to recognize that you have been
diverted. The criminal is hoping to capture the victim’s user ID and password or other
useful information. Pharming can also be done by exploiting vulnerabilities on an
organization’s website to allow the criminals to redirect legitimate customers to a
spoofed fraudulent website. It is important to always verify the website address before
entering any confidential information, such as a user ID or password, onto the site.
Often the change will be minor, such as “BanksofAmerica” instead of “BankofAmerica.”
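A check for the near-miss addresses described in the phishing and pharming sections above (an outlook.com sender in place of ascpa.com, “BanksofAmerica” in place of “BankofAmerica”), added here as an example and not taken from the course text. The allowlist, the edit-distance limits, the two-label domain rule and the sample URLs and sender addresses are constructed assumptions; it also flags a trusted name embedded in a longer host name, which the text does not cover.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the organization maintains its own allowlist of expected domains.
TRUSTED_DOMAINS = {"bankofamerica.com", "ascpa.com"}
# Free mail services named in the text (Gmail, AOL) plus the outlook.com example.
FREE_MAIL_DOMAINS = {"gmail.com", "aol.com", "outlook.com"}


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable(host):
    # Assumption: the last two labels form the registrable domain.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host):
    """Return (verdict, domain) for a host name compared with the allowlist."""
    host = host.lower().rstrip(".")
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    name = domain.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        # A trusted name used as a sub-domain of someone else's domain.
        if trusted in host:
            return ("embeds-trusted-name", trusted)
        trusted_name = trusted.split(".")[0]
        # Short names collide by chance, so allow fewer edits for them.
        limit = 1 if len(trusted_name) < 8 else 2
        if edit_distance(name, trusted_name) <= limit:
            return ("lookalike", trusted)
    return ("unknown", domain)


def check_url(url):
    """Classify the host part of a URL before credentials are entered."""
    return classify_host(urlsplit(url).hostname or "")


def check_sender(from_header, claimed_domain):
    """Compare a From header's domain with the organization the mail claims."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain == claimed_domain.lower():
        # Not proof of origin: the text notes that headers are often spoofed.
        return "matches"
    if domain in FREE_MAIL_DOMAINS:
        return "free-mail"
    verdict, _ = classify_host(domain)
    if verdict in ("lookalike", "embeds-trusted-name"):
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("https://www.bankofamerica.com/",
                "https://www.banksofamerica.com/login",
                "https://bankofamerica.com.example.net/login",
                "https://example.org/"):
        print(url, check_url(url))
    for sender in ("ASCPA <dues@ascpa.com>",
                   "ASCPA Membership <dues@outlook.com>",
                   "ASCPA <dues@ascpaa.com>"):
        print(sender, check_sender(sender, "ascpa.com"))
```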
Hacking
Virtually everyone has heard of hacking. Hacking is commonly done by placing
malware on a computer system in order to allow the criminals to gain control of the
victim’s computer or to gain access to information stored on the computer or other
electronic device. Hacking is usually done over the Internet, and any device connected
to the Internet with either a wired or wireless connection is at risk of being hacked.
cert.gov/ncas/tips/ST04-015.
Computers, cell phones, tablets, webcams, IoT devices, and other electronic equipment
connected to the Internet are the main targets of cybercriminals. As the world is
becoming more automated, cybercriminals are increasingly attacking robots and automated
production systems in addition to computer information systems. Gaining control
of a robot such as a self-driving truck transporting goods would allow the criminals to
hijack the shipment. Locking up the robots in a factory and halting production allows
the criminals to extort a payment from the company to release their automated systems.
A common tool used by cybercriminals in a computer hack is a computer virus. A
computer virus is a segment of computer code that attaches itself to a program, such as
Microsoft Office, that is already loaded on the victim’s computer. A computer virus can
cause the infected program to delete, email, or copy files on the computer or to perform
other actions such as altering files or destroying data. A computer virus creates copies
of itself that it inserts in data files; thus, when employees share files, they also share the
computer virus, allowing the virus to spread throughout the company’s system and to
customers, vendors, and others with whom files have been shared.
Another common type of malware is known as a Trojan or Trojan Horse. A Trojan
is a stand-alone malware program that is disguised as something else, usually a
program or application that the user wanted such as a computer game. Trojans, unlike
viruses, are stand-alone programs and do not need to infect a program already installed
on the computer but instead act on their own. Typical types of trojans include spyware,
keystroke loggers, and other software designed to compromise a system or to gather
data from a system. Malware can also be used to make an individual device or system
part of a botnet. A common use is to infect computers to create a network of slave
computers that is then used to mine cryptocurrencies like Bitcoin. Trojans are often
disguised by piggybacking them on a free program or application downloaded by
the unsuspecting user of the device.
A computer worm is a type of malware that transmits itself over networks and the
Internet and infects any computer connecting with an infected source such as an
infected website. Computer worms can be transferred by linking to or visiting infected
websites. A computer worm is a stand-alone program that does not need to attach itself
to an existing program on the computer. A computer worm can carry a payload such as
a ransomware program. The most common payload is a program that installs a
backdoor on the infected computer. You are probably aware of how websites install
“cookies” on your computer when you visit the website. You could consider a worm to
be a bad cookie.
A rootkit is specifically designed to modify the operating system of an infected
computer. Legitimate uses for rootkits include installing updates and patches to a
computer’s operating system. However, criminals use rootkit programs to hide other
malware from the user of the computer. Because a rootkit program has administrator
access, it is not only able to modify the operating system but can also modify any other
software installed on the computer. Rootkits can be used to hide malware that the
criminals placed on a victim’s computers, so the victim can’t find or remove the
malware. Often the only fix when this is done is to wipe the computer and reload
everything from a backup.
A very dangerous type of malware is known as a backdoor. A backdoor allows the
cybercriminal unimpeded access to the infected computer, allowing the criminal to
bypass the normal authentication processes. A backdoor usually provides the hacker
with administrative access to the infected computer. A backdoor is the equivalent of the
criminal having their own user ID and password to gain access to the system whenever
they want.
It’s a common misconception that hackers are geniuses that dropped out of MIT
and are working on supercomputers in their basements. Although there are a number
of hackers who can bypass an organization’s firewalls and other cybersecurity defenses
to gain access to a system, a majority of hacking attacks are done using social
engineering. An organization’s employees are the weakest link in the organization’s
cybersecurity defenses. The hackers know this and attack the employees with phishing
and vishing attacks, or by friending them on social media websites and then sending
them infected links.
A common method for infecting mobile devices with malware is through a charging
station. Cybercriminals load malware onto charging stations located in public places
like airports, malls, sports arenas, and subways. Unsuspecting users whose batteries are
running low use their USB ports to connect to the charging stations to recharge
batteries in their devices. While they are connected, the data on their devices is copied,
and malware is installed. Employees should be required to use USB condoms whenever
recharging a company mobile device at a non-company location. The USB condom
blocks the data ports and prevents any transfer of data while allowing the battery to be
recharged. An alternative is to only charge devices through a standard electrical outlet.
42 https://www.cdkpay.com/fraud-risk-management/credit-card-fraud-detection/
43 http://www.nasdaq.com/article/credit-card-fraud-and-id-theft-statistics-cm520388
appropriate logo on the card, instead of using a blank white card to make a purchase.
Some larger credit card fraud rings actually order credit and debit card blanks that are
printed with the appropriate logos and contain all the security features of the cards
issued by the banks.
devices, and gas pumps, just to name a few. When customers use credit or debit cards
on these payment systems, the information is copied for the criminals. The criminals
often put cameras up around ATMs and other places cards are run to record personal
identification numbers (PINs) and billing ZIP codes to make it easier to use the cards
they create with the skimmed information. Another common method for gathering
credit and debit card information is to stand behind someone in line at a retail store and
use a cell phone to record the information on a card when the person in front of them in
line presents it to the clerk.
Once the criminal has obtained the information on the credit or debit card, they
can then use a credit card duplicating device to create a copy of the card. I was able to
purchase a copy of a credit card duplicator on the Internet for $150 and was able to
purchase blank cards for a few cents each. The chip cards cost a little more, around 20
cents when purchased in bulk. I did a test run and copied one of my own credit cards. I
then went to a local retail store and made a purchase using a plain white card by swiping
the card through the magnetic reader at the retailer. The cashier never asked to see the
card nor did she ask for identification. I was able to make a purchase exceeding $250
with a plain white card and a copied magnetic strip. Based on the ease of this
transaction, I am sure you can see why criminals find this to be a very profitable
endeavor.
Investment Frauds
When discussing investment scams, the first one to come to mind is churning. Investment
advisors buy and sell securities in a customer’s account not to benefit the
customer but to generate commissions for the investment advisors. Selling inappropriate
investments to generate commissions is another type of investment fraud. In one
case the investment advisor was visiting elder care centers. He convinced a 94-year-old
victim to cash out her certificates of deposit and purchase a 40-year annuity with an 18
percent front load and a 12 percent early termination fee. The victim would have had to
live to be 134 to break even on this investment.
Pump and dumps are another type of investment fraud. The criminals purchase a
non-performing stock, usually a penny stock, and then hype the stock on the Internet or
at investor luncheons. As the victims buy in, the criminals cash out and take their
profits. One version of the pump and dump is done by leaving messages on voice mail
that sound like the caller got the wrong number. For example, “Bill, don’t tell anyone,
but the law firm I’m working with is working on a deal for Google to purchase XYZ
Corp, buy the stock now if you want to make a bundle.”
Ponzi Schemes
A Ponzi scheme is an investment fraud in which the fraudster promises high financial
returns or dividends that are not available through traditional investments. Instead of
investing the victims’ funds, the fraudster pays returns to the initial investors using the
principal amounts provided by subsequent investors. The scheme generally falls apart
when the fraudster flees with all of the proceeds, or when a sufficient number of new
investors cannot be found to allow the continued payment of investment returns.
Pyramid Schemes
Pyramid schemes, which are also called franchise fraud, are marketing and investment
frauds in which a victim is offered a distributorship or franchise to market a particular
product or service. The real profit is earned not by the sale of the product or service, but
by the sale of new distributorships or signing up new members. The emphasis in a
pyramid scheme is on selling franchises and recruiting new members, rather than on
selling the product. Eventually this leads to a point where the supply of potential
investors is exhausted and the pyramid collapses. At the heart of each pyramid scheme
is the claim that new participants can recoup their original investments by inducing two
or more new prospects to make the same investment. Promoters fail to tell prospective
participants that this is mathematically impossible for everyone to do, as eventually you
run out of new victims to con.
Advance-Fee Scams
An advance-fee scam is a confidence trick in which the victim is persuaded to advance
sums of money in the hope of realizing a future benefit. Current versions of this scam
used against consumers include getting advance payments from victims for credit
repair, employment opportunities, mortgage modification, debt consolidation, and for
obtaining a loan. For businesses, the fraudsters promise business loans and credit lines,
contacts with foreign buyers, introductions to decision makers, inside information on
projects and bids, etc. Fraudsters often use official-sounding corporate names to help
gain the confidence of the victim. Once the fees are paid, the fraudster absconds with
the money and no services are performed.
Bankruptcy Fraud
One classic example of bankruptcy fraud is the “bust out.” This scheme starts with the
criminals creating a corporation and a great sales pitch. The criminals bring in investors
and secure loans for the new business. The criminals use all the funds to pay themselves,
and to pay for lavish business trips for the founders. When they have pulled all of
the money out of the company, they file for bankruptcy, leaving the creditors and equity
investors with the losses.
It is also common for individuals and businesses that are going through a legitimate
bankruptcy to commit bankruptcy fraud. This can be done by hiding assets from
creditors and the bankruptcy court. I’ve always found it interesting that a bankruptcy
debtor can remember every debt they have, even that they borrowed two dollars from a
college friend to buy a beer, but they can’t remember what happened to their assets. In
one case an individual claimed to have misplaced $500,000 in gold coins that were
collateral for a loan and couldn’t find them. The amazing thing was she never reported
the loss to her insurance company or filed a claim for the missing coins.
In addition to transferring assets, another scam used to protect assets is to file
fraudulent liens on the property. Related entities and shell companies can also be used
to file fraudulent liens. This is commonly done with real property and registered
personal property. The fraudulent liens are filed in the name of friends or relatives, but
no loan took place. The liens are put in place to eliminate any equity in the property.
Obtain proof of a transfer of funds for any liens from friends, related entities, and
relatives.
The bankruptcy courts can be used by criminals to forestall a foreclosure on real
property. This was fairly common after the real estate bust. When a house is in
foreclosure, it is put up for sale at an auction on the courthouse steps. The fraudster
goes to the bankruptcy court to find an individual who is in bankruptcy. This is easy to
do since all bankruptcy court records are a matter of public record. Once they get the
name and case number of the victim, a day or two before the foreclosure sale the
fraudster files a quit claim deed with the county recorder to make the bankruptcy
debtor a one percent owner of the real property. This triggers the automatic stay, and
the property can’t be sold without the permission of the bankruptcy court. The lender
has to schedule a debtor’s hearing with the court. The debtor testifies they know
nothing about the property, do not have and never had an interest in the property, and
also note they never signed the quit claim deed. The creditor then gets to start the
foreclosure over again, and a day or two before the foreclosure sale another quit claim
deed is filed, giving a one percent interest in the property to a different bankruptcy
debtor.
Over the years, identity theft has become a more profitable crime. This is because
in the modern economy, businesses offer goods and services on credit to strangers
based on the data in the buyer’s credit history. With telecommunications and Internet
technology, buyers and sellers do not need to meet in person to consummate their
transaction. The Internet has made access to information almost instantaneous.
Increased access to data on the Internet has provided identity thieves easier access to an
individual’s personal information from both inside and outside the United States.
Identity thieves can use the Internet as a means to gather an individual’s identification
without ever coming into personal contact with the individual.
Identity theft is broadly defined as the use of one person’s identity or personally
identifying information by another person without his or her permission. Identity theft
is a type of fraud and can be committed against an individual or an organization. Fraud
is defined as making a false statement, omission, or action that someone else relies
upon and based on that reliance gives up something of value. By using false information
to obtain items of value, identity thieves are committing fraud.
Until 1996, identity theft was not recognized as a crime at the state level. Arizona
was the first state in the United States to pass laws against identity theft. Arizona made
taking the identity of another person or entity or knowingly accepting the identity of
another person a class 4 felony.45 Aggravated identity theft of another person or entity is
classified as a class 3 felony.46 Aggravated identity theft includes taking the identity of
three or more persons by purchasing, manufacturing, or possessing any identifying
information or where the economic loss from the identity theft exceeds $3000. Arizona
also identifies trafficking in the identity of another person or entity as a class 2 felony.47
Trafficking in the identity of another person or entity includes any sale, transfer, or
transmission of any personal identifying information to obtain or continue employment
or for any unlawful purpose whether or not an actual loss is suffered by the victim.
Other states have followed Arizona’s lead by adopting laws criminalizing identity theft.
44 18 USC § 1028(a)(7).
45 Arizona Revised Statutes § 13-2008.
46 Arizona Revised Statutes § 13-2009.
47 Arizona Revised Statutes § 13-1010.
Because identity theft is changing by adapting to new technology and thieves are
finding new ways to obtain identifying information and new ways to benefit from its
fraudulent use, state laws have not kept up with the changes in the methods used to
commit identity theft.
Identity theft has become a major problem on both national and international
levels. On May 10, 2006, President Bush issued Executive Order 13402, which
established the Identity Theft Task Force. Seventeen federal agencies and departments were
appointed to create a national strategy to combat identity theft.
To cushion businesses from the effects of identity theft, the Federal Trade
Commission has taken several steps. For example, in 2008, the Federal Trade Commission
adopted the “Red Flags Rule,” which requires organizations identified in the rule to
develop and implement written identity theft protection programs. The Red Flags Rule
applies to all businesses that allow a consumer to pay for a product or service after the
product has been received or the service is performed.
victim’s name and Social Security number are listed on the shell company and bank
account, that person becomes the prime suspect for law enforcement investigating the
stolen funds. Usually, the victims of criminal identity theft don’t know they have a
problem until law enforcement officers show up at their home or place of business with
an arrest warrant and a search warrant. This puts you in a difficult position because you
get to do a perp walk and spend time being interrogated by law enforcement, who
usually don’t believe it when you tell them you are innocent. You have to give them
proof you didn’t do it.
As you can see, criminal identity theft can cause a person serious embarrassment
and cost a significant amount in legal fees to clear their name. Unfortunately, using a
credit monitoring service usually won’t alert you that you are a victim of criminal
identity theft. In addition to reviewing your credit report on a regular basis, it is also
necessary to run a background check on yourself to find out if you are listed as an
owner or statutory agent on any businesses you don’t recognize, and to find out if there
are any warrants out for you or if any litigation has been started listing you as a plaintiff.
Running a regular Google or other search on your name can also be helpful in detecting
criminal identity theft. Unfortunately, just like with financial identity theft, there is no
way to guarantee you won’t be a victim, so you need to take proactive steps to protect
your personal information and carry identity theft insurance to cover the expenses of
clearing your name.
STUDY QUESTION
12. Which of the following types of fraud involves opening bank accounts using false
information?
a. Cash drawer loans
b. Skimming
c. Criminal identity theft
d. Refund fraud
Sockpuppets
Is your personal information safe on your social media sites? Unfortunately, many
people will accept any friend requests they receive, putting them at greater risk for
identity theft. In the increasingly active world of identity theft, criminals have to find
ways to gather information on their victims. One common way of gathering information
is to set up fake social media accounts, known as sockpuppets, and use the fake
accounts to “friend” people. Obviously, the criminals don’t want to use their real names
or social media accounts because these would be easy to trace in an identity theft
investigation.
The criminals start by getting fake personal information on websites like
fakenamegenerator.com. This website produces a fake name, address, birthdate, phone
number, mother’s maiden name, etc. It also gives you the opportunity to validate the
fake Social Security number you help generate. To further backstop the fake identity,
the criminal is provided with an email address, employment information, height, weight,
blood type, and a credit card number with an expiration date and CVV number.
Once the criminals have the fictitious identity information, they open accounts on
social media websites, dating websites, etc., in order to gather information. They send
out multitudes of friend requests to everyone they can find on the sites. Similar to a
phishing email, they are hoping you will accept their friend request. Once you accept,
they have access to your information and the information of your other friends.
To protect yourself, take a little extra time to look at the profile of the person
sending you a friend request, unless of course you know them already. To spot a
sockpuppet, look for few, if any, postings; few pictures; only one or two employers; no
group membership; one or two schools; one or two addresses; etc. Another giveaway is
few, if any, recommendations. Usually, the criminals don’t take the time to fully develop
the sockpuppet profile. There could be major gaps in their employment history or their
profile shows they have worked for 20+ years in the same entry-level job.
48 http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
49 http://www.nbcnews.com/tech/security/stolen-identity-2-3-million-americans-suffer-medical-id-theft-n311006
In addition to the financial costs, the costs of medical identity theft could be life-
threatening. Cases of individuals being administered drugs that they were allergic to
and even being given the wrong blood type in emergency situations have resulted in
death because the wrong information was entered into the computer when the identity
thief used their medical ID and the hospital relied on the medical records in the
computer. In another case, a woman used a stolen medical ID to cover the costs of the
birth of her child. The identity thief’s drug test came back as positive for illegal drugs,
so child protective services removed the victim’s children from her care because she
was a drug addict. The victim then had to go to court to get her children back.
STUDY QUESTION
13. A situation in which a fraudster uses the professional license of another person is
considered:
a. Business identity theft
b. Financial identity theft
c. Professional identity theft
d. Employment identity theft
opposite direction. Small and midsized businesses reduce revenue and inflate expenses
in order to make the company look less profitable, thereby reducing the tax burden on
the business owners. This is particularly common for sole proprietorships and pass-
through entities. The ultimate goal is to reduce the income and sales taxes paid by the
owners to allow them to keep more money in their pockets. Business owners do this by
skimming revenue out of the business. They might even offer customers discounts for
paying in cash so they don’t have to record the transaction on the books or deposit the
funds in a bank, which leaves a paper trail. Business owners can also record personal
expenses as business expenses to reduce the taxable income of the business. The new
big-screen TV for the house is recorded as a computer monitor for the business, or the
family vacation is recorded as a business trip.
Not recording sales in the accounting system also allows the business owner to
avoid paying sales and use taxes on those transactions. Business owners can also
misuse their sales tax exemption certificates, which allow the business to avoid paying
sales taxes on items the business purchases for resale in the business, to make personal
purchases. The most common place I have seen this done is in restaurants, where the
owners purchase the family groceries at a restaurant supply store and use the
business’s sales tax exemption certificate to avoid paying sales taxes on those purchases.
Many businesses make purchases on the Internet or from out of state and fail to report
and pay the use taxes on those transactions. The recent Wayfair decision by the
Supreme Court that overturned the previous Quill decision will probably make it harder
to avoid paying sales and use taxes on Internet and out-of-state purchases.
Business owners have been known to borrow money from payroll withholdings,
including an employee’s payroll tax withholdings, 401(k) withholdings, or other items
withheld from the employee’s paycheck. These monies are often used to fund
operations or to pay the owners. Businesses sometimes misclassify employees as
independent contractors in order to avoid paying the business’s half of the employees’ payroll
taxes.
Additionally, failing to report tips, or under-reporting them, is another type of tax
fraud. Employees believe it is harmless and that they have a low chance of getting
caught. Historically that may have been correct, but with data analytics software, it is
possible to compare tips by employee that were paid by credit card or check to
transactions paid in cash. If there is a material discrepancy, the taxing authority can
assess taxes on those tips as under-reported income. The IRS can also assess the
business for failure to collect and remit payroll taxes on the tips.
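The per-employee comparison described above can be sketched as follows. This is an added example, not part of the course text: it compares each employee's tip rate on card and check sales with the tip rate reported on cash sales and flags large gaps. The record layout, the constructed sample transactions, and the thresholds (`min_ratio`, `min_cash_sales`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: (employee, payment_method, sale_amount, tip_amount).
# Card and check tips leave a paper trail; cash tips are self-reported.
SAMPLE_TRANSACTIONS = [
    ("alice", "card", 1200.00, 216.00),
    ("alice", "cash", 800.00, 136.00),
    ("bob", "card", 1500.00, 285.00),
    ("bob", "check", 100.00, 15.00),
    ("bob", "cash", 1000.00, 40.00),
    ("carol", "card", 900.00, 153.00),
    ("carol", "cash", 50.00, 0.00),
    ("dave", "cash", 700.00, 20.00),
]

TRACEABLE_METHODS = {"card", "check"}


@dataclass
class TipFinding:
    employee: str
    traceable_rate: float        # tips / sales on card and check payments
    cash_rate: float             # reported tips / sales on cash payments
    estimated_unreported: float  # cash tips expected at the traceable rate, minus reported


def totals_by_employee(transactions):
    """Sum sales and tips per employee, split into traceable and cash buckets."""
    totals = defaultdict(lambda: {"traceable": [0.0, 0.0], "cash": [0.0, 0.0]})
    for employee, method, sale, tip in transactions:
        if method in TRACEABLE_METHODS:
            bucket = "traceable"
        elif method == "cash":
            bucket = "cash"
        else:
            raise ValueError(f"unknown payment method: {method!r}")
        totals[employee][bucket][0] += sale
        totals[employee][bucket][1] += tip
    return totals


def flag_underreported_tips(transactions, min_ratio=0.5, min_cash_sales=200.0):
    """Flag employees whose cash tip rate is below min_ratio times their own
    card/check tip rate. Returns (findings, skipped); skipped lists employees
    that could not be evaluated, so they are not mistaken for clean results."""
    findings, skipped = [], []
    for employee, t in sorted(totals_by_employee(transactions).items()):
        trace_sales, trace_tips = t["traceable"]
        cash_sales, cash_tips = t["cash"]
        # A baseline rate and a meaningful volume of cash sales are both needed.
        if trace_sales <= 0 or trace_tips <= 0 or cash_sales < min_cash_sales:
            skipped.append(employee)
            continue
        trace_rate = trace_tips / trace_sales
        cash_rate = cash_tips / cash_sales
        if cash_rate < min_ratio * trace_rate:
            expected_cash_tips = trace_rate * cash_sales
            findings.append(TipFinding(
                employee,
                round(trace_rate, 4),
                round(cash_rate, 4),
                round(expected_cash_tips - cash_tips, 2),
            ))
    return findings, skipped


if __name__ == "__main__":
    flagged, not_evaluated = flag_underreported_tips(SAMPLE_TRANSACTIONS)
    for f in flagged:
        print(f"{f.employee}: card/check {f.traceable_rate:.1%}, cash {f.cash_rate:.1%}, "
              f"estimated unreported {f.estimated_unreported:.2f}")
    print("not evaluated:", ", ".join(not_evaluated))
```

A flag here is a lead for follow-up, not proof of under-reporting; what counts as a material discrepancy is a judgment the reviewer sets through the thresholds.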
STUDY QUESTION
14. Which of the following types of identity theft usually involves tax refunds?
a. Stolen identity refund fraud
b. Medical identity theft
c. Government benefits fraud
d. Identity cloning
50 http://quickbooks.intuit.com/r/trends-stats/fraud-statistics-every-business-should-know/
Charity Frauds
Fraudsters set up fake websites for nonexistent charities and then spam for victims.
Stories of victims of the California wildfires, Hurricane Katrina, and other natural
disasters are posted on the website to get people to donate to help the victims. Once the
money is received, the fraudsters take the money and none of it ever gets to the victims
of the natural disaster.
Employment Fraud
In this type of fraud, the fraudster uses the name and Social Security number of the
victim to obtain employment. This is often done because the perpetrator of the fraud is
in the country illegally and needs legitimate documentation to obtain employment. In
1986, Congress enacted the Immigration Reform and Control Act of 1986. The act
prohibits employers from hiring individuals who are in the country illegally and
requires that employers verify individuals’ identity and eligibility to work in the United
States prior to presenting an employment offer.51
Resume Fraud
Fraudsters are able to get away with resume fraud because many organizations do not
do a thorough background check on new hires. Fraudsters who are committing resume
fraud list unearned college degrees and professional certifications on their resume to
make them look better to the prospective employer. They might also list exaggerated
titles or positions they never held. I asked one individual I caught doing this why he did
it, and he replied, “Nobody would be willing to pay me what I want to make if I told the
truth.”
The e-mail will indicate that a formal offer can only be made once the paperwork is filled
out and the right to work in the United States has been verified. The fraudster attaches
a link to a W-4 and I-9 form, and sometimes a benefit form requesting names and Social
Security numbers of the victim’s spouse and dependents, to the e-mail asking the victim
to complete the forms online. The government forms provide a sense of legitimacy, so
the victim completes and returns the forms. The forms provide the fraudster with the
information necessary to steal the victim’s identity.
Long-Lost Relative
In this scam, the fraudsters pose as a barrister from England or another country and
claim the victim is the sole surviving relative of their deceased client. They will tell the
victim that he or she is inheriting a large sum of money as the only surviving heir of a
rich relative. Usually the claim that follows is that the estate taxes need to be paid
before the victim can receive his or her large inheritance. Once the victim sends money
or bank account information, the victim’s funds are promptly stolen from the account.
52 http://www.bcbsm.com/health-care-fraud/fraud-statistics.html
53 https://oig.hhs.gov/fraud/strike-force/
58 https://www.treasury.gov/resource-center/terrorist-illicit-finance/Documents/National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf
59 http://www.irs.gov/businesses/small/article/0,,id=154555,00.html
an account enables the respondent bank’s clients within the country where the bank is
registered to write checks that are drawn directly on the respondent bank’s
correspondent account in the United States, thus disguising the source of the funds.
Shell banks are usually high-risk banks that exist without any physical presence in
any legal jurisdiction. Often shell banks only exist on the Internet. Shell banks will have
a legal banking license in a specific country, but they are unlikely to have staff and may
be operated as part of another business or operated out of an individual’s personal
residence. Shell banks are not subjected to any scrutiny by local banking regulators in
the country they are licensed in. Shell banks should not be considered to be a branch
bank without a physical presence in the country.
Offshore banks are different than shell banks, although the characterization is not
mutually exclusive. An offshore banking license prevents the bank from transacting
banking activities with any citizens of the licensing country or transacting business
using the local currency. Offshore banking operations solely exist to conduct
international financial transactions.
STUDY QUESTION
15. Which of the following is one of the three steps of money laundering?
a. Layering
b. Opportunity
c. Conversion
d. Rationalization
¶ 814 CORRUPTION
Corruption occurs when individuals use their position in their company, with a not-for-
profit, or with a governmental entity for their own personal gain. Anyone in a position of
power can be tempted to cross the line. As the saying goes, “Power corrupts, and
absolute power corrupts absolutely.” Corruption involves unethical behavior by those in
positions of power. It can be as simple as dishonesty or it can be an elaborate fraud
scheme. The basic tenet of corruption is that the individual is doing it for personal gain.
Corruption has been uncovered in politics, sports, academics, unions, governments, not-
for-profits, and businesses. According to the ACFE 2018 Report, the average cost of a
corruption scheme is around $250,000. You are also more likely to find corruption in
larger organizations, those with over 100 employees, than you are to find corruption in
smaller organizations. However, you shouldn’t assume that small organizations are free
from the risk of corruption. Instead, they just have a lower risk. Tips play a big role in
discovering corruption, with tips resulting in the detection of 50 percent of all corruption
schemes.
There are many forms of corruption. Petty corruption involves the exchange of
small gifts or the use of personal property or connections in exchange for favors, or for
speedy approvals from governments. Bribery is the paying or receiving of something of
value (it doesn’t have to be money) in exchange for preferential treatment or special
favors. Kickbacks and bid rigging are two examples of bribery. An illegal gratuity
occurs when someone provides a gift, or something of value, after favorable actions
have been completed. Unlike a bribe, an illegal gratuity isn’t usually arranged in
advance of the action, and you don’t have to prove an intent to influence the person who
received the gift.
Extortion and blackmail are other examples of corrupt behavior. This occurs when
someone is threatened with actions, such as violence against themselves or their loved
ones, or is threatened with the release or publication of information that could harm the
person’s reputation. Basically, if you don’t want something bad to happen to you or
someone you love, you better do as you are told.
Abuse of discretion occurs when an individual misuses their power or authority for
personal gain; for example, a board member who favors a vendor owned by a friend and
presses the company to select that vendor. Other abuses of authority include favoritism,
cronyism, and nepotism when people in positions of authority provide special treatment
or favors to friends, associates, or family members.
One type of corruption that is often overlooked is an undisclosed conflict of
interest. A conflict of interest impairs an individual’s ability to make a fair and impartial
decision. These conflicts usually result in the person acting to benefit themselves
instead of meeting their fiduciary responsibilities to the organization or individuals they
are representing.
Graft is the use of a political office, either an elected or appointed position, for
personal gain. Taking a position on a political issue in exchange for campaign
contributions is one example of graft. Accepting an all-expenses-paid vacation in exchange for
voting a certain way is another example of graft.
Bid rigging is another type of corruption. Government entities and many large
companies put projects and product requests out for bid. The contract is supposed to go
to the company that provides the lowest price or bid while meeting the contract
requirements. Bid rigging occurs when somebody at the purchasing organization
provides information to one of the bidders to give them an inside track. This is done for
personal gain, and kickbacks are usually involved. With the inside information, the
criminals can adjust their bid to make sure they come in as the lowest bidder, usually
just barely beating the next lowest bid.
For corruption to occur, someone has to have the power to make or influence a
decision. They have to exercise that power to provide preferential treatment based on
their relationship, or on receiving something of value, and there has to be a beneficiary
of that preference.
Many people consider corruption to include a monetary payment, but money isn’t
the only thing that can be used to influence people. Debt forgiveness, loans, sexual
favors, access to decision makers, keeping secrets, and the free or discounted use of
assets are all examples of methods of payments used in corruption schemes.
STUDY QUESTION
16. According to the 2018 ACFE Report, which of the following is the most common
way to conceal a fraud?
a. Creating fraudulent transactions in the accounting system
b. Creating fraudulent journal entries
c. Destroying physical documents
d. Creating fraudulent physical documents
CPE NOTE: When you have completed your study and review of chapter 8, which
comprises Module 3, you may wish to take the Final Exam for this Module. Go to
cchcpelink.com/printcpe to take this Final Exam online.
3. a. Incorrect. ASU 2018-06 did not make codification improvements to this ASC
Topic 280. This ASC topic relates to segment reporting.
b. Incorrect. ASU 2018-06 did not make codification improvements to this ASC Topic.
This ASC topic relates to revenue from contracts with customers. It was created
through the issuance of ASU 2014-09.
c. Incorrect. ASU 2018-06 did not make codification improvements to this ASC Topic.
This ASC topic relates to leases. It was created through the issuance of ASU 2016-02.
d. Correct. ASU 2018-06 did make codification improvements to this ASC
Topic. This ASC topic relates to financial services specifically around depository
and lending. The amendments are effective upon issuance.
4. a. Correct. In 2013, the FASB issued Proposed ASU for a new topic related to
Insurance Contracts (Topic 834). However, the feedback supported making
targeted improvements to the existing insurance accounting model instead.
b. Incorrect. ASU 2018-07 included improvements to nonemployee share-based
payment accounting. Early adoption is permitted, but no earlier than an entity’s adoption
date of Topic 606.
5. a. Incorrect. ASU 2018-13 did not impact disclosure requirements with respect to
leases. Instead, ASU 2016-02 was the ASU that significantly changed the accounting and
disclosure requirements with respect to leases.
b. Incorrect. ASU 2018-13 did not impact disclosure requirements with respect to
revenue recognition. Instead, ASU 2014-09 was the ASU that significantly changed the
accounting and disclosure requirements with respect to revenue recognition.
c. Correct. This ASU was issued in August 2018 as a part of the Disclosure
Framework Project. It amends disclosure requirements using the concepts in
Chapter 8 and also removes and adds various disclosures.
d. Incorrect. ASU 2018-13 did not impact disclosure requirements with respect to
defined benefit plans. Instead, ASU 2018-14 made changes to the disclosure
requirements with respect to defined benefit plans.
6. a. Incorrect. ASU 2018-17 did not include codification improvements to the
accounting for credit losses on financial instruments. Instead, this ASU included targeted
improvements to related party guidance for variable interest entities.
b. Incorrect. ASU 2018-18 did not include codification improvements to the accounting
for credit losses on financial instruments. Instead, this ASU clarified the Interaction
between Topic 808 and Topic 606.
c. Correct. This ASU was issued in November 2018 and included amendments
to Topic 326. This Topic was created through the issuance of ASU 2016-13.
Specifically, this ASU established the CECL model which replaces the incurred
loss model.
d. Incorrect. ASU 2018-17 did not include codification improvements to the accounting
for credit losses on financial instruments. Instead, this ASU prescribed narrow-scope
improvements for lessors.
2. a. Correct. Financial assets measured at amortized costs are within the scope
of ASC 326-20. Also included in the scope are off-balance-sheet credit exposures
not accounted for as insurance.
b. Incorrect. Available-for-sale debt securities are not included in the scope of ASC
326-20. Instead, these are within the scope of ASC 326-30.
c. Incorrect. Loans made to participants by defined contribution employee benefit
plans are not included in the scope of ASC 326-20. Another item not included in the
scope of ASC 326-20 is promises to give (pledges receivable) of a not-for-profit
entity.
d. Incorrect. Policy loan receivables of an insurance entity are not included in the
scope of ASC 326-20. Additional items not included in the scope of ASC 326-20 include
loans and receivables between entities under common control.
4. a. Incorrect. Entities are not allowed a practical expedient with respect to
measuring credit losses for purchased financial assets with credit deterioration.
b. Incorrect. Entities are not allowed a practical expedient with respect to measuring
credit losses for available-for-sale debt securities.
c. Correct. For collateral-dependent financial assets, an entity is permitted to
estimate credit losses on certain collateral-dependent financial assets as the
difference between the collateral’s fair value and the amortized cost basis of the
financial asset. However, entities are only allowed to use this practical expedient
if repayment is expected to be provided substantially through the operation or
sale of the collateral when the borrower is experiencing financial difficulty based
on the entity’s assessment as of the reporting date.
d. Incorrect. Entities are not allowed a practical expedient with respect to measuring
credit losses for held-to-maturity securities.
6. a. Incorrect. Financing receivables are not within the scope of ASC 326-30. Instead,
these instruments are within the scope of ASC 326-20.
b. Incorrect. Reinsurance recoverables are not within the scope of ASC 326-30.
Instead, these instruments are within the scope of ASC 326-20.
c. Incorrect. Receivables that relate to repurchase agreements are not within the scope
of ASC 326-30. Instead, these instruments are within the scope of ASC 326-20.
d. Correct. The scope of the new amendments outlined within subtopic 30 is
applicable to all debt securities that are classified as available-for-sale securities
including loans that meet this definition. An available-for-sale security is a type
of investment that is not classified as either a trading security or as a held-to-
maturity security.
2. a. Incorrect. This is one of the five key areas identified that were impacted by this
ASU. An additional area identified is the operating measure information provided.
b. Correct. The reporting of income is not one of the five key areas identified that
were impacted by this ASU. Instead, the reporting of expenses is one of the key
areas noted.
c. Incorrect. This is one of the five key areas identified that were impacted by this
ASU. The FASB’s Not-for-Profit Advisory Committee (NAC) and other stakeholders
indicated that existing standards for financial statements of not-for-profits are sound but
could be improved to provide more useful information to donors, grantors, creditors,
and other users of financial statements.
d. Incorrect. This is one of the five key areas identified that were impacted by this
ASU. An additional area noted is the reporting of expenses.
3. a. Correct. FASB 117 was issued in 1993; the current not-for-profit
organization reporting requirements came from that guidance.
b. Incorrect. FASB 117 was issued in a year other than 1999.
c. Incorrect. Although the FASB started a project to review FASB 117 in 2011, the
guidance was issued prior to that year.
d. Incorrect. FASB 117 was issued well before ASU 2016-14 was issued in 2016.
2. a. Incorrect. A matter resulting from the audit of financial statements that has been
mitigated by management is not part of the definition of a CAM.
b. Incorrect. Although the words appear close, the standard indicates that a matter
that includes certain audit committee communications is not a CAM.
c. Correct. According to the standard, a CAM is defined as any matter arising
from the audit of the financial statements that has been communicated or was
required to be communicated to the audit committee; relates to accounts or
disclosures that are material to the financial statements; and involved especially
challenging, subjective, or complex auditor judgment.
ANSWERS TO STUDY QUESTIONS - Module 2 - Chapter 4 171
d. Incorrect. A matter identified prior to the audit of the financial statement is not
considered part of the definition of a CAM.
3. a. Incorrect. The considerations for the first criterion of communication with the
audit committee do not include significant management discussions identified by the
auditor.
b. Correct. The considerations are: significant risks identified by the auditor;
certain matters regarding the company’s accounting policies, practices, and
estimates; significant unusual transactions; certain matters regarding the
auditor’s evaluation of the company’s relationships and transactions with related
parties; and other matters arising from the audit that are significant to the
oversight of the company’s financial reporting process.
c. Incorrect. Relationships with board members are not one of the considerations of the
criteria related to communication with the audit committee.
d. Incorrect. Considerations related to the company’s cyber risk management process
are not relevant to communication with the audit committee.
4. a. Correct. The standard lists six considerations: (1) the auditor’s assessment
of the risks of material misstatement, including significant risks; (2) the degree
of auditor judgment related to areas in the financial statements that involved the
application of significant judgment or estimation by management, including
estimates with significant measurement uncertainty; (3) the nature and timing of
significant unusual transactions and the extent of audit effort and judgment
related to these transactions; (4) the degree of auditor subjectivity in applying
audit procedures to address the matter or in evaluating the results of these
procedures; (5) the nature and extent of audit effort required to address the
matter, including the extent of specialized skill or knowledge needed or the
nature of consultations outside the engagement team regarding the matter; and
(6) the nature of audit evidence obtained regarding the matter.
b. Incorrect. The extent of audit effort related to normal transactions is not a
consideration related to matters that involved especially challenging, subjective, or complex
auditor judgment.
c. Incorrect. The auditor’s degree of objectivity is not among the considerations
relevant to the third criterion.
d. Incorrect. The time period evaluated is not among the six considerations listed in
the standard.
5. a. Correct. According to the standard, the disclosure requirements include:
describe the CAM, describe the principal considerations that led the auditor to
determine the matter is a CAM, describe how the CAM was included in the audit,
and refer to the relevant financial statement accounts or disclosures that related
to the CAM.
b. Incorrect. Identifying the person responsible for the CAM is not one of the CAM
disclosure requirements according to the standard.
c. Incorrect. The disclosure requirements do not require reference to the relevant
financial statement accounts or disclosures that do not relate to the CAM.
d. Incorrect. There is no requirement to reference who is responsible for mitigating
the CAM.
2. a. Incorrect. A SOC 2 report addresses more than simply the design of controls
surrounding the security, viability, processing integrity, confidentiality and privacy of
services. As such, this is not the correct answer.
b. Incorrect. A public-facing document that gives a high-level overview of information
in the SOC 2 report is called a SOC 3 report.
c. Correct. A SOC 1 Type II report addresses both the design and operating
effectiveness of controls over financial reporting services.
d. Incorrect. A SOC 2 Type II report addresses the design of and operating
effectiveness of controls around the security, availability, processing, integrity, confidentiality,
and privacy of services.
6. a. Incorrect. Ethereum is one of the most complex blockchains that have been built.
It is ideal for smart contracts, charters, wills, and fund transfers.
b. Correct. Factom is the platform that is used to minimize volume and
complexity of complicated legal transactions workpapers. Harmony is its first
commercial service product.
c. Incorrect. Ripple was developed before Bitcoin in 2004. It is a global financial
settlement solution between banks and consumers. It enables users to send real-time
international payments across its networks.
d. Incorrect. Hyperledger is an open source blockchain platform. It has a graphic user
interface (GUI) that is user-friendly in building blockchain models for nontechnical
users. It also has a modular architecture.
¶ 10,106
ANSWERS TO STUDY QUESTIONS - Module 2 - Chapter 7 175
3. a. Incorrect. Human resources quality control challenges include, but are not
limited to, engagement team members not being aware of the recent changes under the
standards and requirements of recently effective professional standards not being
appropriately identified.
b. Incorrect. An example of a quality control challenge related to acceptance and
continuance of clients is numerous engagement matters related to the unique nature of
the engagement or the client’s industry and the firm had no prior experience.
c. Incorrect. An example of a quality control challenge related to relevant ethical
requirements is if the firm performed account coding for one of its compilation clients
and approved invoices for payment.
d. Correct. Other quality control challenges related to monitoring include, but
are not limited to, departures from standards not identified and corrected on a
timely basis and the results of monitoring not being appropriately summarized.
3. a. Incorrect. The security thread in a $5 bill glows blue under a black light.
b. Correct. The security thread in a $20 bill is green when viewed with a black
light.
c. Incorrect. A black light will show a yellow security thread in a $50 bill.
d. Incorrect. Pink is the color of a security thread in a $100 bill.
5. a. Correct. Bill and hold frauds involve billing for goods without receiving an
order or shipping anything. If the customer pays the invoice, the company sends
the goods; otherwise, the invoice is reversed or written off. Sometimes the
receivable is offset with a credit memo to avoid a direct write-off.
b. Incorrect. An improper cut-off fraud involves posting transactions in the wrong
period.
c. Incorrect. Fake sales are entered into the accounting system, but invoices are not
sent.
d. Incorrect. Channel stuffing occurs when a business ships more merchandise to a
distributor than it can sell, with a promise to buy back unsold items, while recording the
entire sale as revenue.
6. a. Incorrect. Expensing items and then selling them on the Internet is a way that
employees commit expense reimbursement fraud.
b. Incorrect. Purchasing and canceling extended warranties is a way that employees
commit expense reimbursement fraud.
c. Correct. Entertaining customers is not fraud. Instead, an example of a way an
employee commits expense reimbursement fraud is to expense items and then
sell them on the Internet.
d. Incorrect. Shell companies are a way that employees commit expense
reimbursement fraud.
¶ 10,108
7. a. Incorrect. A bill and hold scheme is a revenue scheme, not a type of inventory
fraud.
b. Incorrect. Lapping is an accounts receivable fraud, not a type of inventory fraud.
c. Incorrect. Cooking the books is financial statement fraud, not a specific type of
inventory fraud.
d. Correct. Short shipping is a type of inventory fraud. This fraud can be
conducted by either management or employees.
10. a. Incorrect. Phishing uses email to obtain personal information or to get you to
download malware by clicking on a link.
b. Correct. Ransomware encrypts the information on your computer. The
criminals then require that the victim pay a ransom in order to obtain the
decryption key and have access to their files.
c. Incorrect. Spoofing hides the true origin of an email or website to make it look
legitimate.
d. Incorrect. Spyware tracks your information; it doesn’t encrypt it.
11. a. Incorrect. There are 407 million credit cards issued in the United States, not
worldwide.
b. Incorrect. There are more than a billion credit cards issued worldwide.
c. Correct. There are approximately 1.5 billion credit cards issued worldwide.
d. Incorrect. There are 1.9 billion debit cards issued worldwide, versus 1.5 billion
credit cards.
12. a. Incorrect. Cash drawer loans involve postdated checks from an employee’s
bank account.
b. Incorrect. Skimming is taking funds before they are entered into the cash register
or accounting system.
c. Correct. Criminal identity theft involves opening bank accounts using false
information. The typical pattern for criminal identity theft is for the criminal to
first misappropriate your Social Security number and personal information.
There are various ways to do this, including data breaches, mail fraud, phishing,
vishing, etc.
ANSWERS TO STUDY QUESTIONS - Module 3 - Chapter 8 179
d. Incorrect. Refund frauds are committed by entering false returns into the cash
register.
13. a. Incorrect. During a typical business identity theft scheme, the fraudsters use
the business name to obtain loans or credit.
b. Incorrect. During a typical financial identity theft scheme, the fraudsters use the
personal information to obtain financial benefits.
d. Incorrect. During a typical employment fraud scheme, the fraudster uses the name
and Social Security number of the victim to obtain employment.
14. a. Correct. Stolen identity refund fraud involves filing false returns to receive
tax refunds.
b. Incorrect. Opportunity is part of the fraud triangle, not one of the three steps of
money laundering.
c. Incorrect. Conversion is an element of fraud, not one of the three steps of money
laundering.
d. Incorrect. Rationalization is part of the fraud triangle, not one of the three steps of
money laundering.
b. Incorrect. Creating fraudulent journal entries is the least likely way to conceal a
fraud.
¶ 10,200 Glossary
AAA: American Accounting Association.
ABV: Accredited in Business Valuation.
Accounting Standard Update (ASU): Issued by the Financial Accounting Standards
Board (FASB) to communicate changes to the FASB codification, including changes to
non-authoritative Securities and Exchange Commission content.
Accounting Standards Codification (ASC): The source of U.S. Generally Accepted
Accounting Principles (GAAP) that is organized and maintained by the Financial
Accounting Standards Board (FASB).
Accounts payable: Amounts due to vendors for products and services received.
Accounts receivable: Amounts due from customers for products or services provided.
ACFE: Association of Certified Fraud Examiners.
ACFEI: American College of Forensic Examiners International.
Ad hoc: For a single or special purpose.
Advance fee fraud: Fraudulently obtaining a fee in advance for services that are never
done.
Amicus curiae: Also known as “Friend of the Court”; a third party who is not directly
involved in the litigation or dispute is allowed to file a brief on behalf of one of the
parties to the litigation.
Amortized cost basis: The amount at which an investment is acquired, adjusted for
accretion, amortization, collection of cash, previous other-than-temporary impairments
recognized in earnings (less any cumulative-effect adjustments), foreign exchange, and
fair value hedge accounting adjustments.
Arbitration: In lieu of litigation, the dispute is heard before a third party that renders a
decision. Arbitrations can be binding or nonbinding.
Auditing Standards Board (ASB): A committee of the American Institute of Certified
Public Accountants (AICPA) that develops, updates, and communicates standards and
guidance for auditing, attestation, and quality control.
Authentication: The process of making a written document admissible as evidence in a
court of law.
Automated controls: Automated controls are controls that are built into the computer
software. Automated controls can be either preventive or detective.
Available-for-sale securities: Investments that are not classified as either trading
securities or as held-to-maturity securities.
Backdoor: A route into a computer that circumvents the user authentication process
and allows hackers open access to the system once it is installed.
Balance sheet: Summarizes a company’s assets, liabilities and shareholders’ equity at a
specific point in time.
Bank reconciliation: The process of matching the balances in an entity’s accounting
records for a cash account to the corresponding information on a bank statement.
Bankruptcy: A legal way to discharge or reorganize debt.
Best evidence rule: Also referred to as the original writing rule. To prove the contents
of a writing, recording, or photograph, the original writing, recording, or photograph
usually must be presented.
Bitcoin: A decentralized cryptocurrency that allows the transfer of digital tokens
without dealing with an intermediary.
Block: A list of transactions recorded onto a ledger over a period of time. It is one of the
three components of blockchain.
Blockchain: A data structure that creates a digital ledger of data that can be shared in a
network of independent third-party participants. It uses cryptography to allow each
participant on any given network to manage the ledger in a secure way without the need
for a central authority.
Board-designated assets: Net assets without donor restrictions that are subject to
self-imposed limits by action of a not-for-profit organization’s governing board.
Board-designated restriction: An action by a not-for-profit organization’s board of
directors to earmark an asset for a specified purpose.
Bookkeeping: The process of recording all of the accounting information for a
business.
Bribery: Illicit payments for information or actions paid to corrupt employees or
officials.
Budget: A forecast of the financial results and financial position of a company for one or
more future periods.
Business calculation: A business calculation is less extensive than a business
valuation and uses an agreed-upon methodology. Business calculations cannot be presented
in court.
Bustout: A preplanned bankruptcy used to misappropriate assets from creditors.
CECL model: The current expected credit losses model for estimating allowances for
credit losses.
CFE: Certified Fraud Examiner.
CFF: Certified in Financial Forensics.
CFIP: Certified Forensic Investigative Professional.
Chaffing: A method for sending hidden messages over the Internet.
Chain: In blockchain, the hash—or the “glue”—that links one block to another,
mathematically joining them together.
Chain of custody: The process for verifying who had care, custody and control of
evidence from the time it is collected until it is submitted to the court.
Chart of accounts: A list of all accounts used in a business.
Check tampering: Altering information on a check.
CIA: Certified Internal Auditor.
Circumstantial evidence: Indirect evidence from which the validity or truth of an
issue can be derived.
Collaborative arrangement: As defined by the guidance in Topic 808, a contractual
arrangement under which two or more parties actively participate in a joint operating
activity and are exposed to significant risks and rewards that depend on the activity’s
commercial success.
Common costs: Costs that are not directly tied to making and selling a product or
service.
Common law: Consists of the usages and customs of a society as interpreted by the
courts; it is also referred to as case law.
Compilation engagement: A procedure whereby an accountant is hired for the
purpose of using his or her professional expertise versus his or her knowledge in the
area of auditing in the overall summarization of a company’s financial details.
Complaint: The plaintiff’s formal written pleading filed with the court expressing a
claim for relief and initiating court action.
Complementary subservice organization control: A subservice organization control
that service organizations rely on to meet the expected control objective.
Computer crime: An illegal act conducted using a computer or electronic device.
Computer forensics: Procedures applied to computers and electronic equipment to
gather evidence that can be used in a court of law.
Computer virus: A computer virus is usually hidden in a computer program and
performs functions such as copying or deleting data files. A computer virus creates
copies of itself that it inserts in data files or other programs.
Computer worms: A type of malware that transmits itself over networks and the
Internet to infect more computers with the malware.
Conflict of interest: Occurs when an employee, manager, or executive has an
undisclosed economic or personal interest in a transaction that adversely affects that person’s
employer.
Continuing professional education (CPE): The means by which people maintain
their knowledge and skills related to their professional lives.
Control activities: Approvals, segregation of duties, reconciliations, reviews,
procedures, etc. that ensure that processes are followed and that the opportunities for errors
or fraud have been minimized.
Control environment: Often referred to as the “Tone at the Top”; the ethical values of
the organization. It relies on the strength of corporate governance.
Control risk: The risk that a control does not prevent or detect a material misstatement
in an account balance.
CPA: Certified Public Accountant.
Credit quality indicator: A statistic about the credit quality of financing receivables.
Credit report: A report maintained by independent organizations containing
information on an individual’s credit history.
CrFA: Certified Forensic Accountant.
Critical audit matters: Matters arising from the audit of the financial statements that
have been communicated or were required to be communicated to the audit committee,
that are related to auditing accounts or disclosures that are material to the financial
statements.
Cross-examination: Questioning of witnesses in court by the other party’s attorney.
Cryptocurrency: A digital currency in which encryption techniques are used to
regulate the generation of units of currency and verify the transfer of funds, operating
independently of a central bank.
Habeas corpus: A writ asking the court to release a prisoner from unlawful
imprisonment.
Hacker: Someone attempting to gain access to a computer for malicious or illegal
purposes.
Hearsay: An out-of-court statement of an individual offered in court to prove the truth of
the issue under litigation.
Horizontal analysis: A technique for analyzing the percentage change in individual
financial statement items from one year to the next.
Hyperledger: An open-source ledger blockchain platform.
Identifying information: Information such as a name, phone number, address or
Social Security number that can be used to identify an individual.
Identity theft: Broadly defined as the use of one person’s identity or personally
identifying information by another person without his or her permission. Identity theft
is a type of fraud and can be committed against an individual or organization.
IIA: Institute of Internal Auditors.
IMA: Institute of Management Accountants.
Impairment: An other-than-temporary decline in value of an asset where the market
value of the asset is lower than the book value of the asset.
Indirect method (cash flow): A method of creating the cash flow statement in which
an entity uses accrual accounting information to present the cash flows from the
operations section on its cash flow statement.
Individual security level: As defined by Accounting Standards Codification Topic 326,
the level and method of aggregation used by a reporting entity to measure realized and
unrealized gains and losses on its debt securities.
Internal controls: A process, effected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting, and compliance.
Interrogation: The process of questioning an individual suspected to be involved in a
crime.
Interrogatories: Questions that are submitted to an opposing party in a lawsuit.
Interview: The informal questioning of an individual.
Judicial precedent: Case law; using a prior court decision to settle a current case with
the same or similar facts.
Jurisdiction: Authority of a court to hear a particular type of case.
Key audit matters: Matters that, in the auditor’s professional judgment, were of most
significance in the audit of the financial statements of the current period.
Kickback: The giving or receiving of anything of value to influence a business decision.
Larceny: Theft.
Liquidity: The degree to which an asset or security can be quickly bought or sold in
the market without affecting the asset’s price.
Litigation: Engaging in legal proceedings, a lawsuit.
Litigation services: According to the AICPA, services that involve pending or potential
formal legal or regulatory proceedings before a trier of fact in conjunction with the
resolution of a dispute between two or more parties.
MAFF: Master Analyst in Financial Forensics.
Mala prohibita: An act or omission that is by statute criminal regardless of intent
(mens rea).
Malware: Software that is placed on computers or cell phones to hijack the computers,
steal data, or encrypt the data for ransom.
Management and general activities: With regard to not-for-profit organizations, supporting
activities that are not directly identifiable with one or more programs, fundraising,
or membership development.
Manual controls: Controls that are done by individuals. Manual controls can
be either preventive or detective.
Means of identification: Any type of information that can identify a particular individual,
such as Social Security numbers, credit card numbers, or the like.
Mediation: Process whereby an impartial third-person assists the parties in reaching a
resolution of the dispute.
Mens rea: A person’s state of mind; intent.
Misappropriation: Obtaining something of value, or avoiding an obligation by deception
or false statements; a type of fraud.
Mitigate: To act to minimize damages.
Money laundering: Taking funds from an illegal source, hiding the source of funds,
and making the funds available for use without legal restrictions or penalties.
Motion in limine: A motion requesting the court to exclude certain evidence from
being presented at trial.
Multichain: An open-source private blockchain platform used by many businesses for
multiple purposes.
NACVA: National Association of Certified Valuation Analysts.
Net worth: The amount by which assets exceed liabilities.
Niche: Denoting or relating to products, services, or interests that appeal to a small,
specialized section of the population.
Node: A point in a network or diagram at which lines or pathways intersect or branch.
Nolo contendere: A plea wherein the defendant agrees not to contest the charges, but
does not admit to, or deny the charges.
Not for profit (NPO): A type of organization that does not earn profits for its owners.
Occupational fraud: Fraud occurring in the workplace or relating to employment.
Parol evidence: Oral evidence.
Pharming: A virus or malicious software is secretly loaded onto the victim’s computer
and hijacks the web browser.
Phishing: A technique used by fraudsters to obtain personal information for purposes
of identity theft. This theft can include sending illegitimate emails asking for personal
information.
Portfolio segment: The level at which an entity develops and documents a systematic
methodology to determine its allowance for credit losses.
Predication of fraud: Circumstances, when taken as a whole, will lead a reasonably
prudent professional to believe a fraud is occurring, or has occurred, or will occur.
Preventive controls: Policies and procedures that are put in place to help prevent
errors or fraud from occurring.
Pro se: Representing oneself in court.
Process level controls: Internal controls designed to provide reasonable assurance
that the entity’s processes are followed, applications are working, and transactions are
properly completed and recorded. Process level controls relate to a single activity.
Professional skepticism: An attitude that includes a questioning mind, being alert to
conditions that may indicate possible misstatement due to error or fraud, and a critical
assessment of audit evidence.
Purchased financial assets with credit deterioration: Acquired individual financial
assets (or acquired groups of financial assets with similar risk characteristics) that as of
the date of acquisition have experienced a more-than-insignificant deterioration in credit
quality since origination, as determined by an acquirer’s assessment.
Pyramid scheme: A scheme in which a buyer or participant is promised a payment for
each additional buyer or participant recruited by that person.
Qui tam suit: Litigation filed by a whistle-blower under the Federal False Claims Act
against a contractor or company on behalf of the federal government.
Ratio analysis: A means of measuring the relationship between two different financial
statement amounts.
Real evidence: Refers to physical objects which may be introduced as evidence at a
legal proceeding.
Reinsurance recoverable: All amounts recoverable from reinsurers for paid and
unpaid claims and claim settlement expenses, including estimated amounts receivable
for unsettled claims, claims incurred but not reported, or policy benefits.
Residuum rule: The rule is that no finding may be supported solely by hearsay
evidence.
Ripple: Blockchain software that is designed for financial and currency transactions.
Risk assessment: An assessment conducted to determine where key controls need to
be in the processes of the organization. Controls should be put in place in high risk
areas, but it is necessary to consider the cost/benefit of each control because excessive
controls can reduce an organization’s efficiency.
Rootkits: Software that modifies the operating system to hide malware from the
computer users. Some rootkits contain code that prevents the malware from being
removed from the computer.
Rules of evidence: The rules governing the admissibility of evidence in court.
Shell companies: Legal business entities created for the purpose of committing fraud.
There is no actual business, just the paperwork.
Skimming: Removal of cash from a victim entity prior to its entry in an accounting
system.
Spoofing: Term used to describe fraudulent e-mail activity in which the sender’s
address or other parts of the e-mail header are altered to appear as though the e-mail
originated from a different source.
Staff Accounting Bulletin (SAB): A summarization of the views of the Securities and
Exchange Commission’s staff regarding how Generally Accepted Accounting Principles
are to be applied.
Statement on Standards for Attestation Engagements (SSAE): Guidance on attestation
engagements that is promulgated by the Accounting Standards Board (ASB) of the
American Institute of Certified Public Accountants (AICPA).
Subpoena: A court order requiring a witness to appear at a specified time and place in
order to testify.
Subpoena duces tecum: A court order to produce specified documents, or other items
for the court.
Subservice organization: An organization utilized by the original service organization
to provide a component of services to the user entity.
System and Organization Controls (SOC): A suite of service offerings CPAs may
provide in connection with system-level controls of a service organization or entity-level
controls of other organizations.
Tax Cuts and Jobs Act of 2017: A congressional revenue act originally introduced in
Congress that amended the Internal Revenue Code of 1986. Major elements of the
changes include reducing tax rates for businesses and individuals, and a personal tax
simplification by increasing the standard deduction and family tax credits but eliminating
personal exemptions and making it less beneficial to itemize deductions.
Tone at the top: A term that is used to define management’s leadership and commitment
toward openness, honesty, integrity, and ethical behavior.
Trojan horse: A malware program that is disguised as something else. Users assume it
is a beneficial program when in fact it is not. Trojan horses are often used to insert
spyware onto computers.
Troubled debt restructuring: A restructuring of a debt constitutes a troubled debt
restructuring if the creditor for economic or legal reasons related to the debtor’s
financial difficulties grants a concession to the debtor that it would not otherwise
consider.
Underwater endowment fund: A donor-restricted endowment fund for which the fair
value of the fund at the reporting date is less than either the original gift amount or the
amount required to be maintained by the donor or by law that extends donor
restrictions.
Venue: The place where the court has jurisdiction and will hear the case.
Vertical analysis: A technique for analyzing the relationships between the items on an
income statement, balance sheet, or statement of cash flows by expressing components
as percentages.
Virtual currency: A currency that only exists in cyberspace. There is no physical or
tangible item to represent the currency.
Whistleblower: An employee who reports illegal or unethical conduct of the employer.
Instructions for purchasing your CPE Tests and accessing them after purchase are
provided on the cchcpelink.com/printcpe website. Please note, manual grading is
no longer available for Top Accounting and Auditing Issues. All answer sheets
must be submitted online for grading and processing.
Evaluation: To help us provide you with the best possible products, please take a
moment to fill out the course Evaluation located after your Final Exam.
1. ASU 2018-02, related to the reclassification of certain tax effects from accumulated
other comprehensive income, is effective for all entities for fiscal years beginning after:
a. December 15, 2017
b. December 15, 2018
c. December 15, 2019
d. December 15, 2020
2. Outdated guidance related to the Office of the Comptroller of the Currency’s
Banking Circular 202 resulted in the issuance of which of the following ASUs?
a. ASU 2018-06
b. ASU 2018-07
c. ASU 2018-01
d. ASU 2018-03
3. The amendments prescribed by ASU 2018-07 include improvements related to:
a. Subsequent measurement of goodwill
b. Fair value measurement disclosures
c. Defined benefit pension plans
d. Nonemployee share-based payment accounting
4. ASU 2018-18 included amendments that clarified the interaction between Topic 808
and which of the following topics?
a. Topic 450
b. Topic 606
c. Topic 842
d. Topic 978
5. Training costs (post-implementation phase) related to a hosting agreement that is a
service contract should be:
a. Expensed as incurred
b. Capitalized separately
c. Capitalized with the hosting costs
d. Not recognized
6. Which of the following is not an indicator of a barrier according to ASU 2018-08?
a. Measurable performance-related barriers
b. The extent to which a stipulation limits discretion by the recipient on the
conduct of an activity
c. The probability of the condition is greater than remote
d. Whether a stipulation is related to the purpose of the agreement
7. ASU 2018-02 was issued due to the passage of which of the following laws?
a. Tax Cuts and Jobs Act
b. Sarbanes-Oxley Act
c. Affordable Care Act
d. Civil Rights Act
8. ASU 2018-11 provides a new practical expedient for lessors to use which transition
approach?
a. Full retrospective
b. Modified retrospective
c. Cumulative effect adjustment
d. Prospective
9. ASU 2018-16 adds which interest rate to the permitted benchmark list?
a. SIFMA
b. LIBOR
c. SOFR
d. UST
10. Which of the following is not a requirement to be within the scope exception in
ASU 2018-17?
a. The reporting entity and the legal entity are under common control.
b. The reporting entity and the legal entity are not under common control of a
public business entity.
c. The legal entity under common control is not a public business entity.
d. The reporting entity directly has a controlling financial interest in the legal
entity.
11. The requirements prescribed by ASU No. 2016-13 are effective for public business
entities for annual periods beginning after:
a. December 15, 2017
b. December 15, 2018
c. December 15, 2019
d. December 15, 2020
12. The amendments within ASU No. 2016-13 require a financial asset (or a group of
financial assets) measured at amortized cost basis to be presented at which of the
following?
a. Net amount expected to be collected
b. Net book value
c. Fair value
d. Fair value less costs to sell
13. Prior to the amendments within ASU No. 2016-13, credit losses on available-for-sale
debt securities are required to be measured and presented as which of the following?
a. Write-downs
b. Valuation allowances
c. Contra-assets
d. Other comprehensive income
14. Which of the following financial instruments are not included in the scope of ASC
326-20?
a. Financial assets measured at amortized cost basis
b. Net investments in leases
c. Off-balance sheet credit exposures
d. Policy loan receivables of an insurance entity
FINAL EXAM QUESTIONS: MODULE 1
15. The FASB provided for two practical expedients as a result of ASU No. 2016-13 for
which of the following types of financial instruments?
a. Financial assets secured by collateral
b. Financial assets measured at fair value through net income
c. Available-for-sale securities
d. Loans made to participants by defined contribution employee benefit plans
16. Which of the following is a required disclosure as it relates to credit quality
information?
a. Management’s method for developing its allowance for credit losses
b. The information that management used in developing its current estimate of
expected credit losses
c. The amortized cost basis by credit quality indicator (public business entities
only)
d. The amortized cost basis of financial assets on nonaccrual status as of the
beginning of the reporting period and the end of the reporting period
17. Which of the following statements is correct with respect to the available-for-sale
debt security impairment model?
a. There is no allowance recognition threshold.
b. The unit of measurement is the individual available-for-sale debt security.
c. There are several acceptable methods for measuring credit losses.
d. The measurement of credit losses is the expected credit loss that reflects the
loss even if that risk is remote.
18. Which of the following disclosures with respect to credit losses on available-for-sale
debt securities is required to be presented in tabular form?
a. Nonaccrual status
b. Available-for-sale debt securities that are in unrealized loss positions
c. Purchased financial assets with credit deterioration
d. Collateral-dependent financial assets
19. Which of the following ASUs included codification improvements to ASC Topic 326
related to areas such as accrued interest and recoveries?
a. ASU No. 2018-15
b. ASU No. 2018-17
c. ASU No. 2019-03
d. ASU No. 2019-04
20. Entities are required to apply the amendments in ASU No. 2016-13 through a
cumulative-effect adjustment to:
a. Retained earnings
b. Net income
c. Other comprehensive income
d. Other assets
21. Current not-for-profit reporting requirements primarily come from which of the
following FASB statements?
a. FASB 112
b. FASB 114
c. FASB 117
d. FASB 123
22. The amendments of ASU 2016-14 are effective for fiscal years beginning after:
a. December 15, 2015
b. December 15, 2016
c. December 15, 2017
d. December 15, 2018
23. In the year of adoption, a(n) ________ paragraph should be included in the
auditor’s report if the adoption results in changes that have a material impact on the
financial statements.
a. Other matter
b. Emphasis of matter
c. Consistency
d. Adoption
24. ASU 2016-14 made key changes in the five areas: (1) reporting of net assets, (2)
liquidity information from NPOs, (3) the statement of cash flows, (4) the operating
measure information provided, and (5) _________.
a. The reporting of expenses
b. The measurement of credit losses
c. Revenue from contracts with customers
d. Derivatives
25. Not-for-profits will continue to provide information about the nature and amounts
of different types of donor-imposed restrictions either by reporting their amounts on the
face of the statement of financial position or ________________.
a. As a supplement to the annual report
b. Within the audit report
c. As a disclosure within the profit and loss statement
d. Including relevant details in the notes to the financial statements
26. Which of the following statements is correct regarding reporting expiration of
restriction of gifts related to long-lived assets?
a. GAAP requires recognition when the asset is acquired and placed in service.
b. GAAP permits recognition of ratable amounts over the asset’s estimated useful
life if that is part of the donor’s restriction.
c. Entities are allowed to choose between the placed-in-service approach or
ratable amounts over the asset’s estimated life.
d. Both A and B
27. Which of the following identifies funds for which the fair value of the fund at the
reporting date is less than either the original gift amount or the amount required to be
maintained by the donor or by law that extends donor restrictions?
a. Impaired funds
b. Underwater endowments
c. Negative carrying value funds
d. Reduced endowments
28. Regarding liquidity information, under ASU 2016-14, a not-for-profit entity is required
to disclose qualitative information on how it manages its liquid resources
available to meet cash needs for general expenditures within ____ year(s) of the balance
sheet date.
a. One
b. Two
c. Three
d. Five
29. Currently, not-for-profits are ____________ a self-defined operating measure on the
statement of activities.
a. Encouraged to have
b. Required to have
c. Allowed to have
d. Prohibited from having
30. Which of the following types of costs would be allocated fully to management and
general (M&G) expenses?
a. CFO
b. CEO
c. IT
d. HR
11. What was the first standard that addressed service organization control reports?
a. SSAE 16
b. SSAE 18
c. SAS 70
d. PCAOB 5
12. What was the primary purpose for the transition from an SSAE 16 to an SSAE 18
report?
a. To address subservice organizations and properly address controls surrounding
information technology
b. To better address controls surrounding internal controls over financial
reporting
c. To enhance the reporting process for service organizations
d. To eliminate the possibility of cybersecurity risks
13. A SOC 2 Type I report addresses:
a. The design of control over financial reporting services
b. Both the design and operating effectiveness of controls over financial reporting
services
c. The design of controls surrounding the security, viability, processing integrity,
confidentiality, and privacy of services
d. The design and operating effectiveness of controls around the security, availability,
processing, integrity, confidentiality, and privacy of services
14. When conducting a SOC 2 engagement, one of the issues the auditor would focus
on is information security. What does security refer to in this context?
a. Security for systems that use electronic information to process, transmit or
transfer, and store information to enable the entity to meet its objectives
b. The physical security of documents
c. The security for individuals who managed IT resources
d. The alarm system for the facility’s entrance and exit doors
15. What is the primary difference between a SOC 2 Type I report and a SOC 2 Type II
report?
a. A Type II report only evaluates the design of the controls.
b. A Type I report only evaluates the design of the controls.
c. A Type II report only evaluates the operating effectiveness of controls.
d. A Type I report only evaluates the operating effectiveness of controls.
16. What is the main difference between a SOC 3 report and a SOC 2 report?
a. A SOC 3 report is intended for reporting of internal controls over financial
reporting.
b. A SOC 3 report only reports on the operating effectiveness of controls.
c. A SOC 3 report is intended for a general audience.
d. A SOC 3 report evaluates internal control over financial reporting design and
operating effectiveness.
FINAL EXAM QUESTIONS: MODULE 2
17. What is the primary purpose for performing a readiness assessment?
a. To ensure management has the processes, policies, and structures in place
that will be evaluated within a SOC engagement
b. To inform management of what will happen in a SOC engagement
c. To obtain assurance that the organization will be able to get a clean SOC
opinion
d. To eliminate the need for a SOC engagement
18. What changes did SSAE 18 make in regard to subservice organizations?
a. Management of the user company must take responsibility for controls in place
at the subservice organization.
b. Management of the service organization must ensure that the controls utilized
by the subservice organization that impact their service to the user organization
are adequate.
c. Subservice organizations are scoped out of SSAE 18.
d. Subservice organizations must obtain their own SOC report separate from
service organizations.
19. What should most appropriately be included in a detailed risk assessment of a
service organization?
a. Facilitation of appropriate risk identification and risk management
b. Identification of all fraud risk within the service organization
c. Identification of all risk that falls outside the responsibility of the service
organization
d. Evaluation of specific information technology controls
20. Which of the following statements is correct with respect to the impacts of SSAE
18 on complementary controls?
a. Complementary controls are considered controls implemented by the subservice
organization as a secondary control for those at the service organization.
b. Complementary controls are not a requirement of the subservice organization;
they are only required by the service organization.
c. The user organization must identify what complementary controls it expects to
be in place.
d. Management and the service auditor must consider the subservice organization
controls in the design of the service organization’s own system and how
the service organization ensures that control objectives were met.
21. Which of the following identifies a data structure that creates a digital ledger of
data that can be shared in a network of independent third-party participants?
a. Cryptobase
b. Ripple
c. Blockchain
d. Node
22. Which of the following identifies the two ingredients to prevent network
corruption?
a. Decentralization and utilization of cryptocurrency
b. Centralization and utilization of cryptocurrency
c. Decentralization and utilization of nodes
d. Centralization and utilization of nodes
23. Blockchain is widely regarded as being born in ______ amid the global financial
crisis.
a. 2005
b. 2008
c. 2010
d. 2014
24. The Ethereum network is considered to be the _______ evolution of blockchain.
a. First
b. Second
c. Third
d. Fourth
25. Which of the following identifies a list of transactions recorded onto a ledger over a
period of time?
a. Blocks
b. Bits
c. Nodes
d. Hashes
26. Which of the following identifies a characteristic of private blockchains?
a. Has large distributed networks that run through a native token.
b. Is open to anyone at any level.
c. Has open-source code maintained by its community.
d. Has closely controlled membership.
27. A public blockchain is used to trade value between _______ things and to derive
more value between _______ parties.
a. Similar, Mistrusting
b. Similar, Trusted
c. Dissimilar, Mistrusting
d. Dissimilar, Trusted
28. Which of the following types of blockchain software specializes in smart contracts?
a. Ripple
b. Factom
c. Ethereum
d. Hyperledger
29. Which of the following identifies an open-source private blockchain platform used
by many businesses for multiple purposes?
a. Hyperledger
b. Multichain
c. Factom
d. Ripple
30. Each of the following identifies a blockchain best practice, except:
a. Simplify your contracts.
b. Use trusted Wi-Fi networks.
c. Hire a reputable blockchain developer.
d. Back up your digital nodes.
31. While there is no formal definition of audit quality, the focus is on __________ of
the audited financial statements.
a. Credibility
b. Materiality
c. Consistency
d. Delivery
32. One of the key elements of audit quality is exercising professional __________ in
all aspects of the audit.
a. Judgment
b. Skepticism
c. Testing
d. Cynicism
33. Auditing versus consulting, client acceptance decisions, and assignment of personnel
are examples of which of the following as it relates to audit quality impacts?
a. Processes and procedures
b. Materiality
c. Root causes of poor audit quality
d. Critical matters
34. Which of the following identifies a quality control element challenge as it relates to
relevant ethical requirements?
a. Leadership emphasizes meeting time budgets.
b. Repeat matters and findings are present.
c. Firm allows engagement partners to deviate from its own policies and
procedures.
d. Impairment of independence is not identified.
35. When a firm is asked to complete an audit engagement in an unreasonable
timeframe, this represents a quality control element challenge related to:
a. Acceptance and continuance of clients
b. Human resources
c. Leadership
d. Relevant ethical requirements
36. In order to strengthen the ____________, firm leadership should align appropriate
culture and mindset and ensure that all staff have sufficient time and resources to solve
engagement issues.
a. Public interest
b. Tone at the top
c. Diversity
d. Monitoring process
37. One strategy to increase audit quality is to offer quality continuing education and
training. In doing this, professionals should most appropriately focus on each of the
following topics, except:
a. Independence and ethics
b. Applying professional judgment and skepticism
c. Time management
d. Firm policies and procedures
38. Which of the following identifies a common audit deficiency related to financial
statement recognition and measurement, presentation, and disclosure?
a. Misclassifications of activities between investing and financing activities
b. Failure to disclose the omission of the statement of cash flows
c. Lack of a written audit program
d. Failure to assess the level of materiality and control risk
39. Which of the following identifies a common audit deficiency related to audit
procedures and documentation?
a. Lack of applicable disclosures related to variable interest entities
b. Missing significant accounting policies
c. Failure to perform or document significant audit areas
d. Cash overdrafts shown as negative assets
40. Which of the following identifies a common deficiency related to SSARS procedures
and documentation related to a review engagement?
a. Failure to include a separate report for departures from GAAP
b. Failure to document significant unusual matters and their disposition
c. Failure to read compiled financial statements for obvious or material errors
d. Failure to obtain an engagement letter
FINAL EXAM QUESTIONS: MODULE 3
1. Which of the following types of cyber fraud is used to hide the origin of an email?
a. Phishing
b. Pharming
c. Whaling
d. Spoofing
2. Which of the following identifies the most common way to pay for stolen credit card
numbers purchased over the Internet?
a. Cash
b. Bitcoin
c. Credit card
d. Check
3. Bid rigging normally falls under which type of corruption?
a. Conflicts of interest
b. Bribery
c. Illegal gratuities
d. Economic extortion
4. Which of the following types of corruption primarily involves the misuse of political
office?
a. Nepotism
b. Graft
c. Bribery
d. Illegal gratuities
5. Which of the following types of corruption payment is most likely to be associated
with economic extortion?
a. Gifts
b. Hospitality
c. Access to decision makers
d. Keeping a secret
6. Counterfeit detection pens are used to detect:
a. Wood-based paper
b. Rag-based paper
c. Hemp-based paper
d. Inferior ink
7. Possession of counterfeit currency is punishable by up to ____ years in jail.
a. 5
b. 10
c. 15
d. 20