TAIBK - 2020 - Top Accounting and Auditing Issues

1
Top Accounting and

Auditing Issues
for 2020 ⏐ CPE Course
Melisa Galasso, CPA

Kelen Camehl, CPA
Diane Edelstein, CPA
Lynn Fountain, CPA, CGMA, CRMA
Salvatore Collemi, CPA
Robert K. Minniti, CPA, CFE, CrFA, CVA,CFF, MAFF, CGMA, PI, DBA
2
Contributors
Contributing Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Melisa Galasso, CPA
Kelen Camehl, CPA
Diane Edelstein, CPA
Lynn Fountain, CPA, CGMA, CRMA
Salvatore Collemi, CPA
Robert K. Minniti CPA, CFE, CrFA, CVA, CFF, MAFF, CGMA, PI, DBA
Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kelen Camehl, CPA
Lorraine Zecca, CPA
Production Coordinator . . . . . . . . . . . . . . Mariela de la Torre; Jennifer Schencker;
Gokiladevi Sashikumar
Production . . . . . . . . . . . . . . . . . . . . . . . . . . Sharon Sofinski; Anbarasu Anbumani
This publication is designed to provide accurate and authoritative information in

regard to the subject matter covered. It is sold with the understanding that the
publisher is not engaged in rendering legal, accounting, or other professional
service. If legal advice or other expert assistance is required, the services of a
competent professional person should be sought.
ISBN: 978-0-8080-5237-1
© 2019 CCH Incorporated and its affiliates. All rights reserved.

2700 Lake Cook Road
Riverwoods, IL 60015
800 344 3734
CCHCPELink.com
No claim is made to original government works; however, within this Product or

Publication, the following are subject to CCH Incorporated’s copyright: (1) the
gathering, compilation, and arrangement of such government materials; (2) the
magnetic translation and digital conversion of data, if applicable; (3) the historical,
statutory and other notes and references; and (4) the commentary and other
materials.
Do not send returns to the above address. If for any reason you are not satisfied
with your book purchase, it can easily be returned within 30 days of shipment.
Please go to support.cch.com/returns to initiate your return. If you require further
assistance with your return, please call: (800) 344-3734 M-F, 8 a.m. – 6 p.m CT.
Printed in the United States of America

3
iii
Introduction
Top Accounting and Auditing Issues for 2020 CPE Course helps CPAs stay abreast of the most
significant new accounting and auditing standards and important projects. It does so by
identifying the events of the past year that have developed into hot issues and reviewing the
opportunities and pitfalls presented by these changes. The topics reviewed in this course
were selected because of their impact on financial reporting and because of the role they play
in understanding the accounting and auditing landscape in the year ahead.
Module 1 of this course reviews top accounting issues.
Chapter 1 covers all of the Accounting Standards Updates (ASUs) issued by the
Financial Accounting Standards Board (FASB) during 2018. It discusses the main provisions
of each standard and who will be impacted by it.
Chapter 2 provides an overview of Accounting Standards Update (ASU) No. 2016-13,
Measurement of Credit Losses on Financial Instruments, issued by the Financial Accounting
Standards Board (FASB) in June 2016. The new standard will apply to nearly all entities, not
just those in the financial services industry, and will change how entities document and
account for credit impairment on their respective financial instruments. This new standard is
effective for public business entities for annual periods beginning after December 15, 2019,
and interim periods therein. As such, this means that calendar-year SEC filers will have to
apply the new requirements starting in first quarter 2020.
Chapter 3 discusses Financial Accounting Standards Board (FASB) Accounting Stan-
dards Update (ASU) 2016-14, Not-for-Profit Entities (Topic 958): Presentation of Financial
Statements of Not-for-Profit Entities, which will be effective for December 31, 2018, year ends.
Module 2 of this course reviews top auditing issues.
Chapter 4 provides an overview of important concepts identified in Auditing Standard
(AS) 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor
Expresses an Unqualified Opinion, as it relates to the development of critical audit matters
Chapter 5 reviews the important aspects of Statement on Standards for Attestation
Engagements No. 18 (SSAE 18). These attestation standards establish requirements and
provide application guidance to auditors for performing and reporting on examination,
review, and agreed-upon procedures engagements, including Service Organization Controls
(SOC) attestations. We will also review the variances between SSAE 16 (the previous
standard) and how and when the application of SSAE 18 requirements is appropriate.
Chapter 6 discusses the basic concepts, lexicon, technology, and potential applications
related to blockchain technology. It is designed to help CPAs, accountants, and practitioners
prepare for future conversations about blockchain with their clients, prospects, colleagues,
peers, and others.
Chapter 7 discusses the current state of audit quality and focuses on what CPA firm
leaders, quality control professionals, and others can do to strengthen both private and
public company audits.
Module 3 of this course provides an overview of fraud schemes and how to recognize
the red flags for detecting fraud.
Chapter 8 concentrates on various types of fraud including occupational frauds affecting
public companies, private companies, not-for-profits, and governmental entities.
Study Questions. Throughout the course you will find Study Questions to help you test
your knowledge, and comments that are vital to understanding a particular strategy or idea.
4
iv
Answers to the Study Questions with feedback on both correct and incorrect responses are
provided in a special section beginning at ¶ 10,100.
Final Exam. This course is divided into three Modules. Take your time and review all
course Modules. When you feel confident that you thoroughly understand the material, turn
to the Final Exam. Complete one or all three Final Exams for continuing professional
education credit.
Go to cchcpelink.com/printcpe to complete your Final Exam online for immediate results.
My Dashboard provides convenient storage for your CPE course Certificates. Further
information is provided in the CPE Final Exam instructions at ¶ 10,300. Please note,
manual grading is no longer available for Top Accounting and Auditing Issues. All
answer sheets must be submitted online for grading and processing.
August 2019
PLEDGE TO QUALITY
Thank you for choosing this CCH® CPELink product. We will continue to produce high
quality products that challenge your intellect and give you the best option for your Continu-
ing Education requirements. Should you have a concern about this or any other Wolters
Kluwer product, please call our Customer Service Department at 1-800-344-3734.
COURSE OBJECTIVES
This course provides an overview of important accounting and auditing developments. At the
completion of this course, the reader will be able to:
• Recognize and apply ASUs issued by FASB in 2018
• Identify who will be impacted and the main provisions of each standard
• Recognize ASU effective dates
• Identify the key provisions of ASU No. 2016-13
• Recognize the credit loss measurement requirements for assets measured at amortized
cost and available-for-sale debt securities
• Identify the incremental financial statement disclosure requirements as a result of ASU
No. 2016-13
• Identify the effective date and transition requirements
• Recognize recent developments affecting entities that are required to apply the amend-
ments in ASU No. 2016-13
• Recognize the effective dates of ASU 2016-14
• Identify the key areas of change in ASU 2016-14
• Differentiate between the two classes of net assets
• Explain how to prepare for the expanded disclosures needed under ASU 2016-14
• Identify key areas with respect to ASU 2016-14 for NPOs
• Describe ASU 2016-14’s new disclosure requirement with respect to liquidity
• Identify the requirements involving investment return
• Recognize which costs should be allocated to management and general expenses and
investment expense
5
v
• Identify the PCAOB definition of a critical audit matter (CAM) and apply that under-
standing to audit issues
• Apply the separate criteria identified by the PCAOB for determining CAM issues
• Identify the PCAOB purpose for identification of CAM issues
• Recognize the appropriate methods for reporting CAMs in the auditor’s report
• List the appropriate documentation requirements for identified CAM issues
• Understand and apply the concepts for proper disclosure of CAM issues
• Recognize appropriate interactions with the audit committee regarding CAMs
• Apply the proper concepts for explanatory concepts of CAMs
• Identify the variances between critical audit matters and key audit matters
• Evaluate, through a case scenario, the considerations for evaluating whether a CAM
applies to a particular company
• Summarize the history of Service Organization Control (SOC) reports
• Describe the transition of the accounting standards from Statement on Auditing
Standards (SAS) 70 to Statement on Standards for Attestation Engagements (SSAE) 16
and now SSAE 18
• Recognize the various types of service and subservice organizations
• Explore procedures to conduct a SOC 1 engagement, develop proper control objec-
tives, and determine specific reporting methods
• Examine the variance and procedural requirements that exist between a SOC 1 Type I
and SOC 1 Type II report
• Explore procedures to conduct and report on a SOC 2 engagement addressing
information security, availability, processing integrity, confidentiality, and privacy of
services
• Examine the variance and procedural requirements that exist between a SOC 2 Type I
and SOC 2 Type II report
• Recognize the requirements for SOC 3 reports
• Recognize the requirements to prepare for a SOC engagement and a readiness
assessment
• Identify specific changes related to monitoring controls at subservice organizations
• Explain the concept of a detailed risk assessment for subservice organizations
• Explain the concept and requirements of complementary controls
• Recognize the need for evidence provided by service organizations
• Describe the evolving world of blockchain technology
• Recognize the impact of blockchain on both the financial reporting process and the
audit approach
• Identify the latest blockchain software being utilized
• Identify realistic solutions regarding the challenges of maintaining a high-level of audit
quality with limited resources
6
vi
• Recognize how to address systemic deficiencies noted in many accounting and audit-
ing practices while at the same time balancing the needs of the public interest,
regulators, and standard-setters
• Recognize how to comply with applicable U.S. and international accounting and
auditing standards, quality control standards, corporate governance and risk manage-
ment practices, and independence and professional ethics rules
• Identify clients’ businesses and the environments in which they operate
• Understand theories as to why people commit fraud
• Recognize the different types of fraud, including occupational fraud, cyber fraud,
financial fraud, tax fraud, and identity theft
• Identify red flags for fraud
• Describe fraud schemes that affect businesses
Additional copies of this course may be downloaded from cchcpelink.com/printcpe.

Printed copies of the course are available for $3.99 by calling 1-800-344-3734 (ask for product
10024493-0007).
7
vii
Contents
MODULE 1: TOP ACCOUNTING ISSUES
1 Overview of ASUs Issued by FASB in 2018
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 101
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 102
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 103
ASU 2018-01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 104
ASU 2018-02 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 105
ASU 2018-03 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 106
ASU 2018-04 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 107
ASU 2018-05 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 108
ASU 2018-06 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 109
ASU 2018-07 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 110
ASU 2018-08 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 111
ASU 2018-09 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 112
ASU 2018-10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 113
ASU 2018-11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 114
ASU 2018-12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 115
ASU 2018-13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 116
ASU 2018-14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 117
ASU 2018-15 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 118
ASU 2018-16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 119
ASU 2018-17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 120
ASU 2018-18 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 121
ASU 2018-19 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 122
ASU 2018-20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 123
2 Credit Losses on Financial Statements
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 201
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 203
Main Provisions of the ASU . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 204
Assets Measured at Amortized Cost . . . . . . . . . . . . . . . . . . . . . ¶ 205
Initial Measurement of Expected Losses . . . . . . . . . . . . . . . . . . . ¶ 206
Subsequent Measurement of Expected Credit Losses . . . . . . . . . ¶ 207
Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 208
Financial Statement Disclosures . . . . . . . . . . . . . . . . . . . . . . . . ¶ 209
Available-for-Sale Debt Securities . . . . . . . . . . . . . . . . . . . . . . . ¶ 210
Subsequent Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 211
Financial Statement Disclosures . . . . . . . . . . . . . . . . . . . . . . . . ¶ 212
Transition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 213
Recent Developments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 214
3 The New NPO Reporting Model
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ......... ¶ 301
Learning Objectives . . . . . . . . . . . . . . . . . . . . . . . . ......... ¶ 302
8
viii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 303
Reporting of Net Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 304
Liquidity Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 305
Statement of Cash Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 306
The Operating Measure Information Provided by Some Not-for-
Profits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 307
Reporting of Expenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 308
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 309
MODULE 2: TOP AUDITING ISSUES
4 Critical Audit Matters
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 401
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 403
Overview: Critical Audit Matters . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 404
Principle-Based Approach to Indentifying CAM . . . . . . . . . . . . . . ¶ 405
Audit Report Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 406
CAM Illustration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 407
Critical Audit Matters Versus Key Audit Matters . . . . . . . . . . . . . . ¶ 408
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 409
5 New Service Level of Engagement for Attestation Engagements (SSAE
18)
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 501
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 503
Important Considerations for SSAE 18 . . . . . . . . . . . . . . . . . . . . ¶ 504
Subservice Organizations and SSAE 18 . . . . . . . . . . . . . . . . . . . ¶ 505
SSAE 18 Versus SSAE 16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 506
Physical Components of the SSAE 18 Report . . . . . . . . . . . . . . . ¶ 507
SSAE Deliverable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 508
Who Needs an SSAE Audit? . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 509
How to Prepare for a SOC Review . . . . . . . . . . . . . . . . . . . . . . . ¶ 510
Benefits of SOC Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 511
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 512
6 Understanding Blockchain: For CPAs, Accountants, and Practitioners
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 601
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 603
What is Blockchain? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 604
How to Select a Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 605
Realistic Applications in Practice . . . . . . . . . . . . . . . . . . . . . . . . ¶ 606
Blockchain Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 607
Next Steps in Evolution of your Practice . . . . . . . . . . . . . . . . . . . ¶ 608
7 Enhancing Audit Quality
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 701
What is Audit Quality? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 703
9
ix
Root Causes of Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 704
Quality Control Elements Challenges . . . . . . . . . . . . . . . . . . . . . ¶ 705
Strategies to Increase Audit Quality . . . . . . . . . . . . . . . . . . . . . . ¶ 706
Common Deficiencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 707
Preparing for Busy Season and Peer Review . . . . . . . . . . . . . . . ¶ 708
MODULE 3: FRAUD OVERVIEW
8 2019 Fraud Review
Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 801
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 803
Fraud Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 804
Occupational Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 805
Cyber Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 806
Financial Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 807
Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 808
Tax Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 809
Other Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 810
Government-Specific Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 811
Not-for-Profit Specific Frauds . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 812
Money Laundering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 813
Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 814
Fraud Wrap-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 815
Answers to Study Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,100
Module 1—Chapter 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,101
Module 1—Chapter 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,102
Module 1—Chapter 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,103
Module 2—Chapter 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,104
Module 2—Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,105
Module 2—Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,106
Module 2—Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,107
Module 3—Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,108
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Page
181
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,200
Final Exam Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,300
Final Exam Questions: Module 1 . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,301
Answer Sheets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,400
Module 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,401
Module 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,402
Module 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,403
Evaluation Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ¶ 10,500
1
MODULE 1: TOP ACCOUNTING ISSUES—

CHAPTER 1: Overview of ASUs Issued by
FASB in 2018
¶ 101 WELCOME
This chapter covers all of the Accounting Standards Updates (ASUs) issued by the
Financial Accounting Standards Board (FASB) during 2018. It discusses the main
provisions of each standard and who will be impacted by it.
¶ 102 LEARNING OBJECTIVES
Upon completion of this chapter, you will be able to:

• Recognize and apply ASUs issued by FASB in 2018
• Identify who will be impacted and the main provisions of each standard
• Recognize ASU effective dates
¶ 103 INTRODUCTION
FASB had a very busy year in 2018, issuing 20 ASUs covering a range of topics.
Although it was not quite a record year in terms of the number of ASUs released, a
great deal of new guidance was issued. An executive overview of each ASU is provided
in the following sections to help accountants determine which ASUs will affect them in
the future.
¶ 104 ASU 2018-01

ASU 2018-01, Land Easement Practical Expedient for Transition to Topic 842, was issued
in January 2018. To understand this ASU, some background information is necessary.
In 2016, the FASB issued ASU 2016-02, Leases, intending to (1) change the definition of
a lease to be more comparable and (2) change the recognition of leases so that almost
all leases will end up on the balance sheet for most entities. That would lead to
comparability by not differentiating between an operating lease and a capital lease on
the balance sheet. However, ASU 2016-02 does include differences between operating
and capital leases (which are now called financing leases) on the income statement and
cash flow statement, but it is focused on trying to ensure that the balance sheet is the
same.
The definition of a lease may include a land easement, depending on the terms and
conditions. Because today’s standard contains no explicit guidance on land easements,
there are various ways to treat them. Some entities treat a land easement as a lease
under Topic 840. Others treat it as property, plant, and equipment; they actually
recognize the land under Topic 360. And others recognize the right to use the language
under intangibles, Topic 350.
Based on the updated definition of a lease, a land easement may qualify to be
treated as a lease under Topic 842. Those who were following Topic 840 are already
following lease accounting and would just adopt the new lease accounting going
forward. However, others were a bit concerned about being pulled into the lease
standard: those that already were reflecting the asset on their books under Topics 350
and 360. Basically, their concern was that if they were already following Topic 350 or
¶ 104
2 TOP ACCOUNTING AND AUDITING ISSUES FOR 2020 CPE COURSE
360, those land easements were already on the balance sheet and therefore there would
be little benefit to analyzing each of them under the new Topic 842 for leases to
determine whether they met the updated definition. It would be very costly to do so, and
for some entities, such as utilities or telecommunication companies, it would also be a
very complex undertaking.
In response, the FASB provided a practical expedient. Those who are not currently
following Topic 840, which is the extant lease standard, can continue to account for land
easements as they have been. They can continue to follow the old standard until either
the easement has expired and has to be renewed, or the easement is modified. On the
other hand, those who are currently using Topic 840 do not get a practical expedient.
They would continue to apply the current Topic 840 until they adopt Topic 842.
Effective date: ASU 2018-01 is effective with the transition for ASU 2016-02. Those who
early adopted Topic 842 should adopt this ASU upon issuance.
¶ 105 ASU 2018-02

The FASB issued ASU 2018-02, Income Statement—Reporting Comprehensive Income
(Topic 220): Reclassification of Certain Tax Effects from Accumulated Other Comprehen-
sive Income, in February 2018. The Tax Cuts and Jobs Act (TCJA) was enacted on
December 22, 2017, just nine days shy of the calendar year end. As a result, the FASB
began to receive unsolicited comment letters, specifically from the banking and insur-
ance industries. The U.S. Securities and Exchange Commission (SEC) had issued a
Staff Accounting Bulletin (SAB) in response to the TCJA, but the FASB was not working
on anything related to TCJA.
One issue identified by constituents is called the stranded tax effect. The stranded
tax effect is due to the enactment of the original deferred tax. Deferred taxes come from
“temporary differences; for example, the tax code treats the transaction one way and
the FASB codification another. One example is unrealized gains and losses for available
for sale debt securities. Under Generally Accepted Accounting Principles (GAAP),
entities recognize the unrealized gains and losses through comprehensive income. For
tax purposes, however, entities are not going to recognize the unrealized gains and
losses until they have a realized gain or loss. That creates a temporary difference. In one
scenario the unrealized gains and losses are recognized, and in the other they are not.
The deferred tax amount is actually recorded through accumulated other compre-
hensive income (AOCI) because in this scenario, available for sale debt securities are an
other comprehensive income (OCI) item. They are not a net income line item; they flow
through AOCI. Therefore, when the transaction is recorded, the deferred tax flows
through AOCI at the old tax rate.
Due to changes in the corporate tax rate under the TCJA, the deferred tax assets
and deferred tax liabilities are adjusted to reflect the new corporate tax rate on the act’s
enactment date. The change would flow through net income. That means that the
deferred tax that is sitting in AOCI is at the old rate and is going to remain in AOCI, but
the deferred tax asset and liability would reflect the new rate. The tax effects of items
that remain in AOCI is misstated, hence the term stranded tax effect.
ASU 2018-02 provides an option. It allows companies to reclassify out of AOCI and
into retained earnings to address the impact of the stranded tax effect. However, the key
is that this applies only to those items that are related to the TCJA. Companies cannot
make this reclassification for any other changes, past or future.
Note that companies are not required to classify; doing so is optional. However,
every entity must adopt the standard whether or not it has reclassified AOCI due to the
disclosure requirements. Under ASU 2018-02, a company has to disclose its accounting
¶ 105
MODULE 1 - CHAPTER 1 - Overview of ASUs Issued by FASB in 2018 3
policy of whether it has released the income tax effects from AOCI. If a company did
elect to do so, it must state that it elected to reclassify the income tax effects of the
TCJA from AOCI to retained earnings and then give a description of the impact.
COMMENT: Note that those who did not make the election are still required
to disclose in the period that they adopted the guidance that they did not make the
change to reclassify the income tax effects of TCJA. Therefore, every entity has to
adopt the ASU, whether or not it has actually done anything with it in terms of
reclassification. In other words, the disclosure applies to every entity, whether or
not it made the election of the option.
Effective date: ASU 2018-02 is effective for fiscal years beginning after December 15,
2018, but early adoption is permitted. Early adopters can apply it either in the period
that they adopt the standard or retrospectively to each period where they had a change
in the corporate tax rate resulting from the TCJA.
¶ 106 ASU 2018-03

The next ASU released by the FASB in 2018 is related to financial instruments. ASU
2018-03, Technical Corrections and Improvements to Financial Instruments—Overall
(Subtopic 825-10): Recognition and Measurement of Financial Assets and Financial
Liabilities, focuses on ASU 2016-01, the prior recognition and measurement standard.
ASU 2016-01 was issued in January 2016 and addresses recognition and measurement of
financial assets and financial liabilities.
Instead of a complete overhaul, ASU 2016-01 made some changes to equity
securities by eliminating the concept of “available for sale. As a result, all changes in
equity securities run through net income, and no portion ever will run through OCI
under ASU 2016-01. Topic 320 now covers only debt securities, whereas Topic 321
covers equity securities. ASU 2016-01 started affecting public companies in 2018, and in
February of that year, the FASB decided to issue technical corrections under ASU
2018-03. ASU 2016-01 eliminates the cost method and instead includes specialized
impairment guidance for equity securities that do not have a readily determinable fair
value.
The standard states that the alternative should be applied until the investment has
a readily determinable fair value or it becomes eligible for the net asset value practical
expedient. The ASU clarifies that companies can make a change to fair value through an
irrevocable election that would apply to that security and all identical or similar
investments of the same issuer, meaning that in this scenario, they could elect to switch
to fair value and not use the measurement method—but once they do, they cannot go
back to the alternative measurement method.
Another issue also relates to readily determinable fair value. In the alternative
measurement method, one would find a similar security and look at observable transac-
tions, and then use that as a proxy for the change in fair value. A question was raised
about whether the adjustment is made to reflect the fair value as of the transaction date
or the current reporting date. The standard clarifies that the measurement alternative
reflects the fair value at the date of the observable transaction, not necessarily the
current reporting date. Also, if a company has a forward contract or a purchase option, it
has to apply this alternative on a look-through basis. ASU 2018-03 also clarifies that the
entire value must be remeasured when there is a change in the underlying equity
security.
The fair value option creates a new OCI item with the issuance of ASU 2016-01. In
the past, if a company elected the fair value option, it was required to run the entire
change of fair value through net income. No portion was allowed to be allocated to OCI.
¶ 106
Under the new standard, there is something called instrument-specific credit risk, and
now when a company has a liability that has elected to be measured using the fair value
option, the instrument-specific credit risk would run through OCI, and the remaining
change in fair value would run through net income.
Questions were raised about whether how an entity elected the fair value option—
under financial instruments or under the derivatives—mattered. ASU 2016-03 clarified
that the topic would not impact the accounting treatment. It is applied regardless of
whether the fair value election was under derivatives and hedging or under the financial
instruments topic.
Other questions related to the fair value option relate to foreign currency. If a
company is separately electing the portion that is related to the instrument-specific
credit risk in OCI and the remaining running through net income, there were questions
about how one would determine the impact on the foreign currency. The FASB clarified
that the amount related to the instrument-specific credit risk is first measured in the
currency of denomination, and then the change in fair value would be remeasured in the
functional currency.
ASU 2016-03 also addresses another issue regarding fair value. If an entity was
going to use the new guidance for equity securities that did not have a readily
determinable fair value, the standard explicitly states that it can be used, adopted
prospectively. A question was raised about whether an entity could use the prospective
approach for all equity securities if they did not have a readily determinable fair value
but the entity was not electing the special measurement alternative. The answer is no.
The perspective method only applies if there is no readily determinable fair value and
the entity is using the measurement alternative.
Effective date: The effective date for ASU 2018-03 is the same as the effective date in
ASU 2016-01. All entities may early adopt these amendments for fiscal years beginning
after December 15, 2017, including interim periods within those fiscal years, as long as
they have adopted ASU 2016-01.
This ASU was issued in February, so public companies were already halfway
through their first quarter when it was issued. Consequently, the FASB gave such
entities a bit of extra time for adoption because they had already started the transition in
January for their first quarter. Public business entities with fiscal years beginning
between December 15, 2017, and June 15, 2018, are not required to adopt these
amendments until the interim period beginning after June 15, 2018.
¶ 107 ASU 2018-04

ASU 2018-04, Amendments to SEC Paragraphs Pursuant to SEC Staff Accounting Bulletin
No. 117 and SEC Release No. 33-9273, is related to SEC guidance. Sometimes the SEC
decides that it wants to have specialized guidance just for SEC companies, and it will
issue a SAB or equivalent for that purpose. The FASB then will issue an ASU to bring
that SEC guidance into the codification.
This scenario worked a little bit backward. The SEC had certain guidance that was
particular to SEC companies, and then FASB issued ASU 2016-01 regarding recognition
and measurement for financial instruments. As a result, the SEC issued SAB 117 in
November 2017. Basically, the bulletin stated that the SEC guidance would conform to
ASC 321, which is the new 2016-01 equity securities guidance. SAB 117 was related to
other than temporary impairment, which was updated in ASU 2016-01. In essence, the
SEC stated it would adopt the new ASU 2016-01 guidance. ASU 2016-04 aligns the SEC
guidance with the new ASU 2016-01 guidance and Topic 321. As a result, it only applies
to SEC entities.
¶ 107
Effective date: ASU 2018-04 is effective upon issuance.
¶ 108 ASU 2018-05

On the same day the TCJA was enacted, the SEC issued SAB 118, which provides
options for SEC registrants applying the TCJA changes. The SEC knew that the TCJA
contained many changes to the tax law, and that these changes may or may not be
clearly addressed in GAAP. SAB 118 states that companies that can come up with a
reasonable estimate should book that reasonable estimate. The reasonable estimate is a
provisional amount that is intended to be updated throughout the measurement period.
However, the SEC also understands that it is possible that a company does not
have the information it needs and therefore does not have a reasonable estimate. In this
case, the SEC recommends that the company does not book a provisional amount but
instead continues the accounting treatment it was using immediately prior to TCJA until
it is able to do its accounting and come up with a reasonable estimate. As a company is
updating its provisional amount, it simply runs it through income, so if there is a change
in the tax expense or tax benefit, the company runs that through continuing operations
during the measurement period.
COMMENT: Note that this measurement period concept only applies to the
TCJA. Anything that is not related to the TCJA is not a measurement period
adjustment.
The guidance requires companies to make certain disclosures, including disclo-
sures about provisional amounts; disclosing for which current and deferred amounts the
income tax impact was completed, the reason any accounting is incomplete, and any
information that would be needed to complete the accounting; the nature and amount of
any measurement period adjustments that were recognized during the period; and the
effect of these adjustments on the effective tax rate.
ASU 2018-05, Amendments to SEC Paragraphs Pursuant to SEC Staff Accounting
Bulletin No. 118 (SEC Update), brings SAB 118 into the Codification. In addition, the
FASB indicated that while SAB 118 applies only to SEC companies, private companies
can also adopt it as long as they apply the entire guidance, including the disclosures.
¶ 109 ASU 2018-06

ASU 2018-06, Codification Improvements to Topic 942, Financial Services—Depository
and Lending, was issued by the FASB in May 2018.
ASU 2018-06 updates the outdated guidance related to the Office of the Comptroller
of the Currency’s Banking Circular 202, Accounting for Net Deferred Tax Charges (Circu-
lar 202).
The FASB has an ongoing agenda project to look for outdated information in the
Codification, and it found some related to Circular 202. Although typically the FASB
would issue any updates in the annual technical correction ASU, in this case it chose to
issue it as a separate ASU to bring awareness to anyone using Topic 942, Financial
Services—Depository and Lending.
ASU 2018-06 rescinds the guidance in Topic 942-740 that the Office of Comptroller
of the Currency has rescinded because it is no longer relevant. The FASB does provide
a cross-reference to the old guidance to make sure it still continues to be useful.
Effective date: ASU 2018-06 is effective upon issuance.
¶ 109
¶ 110 ASU 2018-07

The next ASU issued by the FASB in 2018 was ASU 2018-07, Compensation—Stock
Compensation (Topic 718): Improvements to Nonemployee Share-Based Payment Account-
ing, which addresses non-employee share-based payment. The FASB had updated its
guidance on employee share-based payments as part of its simplification initiative, and it
later decided to also update non-employee share-based payment guidance.
Topic 505, which included the specific guidance for non-employee share-based
payment, was significantly different from the requirements for employee shared-based
payment under Topic 718. In addition, Topic 505 does not address nearly the same
amount of information as Topic 718. Consequently, the FASB decided to expand Topic
505 to be as encompassing as Topic 718 and also try to make the two as consistent as
possible. However, instead of fixing Topic 505, the FASB actually decided to expand the
scope of Topic 718 to include share-based payment transactions for acquiring goods and
services from non-employees. The FASB moved both employee and nonemployee
share-based payment guidance into Topic 718.
Non-employee share-based payment used to be measured as the fair value of the
consideration received or the fair value of the equity instrument issued, whichever was
more reliable. Under the new standard, non-employee share-based payment is consis-
tent with employee share-based payment at the grant date fair value of the equity
instrument.
With regard to performance conditions, under both employee share-based payment
and non-employee share-based payment, something has to be done in addition to
vesting. Under the previous guidance, non-employee share-based payment was mea-
sured at the lowest aggregate fair value. Under the new guidance, it will align with
employee share-based payment, so one must consider the probability of satisfying the
performance obligations when calculating the non-employee share-based payment.
If there is an equity classified non-employee share-based payment award, it would
have become subject to other GAAP after the good has been delivered. Theoretically,
after it is delivered, it might become subject to Topic 815 derivatives and hedging as a
result. Under the new standard, the classification of equity classified non-employee
share-based payment will be in Topic 718, and therefore there is no longer a require-
ment to reassess classification upon vesting.
There are also two good options for private companies. In calculating fair value, one
of the inputs used to value equity share-based payment is expected volatility. For many
nonpublic entities, it is very costly to determine the expected volatility of their share
price because they do not trade frequently. The new standard allows private companies
to use the historical volatility of an industry sector index as the expected volatility in lieu
of having to use an instrument-specific one for their instrument. Using an industry
sector index is a lot easier for these entities.
In addition, just as the FASB did for employee share-based payment, it will offer
private companies a one-time, no-questions-asked, no preferability analysis election to
switch their liability-classified awards from fair value to intrinsic value. Intrinsic value
was initially offered under Topic 718, but many entities did not realize that and thus did
not elect it. If an entity does not elect it upon adoption of a standard, it then must
perform a preferability analysis to determine whether the change is preferable. This
one-time, no-questions-asked opt-in to move to intrinsic value over fair value is easier to
calculate for those types of awards. ASU 2018-07 aligns this option with the one-time
option that private companies had under the simplification of employee share-based
payment.
¶ 110
Effective date: For public companies, ASU 2018-07 is effective for fiscal years begin-
ning after December 15, 2018, including interim periods. For everyone else, it is
effective for fiscal years beginning after December 15, 2019. Early adoption is permitted,
but no earlier than an entity’s adoption date of Topic 606.
¶ 111 ASU 2018-08

A very important standard for not-for-profit entities is ASU 2018-08, Not-for-Profit Entities
(Topic 958): Clarifying the Scope and the Accounting Guidance for Contributions Received
and Contributions Made, issued in June 2018. ASU 2018-08 makes significant changes to
contribution guidance, driven primarily by Topic 606 and revenue recognition.
When the FASB looked at implementation of Topic 606, it needed to address
diversity in practice regarding classification of a transaction as an exchange transaction
or nonexchange transaction. While addressing the diversity, the FASB also decided to
address some misconceptions.
Although this guidance is found in Topic 958 for nonprofits, it applies to all entities,
including public entities that receive or make contributions of cash or other assets.
There is one exception: this standard does not apply to transfers of assets from
government to business entities.
In regard to an exchange versus nonexchange, ASU 2018-08 considers if an entity
is receiving commensurate value. If an entity is receiving commensurate value, then the
transaction should be treated as an exchange transaction. The guidance clarifies what
commensurate value means. FASB clarified that the resource provider is not synony-
mous with the general public when making the determination of commensurate value.
In addition, fulfilling a nonprofit or a foundation’s mission or positive sentiment is also
not commensurate value. Finally, the standard clarifies that if a transaction is part of an
existing exchange transaction and a third party makes a payment, that still is consid-
ered an exchange transaction. Although the third party that is making the payment is
not getting commensurate value, there was an existing exchange transaction between a
customer and a recipient that therefore would continue to be an exchange transaction.
While the original objective of the project was to address diversity in practice, the
FASB realized that many items that are currently under the exchange guidance would
likely move to the nonexchange guidance and therefore would be subject to contribu-
tion accounting. The FASB took this opportunity to review the accounting for contribu-
tions and decided to deal with a concept that was very confusing: Is something a
condition or is it a restriction? As a result, the FASB updated the definition of a
condition. Under the new guidance, a contribution is conditional when the agreement
has both a barrier that must be overcome and a right of return or right of release. That
barrier is very different from the current concept of a future uncertain event that is
current practice. The FASB identified three indicators of a barrier that would typically
make more contributions conditional instead of restricted.
The first indicator of a barrier is the existence of a measurable performance-related
barrier. In addition, if there is limiting discretion on the conduct of the activity, it would
be an indicator of a barrier and condition. The guidance also addresses items that were
not really related to the purpose of the agreements but were stipulations. FASB clarified
that if the stipulation is not related to the purpose of the agreement, then it is not an
indicator barrier.
Effective date: For a public company or a nonprofit entity that has issued, or is a
conduit bond obligor for, securities that are traded, listed, or quoted on an exchange or
an over-the-counter market, ASU 2018-08 is effective for annual reporting periods
beginning after June 15, 2018, including interim periods within that annual period. For
¶ 111
other organizations, it is effective for annual reporting periods beginning after Decem-
ber 15, 2018, and interim periods within annual periods beginning after December 15,
2019.
¶ 112 ASU 2018-09

In July 2018, the FASB issued ASU 2018-09, Codification Improvements, as part of a
standing project on the FASB agenda to address suggestions received from stakehold-
ers on the codification and to make other incremental improvements to GAAP. The
codification improvements in this ASU are related to comprehensive income, debt
modification and extinguishment, distinguishing liabilities from equity, stock compensa-
tion—income taxes, business combinations—income taxes, derivatives and hedging,
fair value measurement, brokers and dealers—liabilities, and defined contribution
pension plans.
Effective date: Some provisions of ASU 2018-09 are effective upon issuance; others
have effective dates. The guidance includes a chart that shows the effective date by
issue number.
STUDY QUESTIONS
1. Which of the following ASUs relates to the reclassification of certain tax effects from
accumulated other comprehensive income?
a. ASU 2018-01
b. ASU 2018-02
c. ASU 2018-03
d. ASU 2018-04
2. Each of the following identifies an area impacted by ASU 2018-03, except:
a. Backward-looking contracts
b. Equity securities without a readily determinable fair value
c. Presentation requirements for certain fair value option liabilities
d. Transition guidance for equity securities without a readily determinable fair
value
3. ASU 2018-06 made codification improvements to which of the following ASC Topics?
a. ASC 280
b. ASC 606
c. ASC 842
d. ASC 942
¶ 113 ASU 2018-10

Issued by the FASB in July 2018, ASU 2018-10, Codification Improvements to Topic 842,
Leases, includes several clarifications and corrections. The ASU corrects incorrect
references and examples and includes a change in rates and variable payments. It also
clarifies the following: rates used for present value, classification reassessment, lessor
accounting for the lessee option election, transition guidance, and loss accounting.
¶ 112
Effective date: ASU 2016-02 is not yet effective, but early adoption was permitted. For
entities that early adopted Topic 842, the amendments are effective upon issuance. For
entities that have not adopted Topic 842, the effective date and transition requirements
will be the same as the effective date and transition requirements in Topic 842.
¶ 114 ASU 2018-11

ASU 2018-11, Leases (Topic 842): Targeted Improvements, was issued in July 2018. FASB
issued ASU 2016-02, Leases (Topic 842), in 2016 to increase transparency and compara-
bility by recognizing lease assets and lease liabilities on the balance sheet. The
improvements in ASU 2018-11 are related to implementation issues related to the
modified retrospective approach, and separation of lease and non-lease components for
lessors.
When the FASB issued 2016-02, it decided to use what it calls a modified retrospec-
tive transition, which means an entity would have to go back to a new lease and apply
the standard at the beginning of the earliest period presented. For example, a public
company that is applying it for calendar year 2019 year end and showing three income
statements would have to go back to January 1 of 2017, so it would have 2017, 2018, and
2019. That company might have a lease that expires in 2018 prior to the January 1, 2019,
effective date, but because it is going back and redoing it as of the beginning of the
earliest period presented, January 1, 2017, that lease has expired before the effective
date. However, the company would still have to redo the accounting so that the prior
periods are correct.
Many people complained that this was creating a lot of cost and complexity. As a
result, the FASB is offering in ASU 2018-11 an alternative transition method. A company
can keep the current one if it likes it, or can apply the standard at the adoption date and
use a cumulative effect adjustment to the opening balance in the period of adoption,
meaning that it would just adopt it for 2019 if it is a public company in that year and
would do a cumulative effect adjustment to the opening balance for retained earnings
without adjusting the prior periods. Companies must decide which option they prefer
under the new standard.
In addition, the FASB looked at the requirement to separate lease and non-lease
components for lessors. For example, consider a building that has 10 floors and 10
different tenants. Common areas might include the building’s lobby and elevators. The
landlord charges each tenant a portion of what it calls common area maintenance. What
is the cost to maintain those common areas? There might be common bathrooms, for
example. Therefore, the lease includes a lease component (the lease of the building)
and a non-lease component (the common area maintenance).
Entities are required to separate the lease components from the non-lease compo-
nents, and then allocate the total consideration paid for the total lease between those
components. Lessees were given a practical expedient to not separate their non-lease
component, so they basically were allowed to treat it as one component and just lump
them together. Unfortunately, lessors were not given the same practical expedient. The
new guidance gives lessors the option to lump these together if desired as a practical
expedient if elected. Lessors could then, by class of underlying assets, choose to not
separate the non-lease component from the lease component.
However, there are some limitations. The non-lease component would have to be
accounted for under Topic 606, the revenue standard, and the timing and pattern of
transfer for the lease and non-lease components would have to be the same, so they are
being offered at the same time and they are transferred at the same time. Finally the
lease component, if it was separate, would have been an operating lease. Therefore, if
the lease component would be classified as a capital lease (now called a financing lease),
the entity would not be able to apply this practical expedient.
¶ 114
ASU 2018-08 also clarifies that if an entity is combining a lease component with a
non-lease component, if the non-lease component is the predominant source, then Topic
606 should be used. If the lease component is the dominant source, the entity should
use Topic 842. Certain disclosures must be made related to adoption. An entity has to
disclose the fact that it is using the practical expedient. In addition, an entity must
indicate to which classes of assets it makes this election.
Effective date: Entities that have not yet adopted Topic 842 should follow the transition
for ASU 2016-02. For entities that have already adopted Topic 842, the effective date is
either the first reporting period following the issuance or at the original effective date.
The practical expedient may be applied either retrospectively or prospectively.
¶ 115 ASU 2018-12

One of the industry-specific ASUs that was issued in 2018 is ASU 2018-12, Financial
Services—Insurance (Topic 944): Targeted Improvements to the Accounting for Long-
Duration Contracts. Long-duration contracts include things such as life insurance.
Previously, the FASB had issued guidance for short-duration contracts, which include
contracts for car insurance or medical insurance. Instead of huge changes to the model,
the guidance includes targeted improvements.
COMMENT: Note that this guidance only applies to insurance entities under
Topic 944. It does not apply to holders of a long-duration contract or to noninsur-
ance entities.
The first update in the guidance is related to assumptions. Under previous gui-
dance, once an entity came up with an assumption to measure its liability, it was locked
at the inception date and held constant. The entity could not make an update. Under the
new standard, an entity is required to review and update its assumptions at least
annually. Any change in the estimate as a result of its update of its assumptions is
required to be run through net income. However, anything that is related to updating
the discount rate is going to run through OCI, creating another new OCI item.
In the past, the discount rate was an unobservable discount rate, based on the
entity’s expected yield on its investments when it was performing its discounted cash
flow analysis. Under the new standard, the entity has to use an observable market input,
which is the discount rate expected on future cash flows at an upper-medium-grade,
low-credit-risk, fixed-income instrument.
For market risk-benefits, two different measurement models were available: the fair
value model and the insurance accrual model. Under ASU 2018-12, all market risk
measurements must be measured using the fair value method, and any change in fair
value related to instrument-specific credit risk (a concept from ASU 2016-01) would be
recognized in OCI.
In terms of deferred acquisition costs, there were multiple amortization methods
with different inputs and different assumptions under the previous guidance. ASU
2018-12 applies more consistency by requiring amortization on a constant level basis
over the expected term. In the past, there were very limited disclosure requirements.
However, the new guidance includes several new disclosures specifically related to
disaggregation and inputs, judgments, assumptions, and methods. These are very
similar to the disclosures for short-duration contracts.
Effective date: For public business entities, ASU 2018-12 is effective for fiscal years,
and interim periods within those fiscal years, beginning after December 15, 2020. For all
other entities, the guidance is effective for fiscal years beginning after December 15,
2021, and interim periods within fiscal years beginning after December 15, 2022.
¶ 115
¶ 116 ASU 2018-13

The discussion of ASU 2018-13, Fair Value Measurement (Topic 820): Disclosure
Framework—Changes to the Disclosure Requirements for Fair Value Measurement, re-
quires a bit of background information.
The FASB uses a conceptual framework to write GAAP. The framework is the
underlying theory that is used to develop the individual ASUs. The FASB undertook a
huge project called the Disclosure Framework Project, whose goal was to identify the
most effective way of identifying disclosures. The FASB added Chapter 8, Notes to the
Financial Statements, to the conceptual framework, which acts as a set of yes/no
questions for the Board to consider. If the Board answers yes to a question, it should
consider whether it needs to require a disclosure and which disclosure would make
sense. If the Board answers no, typically a disclosure is not required. On an individual
ASU-by-ASU basis, the FASB would take those yeses and do a cost-benefit analysis to
decide if it needs to narrow those disclosures on a topic-by-topic basis.
ASU 2018-13 is the FASB’s first attempt at applying Chapter 8 to an individual ASC
section. The FASB went through existing disclosures and applied the new Chapter 8 to
assess whether each disclosure was needed, should be eliminated, or should be
modified under new conceptual framework. The good news is that the FASB ended up
removing quite a few disclosures. For example, the amount and reasons for transfers
between Level 1 and Level 2 have been removed. The policy for the timing of transfers
between levels was removed, as was the valuation process for Level 3 fair value. For
nonpublic entities, the change in unrealized gains and losses for the period that was in
earnings for recurring Level 3 fair value measurements was removed.
The FASB also made some modifications in ASU 2018-13. Nonpublic entities are
currently required to present a roll forward for their Level 3 fair value measurement.
Going forward, they do not have to do a formal roll forward; they just have to provide
certain inputs, such as transfers in and out of Level 3, as well as purchases and issues of
Level 3 assets and liabilities.
The guidance also includes modifications to net asset value. Entities need to
disclose the timing of liquidation only if the investee has communicated the timing to
the entity or announced the timing publicly. ASU 2018-13 also clarifies that the measure-
ment uncertainty disclosure is related to the uncertainty in measurement as of the
reporting date. For public companies, the guidance adds the change in unrealized gains
and losses for the period that is in OCI for recurring Level 3 fair value measurements. It
also adds the range and weighted average as significant unobservable inputs used to
develop Level 3 fair value measurements.
The current standard, prior to the issuance of this ASU, uses the term “an entity
shall disclose at a minimum. In the new guidance, the FASB removed “at a minimum
and clarified that materiality is an appropriate consideration when evaluating disclosure
requirements and that there is discretion by the entity when it looks at its value
measurement disclosures.
Effective date: ASU 2018-13 is effective for everyone for fiscal years and interim
periods within those years beginning after December 15, 2019, which would be calendar
2020. Public companies can adopt the removed items and only add the items at their
effective date.
¶ 117 ASU 2018-14

Very similar to ASU 2018-13 is ASU 2018-14, Compensation—Retirement Benefits—
Defined Benefit Plans—General (Subtopic 715-20): Disclosure Framework—Changes to
the Disclosure Requirements for Defined Benefit Plans. As part of its Disclosure Frame-
¶ 117
work Project, the FASB ran pensions through the new conceptual framework under
Chapter 8 for note disclosures and examined whether all the disclosures are needed.
The guidance removes the amount in AOCI expected to be recognized as a
component of net periodic benefit cost over the next year, the amount and timing of
plan assets expected to be returned to the employer, the disclosures related to the June
2001 amendments to the Japanese Welfare Pension Insurance Law, and some related-
party disclosures about the future annual benefits covered by insurance. For nonpublic
entities, it also removed the reconciliation of the opening and closing balance and
instead required only disclosure of transfers into and out of, and purchases of level 3
plan assets. Also eliminated is the sensitivity analysis for the assumed healthcare trends
rate.
However, the FASB also added some items, such as the weighted average interest
credit ratings for cash balance plans and explanation of the reasons for significant gains
and losses. In addition, it clarified certain disclosures regarding the projected benefit
obligation (PBO) and accumulated benefit obligation (ABO).
Effective date: ASU 2018-14 is effective for public business entities for fiscal years
ending after December 15, 2020 (calendar year 2021). For all other entities, it is
effective for fiscal years ending after December 15, 2021 (calendar year 2022). Early
adoption and retrospective application are permitted for all entities.
¶ 118 ASU 2018-15

Another option for early adoption is ASU 2018-15, Intangibles—Goodwill and Other—
Internal-Use Software (Subtopic 350-40): Customer’s Accounting for Implementation Costs
Incurred in a Cloud Computing Arrangement That Is a Service Contract (a consensus of
the FASB Emerging Issues Task Force).
In 2015, the FASB issued a standard around the accounting for cloud computing
arrangements and addressed the monthly or annual fee that entities pay for them. If an
entity had a license for internal use software, it could use Topic 350-40 and capitalize
those cloud computing fees. Unfortunately, if an entity did not include a software license
in the cloud computing arrangement, it was required to expense the hosting element or
service. As a result, stakeholders commented that there was no explicit guidance
regarding the implementation costs or “upfront costs that had to be paid to transition to
a cloud computing arrangement. They questioned whether those costs could be
capitalized.
The scope of ASU 2018-15 includes only implementation costs, setup costs, and
other upfront costs, where the hosting arrangement is treated as a service contract and
therefore is being expensed. The guidance does not change the accounting for fees; it
just addresses the implementation costs. ASU 2018-15 aligns the requirement for
capitalizing implementation costs with internal use software. Therefore, if an entity can
capitalize the implementation costs under internal use software, then even though it is
expensing the hosting element, the implementation costs can be capitalized. If an entity
is in the application development stage, all those costs are allowed to be capitalized.
However, if it is in the preliminary project or post-implementation stage, those costs
must be expensed.
However, if some items are going to be capitalized, the entity must expense the
capitalized implementation costs over the term of the hosting arrangement. Similar to
the lease standard, the term includes both the non-cancellable period as well as any
option periods. To the extent that it is reasonably certain that the entity is going to
exercise the option to extend, it should consider that for the determination of the term
of hosting term. For example, if the entity enters into an arrangement for a five-year
¶ 118
hosting contract and has the option to extend it another two years, if it is reasonably
certain the entity is going to exercise that option, the amortization period would be
seven years.
In addition, the guidance states that Topics 350 and 360, impairment and abandon-
ment, are both to be applied to the newly capitalized implementation costs. Although it
is a capitalization of the related expense, it is not going to show up as amortization. The
expense will be included in the same line item in the profit and loss statement as the
hosting element. So wherever an entity is putting the expense related to the actual
monthly or annual fees, that is where the expense related to the capitalized implementa-
tion costs should go. The same thing is true for the cash flow statements. Wherever the
payments for the fees related to the hosting element are presented, that is where the
capitalized implementation costs should be. Finally, for the balance sheet, the entity
would put costs in the same line item where either a prepayment or a delayed payment
would go on the balance sheet.
Effective date: For public business entities, ASU 2018-15 is effective for fiscal years
beginning after December 15, 2019, and interim periods within those fiscal years. For all
other entities, it is effective for annual reporting periods beginning after December 15,
2020, and interim periods within annual periods beginning after December 15, 2021.
Early adoption is permitted, including adoption in any interim period, for all entities.
¶ 119 ASU 2018-16

ASU 2018-16, Derivatives and Hedging (Topic 815): Inclusion of the Secured Overnight
Financing Rate (SOFR) Overnight Index Swap (OIS) Rate as a Benchmark Interest Rate
for Hedge Accounting Purposes, relates to issues with the use of LIBOR. Both the FASB
and GASB have major projects to address the use of the term LIBOR throughout the
codification.
However, the federal government is having significant concerns over LIBOR,
specifically related to its stability. The Federal Reserve got involved and created a
committee to pick an alternative rate to LIBOR for the United States. That committee
selected SOFR, the secured overnight financing rate, because it is a volume-weighted
rate that is calculated on a daily basis. SOFR is much less susceptible to manipulation
than the other rates.
As a short measure, the FASB issued this standard separately, which is just looking
at benchmark interest rates. Under U.S. GAAP, if an entity is using hedging and has a
fixed-rate financial instrument, it must use a benchmark interest rate. Only a handful of
benchmark interest rates are allowed: UST, LIBOR SIFMA, and the OIS based on the
federal fund rate. Those are the only permitted benchmark rates that are currently
available to entities. SOFR is not an eligible benchmark rate, but ASU 2018-16 permits
SOFR to be used as an eligible benchmark rate. In 2019, the FASB will probably issue
another ASU that addresses the use of the term LIBOR throughout the Codification.
Effective date: If an entity has not adopted hedge accounting (ASU 2017-12), it would
adopt 2018-16 with 2017-12. However, if a public entity already adopted ASU 2017-02,
then it would follow it for 2019, which was the original date. Everyone else would follow
it for 2020. However, entities can also early adopt this ASU.
¶ 120 ASU 2018-17

ASU 2018-17, Consolidation (Topic 810): Targeted Improvements to Related Party Gui-
dance for Variable Interest Entities, addresses the variable interest entity (VIE) excep-
tion for private companies issued by the Private Company Council and tries to extend it
even further. For the VIE model, two criteria must be considered: (1) the economic
¶ 120
criterion and (2) the power criterion. Unfortunately, for private companies, evaluating
these criteria is very difficult, primarily because many agreements between related
parties are not in writing. Private companies will not necessarily have a formal agree-
ment that dictates all the different elements or has an official end date, so the cost and
complexity of trying to determine who is the primary beneficiary has been difficult.
In 2014, a PCC alternative was issued for variable interest entities, and private
companies that were under common control and had leasing arrangements, were given
an exception to VIE guidance. Under ASU 2018-17, if a legal entity meets all of the
following criteria, it would no longer have to be evaluated to determine if it is a VIE by a
private company. First, the reporting entity and the legal entity have to be under
common control. In addition, the reporting entity and the legal entity are not under
common control of a public business entity. In addition, the legal entity that is under
common control is not a public business entity. Finally, the VIE exception cannot be
used to overcome voting interest entity (VOE) guidance, so an entity cannot have either
a direct or indirect controlling financial interest when it goes to the voting guidance. If
an entity meets these requirements, it is effectively scoped out of VIE guidance.
ASU 2018-17 offers an accounting policy election, so it is not mandatory. However,
once an entity elects it, it must apply it to all legal entities; it cannot cherry-pick which
ones it does or does not want to consolidate.
There are several new disclosures under this guidance. Obviously, there are some
disclosures related to risks associated with the reporting entity, including their involve-
ment with the legal entity under common control, and any carry amounts that they have
related to assets and liabilities for the reporting entity. What is the reporting entity’s
maximum exposure to loss, and if it exceeds the carrying amount, what quantitative and
qualitative information allows us to understand what is going on in that excess
exposure?
In addition, ASU 2018-17 includes a change related to the treatment of decision-
making fees. When an entity is trying to determine whether a decision-making fee is a
variable interest, to consider indirect interest held through related parties under
common control, currently a direct interest must be used. Going forward, this can be
done on a proportional basis.
Effective date: For entities other than private companies, ASU 2018-17 is effective for
fiscal years beginning after December 15, 2019, and interim periods within those fiscal
years. For private companies, it is effective for fiscal years beginning after December 15,
2020, and interim periods within fiscal years beginning after December 15, 2021.
Transition is retrospective, and early adoption is permitted.
¶ 121 ASU 2018-18

ASU 2018-18, Collaborative Arrangements (Topic 808): Clarifying the Interaction between
Topic 808 and Topic 606, addresses the relationship between Topic 808 and Topic 606.
Topic 808 does not provide comprehensive recognition or measurement guidance
for collaborative arrangements, and the accounting for those arrangements is often
based on an analogy. A collaborative arrangement, as defined by the guidance in Topic
808, is a contractual arrangement under which two or more parties actively participate
in a joint operating activity and are exposed to significant risks and rewards that depend
on the activity’s commercial success. This type of arrangement is common in the
pharma industry and in some nonprofits.
This ASU states that if the counterparty in a collaborative arrangement meets the
definition of a customer under Topic 606, transactions in the arrangement should be
accounted for under the new revenue guidance. It also adds unit of account guidance
¶ 121
(the concept of a distinct good or service from Topic 606) into Topic 808. However, the
guidance does not address the accounting for the relationship if it is not subject to
revenue recognition guidance. It does not provide collaborative arrangement guidance
for recognition and measurement.
Effective date: For public business entities, the effective date is fiscal years beginning
after December 15, 2019, and interim periods within those fiscal years. For all other
entities, ASU 2018-18 is effective for fiscal years beginning after December 15, 2020, and
interim periods within fiscal years beginning after December 15, 2021. Early adoption is
permitted.
¶ 122 ASU 2018-19

Issued in November 2018, ASU 2018-19, Codification Improvements to Topic 326,
Financial Instruments—Credit Losses, addresses a handful of questions related to the
current expected credit loss (CECL) model. The first question is related to the effective
date. It looks like there are three effective dates in the CECL model: one for SEC filers,
one for public companies that are not SEC filers, and one for private companies.
However, upon closer review, the effective date is essentially the same for nonpublic
business entities and public business entities that do not meet the definition of an SEC
filer. In response to requests from nonpublic entities for a delayed effective date, the
FASB pushed back the effective date to fiscal years beginning after December 15, 2021
(calendar year 2022) for private companies (the year after non-SEC filers that are public
business entities are required to adopt the standard).
ASU 2018-19 also addresses whether certain leases are subject to the CECL model.
ASC 326 explicitly says that if an entity is a lessor, the net investment in leases for its
sales type or direct financing leases are in scope. However, the guidance is silent as to
operating leases. ASU 2018-19 clarifies that if an entity has a receivable from an
operating lease, it is not within the scope of Topic 326. It would be subject to
impairment testing under Topic 842 for leases.
Effective date: For SEC filers, ASU 2018-19 is effective for fiscal years beginning after
December 15, 2019, including interim periods within those fiscal years. The effective
date for all other public business entities is fiscal years beginning after December 15,
2020, including interim periods within those fiscal years. For all other entities (including
not-for-profits), the guidance is effective for fiscal years beginning after December 15,
2021, including interim periods within those fiscal years.
¶ 123 ASU 2018-20

The FASB issued another ASU related to the lease standard in December 2018, ASU
2018-20, Leases (Topic 842): Narrow-Scope Improvements for Lessors, effectively starting
and ending 2018 with a lease standard.
In this ASU, the FASB adjusted its guidance in three areas. The first one is related
to sales tax. In the original standard, Topic 842 states that a jurisdiction-by-jurisdiction
analysis must be performed to determine whether sales tax is a lessee or a lessor
responsibility. In jurisdictions where it is a lessee responsibility and the lessor collects
and then remits sales, the lessor would be deemed to be acting as an agent and
therefore would exclude that amount from lease revenue. On the other hand, if it is a
lessor who is obligated for the tax, then that would be—if the lessor collects it from the
lessee—an amount that would be in lease revenue.
Commenters noted that Topic 606 included an exclusion from this analysis for
revenue and required a similar exclusion for leases. ASU 2018-20 offers an accounting
¶ 123
policy election where entities can exclude them from consideration. This guidance
represents a huge win for lessors who deal with multiple jurisdictions.
In addition, there were questions about the relationship between lessor costs and
whether they were being reimbursed by the lessee. The update basically states that the
lessor will exclude any variable payments paid by the lessee directly to a third party. For
example, if there is a cost that is really a lessor cost, and the lessee pays it directly to a
third party and does not pay it to the lessor, the lessor would exclude the amount from a
variable consideration. On the other hand, if there are lessor costs that are being paid
by the lessee but they are basically reimbursing the lessor, so the lessor makes the
payment and then the lessee reimburses them, that would be variable revenue. If the
lessor is making the payment and then charges the lessee for it, the lessor knows the
exact amount and would have to treat that as revenue.
Language in previous guidance seemed to imply that regardless of whether a
payment related to non-lease payments, there was explicit accounting. Under this new
guidance, a variable payment is to be allocated between lease and non-lease compo-
nents, and any amount that is allocated to the lease component would follow the
guidance in Topic 842. However, any amount that was allocated to the non-lease
component would follow the proper accounting under Topic 606.
Effective date: Not yet adopted; the effective date is the same as the effective date and
transition requirements in ASU 2016-02. Entities that have adopted Topic 842 should
apply changes at the original effective date of Topic 842 for the entity. There in an
option to adopt this guidance in either the first reporting period ending after the
issuance of this ASU or in the first reporting period beginning after the issuance of this
ASU.
STUDY QUESTIONS
4. The amendments in ASU 2018-12 include targeted improvements to the accounting

for which of following type of transactions?
a. Long-duration contracts
b. Share-based payments
c. Implementation costs in a cloud computing arrangement
d. Variable interest entities
5. The amendments in ASU 2018-13 prescribes changes to disclosure requirements
related to:
a. Leases
b. Revenue recognition
c. Fair value measurements
d. Defined benefit plans
6. Which of the following ASUs was issued in November 2018 and included codifica-
tion improvements to the accounting for credit losses on financial instruments?
a. ASU 2018-17
b. ASU 2018-18
c. ASU 2018-19
d. ASU 2018-20
¶ 123
17

CHAPTER 2: Credit Losses on Financial
Statements
¶ 201 WELCOME
This chapter provides an overview of Accounting Standards Update (ASU) No. 2016-13,
Measurement of Credit Losses on Financial Instruments, issued by the Financial Account-
ing Standards Board (FASB) in June 2016. The new standard will apply to nearly all
entities, not just those in the financial services industry, and will change how entities
document and account for credit impairment on their respective financial instruments.
This new standard is effective for public business entities for annual periods beginning
after December 15, 2019, and interim periods therein. As such, this means that
calendar-year SEC filers will have to apply the new requirements starting in first quarter
2020.

• Identify the key provisions of ASU No. 2016-13
• Recognize the credit loss measurement requirements for assets measured at
amortized cost and available-for-sale debt securities
• Identify the incremental financial statement disclosure requirements as a result
of ASU No. 2016-13
• Identify the effective date and transition requirements
• Recognize recent developments affecting entities that are required to apply the
amendments in ASU No. 2016-13
¶ 203 INTRODUCTION
The FASB issued final guidance that significantly changes how entities will measure
credit losses for most financial assets and certain other instruments that are not
measured at fair value through net income. By issuing the new amendments outlined in
Accounting Standards Codification (ASC) Topic 326, the FASB responded to criticism
that current accounting and reporting guidance delays recognition of credit losses. As a
result, the new standard will replace the current “incurred loss approach with an
“expected loss model for instruments measured at amortized cost and require entities
to record allowances for available-for-sale debt securities rather than reduce the carry-
ing amount, as they do today under the other-than-temporary impairment (OTTI)
model. The new standard also simplifies the accounting model for purchased credit-
impaired debt securities and loans. For clarity, some of the text in this chapter reflects
the FASB’s wording.
¶ 204 MAIN PROVISIONS OF THE ASU

The FASB notes that the main objective of this ASU is to provide financial statement
users with more decision-useful information about the expected credit losses on finan-
cial instruments and other commitments to extend credit held by a reporting entity at
each reporting date. To achieve this objective, the amendments replace the current
¶ 204
incurred loss impairment methodology with an updated methodology that reflects

expected credit losses and requires entities to consider a broader range of reasonable
and supportable information with respect to credit loss estimates.
More specifically, the ASU affects the following two types of assets:
• Assets measured at amortized cost
• Available-for-sale debt securities
With respect to assets measured at amortized costs, the amendments within the
ASU require a financial asset (or a group of financial assets) measured at amortized cost
basis to be presented at the net amount expected to be collected. The net amount
expected to be collected is determined by using a valuation account that is deducted
from the amortized cost basis. Regarding available for sale debt securities, the amend-
ments in the ASU require that credit losses relating to these types of financial instru-
ments should be recorded through an allowance for credit losses.
Assets Measured at Amortized Cost
Current accounting principles include multiple credit impairment objectives for certain
financial instruments. As previously mentioned, the current objectives generally delayed
recognition of the full amount of credit losses until the loss was probable of occurring.
Based on the FASB’s summary of the ASU, the FASB noted that the amendments in this
ASU are an improvement because they eliminate the probable initial recognition
threshold in current GAAP and, instead, reflect an entity’s current estimate of all
expected credit losses. Previously, when credit losses were measured under GAAP, an
entity generally only considered past events and current conditions in measuring the
incurred loss. As a result of this ASU, the changes broaden the information that an
entity must consider in developing its expected credit loss estimate for assets measured
either collectively or individually. Furthermore, the FASB notes that the use of fore-
casted information incorporates more timely information in the estimate of expected
credit loss, which will be more decision useful to users of the financial statements.
Available-for-Sale Debt Securities
Currently, credit losses on available-for-sale debt securities are required to be measured
and presented as a write-down. The amendments in this ASU do not change the
requirement to measure these credit losses, however, the amendments require that the
losses be presented as an allowance rather than as a write-down. The FASB notes that
this is an improvement to current accounting principles because an entity will be able to
record reversals of credit losses (in situations in which the estimate of credit losses
declines) in current period net income, which in turn should align the income statement
recognition of credit losses with the reporting period in which changes occur. This is in
contrast with current GAAP which prohibits reflecting those improvements in current
period earnings.
¶ 205 ASSETS MEASURED AT AMORTIZED COST

This section of the chapter explores the ASU amendments in more detail and focuses
specifically on the provisions for assets measured at amortized cost. This section serves
to summarize the key guidance included within ASC Topic 326, subtopic 20 (Measured
at Amortized Cost).
What Is in Scope?
One of the more basic elements to understanding the new amendments is to have a
good understanding of the types of transactions that are and are not in scope. As with
other ASC topics on various other accounting issues, the transactions that are and are
not in scope are prescribed within Section 15 (Scope and Scope Exceptions) of subtopic
20.
¶ 205
MODULE 1 - CHAPTER 2 - Credit Losses on Financial Statements 19
To that end, the guidance with respect to assets measured at amortized costs
applies to the following instruments (ASC 326-20-15-2):
• Financial assets measured at amortized cost basis, including the following:
— Financing receivables
— Held-to-maturity debt securities
— Receivables that result from revenue transactions within the scope of Topic
605 on revenue recognition, Topic 606 on revenue from contracts with
customers, and Topic 610 on other income
— Reinsurance recoverables that result from insurance transactions within the
scope of Topic 944 on insurance
— Receivables that relate to repurchase agreements and securities lending
agreements within the scope of Topic 860
• Net investments in leases recognized by a lessor in accordance with Topic 842
on leases
• Off-balance-sheet credit exposures not accounted for as insurance
While the above items are included within the scope of the topic, the following
items are specifically excluded from the scope of the topic (ASC 326-20-15-3):
• Financial assets measured at fair value through net income
• Available-for-sale debt securities
• Loans made to participants by defined contribution employee benefit plans
• Policy loan receivables of an insurance entity
• Promises to give (pledges receivable) of a not-for-profit entity
• Loans and receivables between entities under common control
STUDY QUESTIONS
1. The amendments within ASU No. 2016-13 included amendments for each of the
following financial instruments, except:
a. Assets measured at amortized cost
b. Fair value hedges
c. Available-for-sale debt securities
d. Purchased financial instruments with credit deterioration
2. Which of the following financial instruments are within the scope of ASC 326-20?
a. Financial assets measured at amortized costs
b. Available-for-sale debt securities
c. Loans made to participants by defined contribution employee benefit plans
d. Policy loan receivables of an insurance entity
¶ 206 INITIAL MEASUREMENT OF EXPECTED LOSSES

Recall from the earlier discussion that the amendments within this ASU replaced the
current “incurred loss model with more of an “expected loss type model. Because of
the use of an expected loss model, entities are now required to consider a broader
range of information in order to estimate expected credit losses over the lifetime of the
assets that are within scope.
¶ 206
The names used to describe the former and future models are fairly self-explana-
tory. However, the key principles of each model are worth reemphasizing. The incurred
model in the current day recognizes a loss only when an event has occurred that leads
the entity to conclude that a loss is probable. By contrast, the expected loss model
recognizes credit losses based on the expectation or anticipation of a certain future
event, or events, which will ultimately lead to a loss being recognized. This expected
loss model can be analogized to accounting for a customer’s accounts receivable where
an entity has set up an allowance for doubtful accounts.
In the end, the FASB ultimately concluded that the use of a current expected credit
loss, or CECL, model should be used for those assets that are measured at amortized
cost. It is important to note that the FASB considered, but ultimately rejected, various
alternatives to the CECL model when considering the feedback from stakeholders that
primarily advocated for the gross-up model and models that were an abbreviated
version of the CECL model (BC36).
Simply put, the allowance for expected credit losses represents the portion of the
amortized cost of a financial asset that an entity does not expect to collect. The FASB
prescribes its overall objective with respect to this allowance for credit losses through
ASC 326-20-30-1. Based on the paragraph, the FASB states that the allowance for credit
losses is a valuation account that is deducted from the amortized cost basis of the
financial asset(s) to present the net amount expected to be collected on the financial
asset. Furthermore, at the reporting date, an entity is required to record an allowance
for credit losses on financial assets. As a result, an entity is required to report in net
income (as a credit loss expense) the amount necessary to adjust the allowance for
credit losses for management’s current estimate of expected credit losses on financial
asset(s). In other words, the allowance for credit losses should represent the portion of
the amortized cost basis of a financial asset that an entity does not expect to collect.
Note that the FASB concluded that an entity should present the allowance for
credit losses as a contra-asset account to reduce the net amortized cost of the asset to
an amount that is expected to be collected. When the FASB considered truncated
models or other models that limited the measurement of credit losses to a specific time
period, it observed that the allowance for credit losses would not represent a complete
estimate of an entity’s expectations (BC42). The FASB also noted that if the measure-
ment objective is based on a trigger for recording expected credit losses, an added layer
of subjectivity and complexity would be added when identifying the assets that met a
particular trigger. As a result of those operability concerns for financial assets, the net
amortized cost basis (net of allowance) would be measured at an amount greater than
the amount expected to be collected (BC42).
Estimating the Credit Loss
The FASB notes that an allowance for credit losses may be determined using various
methods. In other words, it does not require a single method be used for estimating
credit losses. Acceptable methods outlined by the FASB include the following (ASC
326-20-30-3):
• Discounted cash flow methods
• Loss-rate methods
• Roll-rate methods
• Probability-of-default methods
• Methods that use an aging schedule
¶ 206
While the FASB does not prescribe a specific method be used by all entities, the
measurement requirements can vary depending on whether or not an entity elects to
use a discounted cash flow method. For example, if an entity estimates expected credit
losses using methods that project future principal and interest cash flows (i.e., a
discounted cash flow method), the entity should discount expected cash flows at the
financial asset’s effective interest rate (ASC 326-20-30-4). Furthermore, when a dis-
counted cash flow method is applied, the allowance for credit losses should reflect the
difference between the amortized cost basis and the present value of the expected cash
flows. If the financial asset’s contractual interest rate varies based on subsequent
changes in an independent factor, such as an index or rate—for example, the prime
rate, the London Interbank Offered Rate (LIBOR), or the U.S. Treasury bill weekly
average—that financial asset’s effective interest rate should be calculated based on the
factor as it changes over the life of the financial asset (ASC 326-20-30-4).
Alternatively, if an entity estimates expected credit losses using a method other
than a discounted cash flow method, the allowance for credit losses should reflect an
entity’s expected credit losses of the amortized cost basis of the financial asset(s) as of
the reporting date (ASC 326-20-30-5). For example, if an entity uses a loss-rate method,
the numerator would include the expected credit losses of the amortized cost basis (i.e.,
amounts that are not expected to be collected in cash or other consideration, or
recognized in income). In addition, when an entity expects to accrete a discount into
interest income, the discount should not offset the entity’s expectation of credit losses.
Note that an entity may develop its estimate of expected credit losses by measuring
components of the amortized cost basis on a combined basis or by separately measur-
ing the following components of the amortized cost basis, including both of the
following (ASC 326-20-30-5):
• Amortized cost basis, excluding premiums, discounts (including net deferred
fees and costs), foreign exchange, and fair value hedge accounting adjustments
(i.e., the face amount or unpaid principal balance)
• Premiums or discounts, including net deferred fees and costs, foreign exchange,
and fair value hedge accounting adjustments
Based on the requirements in the ASU, entities must estimate credit losses over
the contractual term of the financial asset. In the Board’s Basis for Conclusions BC, the
FASB acknowledged that estimating expected credit losses over longer periods of time
(such as the contractual term of financial assets) requires a significant amount of
professional judgment, especially when using discounted cash flow techniques. Al-
though an entity must estimate credit losses over the entire contractual term of the
financial assets (considering the effect of prepayments), the FASB recognized that as
the forecast horizon increases, the degree of judgment involved in estimating expected
credit losses also increases because the availability of detailed inputs to estimates for
periods in the future decreases. However, the FASB concluded that it is not useful to
assign a credit loss estimate of zero to certain periods merely because an entity is
unable to precisely estimate future economic conditions for those periods
Considering Available Information

ASC 326-20-30-7 requires that when developing an estimate of expected credit losses on
financial asset(s), an entity should consider available information relevant to assessing
the collectibility of cash flows. As a result, this information may include internal
information, external information, or a combination of both relating to past events,
current conditions, and reasonable and supportable forecasts. Furthermore, an entity
should also consider relevant qualitative and quantitative factors that relate to the
¶ 206
environment in which the entity operates and are specific to the borrower(s). However,
when financial assets are evaluated on a collective or individual basis, an entity is not
required to search all possible information that is not reasonably available without
undue cost and effort. While an entity is not required to develop a hypothetical pool of
financial assets, it may find that using its internal information is sufficient in determin-
ing collectibility.
As previously noted, the amendments within the ASU do not prescribe a specific
methodology for developing an expectation about the collectibility of a financial asset.
However, the FASB does note that an entity’s expectations about the collectibility of a
financial asset should consider available information about past events, including histor-
ical loss experience with similar assets, current conditions, and reasonable and support-
able forecasts that inform the entity about the estimated collectibility of the asset
(BC47). With respect to historical loss information, ASC 326-20-55-6 notes that historical
loss information generally provides a basis for an entity’s assessment of expected credit
losses. As a result, an entity may use historical periods that represent management’s
expectations for future credit losses. The important point to note is that when determin-
ing historical loss information in estimating expected credit losses, the information
about historical credit loss data, after adjustments for current conditions and reasonable
and supportable forecasts, should be applied to pools that are defined in a manner that
is consistent with the pools for which the historical credit loss experience was observed
(ASC 326-20-55-3).
While the previous paragraph mentioned that historical loss can serve as a good
benchmark for estimating credit losses, it is important to note that historical loss
experience may not fully reflect an entity’s expectations about the future. An entity
should, as a consequence, adjust historical loss information to reflect the current
conditions using reasonable and supportable forecasts not already reflected in the
historical loss information (ASC 326-20-55-4).
Included within the implementation guidance to ASC 326-20 is a list of significant
factors an entity should consider depending on the nature of the asset. Note that not all
of these may be relevant to every situation. As a result, the following list of significant
factors is not exhaustive.
Examples of significant factors an entity may consider include the following (ASC
326-20-55-4):
• The borrower’s financial condition, credit rating, credit score, asset quality, or
business prospects
• The borrower’s ability to make scheduled interest or principal payments
• The remaining payment terms of the financial asset(s)
• The remaining time to maturity and the timing and extent of prepayments on
the financial asset(s)
• The nature and volume of the entity’s financial asset(s)
• The volume and severity of past due financial asset(s) and the volume and
severity of adversely classified or rated financial asset(s)
• The value of underlying collateral on financial assets in which the collateral-
dependent practical expedient has not been utilized
• The entity’s lending policies and procedures, including changes in lending
strategies, underwriting standards, collection, write-off, and recovery practices,
as well as knowledge of the borrower’s operations or the borrower’s standing in
the community
• The quality of the entity’s credit review system
¶ 206
• The experience, ability, and depth of the entity’s management, lending staff, and
other relevant staff
• The environmental factors of a borrower and the areas in which the entity’s
credit is concentrated, such as:
— Regulatory, legal, or technological environment to which the entity has
exposure
— Changes and expected changes in the general market condition of either the
geographical area or the industry to which the entity has exposure
— Changes and expected changes in international, national, regional, and local
economic and business conditions and developments in which the entity
operates, including the condition and expected condition of various market
segments
Estimating Credit Losses

As was previously noted, the actual estimation of credit losses, no matter the type of
model utilized by an entity, can be highly judgmental and will undoubtedly be based on
entity-specific factors. Examples of entity-specific factors and judgments include the
following (ASC 326-20-55-6):
• The definition of default for default-based statistics
• The approach to measuring the historical loss amount for loss-rate statistics,
including whether the amount is simply based on the amortized cost amount
written off and whether there should be adjustments to historical credit losses
(if any) to reflect the entity’s policies for recognizing accrued interest
• The approach to determine the appropriate historical period for estimating
expected credit loss statistics
• The approach to adjusting historical credit loss information to reflect current
conditions and reasonable and supportable forecasts that are different from
conditions existing in the historical period
• The methods of utilizing historical experience
• The method of adjusting loss statistics for recoveries
• How expected prepayments affect the estimate of expected credit losses
• How the entity plans to revert to historical credit loss information for periods
beyond which the entity is able to make or obtain reasonable and supportable
forecasts of expected credit losses
• The assessment of whether a financial asset exhibits risk characteristics similar
to other financial assets
Using Pools
The new guidance for developing estimates on credit losses requires that entities
measure expected losses of financial assets on a collective, or pool, basis when similar
risk characteristics exist (ASC 326-20-30-2). If an entity determines that pooled assets do
not have similar risk characteristics, then they are to be evaluated on an individual
basis. This leads to the next obvious question: What is considered a pool?
Simply put, an entity should aggregate financial assets on the basis of similar risk
characteristics, which may include any one or a combination of the following (ASC
326-20-55-5):
• Internal or external (third-party) credit score or credit ratings
• Risk ratings or classification
¶ 206
• Financial asset type

• Collateral type
• Size
• Effective interest rate
• Term
• Geographical location
• Industry of the borrower
• Vintage
• Historical or expected credit loss patterns
• Reasonable and supportable forecast periods
The FASB noted that it considered including specific guidance that would have
prescribed when credit losses should be estimated on an individual asset basis (such as
a triggering event) or on a collective (or pool) basis. However, the FASB decided not to
specify the unit of measurement or require certain methods to be followed in specific
circumstances. Instead, the FASB decided to provide a consistent set of measurement
principles that could be implemented for both individual assets and groups of similar
assets, understanding that estimation techniques might differ (BC54). Furthermore,
note that new credit loss standards also require an entity’s allowance for credit losses
reflect the risk of loss, even when that risk is remote.
Use of a Valuation Allowance
Recall that the amendments require expected credit losses to be reflected through a
valuation allowance account instead of a direct adjustment to the cost basis of the asset.
However, there are certain instances where an actual write-off of a financial asset, or a
portion, is required.
Purchased Financial Assets with Credit Deterioration
Purchased financial assets with credit deterioration, as defined by the ASC Master
Glossary, are those individual financial assets that as of the date of acquisition have
experienced a more-than-insignificant deterioration in credit quality since origination, as
determined by the acquirer’s assessment. The FASB concluded that the allowance for
purchased assets with more than-insignificant credit deterioration since origination
should be added to the purchase price upon recognition of those assets (commonly
referred to as the gross-up approach). Recording the amortized cost as the sum of the
allowance and the purchase price enhances comparability and prevents the accretion of
the credit discount into interest income (BC86).
As a result of the FASB’s conclusions, an entity is required to add the allowance for
credit losses at the date of acquisition to the purchase price to determine the initial
amortized cost basis for purchased financial assets with credit deterioration (ASC
326-20-30-13). Furthermore, any noncredit discount or premium resulting from acquir-
ing a pool of purchased financial assets with credit deterioration should be allocated to
each individual asset. To that end, at the acquisition date, the initial allowance for credit
losses determined on a collective basis should be allocated to individual assets to
appropriately allocate any noncredit discount or premium.
¶ 206
STUDY QUESTION
3. If an entity estimates expected credit losses using a discounted cash flow method, it
should discount expected cash flows using which of the following?
a. Weighted average cost of capital
b. Effective interest rate
c. LIBOR rate
d. Cost of equity
¶ 207 SUBSEQUENT MEASUREMENT OF EXPECTED

CREDIT LOSSES
At each reporting date, an entity is required to record an allowance for credit losses on
financial assets (including purchased financial assets with credit deterioration). As a
result, an entity should compare its current estimate of expected credit losses with the
estimate of expected credit losses previously recorded. By doing this, an entity should
report in net income (as a credit loss expense or a reversal of credit loss expense) the
amount necessary to adjust the allowance for credit losses for management’s current
estimate of expected credit losses on financial asset(s) (ASC 326-20-35-1).
In addition to the subsequent measurement requirement prescribed above, an
entity should also evaluate whether a financial asset in a pool continues to exhibit
similar risk characteristics with other financial assets in the pool (ASC 326-20-35-2).
Financial Assets Secured by Collateral
With respect to financial assets secured by collateral, ASC 326-20 notes that regardless
of the initial measurement method, an entity is required to measure expected credit
losses based on the fair value of the collateral when the entity determines that
foreclosure is probable (ASC 326-20-35-4). Furthermore, when an entity determines that
foreclosure is probable, the entity is required to remeasure the financial asset at the fair
value of the collateral so that the reporting of a credit loss is not delayed until actual
foreclosure.
However, the FASB allowed for two practical expedients that entities can elect
when measuring expected credit losses on financial assets secured by collateral even
when foreclosure is not probable. One expedient is applicable to collateral-dependent
financial assets, whereas the second expedient is applicable to financial assets secured
by collateral maintenance provisions.
For collateral-dependent financial assets, an entity is permitted to estimate credit
losses on certain collateral-dependent financial assets as the difference between the
collateral’s fair value and the amortized cost basis of the financial asset. However,
entities are only allowed to use this practical expedient if repayment is expected to be
provided substantially through the operation or sale of the collateral when the borrower
is experiencing financial difficulty based on the entity’s assessment as of the reporting
date (ASC 326-20-35-5).
For financial assets with collateral maintenance provisions, an entity may be able to
elect a practical expedient to compare the amortized cost basis of the financial asset
with the fair value of collateral at the reporting date to measure the allowance for
expected credit losses. This practical expedient can be used if the financial asset
includes a collateral maintenance provision that requires the borrower to continually
adjust the amount of collateral securing the financial asset.
¶ 207
¶ 208 PRESENTATION
Under the new amendments, the presentation of the estimate of expected credit losses
for recognized assets on the balance sheet differs from the estimate of expected credit
losses for off-balance-sheet exposures. To that end, the estimate of expected credit
losses for recognized financial assets is presented on the balance sheet as an allowance
that reduces the amortized cost basis of the asset. Alternatively, estimates of expected
credit losses for off-balance-sheet credit exposures should be presented as a liability.
EXAMPLE: Estimating Credit Losses for Trade Receivables Using an
Aging Schedule (ASC 326-20-55-37 through 40)
This example illustrates one way an entity may estimate expected credit losses
for trade receivables using an aging schedule.
Entity E manufactures and sells products to a broad range of customers,
primarily retail stores. Customers typically are provided with payment terms of 90
days with a 2 percent discount if payments are received within 60 days. Entity E
has tracked historical loss information for its trade receivables and compiled the
following historical credit loss percentages:
• 0.3 percent for receivables that are current
• 8 percent for receivables that are 1–30 days past due
• 82 percent for receivables that are more than 90 days past due
Entity E believes that this historical loss information is a reasonable base on
which to determine expected credit losses for trade receivables held at the
reporting date because the composition of the trade receivables at the reporting
date is consistent with that used in developing the historical credit-loss percent-
ages (that is, the similar risk characteristics of its customers and its lending
practices have not changed significantly over time). However, Entity E has deter-
mined that the current and reasonable and supportable forecasted economic
conditions have improved as compared with the economic conditions included in
the historical information. Specifically, Entity E has observed that unemployment
has decreased as of the current reporting date, and Entity E expects there will be
an additional decrease in unemployment over the next year. To adjust the histori-
cal loss rates to reflect the effects of those differences in current conditions and
forecasted changes, Entity E estimates the loss rate to decrease by approximately
10 percent in each age bucket. Entity E developed this estimate based on its
knowledge of past experience for which there were similar improvements in the
economy.
At the reporting date, Entity E develops the following aging schedule to
estimate expected credit losses.
¶ 208
¶ 209 FINANCIAL STATEMENT DISCLOSURES

The required disclosures with respect to credit losses of financial instruments measured
at amortized cost are prescribed to accomplish three specific objectives. This includes
providing information that enables users of an entity’s financial statements to under-
stand each of the following (ASC 326-20-50-2):
• The credit risk inherent in a portfolio and how management monitors the credit
quality of the portfolio
• Management’s estimate of expected credit losses
• Changes in the estimate of expected credit losses that have taken place during
the period
Note that this ASU retains many of the existing financial statement disclosures
prescribed by ASU No. 2010-20, Receivables (Topic 310): Disclosures about the Credit
Quality of Financing Receivables and the Allowance for Credit Losses.
The disclosure requirements outlined within ASC 326-20-50 are broken out into
major categories, as is the case with other ASC topics. These include the following
categories:
• Credit quality information
• Allowance for credit losses
• Past-due status
• Nonaccrual status
• Purchased financial assets with credit deterioration
• Collateral-dependent financial assets
• Off-balance-sheet credit exposures
For certain types of financial instruments, entities may need to consider aggrega-
tion when developing disclosures. For example, financing receivables should be
presented by either portfolio segment or class of financing receivable whereas held-to-
maturity debt securities should be provided by major security type (ASC 325-20-50-3).
With respect to portfolio segments, this includes all of the following (ASC 326-20-55-10):
• Type of financing receivable
• Industry sector of the borrower
• Risk rating
As far as the class of financing receivables for purposes of determining the
appropriate level of disclosure, there are several factors that an entity should consider.
These include any of the following (ASC 326-20-55-12):
• Categorization of borrowers, such as any of the following:
— Commercial loan borrowers
— Consumer loan borrowers
— Related party borrowers
• Type of financing receivable, such as any of the following:
— Mortgage loans
— Credit card loans
— Interest-only loans
— Finance leases
¶ 209
• Industry sector, such as either of the following:

— Real estate
— Mining
• Type of collateral, such as any of the following:
— Residential property
— Commercial property
— Government-guaranteed collateral
— Uncollateralized (unsecured) financing receivables
• Geographic distribution, including both of the following:
— Domestic
— International
In cases where certain financial instruments are aggregated for disclosure pur-
poses, there is an inherent risk that excessive detail may obscure important financial
information useful to users of the financial statements. As a result, the FASB notes that
an entity must strike a balance between not obscuring important information as a result
of too much aggregation and not overburdening financial statements with excessive
detail that may not assist a financial statement user in understanding the entity’s
financial assets and allowance for credit losses (ASC 326-20-50-3). Examples of this
include an entity obscuring important information by including it with a large amount of
insignificant detail or an entity disclosing information that is so aggregated that it
obscures important differences between the different types of financial assets and
associated risks.
Credit Quality Information

With respect to credit quality information, entities are required to provide information
that enables a financial statement user to do both of the following (ASC 326-20-50-4):
• Understand how management monitors the credit quality of its financial assets,
and
• Assess the quantitative and qualitative risks arising from the credit quality of its
financial assets.
To meet the above objectives, an entity is required to provide both quantitative and
qualitative information by class of financing receivable as well as major security type
about the credit quality of financial assets (ASC 326-20-50-5). This includes disclosing all
of the following:
• A description of the credit quality indicator(s)
• The amortized cost basis by credit quality indicator (public business entities
only)
• For each credit quality indicator, the date or range of dates in which the
information was last updated for that credit quality indicator
So what is exactly meant by a “credit quality indicator? Included within the implemen-
tation guidance of ASC 326-20 are several examples of these credit quality indicators.
These examples include the following (ASC 326-20-55-15):
• Consumer credit risk scores
• Credit-rating-agency ratings
• An entity’s internal credit risk grades
• Debt-to-value ratios
¶ 209
• Collateral
• Collection experience
• Other internal metrics
When disclosing credit quality indicators of financing receivables and net invest-
ment in leases (except for reinsurance recoverables and funded or unfunded amounts of
line-of-credit arrangements such as credit cards), an entity is required to present the
amortized cost basis within each credit quality indicator by year of origination (com-
monly referred to as vintage year) (ASC 326-20-50-6). Alternatively, for purchased
financing receivables and net investment in leases, an entity should use the initial date
of issuance to determine the year of origination, not the date of acquisition.
For origination years before the fifth annual period, an entity may present the
amortized cost basis of financing receivables and net investments in leases in the
aggregate (ASC 326-20-50-6). Furthermore, for interim-period disclosures, the current
year-to-date originations in the current reporting period are considered to be the
current-period originations.
Allowance for Credit Losses

The disclosures with respect to an entity’s allowance for credit losses are lengthy. Like
the overall objectives of disclosures previously noted, so too are there specific objec-
tives outlined for the disclosures related to allowance for credit losses. Specifically, an
entity should provide information that enables a financial statement user to understand
(ASC 326-20-50-10):
• Management’s method for developing its allowance for credit losses
• The information that management used in developing its current estimate of
expected credit losses
• The circumstances that caused changes to the allowance for credit losses,
thereby affecting the related credit loss expense (or reversal) reported for the
period.
To meet the above objectives, entities are required to disclose all of the following
by both portfolio segment and major security type (ASC 326-20-50-11):
• A description of how expected loss estimates are developed
• A description of the entity’s accounting policies and methodology to estimate
the allowance for credit losses, as well as a discussion of the factors that
influenced management’s current estimate of expected credit losses, including:
— Past events
— Current conditions
— Reasonable and supportable forecasts about the future.
• A discussion of risk characteristics relevant to each portfolio segment
• A discussion of the changes in the factors that influenced management’s current
estimate of expected credit losses and the reasons for those changes (e.g.,
changes in portfolio composition, underwriting practices, and significant events
or conditions that affect the current estimate but were not contemplated or
relevant during a previous period)
• Identification of changes to the entity’s accounting policies, changes to the
methodology from the prior period, its rationale for those changes, and the
quantitative effect of those changes
• Reasons for significant changes in the amount of write-offs, if applicable
¶ 209
• A discussion of the reversion method applied for periods beyond the reasonable
and supportable forecast period
• The amount of any significant purchases of financial assets during each report-
ing period
• The amount of any significant sales of financial assets or reclassifications of
loans held for sale during each reporting period
In addition to the previous disclosures, entities are now also required to present a
rollforward schedule of the allowance for credit losses. This is one of the key changes
brought about as a result of ASU No. 2016-13. This rollforward schedule helps to enable
users of an entity’s financial statement to understand the activity in the allowance for
credit losses for each period. Specifically, an entity is required to disclose the following
activity in a rollforward schedule (ASC 326-20-50-13):
• The beginning balance in the allowance for credit losses
• Current-period provision for expected credit losses
• The initial allowance for credit losses recognized on financial assets accounted
for as purchased financial assets with credit deterioration (including certain
beneficial interests), if applicable
• Write-offs charged against the allowance
• Recoveries of amounts previously written off, if applicable
• The ending balance in the allowance for credit losses
Past-Due Status
In addition to the previous disclosures discussed thus far, entities are also required to
disclose certain information with respect to financial assets that are past-due. Specifi-
cally, an entity is required to provide an aging analysis of the amortized cost basis for
financial assets that are past-due as of the reporting date, disaggregated by class of
financing receivable and major security type (ASC 326-20-50-14). This is not a new
requirement based on ASU No. 2016-13, however, what is new is that an entity is
required to disclose its policy for determining when a financial asset is past-due.
Included within the implementation guidance is an illustration of how an entity can
meet the past-due disclosure requirements prescribed above. Refer to the following
table from ASC 326-20-55-80.
¶ 209
Nonaccrual Status
There are also specific disclosure requirements prescribed for those financial assets
with a nonaccrual status. Specifically, an entity is required to disclose the following,
aggregated by class of financing receivable and major security type (ASC 326-20-50-16):
• The amortized cost basis of financial assets on nonaccrual status as of the
beginning of the reporting period and the end of the reporting period
• The amount of interest income recognized during the period on nonaccrual
financial assets
• The amortized cost basis of financial assets that are 90 days or more past due,
but are not on nonaccrual status as of the reporting date
• The amortized cost basis of financial assets on nonaccrual status for which there
is no related allowance for credit losses as of the reporting date.
Additionally, there are incremental disclosure requirements regarding the signifi-

cant accounting policies for these financial assets. Entities are required to disclose
nonaccrual policies, including the policies for discontinuing accrual of interest, record-
ing payments received on nonaccrual assets (including the cost recovery method, cash
basis method, or some combination of those methods), and resuming accrual of
interest, if applicable (ASC 326-20-50-17).
¶ 209

There are also specific disclosure requirements for purchased financial assets with
credit deterioration. Specifically, an entity is required to disclose a reconciliation of the
difference between the purchase price of financial assets and the par value of those
assets, including the following (ASC 326-20-50-19):
• The purchase price
• The allowance for credit losses at the acquisition date based on the acquirer’s
assessment
• The discount (or premium) attributable to other factors
• The par value
Collateral-Dependent Financial Assets

For a financial asset for which the repayment is expected to be provided substantially
through the operation or sale of the collateral and the borrower is experiencing financial
difficulty, an entity should disclose each of the following by class of financing receivable
and major security type (ASC 326-20-50-20):
• The type of collateral
• Qualitative description of the extent to which collateral secures its collateral-
dependent financial assets, and if applicable, significant changes in the extent to
which collateral secures its collateral-dependent financial assets, whether be-
cause of a general deterioration or some other reason
Off-Balance-Sheet Credit Exposures

Off-balance-sheet credit exposures include credit exposures on off-balance-sheet loan
commitments, standby letters of credit, financial guarantees not accounted for as
insurance, and other similar instruments (other than derivative instruments).
With respect to these, an entity is required to disclose a description of the
accounting policies and methodology the entity uses to estimate its liability for off-
balance-sheet credit exposures and related charges for those credit exposures. Specifi-
cally, the description should identify the following (ASC 326-20-50-21):
• The factors that influenced management’s judgment
— For example, historical losses, existing economic conditions, and reasonable
and supportable forecasts
• A discussion of risk elements relevant to particular categories of financial
instruments
STUDY QUESTIONS
4. An entity is permitted to estimate, as a practical expedient, credit losses as the

difference between a collateral’s fair value and the amortized cost basis of which of the
following financial assets?
a. Purchased financial assets with credit deterioration
b. Available-for-sale debt securities
c. Certain collateral-dependent financial assets
d. Held-to-maturity securities
¶ 209
5. Entities are required to disclose which of the following through the use of a
rollforward schedule?
a. Purchase price
b. Write-offs charged against the allowance
c. Past-due status
d. Par value of purchased financial assets
¶ 210 AVAILABLE-FOR-SALE DEBT SECURITIES

This section of the chapter explores the ASU amendments in more detail and focuses
specifically on those requirements for available-for-sale debt securities. As a refresher,
an available-for-sale security is a type of investment that is not classified as either a
trading security or as held-to-maturity security. As a result, this section serves to
summarize the key guidance included within ASC Topic 326, subtopic 30, whereas the
previous section addressed those requirements prescribed within subtopic 20 (Mea-
sured at Amortized Cost).
Overall, the amendments within the ASU are fairly consistent in principle with the
current GAAP requirements for available-for-sale debt securities. The key difference is
that the amendments require that credit losses be presented as an allowance rather
than as a write-down. The FASB notes in the ASU summary that this approach is an
improvement to current GAAP because an entity will be able to record reversals of
credit losses (in situations in which the estimate of credit losses declines) in current
period net income, which in turn should align the income statement recognition of
credit losses with the reporting period in which changes occur. This is in stark contrast
to current GAAP requirements that prohibit reflecting those improvements in current
period earnings.
Scope
The scope of the new amendments outlined within subtopic 30 are applicable to all debt
securities that are classified as available-for-sale securities including loans that meet this
definition.
¶ 211 SUBSEQUENT MEASUREMENT

An investment is considered to be impaired if the fair value of the investment is less
than the amortized cost basis. The important point to note here is that an entity is
required to determine whether a decline in fair value below the amortized cost basis has
resulted from a credit loss or other factors. If an entity has determined that the
impairment results from a credit loss, then the entity should record the impairment
through an allowance for credit losses. With respect to the allowance, it should be
limited by the amount that the fair value is less than the amortized cost basis. If an
impairment has not been recorded through an allowance, then the impairment should
be recorded through other comprehensive income, net of applicable taxes (ASC
326-30-35-2).
In assessing whether a credit loss exists, an entity should compare the present
value of cash flows expected to be collected from the security with the amortized cost
basis of the security (ASC 326-30-35-6). If the present value of cash flows expected to be
collected is less than the amortized cost basis of the security, a credit loss exists and an
allowance for credit losses should be recorded for the credit loss, limited by the amount
that the fair value is less than amortized cost basis.
¶ 211
The impairment loss noted above should be recorded at each reporting date. Note
that with the fact that an allowance is used to record impairment losses, changes in the
allowance account can go both ways. In other words, the allowance can be increased to
reflect additional credit losses. Alternatively, the allowance can also be reduced to
reflect reductions in credit losses. However, at the risk of stating the obvious, the
allowance account can only be reversed up to zero (i.e., the asset’s value cannot be
written up above its original value before the first allowance recorded). Specifically, the
FASB notes in ASC 326-30-35-12 that an entity should not reverse a previously recorded
allowance for credit losses to an amount below zero.
With respect to the unit of account, impairment should be assessed at the individ-
ual security level (ASC 326-30-35-4). To that end, ASC 326 defines individual security
level as the level and method of aggregation used by the reporting entity to measure
realized and unrealized gains and losses on its debt securities.
Factors to Consider
The previous section identified the overall principles with respect to how and when a
credit loss and related allowance is recorded with an available-for-sale debt security.
This section focuses more on the specific factors that an entity should assess to
determine if an actual credit loss exists.
The actual factors an entity should assess are prescribed within the implementation
guidance of subtopic 30. While the listing and related considerations may seem fairly
comprehensive below, it should be noted that the listing is not meant to be all inclusive.
To summarize, there are numerous factors that should be considered when determin-
ing whether a credit loss exists. For starters, they include the following (ASC
326-30-55-1):
• The extent to which the fair value is less than the amortized cost basis
• Adverse conditions specifically related to the security, an industry, or geo-
graphic area; for example, changes in the financial condition of the issuer of the
security, or in the case of an asset-backed debt security, changes in the financial
condition of the underlying loan obligors. Examples of those changes include
any of the following:
— Changes in technology
— The discontinuance of a segment of the business that may affect the future
earnings potential of the issuer or underlying loan obligors of the security
— Changes in the quality of the credit enhancement
• The payment structure of the debt security (e.g., nontraditional loan terms as
described in paragraphs 825-10-55-1 through 55-2) and the likelihood of the
issuer being able to make payments that increase in the future
• Failure of the issuer of the security to make scheduled interest or principal
payments
• Any changes to the rating of the security by a rating agency
Specific to developing the estimate of cash flows expected to be collected, an entity
should also consider certain information with respect to the collectibility of the security.
This includes information about past events, current conditions, as well as reasonable
and supportable forecasts. This information should include all of the following (ASC
326-30-55-2):
• The remaining payment terms of the security
• Prepayment speeds
• The financial condition of the issuer(s)
¶ 211
• Expected defaults
• The value of any underlying collateral
In addition to the above factors, an entity should also consider the following to the
extent they influence the estimate of cash flows of a security (ASC 326-30-55-3):
• Industry analyst reports and forecasts
• Credit ratings
• Other market data that are relevant to the collectibility of the security
Finally, an entity should also consider how other credit enhancements affect the
expected performance of the security, including the following (ASC 326-30-55-4):
• Consideration of the current financial condition of the guarantor of a security (if
the guarantee is not a separate contract)
• The willingness of the guarantor to pay
• Whether any subordinated interests are capable of absorbing estimated losses
on the loans underlying the security
Furthermore, it is important to note that the remaining payment terms of the
security could be significantly different from the payment terms in prior periods (such
as for some securities backed by nontraditional loans). As a result, an entity should
consider whether a security backed by currently performing loans will continue to
perform when required payments increase in the future (including balloon payments).
Finally, an entity should also consider how the value of any collateral would affect the
expected performance of the security. If the fair value of the collateral has declined, an
entity should assess the effect of that decline on its ability to collect the balloon payment
(ASC 326-30-55-4).
Future Cash Flow Considerations
The estimates of expected future cash flows should be the entity’s best estimate based
on past events, current conditions, and reasonable and supportable forecasts. Further-
more, available evidence should be considered in developing the estimate of expected
future cash flows with weight given to the information used in the assessment being
commensurate with the extent to which the evidence can be verified objectively (ASC
326-30-35-8). Examples of this available information include existing environmental
factors such as industry, geographical, economic, and political (ASC 326-30-35-9).
Another important point to note is that if an entity estimates a range for either the
amount or timing of possible cash flows, the likelihood of the possible outcomes should
be considered in determining the best estimate of expected future cash flows.
Finally, the ASC 326 offers flexibility to entities when utilizing a rate for discounting
future cash flows. For example, some debt securities contractual interest rate varies
based on subsequent changes in an independent factor, such as an index or rate, for
example, the prime rate, the LIBOR, or the U.S. Treasury bill weekly average (ASC
326-30-35-11). In these situations when there is variability in the interest rate, an entity
may conclude that the security’s effective interest rate used to discount expected cash
flows may be calculated based on the changing factor or may be fixed at the rate in
effect at the date an entity determines that the security has a credit loss (ASC
326-30-35-11). The important takeaway with respect to this choice point is that the entity
should consistently apply its conclusion on the effective interest rate to be used for all
securities whose contractual interest rate varies based on changes in an independent
factor. In other words, an entity cannot apply a different discount percentage among
different securities whose contractual rate interest rate varies based on subsequent
changes in an independent factor. As with many other accounting principles, this needs
to be consistently applied.
¶ 211
STUDY QUESTION
6. Which of the following financial instruments is included within the scope of ASC
326-30?
a. Financing receivables
b. Reinsurance recoverables
c. Receivables that relate to repurchase agreements
d. Available-for-sale debt securities
¶ 212 FINANCIAL STATEMENT DISCLOSURES

Similar to the previous section on the financial statement disclosures for assets mea-
sured at amortized costs, the financial statement disclosure requirements with respect
to available-for-sale debt securities are outlined within subtopic 50 within ASC 326-30.
The required disclosures with respect to credit losses of available-for-sale debt
securities are prescribed to accomplish three specific objectives. This includes provid-
ing information that enables users of an entity’s financial statements to understand each
of the following (ASC 326-30-50-2):
• The credit risk inherent in available-for-sale debt securities
• Management’s estimate of expected credit losses
• Changes in the estimate of expected credit losses that have taken place during
the period
The disclosure requirements outlined within ASC 326-30-50 are broken out between
major categories, as is the case with other ASC topics. This includes the following
categories:
• Available-for-sale debt securities in unrealized loss positions without an allow-
ance for credit losses
• Allowance for credit losses
• Purchased financial assets with credit deterioration
Similar to the previous financial statement disclosure section, in cases where
certain financial instruments are aggregated for disclosure purposes, there is an inher-
ent risk that excessive detail may obscure important financial information useful to
users of the financial statements. Accordingly, an entity must strike a balance between
not obscuring important information as a result of too much aggregation and not
overburdening financial statements with excessive detail that may not assist a financial
statement user in understanding the entity’s financial assets and allowance for credit
losses (ASC 326-30-50-3).
Available-for-Sale Debt Securities in Unrealized Loss Positions

Without an Allowance for Credit Losses
For starters, there are specific disclosure requirements for those available-for-sale debt
securities that are in unrealized loss positions but that do not have an allowance for
credit losses. For these types of securities, including certain beneficial interests in
¶ 212
securitized financial assets, an entity is required to disclose all of the following in its
interim and annual financial statements (ASC 326-30-50-4):
• As of each date for which a statement of financial position is presented, quantita-
tive information, aggregated by category of investment—each major security
type that the entity discloses in accordance with this Subtopic—in tabular form:
— The aggregate related fair value of investments with unrealized losses
— The aggregate amount of unrealized losses (that is, the amount by which
amortized cost basis exceeds fair value)
• As of the date of the most recent statement of financial position, additional
information (in narrative form) that provides sufficient information to allow a
financial statement user to understand the quantitative disclosures and the
information that the entity considered (both positive and negative) in reaching
the conclusion that an allowance for credit losses is unnecessary. The disclo-
sures required may be aggregated by investment categories, but individually
significant unrealized losses should generally not be aggregated. This disclo-
sure could include all of the following:
— The nature of the investment(s)
— The cause(s) of the impairment(s)
— The number of investment positions that are in an unrealized loss position
— The severity of the impairment(s)
— Other evidence considered by the investor in reaching its conclusion that an
allowance for credit losses is not necessary, including, for example, any of
the following:
Performance indicators of the underlying assets in the security, including
any of the following:
• Default rates
• Delinquency rates
• Percentage of nonperforming assets
Debt-to-collateral-value ratios
Third-party guarantees
Current levels of subordination
Vintage
Geographic concentration
Industry analyst reports
Credit ratings
Volatility of the security’s fair value
Interest rate changes since purchase
Any other information that the investor considers relevant
Note that for the disclosures listed above requiring presentation in tabular form,
these should be disaggregated by those investments that have been in a continuous
unrealized loss position for less than 12 months and those that have been in a
continuous unrealized loss position for 12 months or longer (ASC 326-30-50-5). Included
within the implementation guidance is an example of the application of this tabular form
presentation for purposes of meeting the respective disclosure requirements.
¶ 212
Allowance for Credit Losses

The second disclosure area relates to the allowance for credit losses on available-for-
sale debt securities. Specifically, for interim and annual periods in which an allowance
for credit losses of an available-for-sale debt security is recorded, an entity is required to
disclose by major security type, the methodology and significant inputs used to measure
the amount related to credit loss, including its accounting policy for recognizing write-
offs of uncollectible available-for-sale debt securities. Examples of significant inputs
include, but are not limited to, all of the following (ASC 326-30-50-7):
• Performance indicators of the underlying assets in the security, including all of
the following:
— Default rates
— Delinquency rates
— Percentage of nonperforming assets
• Debt-to-collateral-value ratios
• Third-party guarantees
• Current levels of subordination
• Vintage
• Geographic concentration
• Industry analyst reports and forecasts
• Credit ratings
• Other market data that are relevant to the collectibility of the security
In addition to the preceding disclosures, entities are also required to present a rollfor-
ward of the allowance for credit losses for each interim and annual period for each
major security type. At minimum, this rollforward is required to include the following
(ASC 326-30-50-9):
• The beginning balance of the allowance for credit losses on available-for-sale
debt securities held by the entity at the beginning of the period
• Additions to the allowance for credit losses on securities for which credit losses
were not previously recorded
• Additions to the allowance for credit losses arising from purchases of available-
for-sale debt securities accounted for as purchased financial assets with credit
deterioration (including beneficial interests that meet the criteria in paragraph
325-40-30-1A)
• Reductions for securities sold during the period (realized)
• Reductions in the allowance for credit losses because the entity intends to sell
the security or more likely than not will be required to sell the security before
recovery of its amortized cost basis
• If the entity does not intend to sell the security and it is not more likely than not
that the entity will be required to sell the security before recovery of its
amortized cost basis, additional increases or decreases to the allowance for
credit losses on securities that had an allowance recorded in a previous period
• Write-offs charged against the allowance
• Recoveries of amounts previously written off
• The ending balance of the allowance for credit losses related to debt securities
held by the entity at the end of the period
¶ 212

The final disclosure area relates to specific disclosures with respect to purchased
financial assets with credit deterioration. To the extent an entity acquired purchased
financial assets with credit deterioration during the current reporting period, an entity is
required to provide a reconciliation of the difference between the purchase price of the
assets and the par value of the available-for-sale debt securities including the following
information (ASC 326-30-50-10):
• The purchase price
• The allowance for credit losses at the acquisition date based on the acquirer’s
assessment
• The discount (or premium) attributable to other factors
• The par value
¶ 213 TRANSITION
This chapter has focused primarily in presenting the new recognition and measurement
amendments as a result of ASU No. 2016-13. At this point in the chapter, it is critical to
address the respective transition requirements for entities. This is not one of those
ASUs that will be a simple adoption for most entities. In other words, it certainly does
not fit within the bucket of the FASB’s routine simplification initiatives that can
generally be easily adopted by entities without significant effort. This ASU, instead,
encompasses significant changes to current GAAP that requires entities to evaluate
many aspects of their current accounting policies with respect to credit losses.
As previously noted, for public business entities that are U.S. Securities and
Exchange Commission (SEC) filers, the amendments in this ASU are effective for fiscal
years beginning after December 15, 2019, including interim periods within those fiscal
years. By contrast, for all other public business entities, the amendments in this update
are effective for fiscal years beginning after December 15, 2020, including interim
periods within those fiscal years. Still, for all other entities, including not-for-profit
entities and employee benefit plans within the scope of Topics 960 through 965 on plan
accounting, the amendments in this ASU are effective for fiscal years beginning after
December 15, 2021, and interim periods within fiscal years beginning after December
15, 2021. Entities are required to apply the amendments from this ASU through a
cumulative-effect adjustment to retained earnings as of the beginning of the first
reporting period in which the guidance is effective. In other words, they are required to
apply a modified-retrospective approach.
The FASB noted in BC126 that initially it was determined the effective dates to be
one year earlier than the respective dates mentioned above. However, the final issuance
of the ASU occurred later than the FASB expected because additional outreach was
performed. As a result, in consideration of the Private Company Decision-Making
Framework and the FASB’s reconsideration of the effective dates to the effective dates
mentioned above, the FASB decided that all entities may adopt the amendments in the
ASU as of fiscal years beginning after December 15, 2018, including interim periods
within those fiscal years. Note that earlier adoption is not permitted as a result of this
ASU.
The FASB also understands that some stakeholders are of the view that a require-
ment to record the full estimate of expected losses may inhibit lending, particularly to
less creditworthy borrowers or during an economically stressed environment (BC9).
However, the FASB notes that the amendments in this ASU do not change the
economics of lending. Said another way, the same loss ultimately will be recorded,
regardless of the accounting requirements. The critical aspect that is changing is the
¶ 213
accounting threshold for the recognition of credit losses, which affects only the timing
of when to record credit losses, not the ultimate amount realized on the financial assets.
On account of these changes, the FASB notes that the guidance on credit losses should
provide information that is useful in making business and economic decisions, and that
guidance on credit losses should provide information that faithfully reports the econom-
ics of a transaction, regardless of any perceived positive or negative impact of reporting
that information in the financial statements (that is, “neutrality) has on business and
policy decisions (BC9).
Similar to ASU No. 2014-09, Revenue from Contracts with Customers, which included
sweeping changes to the accounting principles with respect to revenue recognition and
drove the creation of a Revenue Recognition Transition Resource Group (TRG), so too
is the case for the ASU that is the subject of this chapter. As a result, a TRG was put in
place at the FASB with respect to implementation issues of the new credit loss
amendments. The purpose of this TRG is to do the following:
• To solicit, analyze, and discuss stakeholder issues arising from implementation
of the new guidance
• To inform the FASB about those implementation issues, which will help the
Board determine what, if any, action will be needed to address those issues
• To provide a forum for stakeholders to learn about the new guidance from
others involved with implementation
¶ 214 RECENT DEVELOPMENTS

ASU No. 2018-19
This ASU was released in November 2018 and included codification improvements to
ASC Topic 326. This ASU primarily addressed the following two issues:
• Transition and Effective Date for Nonpublic Business Entities
• Operating Lease Receivables
The amendments in this ASU include items brought to the FASB’s attention by
stakeholders. In short, the amendments align the implementation date for nonpublic
entities’ annual financial statements with the implementation date for their interim
financial statements. This ASU also clarifies the scope of the guidance. To that end, it
clarifies that receivables arising from operating leases are not within the scope of
Subtopic 326-20. Instead, impairment of receivables arising from operating leases
should be accounted for in accordance with Topic 842, Leases.
ASU No. 2019-04
This ASU was released in April 2019 and also included several updates to other recent
ASUs. While this was also a codification improvements type ASU like the one discussed
previously, it included significantly more amendments. For starters, this ASU includes
changes based on the June 2018 and November 2018 Credit Losses TRG meetings.
Overall, the amendments clarify or address stakeholders’ specific issues such as
accrued interest and recoveries.
Additionally, there was a whole laundry list of other smaller updates to ASC Topic
326. These were primarily identified as areas of improvement which resulted in fairly
minimal updates to the previously issued amendments. These include areas such as the
following:
¶ 214
• Clarification That Reinsurance Recoverables Are Within the Scope of Subtopic
326-20
• Projections of Interest Rate Environments for Variable-Rate Financial
Instruments
• Consideration of Prepayments in Determining the Effective Interest Rate
• Consideration of Estimated Costs to Sell When Foreclosure Is Probable
STUDY QUESTION
7. Which of the following identifies one of the categories of financial statement

disclosures for available-for-sale debt securities?
a. Available-for-sale debt securities in unrealized loss positions without an allow-
ance for credit losses
b. Past-due status
c. Nonaccrual status
d. Collateral-dependent financial assets
¶ 214
43

CHAPTER 3: The New NPO Reporting Model
¶ 301 WELCOME
This chapter discusses Financial Accounting Standards Board (FASB) Accounting
Standards Update (ASU) 2016-14, Not-for-Profit Entities (Topic 958): Presentation of
Financial Statements of Not-for-Profit Entities, which will be effective for December 31,
2018, year ends.

• Recognize the effective dates of ASU 2016-14
• Identify the key areas of change in ASU 2016-14
• Differentiate between the two classes of net assets
• Explain how to prepare for the expanded disclosures needed under ASU 2016-14
• Identify key areas with respect to ASU 2016-14 for NPOs
• Describe ASU 2016-14’s new disclosure requirement with respect to liquidity
• Identify the requirements involving investment return
• Recognize which costs should be allocated to management and general ex-
penses and investment expense
¶ 303 INTRODUCTION
For the most part, the current not-for-profit organization (NPO) reporting requirements
came from FASB 117, Financial Statements of Not-for-Profits, which was issued in 1993.
In 2011, FASB initiated a project to review this standard. The result of that project is
ASU 2016-14, issued in August 2016.
The changes in ASU 2016-14 will affect substantially all NPOs. The effective date of
the guidance is fiscal years beginning after December 15, 2017 (December 2018 year
end). For entities with a June 30 fiscal year, the ASU is effective June 30, 2019. Entities
can early adopt the guidance if they so choose. In the year of adoption, they must apply
all the provisions for comparative presentation. However, if a NPO did not have to do a
statement of functional expenses in the past, it does not have to have one for the prior
year. Also, that NPO would not have to make a disclosure about liquidity and availability
of resources for the prior year; the disclosure can just be for the current year.
Under ASU 2016-14, entities must disclose the nature of any reclassifications on
restatements and their effects, if any, on changes in the net assets. They also must
include an emphasis of matter paragraph in the audit report if the adoption results in
changes that have a material impact.
The ASU includes key changes to five areas: reporting of net assets, liquidity
information provided by NPOs, the statement of cash flows, the operating measure
information provided, and the reporting of expenses. Some of these provisions are
robust, whereas others are much simpler. The guidance offers NPOs many ways to
emphasize and document items in their financial statements and footnotes.
¶ 303
¶ 304 REPORTING OF NET ASSETS

The first key area addressed in ASU 2016-14 is the reporting of net assets. There is new
guidance on reducing and renaming the classification of net assets, and on emphasizing
the amounts and purpose of board-designated assets. Under the old standard, if the
board designated funds, there was no requirement to disclose it. Now, however, the
standard requires the disclosure of the amounts and purpose of board-designated funds.
There is also a change related to reporting the expiration of restrictions on gifts
related to long-lived assets, and on reporting amounts related to underwater endowment
funds. These effects on net assets are detailed in the following sections.
Reducing and Renaming Net Assets
In ASU 2016-14, unrestricted net assets are renamed to net assets without donor restric-
tions. Although the new terminology is a bit awkward, it makes sense. Unrestricted
always meant “unrestricted from donor restrictions. But there are net assets that are
restricted—by bond covenants or debt covenants, or because of matching for donors.
Therefore, unrestricted was a misnomer because it meant unrestricted only from donors,
even though other restrictions could be involved. So now the term is net assets without
donor restrictions.
Temporary and permanently restricted net assets are combined into net assets
without donor restrictions. There are still footnote disclosures about endowments and
in perpetuity that do not change. Therefore, a NPO should still keep track of them.
The following is an example of what a statement of financial position presentation
would look like under the new guidance. As mentioned, board-designated assets must
be spelled out, and there will be more footnote wording.
Example from the Statement of Financial Position Presentation
Net Assets
Without donor restrictions:
Undesignated 152,000
Board designated 250,000
Total without donor restrictions 402,000

With donor restrictions 75,000
Total Net Assets 477,000
Total Liabilities and Net Assets xxx,xxx
Note that subsets can be included on the statement of financial position. Alterna-
tively, the total can be shown without donor restrictions and instead those details can be
included in a footnote. The following chart shows how the statement of activity would
appear if using a column approach without donor restrictions and with donor
restrictions.
Statement of Activity
Without Donor With Donor

Restrictions Restrictions Total
Revenues, gains, and other support:

Contributions $145,368 $56,776 $202,144
Fees 4,546 4,546
Investment return, net 63,181 63,670 126,851
Other 2,026 2,026
¶ 304
MODULE 1 - CHAPTER 3 - The New NPO Reporting Model 45
Statement of Activity
Without Donor With Donor

Restrictions Restrictions Total
Net assets released from restrictions:

Satisfaction of program 25,058 (25,058)
restrictions
Satisfaction of equipment
acquisition restrictions 4,000 (4,000)
Expiration of time restrictions 11,012 (11,012)
Appropriation from donor
endowment and subsequent
satisfaction of any related donor
restrictions 6,000 (6,000)
Total net assets released from

restrictions 46,070 (46,070)
Total revenues, gains, and other

support 261,191 74,376 335,567
Expenses:
Program Omega 97,068 97,068
Program Iota 83,012 83,012
Management and general 35,013 35,013
Fundraising 27,884 27,884
Total expenses 242,977 242,977
Change in net assets 18,214 74,376 92,590

Net assets at beginning of year 244,571 297,836 542,407
Net assets at end of year $262,785 $372,212 $634,997
Net Asset Disclosure Requirements

Under the 2016-14 disclosure requirements, a NPO has to include the composition of
net assets with donor restrictions, with an emphasis on how and when the resources
can be used. Donor restrictions might be related to the following:
• Support of particular activity
• Use in a specified future period
• Acquisition of long-lived assets
• Investment for a specified term
• Creation of donor restricted endowment that is perpetual in nature
• Assets, such as land or works of art, that are donated with stipulations that they
be preserved and not sold
NPOs will continue to provide information about the nature and the amount of
different types of donor-imposed restrictions either by reporting their amounts on the
face of the statement of financial position or by including relevant details in the
footnotes to the financial statements.
¶ 304
EXAMPLE: Net assets with donor restrictions at December 31, 2016, are
restricted for the following purpose or periods:
Subject to expenditure for a specified purpose (or purpose and
time):
Program #4 $ 4,410,000
Program #2 370,000
Education 320,000
5,100,000
Subject solely to the passage of time:
Future operations 1,570,000
Total subject to purpose and time restrictions 6,670,000
Subject to the Company’s spending policy and appropriation:

Investment in perpetuity 3,330,000
Total net assets with donor restrictions $ 10,000,000
Emphasizing the Amounts and Purposes of Board-Designated Net

Assets
Expanded disclosures are required for board-designated net assets, which are defined
as “net assets without donor restrictions subject to self-imposed limits by action of the
governing board. Many boards designate cash or investments; sometimes they would
show it on their financial statements, and other times they would not. Or, they would
show net assets on their financials and indicate board-designated with no clear explana-
tion of what they were designated for. ASU 2016-14 requires expanded disclosures.
The amounts and the purpose of board-designated assets must be stated, along
with similar actions resulting in self-imposed limits on the use of resource. Documented
policies and procedures on the establishment of board designations, the amounts, and
how such board-designated net assets may be released from designation are necessary.
EXAMPLE: Net assets without donor restriction are comprised of the follow-
ing as of December 31, 2016:
Undesignated 1,620,000
Designated by board for endowment 680,000
Invested in property and equipment 3,700,000
Total net assets without donor restrictions $ 6,000,000
Reporting Expiration of Restriction of Gifts Related to Long-Lived

Assets
The next area to discuss under net assets is the reporting expiration of the restriction of
gifts related to long-lived assets. Prior GAAP allowed recognition when an asset is
acquired and placed in service or in ratable amounts over the asset’s estimated useful
life. Under ASU 2016-14, however, an organization is no longer allowed to choose
between the “placed-in-service approach and the “estimated over useful life approach.
It must use the placed-in-service approach unless the donor explicitly states to recog-
nize the asset ratably over time.
¶ 304
As a result, if a NPO was estimating over the useful life and must now use the
placed-in-service approach, it will have a reclassification of net assets that will reflect a
decrease in net assets with donor restrictions and an increase in net assets without
donor restrictions.
Underwater Endowments
In prior GAAP, NPOs presented the aggregate amount by which endowments were
underwater in unrestricted net assets. Consider the following example.
EXAMPLE: Company A accepts a donation of $100,000 invested in stocks
from its client. The client says to Company A, ‘‘This donation is for your endow-
ment fund. This is in perpetuity. You can use the earnings. Company A retains
that investment, and that investment loses money. The investment is now worth
$90,000. In prior GAAP, Company A still has $100,000 of permanently restricted net
assets, yet only $90,000 in its investment account. That loss is negative unrestricted
net assets of $10,000 connected to this investment that has gone underwater. It is
less in value than what it was originally worth. Under the new guidance, the entire
investment is shown with donor restrictions. Even though Company A receives
$100,000, it only has $90,000, and it will show $90,000 with donor restrictions.
Previously, the term underwater endowment fund was not defined by FASB, but now
the following definition is included in the FASB Master Glossary: “a donor-restricted
endowment fund for which the fair value of the fund at the reporting date is less than
either the original gift amount or the amount required to be maintained by the donor or
by law that extends donor restrictions.
The new disclosure requirements include the following:
• Interpretation of the NPO’s ability to spend from underwater endowment funds
• The NPO’s policy, and any actions taken during the period, concerning appropri-
ation from underwater endowment funds
• Each of the following, in the aggregate, for all underwater endowment funds:
— The fair value of the underwater endowment funds
— The original endowment gift amounts (or level required to be maintained by
donor stipulations or by law that extend donor restrictions)
— The amount by which the original gift amount exceeds the fair value (the
deficiency = 2 less 1)
EXAMPLE: Examples of endowment disclosures include the following:
“From time to time, the fair value of assets associated with donor-restricted
endowment funds may fall below the level the Company is required to retain by
donor stipulation or law (underwater endowments). There were no underwater
endowments as of December 31, 2018.
or
“From time to time, the fair value of assets associated with donor-restricted
endowment funds may fall below the level the Company is required to retain by
donor stipulation or by law (underwater endowments). We have interpreted
UPMIFA to permit spending from underwater endowments in accordance with
prudent measures required under law. At December 31, 2018, funds with original
gift values of $4,189,234, fair values of $4,123,890, and deficiencies of $65,344 were
reported in net assets with donor restrictions. These amounts were fully recovered
during 2019 due to favorable market conditions.
¶ 304
¶ 305 LIQUIDITY INFORMATION

NPOs are required to provide information about liquidity by any of the following
methods: sequencing assets according to their nearness of cash and sequencing
liabilities according to nearness to maturity, classifying assets and liabilities as current
and noncurrent, or disclosing in the notes to the financial statements relevant informa-
tion about the liquidity.
New Disclosure Requirements
Under the new guidance, NPOs must disclose qualitative and quantitative information
about liquidity. This means:
• Qualitative information on how the organization manages its liquid resources
available to meet cash needs for general expenditures within one year of the
balance sheet date; and
• Quantitative information that communicates the availability of financial assets at
the balance sheet date to meet cash needs for general expenditures within one
year of the balance sheet date.
A NPO’s available financial assets might include its line of credit, or perhaps a
board-designated endowment fund, that it could tap if necessary. NPOs must disclose
qualitatively and quantitatively how they can keep going next year.
EXAMPLE: The liquidity and availability footnote might read as follows:
The Company manages its liquid resources by focusing on fundraising efforts
to ensure the entity has adequate contributions and grants to cover the programs
that are being conducted. The Company prepares very detailed budgets and has
been very active in cutting costs to ensure the entity remains liquid.
As discussed in Note X, the Company maintains a line of credit to assist in
meeting cash needs if they experience a lag between the receipt of contributions
and grants and the payment of costs.
The following reflects the Company’s financial assets (cash and cash
equivalents, pledges receivable, investments, and other assets) as of December 31,
2018 expected to be available within one year to meet the cash needs for general
expenditures.
Financial assets, at year end $ 13,410,000
Less those unavailable for general expenditures within one year,
due to:
Contractual or donor-imposed restrictions:
Restricted by donor with time or purposed restrictions (6,100,000)
Investments held in perpetuity (3,330,000)
Financial assets available to meet cash needs for general

expenditures within one year $ 3,980,000
¶ 306 STATEMENT OF CASH FLOWS

Under ASU 2016-14, NPOs have the option of using either the direct or indirect method.
NPOs are no longer required to show reconciliation of a change in net assets to cash
flows from operating activities if they are using the direct method.
Note that the original draft for this ASU was much more robust, and it originally
stated that the indirect method would no longer be an option. However, in response to
the pushback it received from commenters, the FASB decided not to eliminate the
indirect method.
¶ 305
STUDY QUESTIONS
1. Which of the following ASUs released in 2016 specifically impacts nearly all not-for-
profit entities?
a. ASU 2016-01
b. ASU 2016-04
c. ASU 2016-07
d. ASU 2016-14
2. Each of the following identifies a key area with respect to ASU 2016-14, except:
a. Reporting of net assets
b. Reporting of income
c. Liquidity information
d. Statement of cash flows
3. When was FASB 117, Financial Statements of Not-for-Profits, issued?
a. 1993
b. 1999
c. 2011
d. 2016
¶ 307 THE OPERATING MEASURE INFORMATION

PROVIDED BY SOME NOT-FOR-PROFITS
In prior GAAP, NPOs were allowed, but not required, to have a self-defined operating
measure on the statement of activities (operating vs. non-operating). If a NPO chooses
to do this, it is required to do the following:
• Report the change in unrestricted net assets.
• If the use of the term operations is not apparent from the details, include a note
to the financial statements describing the nature of the reported measure of
operations.
Under ASU 2016-14, NPOs will continue to follow that guidance. However, NPOs
that choose to present internal board designations, appropriations, and similar actions
on the face of the financial statements affecting that measure will have additional
reporting requirements. Specifically, such organizations will be required to report those
types of internal transfers appropriately disaggregated and described by type, either on
the face of the financial statements or in the notes.
The term operating activities is currently not defined in GAAP with regard to NPOs.
A NPO is typically not required to provide any disclosure about its reported intermedi-
ate measure of operations other than describing the reported measure if that informa-
tion is not apparent. The FASB noted that some NPOs report an operating measure on
the statement of activities that is impacted by governing board designations, appropria-
tions, and similar transfers. Some NPOs currently present these transfers as a single
line item, and it is difficult to determine if one or multiple transfers are occurring (and
possibly being netted). The FASB believes that such transfers can involve amounts that
warrant separate line items or disclosures.
¶ 307
¶ 308 REPORTING OF EXPENSES

With regard to the reporting of expenses, ASU 2016-14:
• Changes how investment expenses are reported
• Provides additional information related to allocated costs
• Refines/updates the definition of management and general activities, and
• Adjusts how NPOs report functional and natural expense information
Investment Return
Under the new guidance, a NPO must report investment return net of all external and
direct internal investment expenses. It is no longer required to disclose the components
of net expenses.
Internal expenses include the direct conduct or direct supervision of the strategic
and tactical activities involved in generating investment return, including salaries,
benefits, travel, and other costs associated with staff responsible for development and
execution of investment strategy, including the supervision, selecting, and monitoring
of external managers. Excluded are costs not associated with generating investment
return, such as administrative management, contracts, and pooled-fund administration.
Allocated Costs
ASU 2016-14 requires including a description of the method(s) used to allocate costs
among program and support functions.
A Sample Disclosure
The financial statements of the NPO report certain categories of expenses that are
attributable to more than one program or supporting function. Therefore, these ex-
penses require allocation on a reasonable basis that is consistently applied. The ex-
penses that are allocated include depreciation and occupancy costs, which are both
allocated on a square footage basis, as well as salaries and benefits, which are allocated
on the basis of time-and-effort studies.
Definition of Management and General Activities
In ASU 2016-14, management and general activities of NPOs are defined as supporting
activities that are not directly identifiable with one or more programs, fundraising, or
membership development.
Management and General Expenses
Management and general (M&G) expenses include business management and budget-
ing; general accounting, payroll, and annual reporting; financing, including unallocated
interest costs; billing and collecting fees; human resources; and all other management
and administration except for the direct conduct or direct supervision of program
services, fundraising activities, or membership development activities.
ASU 2016-14 provides examples of when to allocate M&G expenses. Because
information technology (IT) benefits various functions in an organization, it generally is
allocated. In a smaller organization, CEO expenses could be allocated between pro-
gram, fundraising, and M&G expenses. In a larger organization, CEO expenses typi-
cally are all allocated to M&G and fundraising. CFO expenses typically would be
allocated to M&G and maybe would be part of direct investment expense. And human
resources personnel would be assigned completely to M&G. With regard to grant
accounting and reporting, program reports that are grant-related are program expenses,
but financial reports are M&G.
¶ 308
Over the years, various opinions have been expressed about the importance of
functional and natural expense information. For creditors, natural expense information
is more important than functional expense information. The opposite is true for donors/
rating agencies: functional expense information is more important than natural. From a
recording standpoint, expenses generally originate in natural form and then require
additional coding and allocation to get to functional.
Adjusting How NPOs Report Functional and Natural Expense
Information
All NPOs, including voluntary health and welfare entities, must present an analysis of
expenses by function and nature in one location. The analysis can be presented in a
separate statement of functional expenses, presented in a footnote, or incorporated into
the statement of activities.
Currently, most voluntary health and welfare entities include the analysis in a
separate statement of functional expenses or in the footnotes. An example of a table of
functional expenses in the footnotes is shown below. It presents a NPO’s expenses by
both their function and nature for fiscal year 20X1.
Program Activities Supporting Activities
Management
and Total
Omega Iota Programs General Fundraising Supporting Expenses
Salaries and
benefits $54,020 $37,440 $91,460 $18,744 $12,196 $30,940 $122,400
Grants to
other
organizations 15,148 7,200 22,348 22,348
Supplies and
travel 6,314 9,600 15,914 3,960 7,000 10,960 26,874
Services and
professional
fees 1,168 14,304 15,472 3,300 4,875 8,175 23,647
Office and
occupancy 8,468 5,760 14,228 3,597 1,250 4,847 19,075
Depreciation 10,979 8,071 19,050 4,125 1,750 5,875 24,925
Interest 971 637 1,608 1,287 813 2,100 3,708
Total
expenses $97,068 $83,012 $180,080 $35,013 $27,884 $62,897 $242,977
The footnote would read as follows: “The table below presents Not-for-Profit D’s
expenses by both their function and nature for the year ending 20X1. Program
activities are broken out into Program Omega, Program Iota, and then other programs.
Supporting activities include Management and General, Fundraising, and Supporting.
Remember that the client prepares the financial statements. If the client asks the
auditors to help it draft the financial statements, the client still has to make the key
decisions. Will the client show the functional expenses on the statement of activities, or
will it have a separate statement of functional expenses or include them in the foot-
notes? It is management’s decision.
¶ 309 SUMMARY
This chapter has discussed ASU 2016-14’s key changes in the following five areas: (1)
reporting of net assets, (2) liquidity information from NPOs, (3) the statement of cash
flows, (4) the operating measure information provided, and (5) the reporting of ex-
penses. These changes can be summarized as follows:
¶ 309
• Reduced number of net asset classes, from three to two

• Expanded disclosures for net assets, including board designated net assets
• Placed-in-service approach for reporting expirations of restrictions on gifts of
cash or other assets to be used to acquire or construct a long-lived asset
• Additional disclosures for underwater endowments
• New required liquidity and availability disclosures
• Use of direct method in a statement of cash flows eliminates reconciliation of
change in net assets to cash flows from (used for) operating activities
• Expanded disclosure required if showing an operating measure
• Net investment return
• Reporting of expenses by nature and function is required, and description of the
methods used to allocate costs among functional categories
STUDY QUESTIONS
4. Which of the following identifies a new disclosure requirement with respect to

liquidity?
a. Information about liquidity by sequencing assets according to their nearness of
cash
b. Classifying assets and liabilities as current and noncurrent
c. Qualitative and quantitative information on how it manages liquid resources
available to meet cash needs for general expenditures within one year of the
balance sheet date
d. Disclosing relevant information about liquidity in the notes to the financial
statements
5. Which of the following direct costs are excluded from the activities involved in
generating investment return?
a. Pooled fund administration and contract costs
b. Salaries of staff responsible for execution of investment strategy
c. Travel costs for staff responsible for development of investment strategy
d. Costs incurred for selecting and monitoring external managers
6. Based on examples from the ASU, which of the following costs could be allocated to
M&G and investment expense?
a. IT
b. CEO
c. HR
d. CFO
CPE NOTE: When you have completed your study and review of chapters 1-3, which
comprise Module 1, you may wish to take the Final Exam for this Module. Go to
cchcpelink.com/printcpe to take this Final Exam online.
¶ 309
53
MODULE 2: TOP AUDITING ISSUES—

CHAPTER 4: Critical Audit Matters
¶ 401 WELCOME
This chapter provides an overview of important concepts identified in Auditing Standard
(AS) 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor
Expresses an Unqualified Opinion, as it relates to the development of critical audit
matters.

• Identify the PCAOB definition of a critical audit matter (CAM) and apply that
understanding to audit issues
• Apply the separate criteria identified by the PCAOB for determining CAM
issues
• Identify the PCAOB purpose for identification of CAM issues
• Recognize the appropriate methods for reporting CAMs in the auditor’s report
• List the appropriate documentation requirements for identified CAM issues
• Understand and apply the concepts for proper disclosure of CAM issues
• Recognize appropriate interactions with the audit committee regarding CAMs
• Apply the proper concepts for explanatory concepts of CAMs
• Identify the variances between critical audit matters and key audit matters
• Evaluate, through a case scenario, the considerations for evaluating whether a
CAM applies to a particular company
¶ 403 INTRODUCTION
In a world where it seems things change daily, one constant in business has been the
independent auditor’s report. The purpose of an external audit is to enhance the
intended financial statement user’s degree of confidence. Considering all the scandals in
financial reporting that have occurred in the last 20 years, it is surprising that the
auditor’s report has not been subject to changes earlier. However, this issue has not
gone unrecognized, as changes to improve communication to financial statement users
have been encouraged for many years. Reports cited that recognized this need include
the Cohen Commission in 1974 and the Treadway Commission in 1985. However, even
through this urging, and amid all the scandals that occurred in the late 1990s and early
2000s, changes to the auditor’s report have been minimal.
If your organization is a publicly traded company, two changes have been cited to
the standard auditor’s report and are applicable to the majority of Securities and
Exchange Commission (SEC) issues since the 1980s. These changes include:
• Adoption of PCAOB Auditing Standard 1, and
• Establishment of requirements for auditors to report on internal control over
financial reporting (ICFR) as outlined by the Sarbanes-Oxley Act of 2002.
¶ 403
Nevertheless, after more than 80 years, auditors still follow the pass/fail model that
requires them to state whether their clients’ financial statements are presented fairly or
not. Financial statements considered as presented fairly would receive a “pass rating,
while those considered not to be presented fairly would receive a “fail rating. Auditors
may provide a “qualified opinion, meaning that they could not deliver a full opinion
because some aspects of a client’s accounting failed to adhere to generally accepted
accounting principles (GAAP) or contained incomplete information. But that has essen-
tially been the crux of the requirements.
If the accounting and business world were black-and-white, this model may still be
relevant. But as we have seen over the past 15 to 20 years, the emergence of global
business and the speed at which technology is advancing has introduced a new
spectrum of colors into our business world. SEC standards have long allowed auditor
communication of critical audit matters (CAMs) to be performed on a voluntary basis.
Since the inception of the standard that covers requirements for the auditor’s report, the
content has largely gone unchanged. It is only reasonable to expect evolution and
change in the independent auditor’s report. Hence the emergence of the requirement to
disclose critical audit matters.
AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor
Expresses an Unqualified Opinion, retains the pass/fail opinion of the existing auditor’s
report but significantly changes its form and content—most importantly, expanding it to
include CAMs.
The new standard was presented by the Public Company Accounting Oversight
Board (PCAOB) in June 2018 and approved by the SEC in October 2018. While the
standard becomes effective as of fiscal years ending on or after December 15, 2017, the
new requirements with respect to CAMs are effective for audits of fiscal years ending on
or after June 30, 2019, for large accelerated filers. For all other companies where the
requirement applies, the deadline is for fiscal years ending on or after December 15,
2020.
Since significant time has elapsed with minimal change to the auditor’s report,
some may ask, why now? In principle, the PCAOB identified the need to make the
auditor’s report more relevant for investors by requiring the auditor to communicate
additional information about the audit. This concept is not new. Many of the require-
ments associated with the Sarbanes-Oxley legislation seek to enhance transparency,
readability, and integrity of the information provided in financial statements. These
initiatives have come after long-sought actions by the investment community for more
complete information about an organization’s financial health. The new auditor report-
ing standard will require communication of CAMs for many audits conducted under
PCAOB standards, however, communication of CAMs will not be required for the
following:
• Audits of brokers and dealers reporting under the Securities Exchange Act of
1934 Rule 17a-5
• Investment companies other than business development companies
• Employee stock purchase, saving, and similar plans
• Emerging growth companies.
A simple way to think about a CAM is to consider the concept of “what keeps the
auditors up at night. The new standard requires auditors to disclose to the public
certain aspects of the audit that came to their attention and raised their level of concern
during the audit. The new standard retains the existing “pass/fail opinion but makes
significant changes to other aspects of the auditor’s report. This includes the inclusion
of CAMs.
¶ 403
MODULE 2 - CHAPTER 4 - Critical Audit Matters 55
STUDY QUESTION
1. When do requirements prescribed by PCAOB AS 3101 specific to critical audit

matters become effective for large accelerated filers?
a. June 30, 2018
b. June 30, 2019
c. December 15, 2019
d. December 15, 2020
¶ 404 OVERVIEW: CRITICAL AUDIT MATTERS

Definition
The purpose of CAMs is to provide audit-specific information that is meaningful to
investors and other financial statement users about matters that required especially
challenging, subjective, or complex auditor judgment. CAMs are determined from
matters arising from the audit of the financial statements. They are rooted in the
financial statements themselves.
So, how exactly is a CAM defined, and what is the process for identifying a CAM?
CAMs are the backbone of PCAOB AS 3101. According to the standard, a CAM is
defined as any matter arising from the audit of the financial statements that:
• Has been communicated or was required to be communicated to the audit
committee. The standard does not exclude any required audit committee com-
munications from the source of CAMs.
• Relates to accounts or disclosures that are material to the financial statements. A
CAM may relate to a component of a material account or disclosure and does
not necessarily need to correspond to the entire account or disclosure in the
financial statements.
• Involved especially challenging, subjective, or complex auditor judgment.
The standard specifically states that CAMs are not a substitute for the auditor’s
departure from an unqualified opinion. Disclosure of a CAM must be informative,
should reflect differences in auditors’ experiences and competencies, and should limit
the extent to which expanded auditor reporting could duplicate management’s report.
Let’s further inspect each of these criteria when evaluating whether a CAM exists.
Purpose
When considering the new requirements for CAM disclosure, the PCAOB indicated the
new standard would:
• Apply the auditor’s responsibility for other information specifically to a com-
pany’s annual report filed with the SEC that contains the company’s audited
financial statements and the related auditor’s report;
• Enhance the auditor’s responsibility with respect to other information by adding
procedures for the auditor to perform in evaluating the other information based
on relevant audit evidence obtained and conclusions reached during the audit;
• Require the auditor to evaluate the other information for a material misstate-
ment of fact as well as for a material inconsistency with amounts or information,
or the manner of their presentation, in the audited financial statements; and
• Require communication in the auditor’s report regarding the auditor’s responsi-
bilities for, and the results of, the auditor’s evaluation of the other information.
¶ 404
STUDY QUESTION
2. Which of the following is included in the formal definition of a critical audit matter?
a. A matter resulting from the audit of financial statements that has been miti-
gated by management
b. A matter that includes certain required audit committee communications
c. A matter resulting from the audit of financial statements that relates to ac-
counts or disclosures that are material to the financial statements
d. A matter identified prior to the audit of financial statements
¶ 405 PRINCIPLE-BASED APPROACH TO INDENTIFYING

CAM
The PCAOB recommends a principles-based approach for identifying CAMs. This
approach involves the consideration of three separate criteria and evaluating various
factors inherent in those criteria. The criteria includes:
• Communication with the audit committee,
• Issues that relate to accounts or disclosures that are material to the financial
statements, and
• Matters that involved especially challenging, subjective, or complex auditor
judgment.
Each of these criteria involves specific considerations for the auditor. We will take a
deeper look at each criteria and elements involved with evaluating the area.
Criterion One: Communication with the Audit Committee

This criterion references the source of the CAM. PCAOB AS 1301, Communications
with Audit Committees, requires that the following items, among other things, be
communicated to the audit committee:
• Significant risks identified by the auditor;
• Certain matters regarding the company’s accounting policies, practices, and
estimates;
• Significant unusual transactions;
• Certain matters regarding the auditor’s evaluation of the company’s relation-
ships and transactions with related parties; and
• Other matters arising from the audit that are significant to the oversight of the
company’s financial reporting process.
The source also includes items actually communicated to the audit committee even
if not required by PCAOB standards. As you evaluate each of the above considerations
within the criteria, you will be able to clearly see the challenges embedded in the
considerations. For instance, the first consideration mentions “significant risks identi-
fied by the auditor. The definition of significant and the determination of that status is
filled with auditor judgment and can be impacted by a multitude of factors, including the
company, industry, control environment, and personnel, just to name a few. Similarly,
the second factor indicates “certain matters regarding the company’s accounting poli-
¶ 405
cies, practices, and estimates. It does not define what those “certain factors are and
will rely on the auditor to evaluate whether matters are worthy of reporting to the audit
committee. Factors may arise due to changes in policies or personnel, departure from
GAAP, changes in practices, or issues with the development of estimates.
The key to each of these areas is to recognize that auditor judgment will be deeply
imbedded in the determination of each of these specific considerations. As such, it is
important for the auditor and management to maintain constant, open, and transparent
communication about the auditor’s work and evaluations.
Criterion Two: Issues That Relate to Accounts or Disclosures That Are

Material to the Financial Statements
This criterion requires detailed evaluation of the definition of a CAM.
CAMs are matters arising from the audit of the financial statements that
have been communicated or were required to be communicated to the audit
committee, are related to auditing accounts or disclosures that are material
to the financial statements.
The key term is related to. The CAM could be a component of a material account or
disclosure but does not necessarily need to correspond to the entire account or
disclosure. An example could be the auditor’s evaluation of the company’s ability to
continue as a going concern. This CAM does not necessarily relate to a single account
or disclosure, but it could have a pervasive effect on the financial statement since it
relates to many accounts or disclosures.
A matter that does not relate to accounts or disclosure that are material to the
financial statements cannot be a CAM. Examples include:
• A significant deficiency in internal control over financial reporting, and
• A potential loss contingency communicated to the audit committee where the
likelihood of occurrence was deemed remote.
Some may wonder why a significant deficiency in internal control over financial
reporting (ICFR) would not be considered a CAM. Isn’t a consideration in evaluating
whether a control is significant or not tied to how it may impact accounts or disclosures?
The PCAOB has specifically stated that it cannot be a CAM because the determination
is not related to a specific account or disclosure. A deficiency in ICFR may impact an
account or disclosure, but the direct cause is not from the account or disclosure itself.
This undoubtedly is a very narrow interpretation. However, the PCAOB had stated that
a significant deficiency could be a consideration in determining that an issue is a CAM.
Criterion Three: Matters That Involved Especially Challenging,

Subjective, or Complex Auditor Judgment
Here is where auditor judgment comes front and center. In assessing such matters, the
PCAOB requires the auditor to take into account certain factors, including, but not
limited to the following:
• The auditor’s assessment of the risks of material misstatement, including signifi-
cant risks
• The degree of auditor judgment related to areas in the financial statements that
involved the application of significant judgment or estimation by management,
including estimates with significant measurement uncertainty
• The nature and timing of significant unusual transactions and the extent of audit
effort and judgment related to these transactions
¶ 405
• The degree of auditor subjectivity in applying audit procedures to address the

matter or in evaluating the results of these procedures
• The nature and extent of audit effort required to address the matter, including
the extent of specialized skill or knowledge needed or the nature of consulta-
tions outside the engagement team regarding the matter
• The nature of audit evidence obtained regarding the matter
It has been acknowledged that determining if a CAM exists can be especially
challenging. It is often a subjective determination and will require complex auditor
judgments. Each of the considerations stated is driven significantly by auditor judgment
and subjectivity. Auditors must be diligent in identifying these factors and properly
evaluating and assessing the considerations to determine the existence of a CAM.
STUDY QUESTIONS
3. The principles-based approach for identifying CAM recommended by the PCAOB

involves the consideration of three separate criteria while evaluating various factors
inherent in those criteria. The first criterion relates to communication with the audit
committee. Which of the following is a consideration that goes with this criterion?
a. Significant management discussions identified by the auditor
b. Certain matters regarding the company’s accounting policies, practices, and
estimates
c. Certain matters regarding the auditor’s evaluation of the company’s relation-
ships and transactions with board members
d. Certain matters regarding the company’s cyber risk management program
4. The principles-based approach for identifying CAM recommended by the PCAOB
involves the consideration of three separate criteria and evaluating various factors
inherent in those criteria. The third criterion includes matters that involved especially
challenging, subjective, or complex auditor judgment. Which of the following is a
consideration that goes with this criterion?
a. The nature and timing of significant unusual transactions
b. The extent of audit effort related to normal transactions
c. The degree of auditor objectivity in applying audit procedures
d. The time period evaluated
¶ 406 AUDIT REPORT REQUIREMENTS

In 2017, the PCAOB published Release No. 2017-001, The Auditor’s Report on an Audit of
Financial Statements When the Auditor Expresses an Unqualified Opinion, and Related
Amendments to PCAOB Standards. The main rule provisions require auditors to
describe CAMs in their audit reports.
The auditor’s report is required to identify specific elements related to CAM issues.
First, the auditor is required to include introductory language in the “critical audit
matters section of the report. An example of an introductory paragraph follows.
COMMENT: The SEC and PCAOB have cautioned against boilerplate narra-
tives. This would defeat the purpose of the standard. The following example is
provided by the PCAOB and should only be taken as guidance. The auditor must
create the appropriate language for the company he or she is reporting on.
¶ 406
EXAMPLE: Critical audit matters
The critical audit matters communicated below are matters arising from the
current period audit of the financial statements that were communicated or required
to be communicated to the audit committee and that: (1) relate to accounts or
disclosures that are material to the financial statements and (2) involved our espe-
cially challenging, subjective, or complex judgments. The communication of critical
audit matters does not alter in any way our opinion on the financial statements, taken
as a whole, and we are not, by communicating the critical audit matters below,
providing separate opinions on the critical audit matters or on the accounts or
disclosures to which they relate.
The standard requires that CAMs only be communicated for the current audit
period. If the auditor communicates CAMs for prior periods, the introductory language
should be modified to indicate the periods to which the CAMs relate. If the auditor
determines that there are no CAMs, the following language is suggested:
EXAMPLE: Critical audit matters
Critical audit matters are matters arising from the current period audit of the
financial statements that were communicated or required to be communicated to the
audit committee and that: (1) relate to accounts or disclosures that are material to the
financial statements and (2) involved our especially challenging, subjective, or com-
plex judgments. We determined that there are no critical audit matters.
When the current period’s financial statements are presented on a comparative
basis with those of one or more prior periods, the auditor may communicate CAMs
relating to a prior period. This may be appropriate, for example, when:
• The prior period’s financial statements are made public for the first time (e.g., in
an initial public offering), or
• Issuing an auditor’s report on the prior period’s financial statements because the
previously issued auditor’s report could no longer be relied upon for complex
judgments. The communication of critical audit matters does not alter in any
way our opinion on the financial statements, taken as a whole, and we are not, by
communicating the critical audit matters below, providing separate opinions on
the critical audit matters or on the accounts or disclosures to which they relate.
CAM Disclosure Requirements

For each CAM communicated in the report, the auditor must:
• Identify the CAM. This includes descriptive language that identifies the fact,
circumstances, and existence of the CAM.
• Describe the principal considerations that led the auditor to determine
that the matter is a CAM. The PCAOB had stated the description of the
principal considerations should provide a clear, concise, and understandable
discussion of what the matter involved and be specific to the circumstances that
created the CAM. It should also describe how the audit addressed the CAM. In
describing how the CAM was addressed in the audit, the auditor may describe
any, or a combination, of the following:
— The auditor’s response or approach that was most relevant to the matter,
— A brief overview of the audit procedures performed,
— An indication of the outcome of the audit procedures, and
— Key observations with respect to the matter.
¶ 406
• Describe how the CAM was addressed in the audit. When describing CAMs
in the auditor’s report, the auditor is not expected to provide information about
the company that has not been made publicly available. However, if such
information is necessary to describe the principal considerations that led the
auditor to determine that a matter is a CAM or how the matter was addressed in
the audit, it must be disclosed.
If the auditor chooses to describe audit procedures, the descriptions are expected
to be at a level investors and other financial statement users can understand. Auditors
must be cognizant of using understandable language and ensure the message can be
understood by constituents. This may require limiting the use of technical accounting
and auditing terms in the description of the CAM. The objective is to provide a useful
summary, not to detail every aspect of how the matter was addressed in the audit.
Language that could be viewed as disclaiming, qualifying, or restricting, or that
minimizes the auditor’s responsibility for the CAMs or the auditor’s opinion on the
financial statements, is not appropriate and may not be used. The language used to
communicate a CAM should not imply that the auditor is providing a separate opinion
on the CAM or on the accounts or disclosures to which they relate.
The auditor’s report must also refer to the relevant financial statement accounts or
disclosures that related to the CAM. If the auditor determines there are no CAMs, the
auditor must state so in the auditor’s report.
When the auditor identifies a CAM in a report, he or she is essentially drawing
closer attention to the issue. This is important as management and the audit committee
must devote time and effort into properly addressing the issue. Unfortunately, the
standard does not provide a checklist of potential issues or even provide guidance as to
the requirements on the exact content of issues. It does not list required CAMs or set
an expectation that certain items will be CAMs in all cases (e.g., matters considered
significant risks may be CAMs in certain cases but not in others) See the illustrative
example. The determination is left to auditor judgment and will be executed on a case-
by-case basis.
• Refer to the relevant financial statement accounts or disclosures that
relate to the CAM. For each CAM communicated in the auditor’s report, the
auditor is required to refer to the relevant financial statement accounts or
disclosures.
Determination of CAMs cannot follow a checklist approach. CAMs will be unique
to each audit. A variety of factors influence an auditor’s consideration of which matters
involved especially challenging, subjective, or complex auditor judgment. Several con-
cepts are important in developing an approach to identifying and communicating CAMs.
Auditors, preparers, audit committees, and others should plan accordingly for the
time it will take to determine and draft CAMs. The process to determine CAMs is the
auditor’s responsibility. CAMs may be identified throughout the audit, and it is impor-
tant that auditors discuss draft CAM communications with management and the audit
committee well in advance of when the auditor’s report is to be issued.
The auditor must communicate with management and the audit committee on a
regular and timely bases. This communication will assist in avoiding surprises about
issues that have been identified as CAMs. During the communication process, auditors
should be open and transparent with management about the process they have followed
when identifying and drafting CAM communication. This can also be important in later
aspects of preparing appropriate financial statement disclosures.
¶ 406
STUDY QUESTION
5. Which of the following is a disclosure requirement of CAM?

a. Describe the principal considerations that led the auditor to determine that the
matter is a CAM.
b. Identify who in the organization is responsible for the CAM.
c. Refer to the relevant financial statement accounts or disclosures that are not
related to the CAM.
d. Reference who is responsible for mitigating the CAM.
CAM Documentation Requirements

Consistent with the requirements of PCAOB AS 1215, Audit Documentation, audit
documentation for CAMs is required to be in sufficient detail to enable an experienced
auditor, having no previous connection with the engagement, to understand the deter-
minations made to comply with the provisions of PCAOB AS 3101.
• For matters determined to be CAMs, the description in the auditor’s report
(which, among other things, must describe the principal considerations that led
the auditor to determine that a matter was a CAM) should suffice as
documentation.
• For matters determined not to be CAMs, the amount of documentation required
could vary with the circumstances. A single sentence may be sufficient when the
auditor’s documentation prepared in the course of the audit includes sufficient
detail about why the matter did not involve especially challenging, subjective, or
complex auditor judgment. Other matters may require more extensive
documentation.
The PCAOB outlines that for each matter outlined as a CAM, documentation should
include that the CAM:
• Was communicated or required to be communicated to the audit committee,
and
• Relates to accounts or disclosures that are material to the financial statements.
In addition, the auditor must document whether or not the matter was determined
to be a CAM (e.g., it involved challenging, subjective, or complex auditor judgment) and
the basis for the determination.
CAM and Explanatory Paragraphs
CAMs are not a substitute for required explanatory paragraphs. There are circum-
stances in which the auditor is required to add explanatory language to the auditor’s
report. This may occur when there is substantial doubt about the company’s ability to
continue as a going concern. Another example is when there is a restatement of
previously issued financial statements.. There could be situations in which a matter
meets the definition of a CAM and also requires an explanatory paragraph, such as
going concern.
For these situations, both the explanatory paragraph and the required communica-
tion regarding the CAM are provided, by either:
• Including the required communications for a CAM in the explanatory para-
graph, with a cross-reference in the CAM section to the explanatory paragraph;
or
¶ 406
• Including both the explanatory paragraph and the CAM communication sepa-
rately in the auditor’s report, with a cross-reference between the two sections.
When both an explanatory paragraph and a CAM communication are provided,
the CAM description should not include conditional language that would not be
permissible in the explanatory paragraph.
Interactions with the Audit Committee
Any matter that will be communicated as a CAM should already have been discussed
with the audit committee. The auditor is required to provide a draft of the auditor’s
report to the audit committee and discuss the draft with them. While the auditor should
determine how best to comply with these communication requirements, the auditor
may discuss with management and the audit committee the treatment of any sensitive
information.
¶ 407 CAM ILLUSTRATION

An example of an area where auditors may or may not identify a CAM relates to revenue
recognition. We will evaluate two scenarios.
Company A Scenario
Company A develops widgets that are utilized in the manufacturing of luxury cars.
These widgets are the primary source of Company A’s revenues. The company sells its
products direct to car manufacturers through sales representatives. The product price is
a straightforward calculation that considers inputs to develop the product and a preiden-
tified markup margin. Company A has a ready market for the product (foreign luxury
cars). The product is an output of readily available input resources whose price has
remained stable over the last 10 years. Company A has standard contracts with auto
manufacturers that clearly indicate the number of widgets to be delivered each quarter.
This process is tightly controlled, and there is minimal opportunity for error. Products
are delivered within one month of order. There is a well-designed process to assess the
number of orders placed toward the end of a period.
Company B Scenario
Company B is an electric utility that services approximately 1 million customers
spanning the categories of residential, commercial, and industrial usage. Revenue is
based on customer usage, which can be volatile based on weather and demand. Rates
are also varied based on the size and category of customer and regulatory approval.
Residential usage represents 50 percent of the customer base, commercial usage is 30
percent, and industrial usage is 20 percent. The utility is required by regulation to either
read or estimate all meters within the monthly cycle. Although the company utilizes
automated meter reading, it is not possible to obtain accurate usage numbers on all
meters within the month. Most residential meters are capable of receiving automated
reads on a monthly basis; however, commercial and industrial meters must periodically
be estimated and then trued up the following months. The utility has agreed with the
regulators on a rotational method for estimating these meters. This estimation requires
complex calculations to record usage that may have been consumed during the period.
Although residential and industrial customers comprise 50 percent of the customer
base, they represent almost 70 percent of the revenue. This is due to the higher
volumes and rates.
¶ 407
Case Scenario Evaluation: Revenue Recognition CAM Considerations
Company A CAM Company B CAM
Assessment Area Company A Widgets determination Company B Utility Determination
The auditor’s Risk of material Revenue process is Commercial and Factors indicate
assessment of the misstatement is inherently high- industrial customer potential that
risks of material low. Price is risk; however, the usage is a large revenue estimation
misstatement. This known. Little to no risk of material percent of monthly could require
includes judgment is misstatement is revenue. The identification of a
assessment of involved in the significantly complex process of CAM. Commercial
significant risk. process. Standard mitigated by the estimation creates and industrial
contracts exist. company’s an inherent high customers are a
Orders have procedures. As risk of material significant portion
remained stable such, no CAM is misstatement. of the revenue
over 10 years. considered needed base. This area
relative to this would be
criteria. considered at high
risk for potential
material
misstatement.
Degree of auditor Little to no auditor Little to no auditor Estimating This area identifies
judgment/ judgment is judgment and no customer usage is as a potential CAM
estimation by required. The use of estimates complex and takes issue. This is
management. revenue process is creates a low level into account supported by its
Includes estimates straightforward and of management various factors complexity and use
with significant does not involve uncertainty. As such as weather, of judgment and
measurement significant such, no CAM is geography, rates, estimates.
uncertainty. management considered needed estimation, and
judgment. relative to this measurement
criteria. uncertainty.
Nature/timing of Transactions are No CAM based on Extent of audit This results in the
significant unusual normal. No this criteria. effort is significant. potential for a CAM
transactions and significant or This is due to the issue because audit
extent of audit unusual significance of effort requires not
effort/judgment transactions occur revenue estimation only extensive
related to these in this process. related to these procedures but also
transactions. transactions. auditor judgment
and assessment.
The degree of Auditor procedures No CAM based on Auditor subjectivity If auditor
auditor subjectivity are well designed, this criteria. is not considered subjectivity is held
in applying audit and the ability to high in this area. to a minimum in
procedures to apply the The estimation testing this area,
address the matter procedures to the procedures are well this may not
or in evaluating the revenue process is documented, and require a CAM
results of those transparent. audit tests can be identification.
procedures. designed to
validate
information.
The nature/extent The revenue No CAM identified The estimation The fact that
of audit effort process is based on this process requires a specialists are
required to address straightforward and criteria. strong knowledge required to
the matter. This does not require of the industry and evaluate the area
includes the extent specialized skill or the regulatory could point to the
of specialized skill outside requirements. The need for
needed or the consultants. external auditors identification of a
nature of are often required CAM.
consultations to call upon
outside the industry specialists
engagement team. to evaluate this
area.
¶ 407
CAM Reporting Effort

During the first year of compliance, it is anticipated that some level of effort will be
required in identifying and reporting CAMs. However, the goal of providing investors
additional information to assist in their valuations is considered worth the effort.
Separating out issues for specific attention will allow investors to be better informed
about the areas where management judgment and estimates are applied.
Another challenge that may occur is how many CAMs an auditor must detail in the
report. There is no set number for CAMs for the auditor to communicate. Thus,
auditors will need to critically evaluate their CAMs and ensure their identification is
within the spirit of the legislation.
The SEC has issued warnings regarding the potential for use of boilerplate lan-
guage when identifying CAMs. It feels that this method would inhibit the potential for
the standard to deliver meaningful information to investors. The CAM must provide
meaningful and accurate information about the audit and, as such, it may be okay to use
similar language year after year. However, caution and evaluation should be used.
The SEC has also stated that investors should not expect the CAMs to be a proxy
for the conversations they must still have with management, the audit committee, and
the auditors. This is not the purpose of the standard. However, investors will get
insights into what the auditor has found to be challenging or complex, which is a big
step forward. With this in mind, most are calling for a principles-based approach to
identifying potential CAM issues.
¶ 408 CRITICAL AUDIT MATTERS VERSUS KEY AUDIT

MATTERS
You may have heard of the term key audit matter (KAM) and wondered how the
concept is different than critical audit matter. In 2014, the International Auditing and
Assurance Standards Board (IAASB) adopted International Standard on Auditing (ISA)
701, Communicating Key Audit Matters in the Independent Auditor’s Report. This stan-
dard is a new requirement for auditors to communicate KAMs selected from among the
most significant matters communicated to those charged with governance, such as the
audit committee. This requirement became effective for audits of financial statements of
listed companies for periods ending on or after December 15, 2016. These items
included:
• The responsibilities of the auditor in relation to the financial statement audit;
• Planned audit scope, including the significant risks identified by the auditor and
timing of the audit;
• The auditor’s view of the accounting policies, estimates, and financial statement
disclosures;
• Significant difficulties encountered in obtaining audit evidence;
• Significant deficiency in internal control; and
• Auditor independence.
The frameworks for determining a CAM/KAM are similar and begin with matters
communicated or required to be communicated to the audit committee. However,
although the PCAOB indicates that a principles-based approach should be applied to
identify a CAM, it has been noted that the IAASB approach to the definition of a KAM is
stronger in its principles-based method than that utilized by the PCAOB.
Under ISA 701, KAMs are defined as those matters that, in the auditor’s profes-
sional judgment, were of most significance in the audit of the financial statements of the
¶ 408
current period. The concept of materiality is not included in the definition of a KAM;
however, the citation notes:
The importance of the matter to the intended users’ understanding of the
financial statements as a whole (in particular its materiality to the financial
statements), may be relevant to determining the significance of a matter
communicated to those charged with governance. This may determine
whether the item is indeed a KAM.
A KAM is required to be specific to the entity and consistent with the audit having
been performed. This allows the issue to provide relevant and meaningful information to
users. The KAM standard involves a two-step process that uses a judgment-based
framework to allow auditors to determine which matters are KAMs. This framework is
intended to focus auditors on areas about which investors and other users have
expressed interest. This may include areas that involve the most significant or complex
judgments by management and areas of auditor focus in accordance with the risk-based
approach embraced by the ISAs. Within the KAM framework, the nature of key auditor
matters included the following:
• Areas identified as significant risks specifically in the context of the entity
• Areas involving significant auditor judgment
• Areas in which the auditor encountered significant hours by the engagement
partner
• Areas involving consultation/evaluation of the engagement quality control
reviewer
• Accounting estimates with high estimation of uncertainty
• Significant transactions with related parties
• Limitation on the group audit
• Extensive unexpected effort required to obtain sufficient appropriate audit
evidence
• Recent economic, accounting, regulatory, and other developments
• Matters giving rise to a modification of the auditor’s opinion, which are by their
nature key audit matters
In addition, within the KAM framework, the number of KAMs to be included in the
auditor’s report may be affected by the following:
• The size and complexity of the entity.
• The nature of its business and environment.
• The facts and circumstances of the audit engagement.
• ISA 701 does not prescribe the number of KAMs that should be reported.
• KAMs are selected based on the auditor’s professional judgment.
• The greater the number of key audit matters, the less useful the auditor’s
communication of key matters may be.
Law and regulation may restrict the auditor’s communication of certain matters
with those charged with governance. In such case, the auditor may consider obtaining
legal advice.
Earlier, this chapter outlined the considerations auditors should use in defining a
CAM. The information previously outlined has been inserted into the following chart to
compare how auditors assess CAMs under AS 3101 and KAMs under ISA 701.
¶ 408
Comparison of CAM and KAM

PCAOB AS 3101 IIASB ISA 701 Variance
When determining if a matter The auditor shall determine, PCAOB utilizes the words
involves especially challenging, from the matters communicated “especially challenging,
subjective, or complex auditor with those charged with subjective, or complex auditor
judgment, the auditor should governance, those matters that judgment
take into account (alone or in required significant auditor ISA uses the reference “items that
combination), the following attention in performing the audit.
required significant auditor
factors as well as other factors In making this determination, attention.
specific to the audit: the auditor shall take into The distinction may seem
account the following: minimal, but in an audit of
financial statements, it is possible
an area requiring significant
auditor attention is different than
one involving subjective, complex,
or challenging auditor judgment.
The auditor’s assessment of Areas of higher assessed risk of The distinction references the
risks of material misstatement, material misstatement or procedures utilized in ISA 315.
including significant risks significant risk identified in Within PCAOB AS 3101, the
accordance with ISA 315 auditor’s assessment of a risk of
material misstatement is
performed utilizing a top-down
risk assessment with
measurement on various risk
factors. In ISA 701, the reference
to higher assessed risk of
material misstatement in
accordance with ISA 315 could
lead to different outcomes.
The degree of auditor judgment Significant auditor judgment The requirements as outlined by
related to areas in the financial related to areas in the financial PCAOB AS 3101 and by ISA 701
statements that involve the statements that involved materially consistent.
application of significant significant management
judgment or estimation by judgment, including accounting
management, including estimates that have been
estimates with significant identified as having high
measurement uncertainty estimation uncertainty
The nature and timing of The effect on the audit of PCAOB AS 3101 focuses more
significant unusual transactions insignificant events or broadly on significant unusual
and the extent of audit effort and transactions that occurred transactions and the required
judgment related to the during the period. The auditor audit effort and related judgment
transactions shall determine which of the used.
matters determined in ISA 701 references events
accordance with the previous identified within the previous step
requirement were of most and then requires the auditor to
significance in the audit of the determine the items that were of
financial statements of the most significance in the audit. It
current period and are therefore also references the use of
the key audit matters judgment and estimates.
In theory, both approaches
should yield similar results.
However, it could be very
dependent on the organization, its
risks, and the auditor judgment in
the evaluation process.
¶ 408
PCAOB AS 3101 IIASB ISA 701 Variance
The degree of auditor ISA 701 does not reference
subjectivity in applying audit auditor subjectivity. PCAOB AS
procedures to address the matter 3101 acknowledges that given the
or in evaluating the results of nature of an audit, procedures
those procedures performed may often involve
subjectivity when evaluating
outcomes. This level of
subjectivity should be a
considering factor in determining
CAMs because it introduces
additional auditor judgment into
the process.
The nature and extent of audit Similar to the consideration of
effort required to address the auditor subjectivity in developing
matter, including the extend of audit procedures, AS 3101
specialized skill or knowledge includes the degree of audit effort
needed or the nature of and the need for specialized skill.
consultations outside the The key component that varies in
engagement team the two standards is the
identification of the need to
consider the requirement of
specialized skill.
The nature of audit evidence AS 3101 references the nature of
obtained regarding the matter audit evidence. This recognizes
the concept that not all evidence
is created equal. The auditor must
take into account how direct the
evidence is to the audit area and
the method in which the evidence
was obtained.
Communicating Key Audit Matters

The communication of CAMs/KAMs should be tailored to the facts and circumstances
of the individual audit engagement. The number of CAMs/KAMs that will be communi-
cated may be affected by the complexity of the entity, the nature of the entity’s business
and environment, and the facts and circumstances of the audit engagement. Sugges-
tions for the communication of KAMs included the following:
• Limiting the use of highly technical auditing terms.
• Auditor to avoid giving original information.
• Reference is made to relevant disclosures in the financial statements.
• The auditor describes its effect on the audit.
• Procedures performed described at a high level and not a detailed description of
procedures.
• Address the specific outcome but avoid the impression that an opinion is
expressed on individual matters.
Procedures for Describing KAMs in the Audit Report

The following were recommendations for auditors to use when describing KAMs in the
audit report:
• Why the matter is considered to be of utmost significance.
• Reference to related disclosures
• How the matter was addressed in the audit
¶ 408
• Brief overview of procedures performed

• Key observation or indication of the outcome of the procedures
Both the PCAOB and the IIASB have recognized that challenges may exist with the
requirement of the KAM/CAM disclosures. These challenges include (among other
things) the potential for increased audit cost, increased auditor liability, and potentially
more time needed to issue the auditor report. In addition, as is the case with any
enhanced narratives, some investors may misinterpret the discussion of the issues and
assume there is an indication of a problem, even if the audit results in a clean/
unqualified opinion. There is also concern regarding the risk of disclosing information
that had not been disclosed by management. This is an area of importance and one for
which the auditor must ensure ongoing and effective communication of the identifica-
tion of KAM/CAM and proper discussion with management.
STUDY QUESTION
6. Which regulatory body prescribed rules with respect to key audit matters (KAMs)?
a. PCAOB
b. SEC
c. IIASB
d. ISO
¶ 409 SUMMARY
The overall impact of AS 3101 has yet to be realized. The standard has potential for both
positive and negative ramifications. The Center for Audit Quality indicates the new
standard “provide(s) additional information to investors and other stakeholders in an
increasingly complex and global business environment. However, this is just one
opinion. Others, including the U.S. Chamber of Commerce, feel the new requirements
“obfuscate disclosures for investors and make capital formation less efficient.
Time will tell as the new standard continues to roll out and be refined by
companies. It is important for both independent auditors as well as management to
become comfortable with this change and embrace the concepts outlined in applying a
principle-based approach to identification of CAMs.
¶ 409
69

CHAPTER 5: New Service Level of
Engagement for Attestation Engagements
(SSAE 18)
¶ 501 WELCOME
This chapter reviews the important aspects of Statement on Standards for Attesta-
tion Engagements No. 18 (SSAE 18). These attestation standards establish require-
ments and provide application guidance to auditors for performing and reporting on
examination, review, and agreed-upon procedures engagements, including Service Or-
ganization Controls (SOC) attestations. We will also review the variances between SSAE
16 (the previous standard) and how and when the application of SSAE 18 requirements
is appropriate.
SSAE 18 aims to increase the usefulness and quality of Service Organization
Control reports, now referred to as System Organization Control (SOC) reports. The
changes made to the standard require companies to take more control and ownership of
their own internal controls around the identification and classification of risk and
appropriate management of third-party vendor relationships. These changes, while not
overly burdensome, will help address key areas in which industry professionals noted
gaps in many service organizations’ reports.

• Summarize the history of Service Organization Control (SOC) reports
• Describe the transition of the accounting standards from Statement on Auditing
Standards (SAS) 70 to Statement on Standards for Attestation Engagements
(SSAE) 16 and now SSAE 18
• Recognize the various types of service and subservice organizations
• Explore procedures to conduct a SOC 1 engagement, develop proper control
objectives, and determine specific reporting methods
• Examine the variance and procedural requirements that exist between a SOC 1
Type I and SOC 1 Type II report
• Explore procedures to conduct and report on a SOC 2 engagement addressing
information security, availability, processing integrity, confidentiality, and pri-
vacy of services
• Examine the variance and procedural requirements that exist between a SOC 2
Type I and SOC 2 Type II report
• Recognize the requirements for SOC 3 reports
• Recognize the requirements to prepare for a SOC engagement and a readiness
assessment
• Identify specific changes related to monitoring controls at subservice
organizations
• Explain the concept of a detailed risk assessment for subservice organizations
• Explain the concept and requirements of complementary controls
• Recognize the need for evidence provided by service organizations
¶ 502
¶ 503 INTRODUCTION
The increased use of outsource providers for multiple aspects of business has created a
whole new dimension of risk(s) to organizations. Outsourcing work extends from
financial tasks such as accounts payable and payroll process to information technology
management and even compliance services. Originally, the AICPA issued SAS 70 to
address control assurance on outsourced providers for financial reporting purposes.
You may be familiar with the SSAE 16 requirements and SOC reports. In April 2016, the
AICPA Auditing Standards Board (ASB) issued SSAE No. 18, Attestation Standards:
Clarification and Recodification.
A service auditor’s examination performed in accordance with SAS 70 represented
that the organization has undergone a complete in-depth examination of its control
objectives and control activities. This often included controls over information technol-
ogy and related processes. In today’s global economy, service organizations must
demonstrate they have adequate controls and safeguards when they host or process
data belonging to their customers. The requirements of Section 404 of the Sarbanes-
Oxley Act of 2002 make SAS 70 audit reports even more important to the process of
reporting on the effectiveness of internal control over financial reporting.
For nearly 18 years, SAS 70 was the authoritative guidance for service organiza-
tions to disclose their control activities and processes to their customers and their
customers’ auditors. SAS 70 provides guidance to enable an independent auditor to
issue an opinion on a service organization’s description of controls through a Service
Auditor’s Report SAS 70 but does not specify a predetermined set of control objectives
or control activities that service organizations must achieve.
SAS 70 was generally applicable when an independent auditor was planning the
financial statement audit of an entity that obtains services from another organization.
However, as outsourcing became more prevalent, the AICPA issued SSAE 16 to expand
upon the requirements of SAS 70. In 2011, SSAE 16 took effect and replaced SAS 70 as
the authoritative guidance for performing a service auditor’s examination. SSAE 16
established a new attestation standard (AT 801) to contain the professional guidance. At
the same time, the AICPA launched a new Service Organization Controls (SOC)
reporting framework designed to allow practitioners to provide different types of reports
depending on the needs of service organizations and their stakeholders.
SSAE 16 was drafted with the intention of updating the U.S. service organization
reporting standard to mirror and comply with the international service organization
reporting standard, ISAE 3402. The main variance between SAS 70 and SSAE 16 was
that the service company was required to provide a written assertion to the auditor that
its description of services accurately represented its organizational “system.
Following is a summary of the authoritative statements and pronouncements
relative to internal control, related to service organizations that have been made since
the first Statement on Auditing Procedure (SAP) in 1939.
History of Control Reports
Statement Issuance Date Title of Statement
SAP 29 October 1958 Scope of the Independent Auditor’s Review of
Internal Control
SAP 41 November 1971 Reports on Internal Control
SAP 54 November 1972 The Auditor’s Study and Evaluation of Internal
Control
SAP 3 December 1974 The Effects of EDP on the Auditor’s Study and
Evaluation of Internal Control
SAS 44 December 1982 Special-Purpose Reports on Internal Accounting
Control at Service Organizations
¶ 503
MODULE 2 - CHAPTER 5 - New Service Level of Engagement 71
Statement Issuance Date Title of Statement
SAS 48 July 1984 The Effects of Computer Processing on the Audit
of Financial Statements
SAS 55 April 1988 Consideration of Internal Control in a Financial
Statement Audit
SAS 70 April 1992 Service Organization
SAS 78 December 1995 Consideration of Internal Control in a Financial
Statement Audit: An Amendment to Statement on
Auditing Standards No. 55
SAS 88 December 1999 Service Organizations and Reporting on
Consistency
SAS 94 May 2001 The Effect of Information Technology on the
Auditor’s Consideration of Internal Control in a
Financial Statement Audit
PCAOB AS 2 May 2004 An Audit of Internal Control over Financial
Reporting in Conjunction with an Audit of
Financial Statements. Note: Appendix B refers to
Service Organizations.
PCAOB AS 5 May 2007 An Audit of Internal Control over Financial
Reporting That Is Integrated with an Audit of
Financial Statements. Note: Appendix B17-B17
covers Service Organization considerations.
ISAE No. 3402 December 2009 Assurance Reports on Controls at a Service
Organizations
SSAE 16 April 2010 Reporting on Controls at a Service Organization
SSAE 16 2011 Service Organization Control Reports
SSAE 18 2016 Supersedes SSAE 16
In 2011, SOC reports were introduced and were intended to help address data
security and compliance issues. Three types of SOC reports and two subtypes for SOC 1
and SOC 2 were identified. The following table outlines the various report types and
their focus and purpose.
SOC Report Types and Purpose
SOC Type Focus
SOC 1 Type 1 Addresses the design of control over financial
reporting services
SOC 1 Type 2 Addresses both the design and operating
effectiveness of controls over financial reporting
services
SOC 2 Type 1 Addresses the design of controls surrounding the
security, viability, processing integrity,
confidentiality, and privacy of services
SOC 2 Type 2 Addresses the design of and operating
effectiveness of controls around the security,
availability, processing, integrity, confidentiality,
and privacy of services
SOC 3 General Purpose Public-facing document that gives a high-level
overview of information in the SOC 2 report
Even with the identification of various SOC reports, SSAE 16 was intended to be
specific to SOC 1 reports (addressing financial reporting). However, service auditors
began stretching the interpretation of the SOC reports to address the increased use of
technology.
In an effort to standardize attestation criteria, the AICPA issued SSAE 18 in April
2016 to replace SSAE 10 through 17. As of May 1, 2017, the SSAE 18 standard
superseded SSAE 16. SSAE 18 provides more definitive guidance on controls surround-
¶ 503
ing information technology including focusing on the Trust Service Criteria of informa-
tion security, availability, processing integrity, confidentiality, and privacy. It also places
responsibility on the service organization to monitor any subservice organizations they
may utilize. More importantly, SSAE 18 refers to many different types of attestation
reports, not just SOC 1 reports. Major changes from SSAE 16 to SSAE 18 include:
• Vendor management. SSAE 18 addresses vendor management for the first

time, referring to third-party vendors as “subservice organizations. SSAE 18
requires a vendor to define:
— The scope and responsibilities of each third-party vendor it uses
— The importance and specifics of each third-party vendor (including identify-

ing critical vendors)
— How reliable that third-party vendor is based on service level agreements

(SLAs), terms of agreement, warranties, and guarantees
• Complementary subservice organization controls. SSAE 18 establishes and

defines a concept of complementary subservice organizations and their controls.
Subservice organizations are those organizations utilized by the original service
organization to provide a component of services to the user entity. Organizations
utilizing subservice organizations must now assume responsibility for control
concepts in the design of their system description. These subservice organiza-
tions will be known as Complementary Subservice Organization Controls
(CSOCs). This helps clarify and provide more guidance around this area. Often
additional controls were disclosed in various places to help the reader of the
report. Clarification is intended to lead to more standard and consistent report-
ing across entities and practitioners.
• Written assertion requirements. SSAE 18 requires the practitioner to request

a written assertion from the responsible party in all attestation engagements.
This includes agreed-upon procedures engagements. When the client is the
responsible party, a refusal to provide a written assertion would result in the
practitioner withdrawing from both an examination and a review engagement or
disclaiming an opinion in an examination engagement. In an agreed-upon proce-
dures engagement, the practitioner would be required to disclose the responsi-
ble party’s refusal to provide a written assertion in the practitioner’s report.
Both service organization and service organization providers should ensure they
have a strong understanding of each type of SOC report and the elements required to
ensure the reports appropriately meet their intention.
The SSAE 18 requirements are expected to have the greatest impact in the
following areas:
• Naming convention. Moving forward, SOC reports will eliminate references to

SSAE 16. Service organization examination should be simply referenced as SOC
1, SOC 2, or SOC 3 reports, or service organization controls reports. The
reference to SAS 70, SSAE 16, or SSAE 18 reports should be eliminated.
• Vendor management. Management of a service organization that integrates

parts of its service with a subservice organization has the responsibility of
monitoring and reporting on the effectiveness of the subservice organization’s
controls. Currently, service organizations may carve out these entities and
¶ 503
demonstrate management’s review of the subservice organization’s SOC re-
ports. Going forward, additional monitoring efforts may be needed to assess the
effectiveness of subservice controls and react in a timely manner. Practical
examples of management’s monitoring of subservice organization’s activities
may include:
— Reconciling output reports generated from the subservice organization
— Formally documenting discussions with the subservice organization to en-
sure the organization’s controls are operating effectively
— Conducting internal audits or site visits at the subservice organization
— Testing controls at the subservice organization through the use of internal
audit or other internal personnel of the service organization
— Monitoring external communications and communicating observations to
the subservice provider
• Complementary subservice organization controls. Historically, service orga-
nizations have presented their own complementary user entity controls in the
system description section of the SOC report. Yet, the system description does
not concisely include reference to the relevant controls relied upon through
their use of subservice organizations. Complementary subservice organization
controls is a new term used to reference subservice organization controls that
service organizations rely on to meet the expected control objective. It is now a
requirement that management and the service auditor consider the subservice
organization controls assumed in the design of the service organization’s own
system as well as how the service organization ensures control objectives are
met.
• Service auditor risk assessment. In addition to gaining an understanding of
the description of the service organization’s system, the service auditor is now
responsible for obtaining a more in-depth understanding of the service organiza-
tion’s system and controls.
• Written assertion requirements. Prior to SSAE 18, it was optional for manage-
ment to officially sign the assertion letter because it signs a management
representation letter. Going forward, the service organization will need to sign
the management assertion presented with the service auditor’s SOC report.
All organizations are now required to issue their SOC report under the SSAE 18
standard. The SOC 1 report produced will look and feel very similar to the one issued
under SSAE 16; it will contain a couple of additional sections and controls to further
enhance the content and quality, and thus the ability of third parties to rely upon it.
STUDY QUESTIONS
1. Which of the following standard did SSAE 18 supersede and replace as the standard
for evaluating service organization controls?
a. SAS 70
b. SSAE 16
c. PCAOB AS 2
d. PCAOB AS 5
¶ 503
2. Which of the following appropriately describes the purpose of a SOC 1 Type II

report?
a. It addresses the design of controls surrounding the security, viability, process-
ing integrity, confidentiality, and privacy of services
b. It is the public-facing document that gives a high-level overview of information
in the SOC 2 report
c. It addresses both the design and operating effectiveness of controls over
financial reporting services
d. It addresses the design and operating effectiveness of controls around the
security, availability, processing, integrity, confidentiality, and privacy of
services
¶ 504 IMPORTANT CONSIDERATIONS FOR SSAE 18

Outside of the technical definitions associated with the SSAE 18 report, it is important
that professionals understand there are other impacted areas impacted by SSAE 18.
Those include the following:
• SSAE 18 is part of the comprehensive AICPA Service Organization Con-
trol (SOC) reporting framework. System and Organization Controls (SOC) is
a suite of service offerings CPAs may provide in connection with system-level
controls of a service organization or entity-level controls of other organizations.
These include:
SOC for service organizations. Internal control reports on the services provided
by a service organization. These reports will provide valuable information for
users to assess and address the risks associated with an outsourced service
organizations. The reports are as follows:
— SOC 1: SOC for Service Organizations: ICFR
— SOC 2: SOC for Service Organizations: Trust Service Criteria
— SOC for Service Organizations: SOC 2 HiTrust
— SOC for Service Organizations: SOC 2 CSA STAR Attestation
— SOC 3: SOC for Service Organizations: Trust Services Criteria for General
Use Report
SOC for cybersecurity. A reporting framework through which organizations can
communicate relevant useful information about the effectiveness of their cyber-
security risk management program. CPAs can report on such information to
meet the cybersecurity information needs of a broad range of stakeholders.
SOC for supply chains: under development. An internal controls report on an
entity’s system and controls for producing, manufacturing, or distributing goods
to better understand the cybersecurity risks in its supply chains.
• SSAE 18 reporting. Both Type I and Type II reports require a description of
the service organization’s “system along with a written statement of assertion
by management. In many cases, the service auditor “assists management in
preparing the description of the system. In a few cases, the service auditor has
completely prepared the system description. This is not the purpose of the
requirement. Management must attest to the description. Service auditors
should use caution when taking on the task of developing the description.
Management must fully evaluate and attest to the accuracy and completeness of
the description.
¶ 504
• SSAE 18 also brings to the light the relevancy of subservice organization
reporting, the internal audit function, and the ICFR concept. It is critical that
management take this responsibility serious and fully understand the processes
and procedures they have outsourced to a subservice organization.
• ISAE 3402 is the international standard (and equivalent) to the AICPA SSAE 16
attestation standard.
Types of SSAE 18 Reports

Professionals must understand the distinction between the terms SOC 1, SOC 2, and
SOC 3 and the subcategory of Type I or Type II reports. A discussion of each of these
follows.
SOC 1 report. A SOC 1 audit report provides user entities with reasonable assurance
that the controls at a service organization are operating effectively and appropriately
protecting client data. It represents an audit of internal controls at a service organization
that may affect the clients’ internal control over financial reporting. SOC 1 reports can
be further classified into Type I or Type II reports.
SOC 1 Type I report. This report is an attestation of controls at a service organization
at a specific point in time. It reports on the description of controls provided by
management of the service organization and attests that the controls are suitably
designed and implemented. The Type I report is specifically defined by the SSAE 18
guidance as a “report on a description of a service organization’s system and the
suitability of the design of controls—essentially, a determination of whether the
company’s controls are designed appropriately. When performing a Type I report, the
auditors will test the design effectiveness of the service organizations controls by
examining a sample of controls, review of policy, or through inquiry.
The Type I report has three sections. These include Management’s Assertion, the
Auditor’s Opinion, and the System Description of the service offerings under review and
corresponding control objectives and activities. This provides a user organization with
comfort that the service organization has controls in place. This work does not provide
evidence of operating effectiveness.
SOC 1 Type II report. SOC 1 Type II will report on both the design and the operating
effectiveness of controls over a period of time. A Type II report is what most companies
wish to see when asking for evidence of a SOC report. While the Type II report is
preferred, the Type I report can serve as a step in the right direction for an organization
that has never undergone an audit and is looking to show it is serious about compliance.
A SOC 1 Type II report is an attestation of controls at a service organization over a
minimum six-month period. It reports on the description of the controls provided by
management of the service organization, attests that the designs are suitably designed
and implemented, and attests to the operating effectiveness of the controls.
SOC 2 report. These reports are utilized for reporting on controls for IT-related
organizations, such as cloud computing, Software as a Service (SaaS), ad managed
¶ 504
services, along with data centers. These are just a few of the growing list of IT services.
SOC 2 reviews are an audit of a service organization’s nonfinancial reporting controls as
they relate to the Trust Service Criteria as defined by the AICPA. Those criteria include:
• Security. Information and systems are protected against unauthorized access,
unauthorized disclosure of information, and damage to systems that could
compromise the availability, integrity, confidentiality, and privacy of information
or systems and affect the entity’s ability to meet its objectives. Security refers to
the protection of:
— Information during its collection or creation, use, processing, transmission,
and storage
— Systems that use electronic information to process, transmit or transfer, and
store information to enable the entity to meet its objectives
OBSERVATION: Controls over security prevent or detect the breakdown
and circumvention of segregation of duties, system failure, incorrect processing,
theft, or other unauthorized removal of information or system resources; misuse of
software; and improper access to or use of, alteration, destruction, or disclosure of
information.
• Availability. Availability refers to the accessibility of information used by
the entity’s systems, as well as the products or services provided to its
customers. The availability objective does not, in itself, set a minimum
acceptable performance level. It does not address system functionality (the
specific functions a system performs) or usability (the ability of users to
apply system functions to the performance of specific tasks or problems).
However, it does address whether systems include controls to support
accessibility for operation, monitoring, and maintenance.
• Processing integrity. Processing integrity refers to the completeness, valid-
ity, accuracy, timeliness, and authorization of system processing. It ad-
dresses whether systems achieve the aim or purpose for which they exist
and whether they perform their intended functions in an unimpaired man-
ner, free from error, delay, omission, and unauthorized or inadvertent
manipulation. Because of the number of systems used by an entity, process-
ing integrity is usually addressed only at the system or functional level of
an entity.
• Confidentiality. Confidentiality addresses the entity’s ability to protect infor-
mation designated as confidential from its collection or creation through its
final disposition and removal from the entity’s control in accordance with
management’s objectives. Information designated as confidential is pro-
tected to meet the entity’s objectives. Information is confidential if the
custodian of the information is required to limit its access, use, and
retention and restrict its disclosure to defined parties. Confidentiality re-
quirements may be contained in laws or regulations or in contracts or
agreements that contain commitments made to customers or others. The
need for information to be confidential may arise for many different rea-
sons. For example, the information may be proprietary, intended only for
entity personnel.
OBSERVATION: Confidentiality is distinguished from privacy in that privacy
applies only to personal information, whereas confidentiality applies to various
types of sensitive information. In addition, the privacy objective addresses require-
ments regarding collection, use, retention, disclosure, and disposal of personal
information. Confidential information may include personal information as well as
other information, such as trade secrets and intellectual property.
¶ 504
• Privacy. Personal information is collected, used, retained, disclosed, and dis-
posed to meet the entity’s objectives. Although confidentiality applies to various
types of sensitive information; privacy applies only to personal information. The
privacy criteria are organized as follows:
— Notice and communication of objectives. The entity provides notice to data
subjects about its objectives related to privacy.
— Choice and consent. The entity communicates choices available regarding the
collection, use, retention, disclosure, and disposal of personal information to
data subjects.
— Collection. The entity collects personal information to meet its objectives
related to privacy.
— Use, retention, and disposal. The entity limits the use, retention, and disposal
of personal information to meet its objectives related to privacy.
— Access. The entity provides data subjects with access to their personal
information for review and correction (including updates) to meet its objec-
tives related to privacy.
— Disclosure and notification. The entity discloses personal information, with
the consent of the data subjects, to meet its objectives related to privacy.
Notification of breaches and incidents is provided to affected data subjects,
regulators, and others to meet its objectives related to privacy.
— Quality. The entity collects and maintains accurate, up-to- date, complete,
and relevant personal information to meet its objectives related to privacy.
— Monitoring and enforcement. The entity monitors compliance to meet its
objectives related to privacy, including procedures to address privacy-related
inquiries, complaints, and disputes.
The AICPA designed the Trust Services Criteria to provide flexibility in application
and use for a variety of different subject matters. Specifically, the following are areas
where the Trust Service Criteria may be utilized. The following are the types of subject
matters a practitioner may be engaged to report on using the Trust Services Criteria:
• When evaluating the suitability of the design and operating effectiveness of
controls relevant to the security, availability, or processing integrity of informa-
tion and systems, or the confidentiality or privacy of the information processed
by the entity.
• When evaluating the effectiveness of controls within an entity’s cybersecurity
risk management program to achieve the entity’s cybersecurity objectives using
the Trust Services Criteria relevant to security.
• When evaluating the suitability of design and operating effectiveness of controls
included in management’s description of a service organization’s system rele-
vant to one or more of the Trust Services Criteria throughout a specified period
to meet those criteria in a type.
• A Type II SOC 2.
• A SOC 3 engagement related to the design and operating effectiveness of a
service organization’s controls over a system relevant to one or more of the
Trust Services Criteria.
Practitioners generally do not use the Trust Services Criteria when engaged to
report on an entity’s compliance, or on an entity’s internal control over compliance with
laws, regulations, rules, contracts, or grant agreements. If the practitioner is engaged to
report on compliance with laws, regulations, rules, contracts, or grant agreements in
connection with an examination of the design and operating effectiveness of an entity’s
¶ 504
controls, the compliance portion of the engagement would be performed in accordance

with AT-C sections 105 and 315, Compliance Attestation.
When using the Trust Services Criteria, practitioners must consider how the
entity’s objectives (referred to in the criteria) are affected by the subject matter of the
engagement. In evaluating this concept, the Trust Service Criteria provides an example
of application. First, consider the following two circumstances:
• In a SOC 2 engagement, management is responsible for meeting its commit-
ments to customers. Commitments generally are included in written contracts,
service level agreements. Some commitments may be applicable to all custom-
ers (baseline commitments), where others are designed to meet individual
customer needs. System requirements refer to how the system should function
to meet the entity’s commitments to customers, relevant laws and regulations,
or guidelines of industry groups, such as trade or business associations.
• In a cybersecurity risk management examination, the entity establishes cyber-
security objectives. Cybersecurity objectives are those that could be affected by
cybersecurity risk and, therefore, affect the achievement of the entity’s compli-
ance, reporting, and operational objectives. The nature of an entity’s cyber-
security objectives will vary depending on the environment in which the entity
operates, the entity’s mission and vision, the overall business objectives estab-
lished by management, and other factors.
Now apply the Trust Service Criteria below to each example:
The entity restricts physical access to facilities and protected information
assets (e.g., data center facilities, backup media storage, and other sensitive
locations) to authorized personnel to meet the entity’s objectives.
In a SOC 2 engagement as identified in the example above, the phrase “to meet the
entity’s objectives would be interpreted as follows:
locations) to authorized personnel to meet the service organization’s com-
mitments and system requirements.
In addition, the criterion would only be applied as it relates to controls over the
trust service category(ies) relevant to the system(s) included within the scope of the
SOC 2 engagement.
In the cybersecurity risk management examination example, the phrase “to meet
the entity’s objectives would be interpreted as follows:
locations) to authorized personnel to meet the entity’s cybersecurity
objectives.
The criterion would be applied as it relates to controls within the cybersecurity risk
management program. This includes controls that are:
• Across an entire entity
• At a subsidiary, division, or operating unit level
• Within a function relevant to the entity’s operations, reporting, or compliance
objectives
• For a particular type of information used by the entity, depending on the scope
of the cybersecurity risk management examination
Similar to SOC 1 reports, SOC 2 reports can be further categorized into Type I and
Type II reports. While Type I reports simply report on the design of the controls at a
¶ 504
point in time, Type II reports discuss both the design and the operating effectiveness of
controls over a period of time. A SOC 2 audit report provides user entities with
reasonable assurance and peace of mind that the nonfinancial reporting controls at a
service organization are suitably designed, in place, and appropriately protecting sensi-
tive client data. This is a crucial report for any type of data that is entrusted with a third-
party provider, whether it includes large video files or confidential medical records. If
you use a third-party customer relationship management provider, the SOC 2 report will
verify the provider’s ability to keep the records online and the identity of your custom-
ers secure and in line with your own privacy policy.
SOC 3 report. A SOC 3 report outlines information related to a service organization’s

internal controls for security, availability, processing integrity, confidentiality, or pri-
vacy. These five areas are the focuses of the AICPA Trust Services Principles and
Criteria.
A SOC 3 reports on the same information as a SOC 2 report. The main difference
between the two is that a SOC 3 report is intended for a general audience. These reports
are shorter and do not include the same details as a SOC 2 report, which is distributed
to an informed audience of stakeholders. Due to their more general nature, SOC 3
reports can be shared openly and posted on a company’s website with a seal indicating
their compliance.
STUDY QUESTIONS
3. What are the specific components addressed within a SOC 2 Type II report?
a. The design of and operating effectiveness of controls around the security,
availability, processing, integrity, confidentiality, and privacy of services
b. The design of controls surrounding the security, viability, processing integrity,
c. The design of controls around internal controls over financial reporting
d. The design and operating effectiveness of internal control over financial
reporting
4. In relation to a SOC 2 Type II, one of the components addressed involves the privacy
principles. Which of the following are representative of the privacy principle concept?
a. Notice and communication of objectives, choice and consent, collection of
personal information, use, retention, and disposal, access, quality
b. Quantity of information, availability of information, type of information, authori-
zation of personal information
c. Collection of personal information, quantity of information collected, authoriza-
tion of personal information, availability of information
d. Description of individuals authorized to use information, availability of informa-
tion retention, cloud storage, server storage
¶ 504
¶ 505 SUBSERVICE ORGANIZATIONS AND SSAE 18

The concept of subservice organizations is part of SSAE 18. A subservice organization is
a service organization (used by another service organization) that assists or participates
in providing services to a user entity. It can be any third party with access (physical or
logical) to the service organization’s sensitive client data. Activities typically would be
included in the description of the primary service organization’s system.
A subservice organization goes one level deeper than a simple service organization.
Organizations that provide services to a service organization that are not considered
subservice organizations are referred to as vendors. These services do not impact the
controls of the primary service organization. Under SSAE 18, a service organization
should:
• Identify all subservice organizations used in providing services to its users.
• Include a description of any subservice organization controls (Complementary
Subservice Organization Controls) that the service organization relies on to
provide the primary services to its customers.
¶ 506 SSAE 18 VERSUS SSAE 16

SSAE 16 was specific to SOC 1 reports. It dealt with the controls at a service organiza-
tion that impact financial reporting of the customers of the service organization. By
contrast, SSAE 18 refers to many different types of attestation reports, not just SOC 1
reports. SSAE 18 is for all attestation engagements. Companies can no longer refer to
SOC 1 as an SSAE 16 examination. Since there will be many different reports produced
under SSAE 18, organizations must refer to these attestation reports by their proper
name (SOC 1, SOC 2, etc.) and not by the standard used to produce them.
SSAE 18 provides organizations with, in addition to processes related to financial

reporting, the ability to gain assurance on an entity’s compliance with certain laws or
regulations, contractual arrangements, or another set of defined agreed-upon proce-
dures. Some of the provisions of SSAE 18 may allow user auditors to reduce testing
through reliance on the service auditor’s report regarding internal controls at the
service organization. This may assist in gaining a competitive advantage against similar
organizations that have not received a SOC 1/SSAE 18 report. Other benefits that have
been cited include the ability to meet contractual requirements, benchmark controls,
and increase client satisfaction information.
There are a couple of key changes companies currently performing a SOC 1 or 2

report will need to take into consideration moving forward:
• Service organizations will need to implement a formal third-party vendor man-
agement program.
• Service organizations will need to implement a formal annual risk assessment
process.
In addition to the control-based changes, SOC reports should also contain two
additional sections describing the risk assessment process, as well as the subservice
organizations that play a role in the overall operation. Also included is a description of
the system and the corresponding controls the subservice organization may impact or
have complete ownership of. These two components were previously present in SOC 2
¶ 505
reports but not formally required. Now, this concept is being formalized and extended
to all SOC reports moving forward.
In the case of organizations that have not previously undergone a SOC 1 audit due
to their service and or operations not being financially significant, SSAE 18 expands the
definition of what is allowed to be reported on. It includes an entity’s compliance with
certain laws or regulations, contractual arrangements, or another set of defined agreed-
upon procedures. This now allows for an official, independent review of a wide range of
operations under a trusted and consistent set of auditing and reporting guidelines.
¶ 507 PHYSICAL COMPONENTS OF THE SSAE 18

REPORT
Many of the requirements for reporting outlined in SSAE 16 have stayed intact within
SSAE 18. One of the most critical changes is that SSAE 18 requires that controls be
implemented at the service organization that monitor the effectiveness of controls at the
subservice organization. A listing of SSAE 18 expectations include:
• Monitoring controls at subservice organizations
• Risk assessment
• Complementary controls
• Assertion criteria modification
• Written assertion
• Evidence provided by service organizations
Monitoring Controls
Services organizations are required to implement controls that monitor the effective-
ness of controls at the subservice organization. The following elements must be
included (not an all-inclusive list):
• Review of/reconciling output reports
• Regularly scheduled site visits
• Actual testing of controls
• Monitoring external communications
• Review of regulatory compliance reports
Potential monitoring procedures that have been recommended to meet these
requirements include the following:
• Hold periodic discussions with the subservice organization.
• Members of the service organization’s internal audit (IA) function test controls
at the subservice organization.
• Review Type 1 or Type 2 reports on the subservice organization’s system.
• Monitor external communications (i.e., customer complaints) relevant to the
services by the subservice organization.
Monitoring elements of internal control have become a stronger emphasis for
organizations since the Committee of Sponsoring Organizations (COSO) Internal Con-
trol Framework and Sarbanes-Oxley have come into play. Monitoring, although the final
component of the COSO framework, assists in ensuring the organization has properly
established controls. It also addresses the need for the organization to regularly risk
assess and evaluate control activities to ensure they are effective within their environ-
ment. Many of the requirements outlined in the COSO framework are important to
consider when executing monitoring procedures for SSAE 18. In addition, management
¶ 507
must understand that monitoring processes are not the sole responsibility of IA or a
third-party independent verification source. Management monitoring is often cited as
the second level of defense for internal controls. Management must establish processes
that are efficient to identify when controls are not working or have become ineffective.
They must then promptly address the deficiencies with actions. It is not acceptable to
“wait until the auditors come in.
Risk Assessment
As defined by COSO, risk assessment is an iterative process, not a one and done. With
the continuing changes in the business risk landscape, it is imperative organizations
have procedures in place to effectively execute timely risk assessments as well as
monitor emerging risks and consider them within their risk assessment processes.
SSAE 18 has specific requirements for risk assessments as opposed to existing
general considerations of risk in SSAE 16. Several places in the SOC 1 standard include
strong language around risk identification and risk management. Service auditors must
obtain a more in-depth understanding of the development of the subject matter than
currently required.
The SOC 1 standard previously stated the need for a “formal or informal risk
assessment process. The new standard for SOC 1 is asking auditors to understand
management’s process and assess if it is complete and correct. Auditors must evaluate
the linkage of controls identified in management’s description of the service organiza-
tion’s system with risks and determine that controls have been implemented. SSAE 18
requires a formal risk assessment process, which according to the AICPA, “may include
estimating the significance of identified risks, assessing the likelihood of their occur-
rence, and deciding about actions to address them.
The approach used to perform the risk assessment is left to the discretion of the
organization. The auditor will be determining whether the company risk assessment is
accurate and complete. The auditor is also required to obtain evidence that the
information provided for the risk assessment is reliable. This should lead to an im-
proved linkage between assessed risks and the nature, timing, and extent of attestation
procedures performed in response to those risks.
There are many approaches to performing a risk assessment. Those approaches
can include multiple facilitation methods as well as execution methodologies (inter-
views, questionnaires, checklists, evaluation of process area risk assessments, and
strength/weakness/opportunities/threat [SWOT] analysis).
From the execution perspective, organizations can consider whether their needs
are best met by performing a qualitative or quantitative risk analysis. Another option is
to combine the approaches to ensure proper risk coverage. Quantitative risk assess-
ments are sometimes viewed as more beneficial because they can provide more
concrete measurement. The utilization of an approach that includes quantitative factors
can bring several benefits to organizations that issue SOC reports. Such benefits include
the following:
• Improves the organization’s overall risk posture. In any risk assessment, a
key element is to ensure the data considered and risks analyzed support the
rationale related to the control in place to mitigate the risks. When using
quantification methods in financial terms, the organization can add rigor to the
risks identified and appropriately map the risks to the related control objectives
identified in the SOC report.
• Enhances reliability of information. The quality of a service organization’s
risk assessment process will ultimately influence the nature, timing, and extent
¶ 507
of audit procedures required. As such, it is important the results of the risk
assessment are reliable. Reliance allows the auditor to place emphasis on
supporting documentation and less time on extensive evaluations. By quanti-
fying risk in financial terms, the organization provides a greater degree of
objectivity in risk analysis. This can increase the extent to which the service
auditor can rely on this information.
• Builds assurance. The objective of a SOC report is to instill trust and assur-
ance in the service organization’s processes. Trust and assurance are built
through the knowledge that the service organization has sufficient controls in
place over its environment. Taking a quantitative approach to risk assessment
could increase the confidence that the service organization has taken the
appropriate steps to manage its highest risks and allocate the appropriate
controls to mitigate those risks.
• Streamlined process. The ability to have well-documented rationale on the
risk assessment process should help streamline efforts service auditors may
need to spend on their work.
Complimentary Control
The new standard introduces the concept of “complementary subservice organization
controls. This concept establishes and defines the controls for which user entities must
now assume in the design of the system description.
Complimentary subservice organization controls is a new term used to reference
subservice organization controls that service organizations rely on to meet the expected
control objective. Under these circumstances, management and the service auditor
need to consider the subservice organization controls assumed in the design of the
service organization’s own system and how the service organization ensures that
control objectives were met. Complementary controls are considered necessary for the
achievement of control objectives in the report.
Service organizations may outsource functions such as data center hosting or
transaction processing to outside vendors. These are referred to as subservice organiza-
tions. User entities may require information about the controls that are in place at these
subservice organizations to mitigate the risk presented by the service they are provid-
ing to the service organization. If controls at the subservice organization are used in
combination with controls at the service organization to provide assurance for a SOC
control objective, the controls performed by the subservice organization are referred to
as complementary subservice organization controls (CSOCs). When this occurs, service
organizations must incorporate complimentary subservice organization controls into
their SOC reports. The CSOCs must be specific to the services provided by the service
organization’s system. The description of the service organization’s system should
describe the subservice organization’s responsibility for implementing CSOCs. Exam-
ples that have been cited as types of CSOCs a subservice organization is assumed to
have implemented include the following:
• Controls relevant to the completeness and accuracy of transaction processing on
behalf of the service organization.
• Controls relevant to the completeness and accuracy of specified reports pro-
vided to and used by the service organization.
• General IT controls relevant to the processing performed for the service organi-
zation. Service organization management may request the service auditor’s
assistance when determining how to present the CSOCs in the description.
¶ 507
Assertion Modification
While always a part of SSAE 16, SSAE 18 requires a disclosure of the relationship
between the service organization and its relevant subservice organizations. Questions
the auditor should consider include, but are not limited to, the following:
• Has the service performed by the service organization been included or carved-
out?
• Is such disclosure made apparent in reporting?
SSAE 18 requires the service auditor to obtain a written assertion. An assertion is
the statement found within the SOC report where the service organization asserts the
system description provided is essentially true and complete. This statement has always
been within SOC 1 reporting, but the requirement for the service organization to sign
the document was optional.
Evidence
Historically speaking, auditing best practices have always included obtaining reliable,
current, relevant, and accurate data from a service organization. While almost every
previous auditing standard (SAS 70, SSAE 16, etc.) has discussed the concept of
evidence, it is now defined with more clarity under SSAE 18.
Evidence is considered documentation that provides evidence of the operating
effectiveness of controls. SSAE No. 18 provides a list of information that may require
additional assessment procedures. The list includes:
• Population lists for sample tests
• Exception reports
• Lists of data with specific characteristics
• Transaction reconciliations
• System-generated reports
• Other system-generated data (e.g., configurations, parameters, etc.)
¶ 508 SSAE DELIVERABLE

SSAE 18 is not a certification. Neither was SSAE 16, nor SAS 70 that preceded it. There
is no such thing as “SSAE 18 certified. Service organizations that use this terminology
are misleading customers and stakeholders. SSAE 18 is only the name of the standard
used by audit practitioners to perform a variety of attestation reports. It is not specific to
a certain type of attestation report (SSAE 16).
SSAE 18 while primarily clarifying existing auditing standard is also intended to
reduce instance of duplication within similar standards that cover examinations, re-
views, and agreed-upon procedure engagements. Organizations and auditors must be
familiar with the changes outlined in SSAE 18 to properly perform reviews.
SSAE 18 work and reports are intended to be performed by CPAs. In the past,
much of the work was done by other professionals and a CPA reviewed and signed off
on the project. CPAs who are “signing off on work performed by non-CPAs understand
all requirements and procedures expected by SSAE 18. The new standard will require
both auditors and user entities to perform deeper due diligence in regard to effectively
completing a SOC audit. These things include the following:
• SOC auditors will have to dig deeper in asking for more detailed evidence.
• Service organizations will need to start retaining more detailed records.
• There needs to be a stronger level of accountability for SOC reports.
• There is an expectation of stronger quality standards by CPA firms performing
SSAE 18 engagements.
¶ 508
¶ 509 WHO NEEDS AN SSAE AUDIT?

If your company performs outsourced services that affect the financial statements of
another company, you will more than likely be asked to provide an SOC 1 Type II
report, especially if the user organization is publicly traded. Some example industries
include:
• Software as a Service (SaaS)
• Medical claims processors
• Payroll processing
• Accounts payable processing
• Loan servicing
• Data center/co-location/network monitoring services
¶ 510 HOW TO PREPARE FOR A SOC REVIEW

Organizations considering a SOC review may want to evaluate some of the processes
and examine their needs to ensure they obtain the best product for the money. The cost
of a SOC review can vary based on the complexity of the organization as well as the type
of SOC requested. This makes it important to ensure organizations are aware of the
needs and requirements that will be placed on your firm in having a SOC performed. It
is also important to understand the prospective users that may benefit from a SOC of
your organization. There are some initial concepts to consider.
Readiness Assessment
Readiness assessments are designed to assist a service organization in assessing its
preparedness for a SOC engagement. However, organizations should keep in mind that
a readiness assessment is not something that is required. For smaller organizations, the
assessment could be an ineffective use of funds. In a larger organization, it may be a
good process to ensure the organization can receive a “passing grade for the SOC
audit.
During a readiness assessment, organizations need to be prepared to walk through
and document their processes and controls. This will be required regardless of whether
a company is getting a SOC 1 or a SOC 2. Often firms that provide SOC services will
perform a readiness assessment to determine if the relevant documentation is present
and available. As part of this process, the firm may also identify any weaknesses that
could preclude having an unqualified opinion in the report, or have findings show up in
the report in the testing section. This is a proactive approach to assist the service
organization in mitigating any exposure areas. Procedures that may be used during a
readiness assessment include:
1. Evaluate if a SOC engagement is right for the company. Some questions
to consider when attempting to determine if your organization is in need of a
readiness assessment are:
— Are you a service organization?
— Is trust a central part of what you offer clients?
— Do your clients care about the security, confidentiality, or privacy of their
data?
— How available are your services, and how well do you process information?
— If these situations apply, you may be looking for a SOC 2 or SOC 3.
¶ 510
If you are a service organization where you handle a client’s financial information,
then a SOC 1 may apply.
2. Evaluate whether specific SOC constraints may exist. Organizations that
believe they may need a SOC 2 or a SOC 3 must ensure they are in sync with
their auditor as to the areas that may need to be evaluated. This may include:
— What are the boundaries for the system being reviewed?
— Are there boundaries for cloud services?
— Are their criteria under certain principles that can be ignored given the
nature of your business?
— What is the minimum period of controls (6 months, 9 months, etc.) that
are required for an audit?
— Can your current IT operations meet change management requirements
that may be identified?
3. Choose SOC elements. This step assists the user organization in identifying
the elements of what it is looking at for a SOC report. For instance:
— What report type is needed? Type 1 or Type 2?
— What system is being evaluated? A system is typically organized to achieve
a specific business objective and has components of infrastructure,
software, people, procedures, and data.
— Which principles apply? Do five of the Trust Service Principles apply, or
only one?
— What criteria applies? In a SOC report, the service organization must
report on all criteria under the chosen principle.
4. Understand management commitments and customer standards that
must be met. Management typically will set out their commitments to the
customers in written service-level agreements. These serve as controls for the
various principles. For a SOC, management must have a list of their commit-
ments and must make sure their system is designed and operating to meet
those commitments.
5. Evaluate controls and gaps that can be readily identified. To perform an
effective gap analysis, a close review of the system and comparison against
the principles and criteria must be performed. If your organization is well
organized with strong procedures, this process can be easily executed. How-
ever, if policy, risk management and operations do not have mature
processes, gaps make take longer to mitigate.
6. Remediate identified gaps. This is an area that management must strongly
consider. If gaps are identified in the readiness assessment and management
wants an unqualified SOC report, the gaps must be remediated. This can
become involved and time consuming resulting in process redesign, training,
documentation, personnel changes, etc.
7. Develop systems description. This requirement for a SOC is one that
management must fulfill. Management should provide the auditor the full
description of the system. This is what the auditor will use as the basis of the
audit. The full list of what should be in the description is set out in four pages
of “AICPA Information for Management of a Service Organization 2011.
Some of the areas included are:
— A narrative explaining your services and the components of the system
— A completed Trust Services Criteria matrix for the principles that will be
addressed
¶ 510
— Explanations of why any relevant criteria are not addressed by a control
and whether the system has changed over the period of audit
— All necessary information about subservice organizations
— Specific, comprehensive privacy information for organizations addressing
the privacy principle
It is important to reiterate that the systems description is a product that should be
prepared by management. In many cases, auditors will work with management to
prepare the description in order to ensure all of the proper components are included.
However, the service auditor should use caution in taking responsibility for preparing
the narrative. The narrative must be such that management can fully agree to and
explain the information.
8. Build an effective audit period. The organization must have an operating
period under which the SOC report is based. This period can be three to six
months or a year. If the organization is looking for Type 2 report, the auditor
must have the requisite amount of time to ensure processes are operating
effectively and the auditor can adequately test the processes (i.e., three
months is not sufficient).
9. Prepare and undergo an audit. Essential elements for being properly
prepared to undergo an audit is to ensure you have prepared relevant walk-
throughs and have appropriate documentation of the process.
10. Distribute reports according to need and use. As we have previously
discussed, SOC 1, SOC 2, and SOC 3 reports have different structures and are
intended for different audiences. A SOC 1 report will focus on financial
aspects whereas a SOC 2 report focuses on information systems integrity. A
SOC 3 report is more general in nature, concise, and less detailed. Many
organizations use a SOC 3 to display on their website.
The following graphic depicts the steps and drivers of executing a readiness
assessment for a SOC 2 engagement:
¶ 510
STUDY QUESTION
5. The purpose of a readiness assessment is to:

a. Assist a service organization in assessing its preparedness for a SOC
engagement
b. Ensure the organization will be able to receive a passing grade on a SOC
engagement
c. Document all processes needed for the SOC engagement
d. Prepare management for what will be entailed in a SOC engagement
¶ 511 BENEFITS OF SOC REPORTS

There are numerous benefits to having a SOC report in place. With the ever-increasing
use of outsourced providers, the competitive nature of the industry requires that
organizations be able to provide to their customers that their processes are efficient and
reliable. Having a SOC report in place gives service organizations the ability to skillfully
perform outsourcing services for public companies. Public companies are required to
use a provider with a valid SSAE/SOC 1 in place in order to provide investors assurance
over controls that are performed by the outsourcing company. In addition, user organi-
zations are more likely to put trust in your organization for their personal, private, and
confidential information. Reasonably thinking, beyond compliance requirements, orga-
nizations want to trust a company with whom they are placing their data. They want to
¶ 511
ensure it is handled with the utmost care. Another benefit is having a third party to
review controls and activities and ensure they are functioning appropriately and can
provide lasting benefits. The organization can also be available to provide advice on how
to improve processes.
Some organization may ask, “Why can’t we just have our internal audit department
do the work? Internal audit departments are not always trained in the specific aspects
of the service trust principles. In addition, they apply different methodologies that may
not be as stringent as those applied by an outsourced provider. At the risk of stating the
obvious, internal audit departments are not a third-party but instead part of the com-
pany. Having a third-party resource will help to serve as a check on work of staff and
personnel. Additionally, if any findings were noted, your auditors are in a great position
to give you some tricks and tips to improve and help ensure everything functions well
the following period.
STUDY QUESTION
6. A SOC engagement would typically include obtaining a list of management commit-

ments. How are management commitments defined?
a. Those promises made by management to customers regarding the delivery of
their service.
b. Those promises that the customer expects to receive from the service he is
receiving.
c. Only those promises explicitly outlined within a formal document.
d. Those promises given by the user organization to the service organization
¶ 512 SUMMARY
The move to SSAE 18 helps to ensure service auditors avoid taking shortcuts when
performing audits. Service organizations typically vet the subservice organization ini-
tially when evaluating which subservice organization to partner with. However, it is just
as important to ensure subservice organizations are monitored on an ongoing basis
using the methods outlined in SSAE 18.
The language in SSAE 18 around third-party vendor management is extremely
clear. The primary difference relates to how service organizations will manage and
monitor the review of the subservice company. A service organization will now need to
implement a robust third-party vendor management policy.
¶ 512
91

CHAPTER 6: Understanding Blockchain: For
CPAs, Accountants, and Practitioners
¶ 601 WELCOME
This chapter discusses the basic concepts, lexicon, technology, and potential applica-
tions related to blockchain technology. It is designed to help CPAs, accountants, and
practitioners prepare for future conversations about blockchain with their clients,
prospects, colleagues, peers, and others.

• Describe the evolving world of blockchain technology
• Recognize the impact of blockchain on both the financial reporting process and
the audit approach
• Identify the latest blockchain software being utilized
¶ 603 INTRODUCTION
Many say the accounting profession is set to play a key role in driving the adoption of
blockchain to both privately held and publicly traded companies. But what exactly is
blockchain? In short, blockchain is a global digital ledger of economic transactions that
is transparent, continually updated by countless users, and considered by many as
almost impossible to corrupt or hack. Blockchain has the potential to significantly
disrupt the business sector and the public accounting industry in the next three to five
years.
¶ 604 WHAT IS BLOCKCHAIN?

History
Blockchain is a blend of both old and new concepts. It has elements of cryptography, a
practice that dates back to ancient Roman times. Especially during times of war, ancient
peoples sent private or secret messages to each other using a code to hide the
communications from their enemies.
Originally a computer science term for how to structure and share data, blockchain
came to the forefront in 2008 amid the global financial crisis as individuals and
businesses realized they needed to better control information related to financial
transactions. Trust had been shaken to the core as a result of the financial crisis and
high-profile hackings of people’s personal and business information. Cryptography
specialists in the San Francisco Bay area started online discussions about moving away
from central authorities (e.g., banks and other financial institutions) involved in such
transactions. They wanted to create an environment of trust that did not depend on
other organizations.
In 2008, a white paper was issued that described a peer-to-peer electronic cash
payment system to replace centralized financial institutions. Soon, the first blockchain
software was designed, incorporating distributed ledger technology. The first evolution
¶ 604
of blockchain was Bitcoin, which allows the transfer of digital tokens without dealing
with an intermediary. The second was the Ethereum network, and the third was the
Factom network. These will be discussed in more detail later in the chapter.
OBSERVATION: Blockchain is a class of software, whereas Bitcoin is a
specific cryptocurrency from that software. Bitcoin cannot stand on its own; it
needs the blockchain software in order to make digital tokens. Blockchain, on the
other hand, does not need Bitcoin, or any other cryptocurrency, to function.
Overview
Blockchain presents a novel way to deal with data. Recognized as the “fifth evolution of
computing, it is a distributed database that a group of individuals control to store and
share information. Blockchain is a data structure that creates a digital ledger of data
that can be shared in a network of independent third-party participants. It uses cryptog-
raphy to allow each participant on any given network to manage the ledger in a secure
way without the need for a central authority. The goal of blockchain is to create data
integrity by ensuring that sensitive information is viewed only by those parties that are
assigned access to it in the network.
Blockchain offers many advantages. It enables impeccable recordkeeping because
it creates permanent and reliable records and histories of transactions in a digital
format. To change any information, large portions of a blockchain community would all
have to agree to the change, and they are incentivized not to change information. When
users want to add a record (i.e., a transaction or entry), they must enter a validation
code. Because the data is very difficult to change or remove, blockchain creates trust in
digital data.
The computer code in the blockchain becomes law, and rules are executed as they
are written and interpreted by the blockchain network. This eliminates social biases and
behaviors. It also creates a clear timeline of who did what and when. Another advantage
of blockchain is the “proof of work concept. A proof of work is a confirmation of
transaction and plays an important role in making sure that the information remains
reliable and effective.
As mentioned earlier, blockchain is a peer-to-peer system with no central authority
to manage the flow of information. There is no regulator or standard-setter involved; the
software itself is the arbitrator. Central authority can be removed if there is a large
distributed network of independent users.
To prevent network corruption, two ingredients are necessary: (1) decentralization
of the structure of the software and (2) utilization of cryptocurrency. The likelihood that
a blockchain software network can be corrupted is very slim. To date, there have been
no instances of hacking a blockchain. Cryptocurrency is a form of currency that exists
only digitally. Although the most popular type is Bitcoin, other types of software create
other types of cryptocurrency. Each work in the blockchain gets paid different values,
depending on the complexity of the software involved. Because the software itself pays
the hardware to operate, integrity can be maintained. No third party pays to maintain
the environment.
There are many different types of blockchains and blockchain technology in the
marketplace. Each blockchain has unique functions and is used with different types of
transactions. Most, however, are involved in moving money or other forms of value
quickly and affordably (trading public company stock, foreign currency exchange,
paying foreign employees, etc.).
¶ 604
MODULE 2 - CHAPTER 6 - Understanding Blockchain 93
Blockchain Components
A blockchain is made up of three parts:
• Block: A list of transactions recorded onto a ledger over a period of time. The
size, period, and trigger events are different.
• Chain: The hash—or the “glue —that links one block to another, mathemati-
cally joining them together.
• Network: Composed of “full nodes —a computer running an algorithm that is
securing the network. Each node contains a complete record of all transactions
that were recorded in the blockchain.
The trigger events for blocks differ for every blockchain. Each block contains a
cryptographic hash that is unique to that block and chains it to the immediately
preceding block of information. Not all blockchains record and secure a record of the
movement of their cryptocurrency as their primary objectives, but blockchains do
record the movement of the cryptocurrency, the tokens that are being used. For such
transactions, information is recorded and then assigned a value. For a financial transac-
tion, the block interprets what the data means.
The chain in the blockchain is created from the data that was given from the
previous block. It acts like a fingerprint and puts the blocks together in order. Hashing
creates the mathematical algorithm that maps out the data, resulting in a one-way
function that cannot be decrypted. The chain creates trustworthy data.
As previously mentioned, the network is the arbitrator of the blockchain. The full
nodes, or individuals or organizations, run the algorithm that secures the network to
maintain the network’s integrity.
The process of creating honest, trustworthy and self-corrected blockchain systems
can be broken down into several steps.
1. A user requests a transaction.
2. The request is transmitted to the network.
3. The network validates or rejects the transaction.
4. If validated, the transaction is added to the current block of transactions.
5. The block of transactions is then chained to the previous block of transactions.
6. The transaction is confirmed.
The degree of trust the network has that all of its nodes are operating in the
blockchain will determine the type of consensus algorithm it uses to settle its ledgers.
STUDY QUESTIONS
1. Which of the following statements is correct regarding blockchain?

a. It was originally a computer science term for how to structure and share data.
b. It is recognized as the “Fourth Evolution of computing.
c. Every blockchain is consistent with other blockchains.
d. Data is relatively easy to change or remove.
2. Which of the following identifies the first evolution of blockchain technology?
a. Ethereum network
b. Factom network
c. Bitcoin network
d. Cryptography
¶ 604
3. Which of the following identifies something that mathematically links one block to
another?
a. Block
b. Chain
c. Node
d. Cryptocurrency
¶ 605 HOW TO SELECT A BLOCKCHAIN

Public, Private, and Permissioned Blockchains
When selecting a blockchain, individuals and organizations should consider the degree
of security, scalability, and data storage they need, as well as the software’s auditability.
Public blockchains—for example, Bitcoin—are large distributed networks that run
through a native token. A public blockchain is open to anyone at any level. Open-source
code is maintained by its community. Public blockchains tend to be slower and more
expensive to use than private blockchains. They are secured with cryptocurrency and
have limited storage capacity.
Private blockchains, on the other hand, are usually shared between trusted parties
and are not open to the public. They tend to be smaller, quicker, and less costly than
public blockchains. Tokens are not used, and membership is closely controlled. Private
blockchains are favored by consortiums that have trusted members and trade confiden-
tial information. Their storage capacity is unlimited.
Permissioned blockchains (e.g., Ripple) control the roles that individuals can play
within the network. They are large distributed systems that use a native token, and their
core code may or may not be open source. Permissioned blockchains utilize a
cryptocurrency and usually have a lower cost for application. They are scaled projects
and truly increase transaction volume. These types of networks can be very fast and also
have very high storage capacity over public networks.
COMMENT: Hybrid blockchains, which have some combination of the ele-
ments of public, private, and permissioned types, will likely emerge in the market-
place to meet organizations’ varying needs.
Centralized, Decentralized, and Distributed Networks

Organizations must also consider which type of blockchain network makes business
sense for it or for its clients.
• A blockchain with a centralized network stores and sends data through a single
database/server.
• A decentralized network is composed of clusters of centralized networks. Each
centralized cluster transmits information not only with itself but also to the other
clusters; thus, the clusters rely on each other.
• In a distributed network, there is no centralized database/server, and there is no
information storage.
Centralized networks tend to have a much faster rate of development and imple-
mentation, because everything comes to a single point. Distributed networks are
typically much more difficult to maintain because there is no single database/server. In
a decentralized network, clusters work independently of each other yet communicate to
each other.
¶ 605
With an understanding of blockchain structures and how they work, an organiza-
tion must consider not only its perspective but also its customers’ and that of others it
conducts business with. Uncertainties, complexities, and consequences associated with
selecting a blockchain, or having clients use a blockchain, have to be taken into
account. The following steps can be helpful.
1. Brainstorm with your leadership regarding key goals, such as volume, scale,
speed, security, immutability, and storage needed.
2. Select eight to ten key attributes you are seeking.
3. Create a table listing the choices and attributes.
4. Weigh the choices that are important to you
5. Select which blockchain works best for your circumstance: public network
(i.e., Bitcoin), private network, or permissioned network (i.e., Ripple).
The following table might be helpful in choosing a blockchain that works best for
an organization’s particular situation. It includes some of the more popular reasons
organizations are gravitating toward blockchain.
Purpose Blockchain Type
Move value between trusted parties Private
Move value between mistrusting parties Public
Trade value between dissimilar things Permissioned
Trade value between similar things Public
Create decentralized organization Public or permissioned
Create decentralized contract Public or permissioned
Trade securitized assets Public or permissioned
Publish for public recordkeeping Public
Publish for private recordkeeping Public or permissioned
Perform audits of records/systems Public or permissioned
Trading digital money/assets Public or permissioned
Building systems security Public
Of course, organizations should draft a plan or a strategy for blockchain software

selection. The project should be discussed with key stakeholders who can give advice
on possible unforeseen circumstances and the software’s key components. Next, a
project plan should be created based on the organization’s—or its clients’—daily needs
for posting transactions and recording/maintaining data.
The organization should also draft performance measurements, a statement of
scope, and a schedule, as well as evaluate costs. A risk management and staffing plan
are also important. Staff must be able to understand how to record transactions in the
blockchain software the organization is purchasing. Team members’ roles and responsi-
bilities also must be defined.
Finally, a kickoff meeting should be held to commence the project. The meeting
should explain the organization’s strategy and timeline for implementing the software,
as well as commitments that are being made. The blockchain’s effectiveness should also
be addressed in the meeting.
¶ 606 REALISTIC APPLICATIONS IN PRACTICE

This section discusses how blockchain technology is used in real-life situations. As
mentioned earlier, blockchain will change the way organizations deal with information
and data and record financial transactions. Real-time auditing—in which an auditor can
access a company’s data in real time on a daily basis—might become a reality in the
near future because of blockchain technology. The real-time distribution of information
¶ 606
is critical, especially for auditors performing analytical procedures or trying to reconcile

information. With blockchain, they can be confident that they are getting reliable
information instantaneously.
Auditors typically send out confirmations to the parties that are involved with their
clients to verify information. Because blockchain enables verification of information by
network members, these types of confirmations can be reduced or even eliminated.
Auditors can be assigned to a private blockchain or network and audit information in
real time. An entity or a client has the ability to allow different levels of access to the
blockchain, so as it deals with different transactions, it can give certain people access
without exposing information to other people who are not involved in those
transactions.
Currently, account reconciliations are very time-consuming, especially for auditors
trying to reconcile the information of their clients to the parties they do business with.
With blockchain software, these reconciliations are streamlined and possibly can be
eliminated.
The preparation of reports is another time-intensive process that can be sped up
with the use of blockchain. Currently, auditors spend a great deal of time correcting and
matching up information. That time will be reduced if they use blockchain software to
prepare reports because they will already have trustworthy data. From an internal
perspective, organizations will spend less time preparing data because the data stored in
the blockchain is reliable.
This same holds true for quarterly, semiannual, or annual closing of the books and
records. Now, dealing with internal accounting issues and ensuring that everything
matches up with the reports and the financial statements takes a great deal of time. A
blockchain software environment can speed up that work.
Imagine if auditors no longer had to confirm accounts receivable. With blockchain,
the software will act as the confirmation because auditors will be getting the same
information from their client’s side as well as from its customers’ side to make the
confirmation. Think of it almost like a triple-entry ledger. The same concept applies to
payroll testing. These are some of the possible applications as more people begin using
blockchain software. Auditors’ approaches to testing things will be streamlined because
blockchain offers more reliability.
¶ 607 BLOCKCHAIN SOFTWARE

Accountants and auditors must make a concerted effort to understand the latest
information technology trends, such as blockchain, in order to remain relevant and
competitive in the changing marketplace. The future of the profession should focus on
two key disciplines: (1) financial reporting, testing guidance, and so forth; and (2)
understanding information technology. In the future, those who are educated in both
disciplines will be mostly successful.
Popular blockchain software options that are currently available for purchase
include the following:
• Ethereum, which specializes in smart contracts
• Ripple, which is designed for financial and currency transactions
• Factom, which is designed for reducing processing time and paperwork (i.e.,
title insurance, mortgages, etc.)
¶ 607
• Hyperledger, which is an open-source ledger
• Multichain, which is an open-source private blockchain platform used by many
businesses for multiple purposes
The following sections discuss each option in more detail.
Ethereum
Ethereum (www.ethereum.org) was first described in 2013 in a white paper written by
Vitalik Buterin and went live in July 2015. In his paper, Buterin indicated he wanted to
expand the utility of Bitcoin beyond its trading of tokens. Ethereum is one of the most
complex blockchains ever built, and its features include excellent documentation and
user-friendly interfaces. It also offers good security for small applications.
This software is ideal for smart contracts, negotiating agreements, charters, wills,
and fund transfers. It is the best place to build decentralized applications.
Ripple
Ripple (https://ripple.com) was developed in 2004, before Bitcoin, by Ryan Fugger in
Canada. One of the most interesting of the blockchains, it is a global financial settle-
ment solution between banks and consumers. It is available at a very low cost, offers
exceptional security, and is on a distributed open-source Internet protocol. Ripple’s
native currency is called ripples.
Ripple enables users to send real-time international payments across its networks.
It is known for enabling cross-border payments and exchanging value between two
unlike items. The financial users of the system participate in the network by issuing,
accepting, and trading assets to facilitate payments. The operators participate in the
network by keeping track of the transactions and then coming to a consensus about the
validity and the ordering of those transactions with other nodes in the network.
Ripple provides two critical functions. It acts as a common ledger to connect banks
and payment networks, allowing them to clear transactions in literally a few seconds. It
constantly monitors the flow of transactions across the network. It acts as a neutral
transaction protocol in which it deals with the same type of value across different
currency transactions. Banking institutions are excited about this technology because it
allows them to move away from intermediaries and clearinghouses, and complete
transactions more quickly with less risk. Features include real-time payments, compre-
hensive transaction traceability, and the ability to convert almost any type of currency
and commodity or token.
Factom
Factom (www.factom.com), known as the “publishing engine, is a platform that is used
to minimize the volume and complexity of complicated legal transactions workpapers. It
is a powerful tool that publishes for data streams and security systems. Factom
integrates and links other blockchains to improve the security and data of the systems
involved.
Authentication of documents comes into play with this software, which has applica-
tion program interfaces. The network pays for itself and has its own cryptocurrency
called factoids. Factom is built on layers and chains that determine how the data is to be
structured. The chains allow applications to pull only the data that they are interested in
without needing to download the full data that is being sent to them. This type of system
allows a user to be separated from the tradable tokens and maintains a fixed cost for
consumers while allowing the free market to set the price of the factoids.
¶ 607
Harmony was the first commercial service Factom product. dLoc is one of the first
practical document authentication systems dealing with data integrity in the physical-
digital world. Organizations that deal with authentication of digital integrity may want to
consider using Factom.
Hyperledger
As mentioned earlier, Hyperledger (https://github.io/composer/) is an open-source
blockchain platform. As opposed to other blockchains, it is a distributed ledger (Saw-
tooth Lake by Intel) and does not operate with a cryptocurrency. Hyperledger offers a
graphic user interface (GUI), making it a user-friendly option for building blockchain
models for nontechnical users. Hyperledger is supported by the Linux Foundation, and
its transactions are secure, private, and confidential.
Multichain
Multichain (www.multichain.com) is an open-source, off-the-shelf platform typically
used for private blockchains (internal or shared). Focusing on privacy and control, it is
designed for permissioned participants and only includes events that relate to those
participants. Multichain is customizable and offers flexible security. It can run on
Windows, Mac, and Linux systems and, like Hyperledger, is user-friendly.
¶ 608 NEXT STEPS IN EVOLUTION OF YOUR PRACTICE

With the implementation of blockchain, it will not be long before auditors, accountants,
investors, and others can instantly access the information they are seeking. The next
steps in the evolution of a CPA firm’s practice include continuous/real-time auditing.
Auditors will need to be comfortable in both using the software and relying on it. In the
reconciliation process, with access to the private blockchain software, auditors will be
able to instantaneously see both sides of a client’s transaction without sending out a
confirmation.
The adoption of blockchain will give firms the opportunity to grow their accounting
function. Blockchain will also have an impact on revenue recognition and leasing
standards, especially the new revenue recognition standard that will be effective for
private businesses in 2019 and the new leasing standard in 2020.
Traditional auditing procedures, such as the following, will have to be reexamined
as an increasing number of firms adopt blockchain.
• Confirmation
• Analytical procedures
• Inquiry and observations
• Vouching of records, documents, physical assets
• Recalculation/reperformance
Blockchain is moving full steam ahead, with an increasing number of user-friendly
applications being developed. Small to mid-sized private companies are likely to start
using the technology before large publicly traded companies do. CPA firms will offer
advisory consulting services on blockchain to clients interested in bringing blockchain
into their businesses. Accounting and assurance services will soon be learning about
and adopting blockchain, too. Most experts predict the use of blockchain will be
widespread in the next three to five years.
Best Practices
Firms are advised to be careful when getting involved with blockchain as currently no
consumer protection is available. As of this writing, no regulatory agency is charged
¶ 608
with monitoring blockchain, so firms must exercise caution. Best practices for
blockchain includes simplifying contracts and always using trusted Wi-Fi networks.
Firms involved in buying and selling Bitcoin or other types of cryptocurrency
should always back up their digital wallets and hard-check the address before sending
currency. Obviously, accountants, auditors, and CPAs should always follow their respec-
tive Code of Professional Conduct and never use blockchain or cryptocurrencies for
illegal purposes.
Organizations that want to create their own blockchain software are advised to hire
a reputable blockchain developer. For those who want to learn more about this
technology, the following resources offer a wealth of helpful information:
• Blockchain University, http://blockchainu.co
• Ethereum 101, www.ethereum101.org
• Bitcoin Core, https://bitcoin.org
• Blockchain Alliance, www.blockchainalliance.org
• Factom University, www.factom.com/university
• Build on Ripple, www.ripple.com/build
• DigiKnow, https://youtube/scr68zFddso
• Multichain Blog, www.multichain.com/blog
• HiveMind, http://bitcoinhivemind.com
STUDY QUESTIONS
4. Which of the following identifies a characteristic of public blockchains?

a. Membership is closely controlled.
b. Favored by consortiums that have trusted members.
c. They tend to be small.
d. They are large distributed networks that run through a native token.
5. Which of the following types of blockchain has the purpose of trading value between
dissimilar things?
a. Permissioned
b. Private
c. Public
d. Private or public
6. Which of the following types of blockchain software is used to minimize the volume
and complexity of complicated legal transactions workpapers and is known as the
“publishing engine?
a. Ethereum
b. Factom
c. Ripple
d. Hyperledger
¶ 608
101

CHAPTER 7: Enhancing Audit Quality
¶ 701 WELCOME
This chapter discusses the current state of audit quality and focuses on what CPA firm
leaders, quality control professionals, and others can do to strengthen both their private
and public company audit practices.

• Identify realistic solutions regarding the challenges of maintaining a high-level
of audit quality with limited resources
• Recognize how to address systemic deficiencies noted in many accounting and
auditing practices while at the same time balancing the needs of the public
interest, regulators, and standard-setters
• Recognize how to comply with applicable U.S. and international accounting and
auditing standards, quality control standards, corporate governance and risk
management practices, and independence and professional ethics rules
• Identify clients’ businesses and the environments in which they operate
¶ 703 WHAT IS AUDIT QUALITY?

Although there currently is no formal definition, audit quality is understood to be a
focus on the credibility of the audited financial statements, or of any financial informa-
tion, provided by the auditor or accountant.
Audit quality means ensuring auditors or accountants consistently:
• Comply with all applicable accounting and auditing standards, quality control
standards, and independence and professional ethics standards
• Apply both a deep and broad understanding of clients’ businesses and the
environments in which they operate
• Use expertise to raise and resolve issues timely
• Exercise professional skepticism in all aspects of their work
The key word above is consistency. These actions must be performed at all times by
all of the partners and professional staff at the firm. If a firm has multiple offices, each
office must be consistent in these practices.
No matter which accounting financial reporting framework a firm’s client is using
(e.g., U.S. GAAP, IFRS, special-purpose frameworks), it must consistently comply with
the applicable accounting and auditing standards, quality control standards, and inde-
pendence and professional ethics rules. That means that if each member of the firm is
working with the same facts and circumstances, each will be able to deliver the same
end result. In reality, however, some professionals are performing certain engagements
better than others do. The question then becomes how to get them to all perform at the
highest level so that everyone produces the same results.
Some auditors believe that their product is the financial statements, but the reality
is that the financial statements belong to the client. The auditor issues two products: the
¶ 703
auditor’s report (or whatever report is issued) and the auditor’s workpapers. In terms of
quality control, these must be handled in a consistent manner, all the time.
Partners and professionals also must have a deep and broad understanding of their
clients’ businesses and their environments. Because auditors and accountants advise
clients not only on accounting matters but also on operational matters, they should live
and breathe the client’s industry, amassing a great deal of knowledge about it. Every-
body in the firm should have that same depth of understanding of the client’s busi-
nesses at the same time. A process and methodology should be in place in the practice
to ensure this consistency on both the technical side and the business side.
Accountants and auditors should consistently raise, and then timely resolve, any
issues that relate to an engagement. If a firm has five teams, each team should come to
the same conclusion on a particular issue.
Finally, professional skepticism must be exercised at all times. To be independent
and objective, an auditor must have a healthy level of professional skepticism. All of the
professionals involved in providing an attest function must have this skill. For example,
if an auditor believes his client is dishonest, he must remain neutral and focus on
including enough corroborative evidence in the workpapers to support the client’s
transactions and reduce his risk to an acceptable level. To ensure all staff apply
professional skepticism, this topic should be addressed in staff training. And although
the firm must provide sufficient training and guidance on professional skepticism to
staff members, the staff themselves are responsible for maintaining that professional
skepticism to ensure they are conducting engagements in accordance with the
standards.
By performing the four actions outlined above, a firm can ensure its staff will have
the correct documentation in their workpaper files, deliver high-quality products, and be
able to handle challenging and difficult assignments.
Elements of Audit Quality

Audit quality is an intricate concept comprising several elements. The following list
gives an overview of these components, and of the individuals in the public accounting
arena who contribute to audit quality.
• Leadership and culture of the firm. At the highest level of a CPA firm is its
leadership and culture, which play a significant role in audit quality.
• Skills and personal traits of audit partners and professional staff. The next
level of audit quality stems from the skills and the personal characteristics of the
audit partners themselves and of the professional staff. All of these individuals
must consistently perform the four tasks outlined in the previous section.
• Effective audit processes, methodologies, policies, and tools. Another
piece of the audit quality puzzle is the effectiveness of the firm’s audit processes.
The firm’s methodologies, policies it has instilled, and the tools in its arsenal are
all necessary to make sure that an engagement is conducted correctly from the
beginning to the end, all significant areas are addressed, and a proper report is
issued.
• Independence and ethics. The importance of these components to audit
quality is frequently underestimated. Many CPAs and auditors have not read, at
a minimum, the AICPA’s Code of Professional Conduct in full and have not made
a concerted effort to truly understand the independence and ethics rules that
govern the profession. As a result, some might not be aware of the fact that they
have run afoul of certain rules while conducting an engagement.
¶ 703
MODULE 2 - CHAPTER 7 - Enhancing Audit Quality 103
Many practitioners provide multiple services for attest clients. For example, they
may do tax work, bookkeeping, financial statement preparation, or other non-
attest services. However, if they are not aware of the extent to which they can
perform these services without violating their objectivity and their indepen-
dence, they may end up issuing a faulty audit opinion or a review report.
At a minimum, CPAs should have a thorough understanding of the AICPA Code
of Professional Conduct. Those who audit public companies and broker-dealers
need to follow the ethics and independence guidance of the U.S. Securities and
Exchange Commission (SEC) and Public Company Accounting Oversight
Board (PCAOB). The U.S. Department of Labor has its own set of rules
governing CPAs who audit employee benefit plans. Professionals who perform
“Yellow Book engagements that get federal funding must apply with rules set
forth by the Government Accountability Office, which are much more restrictive
than the AICPA’s.
• Market placement and specialization. In the last several years, client firms
have moved toward specializing in certain industries rather than being general-
ists. For example, practitioners might specialize in investment companies, not-
for-profits, employee benefit plans, public companies, or broker-dealers, to name
a few. Consequently, accountants and auditors must fully understand the types
of clients they are servicing, including their industries and any applicable
industry regulations. This knowledge is especially important for those involved
in complicated engagements.
• Quality control and consultation. Firms need to have a strong quality control
system in place to navigate treacherous waters. Having experts available—
whether in-house staff or external consultants—can help a firm respond to more
challenging areas in accounting and auditing.
¶ 704 ROOT CAUSES OF FAILURES

In the past several decades, the profession has faced many challenges with regard to
audit quality, including some major scandals. Learning about the root causes of these
failures can help firms and their staff avoid them.
Leadership Responsibilities
In some cases, a breakdown in quality control can be traced to the leaders of a firm—or
the “tone at the top. Failures have occurred when firm partners have not carried out
their responsibilities or neglected to create an environment that thrives on quality.
Many firms place the client first in their quality control initiatives, but instead the
firm should be first. The firm must give its professionals comprehensive training and
the right tools to protect the firm’s autonomy, brand, and reputation. The firm comes
first, not the client. The second priority when providing attest services is protecting the
public interest. After all, the CPA profession is charged with protecting the public
interest, being objective, and providing reasonable assurance that financial information
is reported correctly. The client is next in importance. A firm’s leadership must
communicate these priorities—firm, public interest, and client—to its professional staff.
Individual Professional Responsibilities

To perform their professional responsibilities and promote audit quality, accountants
and auditors need to own their career. To counter pressures from different fronts,
including clients, regulators, competitors, and others, they must invest time in their
career to ensure they provide high-quality services to their clients and meet their
deadlines. Career ownership includes staying abreast of current developments, attend-
¶ 704
ing conferences, and strengthening soft skills (research skills, branding, marketing,
public speaking, writing, etc.).
Professional Skepticism
As mentioned earlier in this chapter, auditors must have enough healthy professional
skepticism to perform responsibly. When auditors exercise professional skepticism in
all aspects of their work, they enhance overall audit quality.
Ethical Dilemmas
Ethical dilemmas often arise from a poor understanding of the ethics and independence
rules and regulations. The good news is that with proper knowledge and the right
mechanisms in place, professionals who encounter red flags are better able take swift
action to mitigate or eliminate the risk and in turn ensure audit quality.
Competence
Lack of competency in a certain area can have a major effect on audit quality. An
engagement team or firm that takes on an engagement for which it does not have
sufficient expertise or properly trained staff will not be able to successfully service the
client, understand all the financial reporting challenges, or comply with the applicable
standards.
When exploring new areas or opportunities, firms should consult experts in that
field for advice. If in-house staff do not have sufficient technical expertise and industry
knowledge in a particular area, audit quality might be affected. When it comes to
auditing versus consulting, the firm must make a business decision about whether it
can ensure quality work for both. Firm leadership should convey this message to staff
and emphasize the importance of following the appropriate rules for the engagement.
Client Acceptance and Continuance Decisions

Deciding whether to accept new clients or continue servicing current clients can be
challenging. Does the firm have enough bandwidth to accept a new client? Are staff
sufficiently trained to handle a client in a different industry? Should the firm continue
providing services for a client that has been problematic in the past? The firm must
make an informed decision, because choosing the wrong path can be detrimental to its
audit quality efforts.
Supervision and Legacy of Institutional Knowledge

In the accounting and auditing field, often there is not enough time for the higher-level
individuals on an engagement team to appropriately train other staff members. For the
next generation to advance, they need to learn the ins and outs of the client and the
industry, as well the accounting and auditing issues that are involved. However, in many
cases the senior people with years of knowledge have little time to pass it on. Having
experienced staff spend quality time sharing their knowledge with team members up
front can help to prevent issues during the engagement. To provide quality audits, firms
must find a way to ensure that the legacy of institutional knowledge is being passed
along.
Assignment of Personnel
Doling out the correct assignments to the right personnel also contributes to audit
quality. If the right people are not assigned to the engagement team, problems will
arise. Staff need to have the competency, experience, and capabilities to successfully
complete their assigned engagements.
¶ 704
Tight Deadlines and Fee Restrictions

Tight deadlines and fee restrictions also contribute to problems with audit quality. It
goes without saying that enough time must be allotted to each engagement to ensure
work is not rushed and mistakes are avoided.
Monitoring and Documentation Challenges

Auditors and accountants often have a great deal of information “in their head that
must be properly documented into the workpaper files. The best way to ensure this
information is recorded is to insist that everyone timely document their procedures
while they are doing them—not a few days or a few weeks later. Time should be set
aside each day to memorialize information in the workpaper.
In-House Technical Expertise and External Consultants

As mentioned earlier in this chapter, firms should consult the advice of experts when
necessary. Leveraging the knowledge of in-house technical experts and external consul-
tants enhances quality. Unfortunately, few CPA firms utilize or have access to these
resources, which can lead to major problems in audit quality.
Quality of Continuing Professional Education

The quality of continuing professional education (CPE) plays a huge role in the
competency of both an individual and a firm. Accountants and auditors must have not
only traditional and technical expertise, but also the necessary soft skills to be well-
rounded, critically thinking professionals. Firms must make sure that they are providing
high-quality, effective CPE to their staff members.
Disciplinary Actions
When someone violates a firm policy or a professional standard, in some cases the firm
takes no disciplinary action. With no repercussions, those responsible for the violation
might be likely to repeat it, or to commit other offenses. The effect on audit quality is
obvious. The firm must have policies in place explaining that there are repercussions for
those who fail to follow rules and standards. It needs to convey the message that
upholding its quality, its reputation, and its brand is essential. Depending on the
violation, discipline can range from a letter of reprimand in a person’s HR file to his or
her termination.
¶ 705 QUALITY CONTROL ELEMENTS CHALLENGES

The following discussion highlights areas of concern associated with the different
quality control elements that have been impacting audit quality over the past few
decades.
Leadership Responsibilities
The following matters were cited with respect to a firm’s “tone at the top.
• The firm emphasizes meeting time budgets. Schedules set by leadership are
unrealistic or expectations are not feasible.
• Repeat matters and findings are present. Certain matters keep reoccurring and
are not corrected.
• The firm fails to take appropriate action when events, subsequent to the issu-
ance of the engagement, determine the engagement to be nonconforming. The
firm makes no effort to correct this.
¶ 705
• The firm allows engagement partners to deviate from firm policies and proce-
dures. Partners are allowed to “do their own thing yet expect staff to follow
procedure.
Ethical Requirements
The following ethical issues posed challenges to audit quality.
• Lack of independence; unpaid prior year’s fees. Before starting on the new
engagement for a client, the firm did not ensure that the fees in the prior year
had been collected. This violates requirements of the AICPA’s Code of Profes-
sional Conduct.
• Impairment of independence is not identified. This highlights the importance of
understanding the independence and ethics rules.
• The firm did not complete its annual independence affirmations of its profes-
sional staff.
• The firm co-signs checks for clients. This action violates one of the basic
principles of independence.
• The firm performed account coding for one of its compilation clients and
approved invoices for payment. A compilation report can still be issued in this
situation, but it must state the lack of independence.
• The firm does not meet the General Requirements when performing non-attest
services for an audit client. Certain types of requirements must be met before
providing, for example, permissible tax, bookkeeping, or financial statement
preparation services.
Acceptance and Continuance of Clients

Problems cited in relation to this element of quality control include the following:
• Lack of documentation of communication with predecessor auditors.
• Lack of documentation of consideration of client acceptance. There is not
enough evidence to support the acceptance of a client was determined.
• Lack of documentation regarding new client acceptance. Often there is no
documentation about whether sufficient background checks were performed.
• Numerous engagement matters are related to the unique nature of the engage-
ment or the client’s industry, and the firm had no prior experience. It is unclear
whether it made sense for the firm to even take on this type of engagement.
• The firm was asked to complete an audit engagement in an unreasonable time
frame. Management created unrealistic expectations for the engagement team.
Human Resources
With respect to the human resources element of quality control, the following issues
can affect audit quality:
• Recent professional standards were not considered.
• Continuing education credit, for one or more personnel, was inadequate.
• Government auditing standards and employee benefit plan audit quality center
CPE was inadequate.
• Engagement team members were not aware of the recent changes under
professional standards.
¶ 705
Monitoring
The last element of quality control is monitoring, which observes the other four
elements. Monitoring includes conducting an internal inspection, performing post-
issuance reviews, or having a peer review done. These procedures allow a firm to do a
self-analysis of its quality control system. The firm analyzes its engagements and
practice during the past year to uncover any areas that need to be corrected so it will be
ready for the following busy season. The list below includes common problems associ-
ated with monitoring that can contribute to poor audit quality.
• Departures from standards are not identified and corrected on a timely basis.
• Results of monitoring were not summarized. The firm might conduct an internal
inspection but not document and summarize the results.
• The inspection did not detect certain engagement findings and deficiencies. As a
result, undetected issues are likely to resurface.
• Specialized industry considerations (employee benefit plans, Yellow Book en-
gagements, broker-dealers, etc.) were not considered in the inspection.
• The inspection was not performed in a timely manner.
• Post-issuance monitoring findings are not communicated to responsible firm
personnel. Those who are responsible for making adjustments and corrections
cannot do so if they never receive the findings.
• Inspection findings are identified, but there is no “closing the loop with a
recommended corrective action plan. That plan must detail who will be responsi-
ble for its implementation.
STUDY QUESTIONS
1. Each of the following identifies a characteristic of audit quality, except:

a. Consistently exercising professional skepticism in only material aspects
b. Consistently complying with applicable accounting and auditing standards
c. Consistently applying both a deep and broad understanding of the clients’
businesses and the environments in which they operate
d. Consistently using expertise to raise and resolve issues in a timely manner
2. Which of the following identifies a quality control challenge as it relates to leader-
ship responsibilities?
a. Lack of documentation of communication with predecessor auditors
b. Emphasis on meeting time budgets
c. Inadequate continuing education for one or more staff members
d. Impairment of independence not identified
3. Specialized industry considerations not being covered in the inspection process is a
quality control challenge related to which of the following?
a. Human resources
b. Acceptance and continuance of clients
c. Relevant ethical requirements
d. Monitoring
¶ 705
¶ 706 STRATEGIES TO INCREASE AUDIT QUALITY

Armed with knowledge of the root causes of poor audit quality and the problems
common in many firms, a firm can take several positive steps to boost its audit quality.
Strengthen the “Tone at the Top”

Firm leadership should create an environment of positive behaviors to drive their teams
to be successful. Their actions should include the following:
• Align appropriate culture and mindset.
• Ensure that all staff have sufficient time and resources to solve engagement
issues.
• Demonstrate a track record of consistency on standards-based decisions.
• Establish and regularly communicate a formal code of conduct.
• Challenge unethical behavior and address instances of noncompliance with the
firm’s code of conduct through swift disciplinary actions.
• Provide a copy of the firm’s quality control document to all professionals.
• Hire, compensate, promote, and reward professionals who possess and exhibit
high levels of integrity and demonstrate a commitment to quality.
Enhance the Client Acceptance and Continuance Process

CPA firms can take two major steps to improve this process:
• Perform sufficient client background checks. This applies to both new clients
and existing clients. Having a third-party organization do the background
checks is recommended.
• Associate only with highly ethical clients. Just one interaction with an unethical
client can forever damage a firm’s reputation.
Hire or Align With Experts, Specialists, and Consultants

When they run into a situation or a new opportunity, firms often need advice from
experts to determine the appropriate course of action. For this reason, they should:
• Welcome independent experts.
• Have sufficient technical personnel on hand at the firm or have access to
external experts, specialists, and consultants who can provide appropriate advice
and guidance when facing challenging issues.
Offer Quality Continuing Education and Training

It is not enough for staff to have knowledge of accounting, auditing, and independence
and ethics; they also need training in communication, writing, negotiations, branding,
marketing, public speaking, and other skills to make them well-rounded, high-quality
employees. CPA firms must review their CPE approach and:
• Offer a blended training package to increase competency from a technical and
soft skill standpoint.
• Focus on topics such as:
— Independence and ethics
— Applying professional judgment, professional skepticism. and objectivity
— Firm policies and procedures.
¶ 706
Establish a Quality Control Department

To take its audit quality efforts to the next level, a firm should consider investing in a
quality control department. This team of technical experts will:
• Develop accounting and auditing guidance as well as industry-specific guidance.
• Perform engagement quality control reviews of high-risk engagements.
• Monitor and evaluate the firm’s quality control policies and procedures.
• Provide technical consultation to personnel.
• Monitor the firm’s accounting and auditing training programs.
• Develop assurance policies and procedures.
• Participate in a dialogue with regulators and standard-setters when new account-
ing and auditing standards are being developed.
Streamline the Audit Process

All engagement teams must consistently apply and streamline the firm’s audit approach
so they can focus on areas of high risk and audit execution. When performing an audit,
many engagement teams waste valuable time reviewing low-risk areas rather than
concentrating on the high-risk ones. When priorities are defined, team members have a
clearer understanding of where they need to apply their time and energy.
Increase Specialization
CPA firms should consider specializing in a specific industry or niche so they can focus
their attention and build efficiencies to increase quality. For example, a public account-
ing firm that has expert knowledge of a certain industry can create specific methodolo-
gies for handling clients by building best practices, and master files and templates, that
its staff can follow. With this type of system in place, the firm can complete low-risk jobs
quickly and spend most of its time on more complicated engagements.
Rotate Key Professionals on Engagements

Another way to increase audit quality is to rotate partners, managers, and engagement
quality control reviewers on a periodic basis. This will allow a firm to apply fresh
perspectives to high-risk engagements. Although professional standards do not man-
date it, it is a best practice for auditors of private companies, or even review engage-
ments or compilation engagements, to consider rotating partners, managers, and in-
charge auditors periodically. Doing so will increase the quality of engagements.
Join an Accounting Network or Alliance

Joining a reputable accounting network or alliance program to collaborate and share
with other CPA firms will also help a firm increase its audit quality. Most large
international public accounting firms are structured as a network. The network includes
individual firms from around the world that have joined together and share similar
quality control systems, personnel, and other characteristics. Members of a network
benefit from knowing what others are doing, sharing systems, and creating similar
products.
An alliance program, on the other hand, is a looser grouping of firms that are each
independently operated. They are autonomous and do not necessarily share similar
quality control policies, procedures, or clients. But members of an alliance can bounce
ideas off each other and refer work to each other.
¶ 706
Other Strategies
Additional strategies for enhancing audit quality include the following:
• Individual professional commitment. This means each individual taking owner-
ship of their career—devoting time to learning and understanding clients’
industries, understanding technical and professional standards, enhancing their
soft skills, taking quality CPE, and making a commitment to honing their
professional skills to become the go-to person in their industry and area of
expertise.
• Set pride aside. Accounting and auditing professionals must acknowledge when
they do not know something, and either consult with someone or take the
initiative to research and learn on their own.
• Know the rules. Professionals must take the time to learn about and truly
understand the applicable standards and regulations.
• Increase technical presence and relationships with standard-setters and regula-
tors, such as the AICPA and FASB. Having these relationships can play an
important part in understanding why rules and standards were created and
further enhance the audit quality of the practice.
• Develop necessary soft skills. These include public speaking and writing, brand-
ing, marketing, and communication. Soft skills play a huge role in one’s career,
and also will help strengthen audit quality and practice.
• Communicate with academics to reform curriculum. Make sure that academics
look to strengthen their curriculum—investing time in teaching additional audit
skills and critical thinking, soft skills, and industry knowledge at the university
level.
• Deal with changes in corporate governance and risk management practices.
Successfully handling such changes plays a tremendous role in making sure
that audit quality is promoted. Sound practices include ensuring that people are
making the right decisions and bringing the right top-quality engagements into
the practice.
¶ 707 COMMON DEFICIENCIES

This section details common deficiencies encountered during both internal inspections
and peer reviews by firms and engagement teams in audits, SSARS reviews, and
compilation engagements. Awareness of these deficiencies, will make accountants and
auditors less likely to repeat them and more likely to deliver quality work.
Common Audit Deficiencies

Auditor’s Report
• Failure to appropriately modify the report for a scope limitation or a significant
departure from GAAP
• Missing report elements, including omissions of required critical reporting
elements of applicable standards
• Issuance of the report when the auditor was not independent
• Failure to disclose the omission of the statement of cash flows
Financial Statement Recognition and Measurement, Presentation, and
Disclosure
• Improper classifications between current and long-term assets and liabilities
• Cash overdrafts shown as negative assets
¶ 707
• Investments in a subsidiary and consolidated financial statements not presented
• Consolidation of variable interest entities (VIEs)
• Deferred income tax assets not recorded or properly measured
• Impairment of long-lived assets not recognized
• Intangible assets not assessed for impairment
• Deferred tax liabilities not recorded or measured correctly
• Capital lease obligations not recorded
• Deferred revenue not recognized
• Changes in equity not presented in a separate statement or on the income
statement
• Changes in accounting estimates shown are prior-period adjustments
• Elements of comprehensive income not reported
• Components of the statement of cash flows not categorized by operating,
investing, and financing activities
• Misclassifications of activities between investing and financing activities
• No disclosure of noncash investing and financing activities
• No disclosure of interest and income taxes paid (if not disclosed in the
footnotes)
• Significant accounting policies missing
• Basis of accounting other than U.S. GAAP
• Concentrations of credit risks
• Lack of applicable disclosures related to VIEs
• Use of estimates
• Information about concentrations
• Related-party transactions
• Disclosures of five-year debt maturities
• Leases
• Employee benefit plan disclosures
Audit Procedures and Documentation
• Lack of a written audit program
• Failure to document the consideration of internal control
• Failure to assess or document risk of fraud
• Failure to assess the level of materiality and control risk
• Failure to appropriately implement the performance or documentation provi-
sions related to risk assessment
• Failure to request a legal representation letter
• Failure to obtain a client-signed management representation letter
• Failure to perform or document significant audit areas
• Failure to observe inventory when the amount is material and the auditor’s
report does not report a scope limitation
• Failure to confirm significant receivables or document appropriateness and
utilizations of other audit techniques
• Failure to document the nature and extent of analytical procedures
¶ 707
• Failure to review loan covenants when the related debt is significant to the
financial statements
• Failure to perform cut-off procedures
• Failure to perform or document communications between predecessor and
successor auditors
• Failure to perform a review of subsequent events
• Outdated audit programs and checklists
• Failure to extrapolate results from sampling applications
• Dating discrepancies between the management representation letter and the
audit report date
• Failure to document communication with those charged with governance
• Stale attorney letters
• Failure to evaluate audit differences, individually and in the aggregate
Common SSARS Review Deficiencies
Accountant’s Report
• Failure to modify report for scope limitation or departure from GAAP
• Missing report elements
• Issuance of report when accountant is not independent
• Failure to disclose the omission of substantially all disclosures
• Omitted statement of cash flows
• SSARS 21: Failure to appropriately modify the report when financial statements
are prepared under SPF
• SSARS 21 preparation engagements: Failure to issue disclaimer on each finan-
cial statement (no assurance provided)
SSARS Procedures and Documentation
• Failure to establish an understanding with management regarding the services
to be performed
• Failure to document communications regarding identified fraud
• Failure to document significant findings or issues
• Failure to perform analytical and inquiry procedures for review engagements
• Failure to document matters covered by analytical and inquiry procedures in a
review engagement
• Failure to obtain a management representation letter for a review engagement,
or the letter does not substantially meet the representation requirements
• Failure to document significant unusual matters and their disposition
• Failure to document accountant expectations when performing analytical review
Common Compilations Deficiencies
Accountant’s Report
• Failure to update report language and to include the three-paragraph format for
compilations and four-paragraph format for reviews
• Failure to include a separate paragraph for departures from the financial report-
ing framework, including dollar amounts or a statement that impact was not
determined
• Failure to include all the reasons the accountant is not independent on a
compilation
¶ 707
Compilation Procedures and Documentation
• Failure to “read compiled financial statements for obvious or material errors
• Failure to obtain an engagement letter when engaged to prepare engagements
under SSARS 21
• For SSARS 21 engagements, failure to obtain all required signatures on the
engagement letter (or other suitable written agreement)
¶ 708 PREPARING FOR BUSY SEASON AND PEER

REVIEW
Adopting the following best practices can help ensure a firm and its staff are ready for
busy season and peer review.
• Plan ahead. Focus on the next season, because it will be here faster than
expected.
• Welcome change. To increase audit quality, be open to fresh perspectives and
avoid getting caught in a rut.
• Streamline the attest process. Review the entire process, from accepting an
engagement to ending it. How can it be more efficient?
• Pay attention to relevant standards. Monitor what the standard-setters and
regulators are doing, keeping up to date with exposure drafts and other projects
that will affect clients as well as the practice. One option is to have a few staff
members keep abreast of the standards and share new developments with the
team. However, professionals should always monitor the developments in their
specific areas of expertise.
• Perform interim procedures. If possible, do this early on, before beginning field
work at the end of the year. Good results at the interim can reduce the amount
of substantive testing at the end of the year.
• Pay attention to all applicable independence and ethics requirements. At a
minimum, know the elements of the AICPA Code of Professional Conduct. Those
who specialize in certain areas or industries should also understand any unique
ethics rules that apply to them.
• Timely document testing procedures. The minute a test is performed, every-
thing should be documented. The W questions—who, what, when, where, and
why—should be addressed and all decisions should be documented in the
workpapers. The workpapers should be able to stand on their own without any
oral explanations!
• Have access to reputable technical experts. Their expertise will strengthen the
practice.
• Update the firm’s quality control document. It represents the audit practice, and
the policies, procedures, and standards within it should reflect the reality of the
practice. The document should be updated periodically, at least annually, to
make sure that it is current.
Applying these tips—and the information presented throughout this chapter—can help
firms increase both audit quality and efficiency.
¶ 708
STUDY QUESTIONS
4. Which of the following is a strategy to increase audit quality as it relates to the client
acceptance and continuance process?
a. Ensure that all staff have sufficient time and resources to solve engagement
issues.
b. Only associate with highly ethical clients.
c. Offer a blended training package to increase competency from a technical and
soft skills standpoint.
d. Establish and regularly communicate a formal code of conduct.
5. Which of the following identifies a common audit deficiency as it relates to the
auditor’s report?
a. Failure to disclose the omission of the statement of cash flows
b. Improper classifications between current and long-term assets and liabilities
c. Intangible assets are not assessed for impairment
d. Failure to document the consideration of internal control
6. Which of the following identifies a common compilation deficiency related to the
accountant’s report?
a. Failure to read compiled financial statements for obvious or material errors
b. Failure to document accountant expectations when performing analytical
review
c. Failure to include all the reasons the accountant is not independent
d. Failure to obtain an engagement letter when engaged to prepare engagements
under SSARS 21
CPE NOTE: When you have completed your study and review of chapters 4-7, which
comprise Module 2, you may wish to take the Final Exam for this Module. Go to
¶ 708
115
MODULE 3: FRAUD OVERVIEW—

CHAPTER 8: 2019 Fraud Review
¶ 801 WELCOME
One of the main reasons certified public accountants (CPAs) and other accountants
often fail to detect fraud is that they are too honest. They find it difficult to think like a
criminal. This chapter is designed for individuals who would like to refresh their
understanding of fraud schemes and to learn how to recognize the red flags for
detecting fraud. Understanding how criminals commit fraud is the first step in prevent-
ing fraud. This chapter is designed to be a refresher course for CPAs, certified financial
examiners (CFEs), and others in the accounting field and is appropriate to fulfill the
four-hour fraud requirement for California CPAs.

• Understand theories as to why people commit fraud
• Recognize the different types of fraud, including occupational fraud, cyber fraud,
financial fraud, tax fraud, and identity theft
• Identify red flags for fraud
• Describe fraud schemes that affect businesses
¶ 803 INTRODUCTION
Fraud is a white-color crime; therefore, the theories as to why people commit crime will
apply to why they commit various types of frauds. Organizations can limit the opportu-
nity criminals have to commit fraud by establishing effective anti-fraud internal controls.
This course will concentrate on various types of fraud including occupational frauds
affecting public companies, private companies, not-for-profits, and governmental enti-
ties. To study fraud, we have to start with a definition:
An intentional perversion of truth for the purpose of inducing another in
reliance upon it to part with some valuable thing belonging to him or to
surrender a legal right. A false representation of a matter of fact, whether by
words or conduct, by false or misleading allegations, or by concealment of
that which should have been disclosed, which deceives and is intended to
deceive another so that he shall act upon it to his legal injury. Anything
calculated to deceive, whether by a single act or combination, or by suppres-
sion of the truth, or suggestion of what is false, whether it be by direct
falsehood or innuendo, by speech or silence, word of mouth, or look or
gesture. A generic term, embracing all multifarious means which human
ingenuity can devise, and which are resorted to by one individual to get
advantage over another by false suggestions or by suppression of truth, and
includes all surprise, trick, cunning, dissembling, and any unfair way by
which another is cheated.1
1 Black, Henry, Black’s Law Dictionary, Sixth
Edition, West Publishing Co., St. Paul, MN, 1990.
¶ 803
White-collar crimes, like fraud, are illegal and or unethical actions taken by
employees or other agents of an organization.2 The term white-collar crime is attributed
to Dr. Edwin Sutherland, who first used the term in 1939. He pointed out the difference
between crimes of trust, such as fraud, and blue-collar crimes such as murder and
robbery. Dr. Sutherland was one of the early criminologists in the United States and his
works are widely accepted.3 White-collar crimes are often viewed as being less severe
than violent crimes despite the financial damage done by white-collar criminals.4 Dr.
Sutherland went on to note that the penalties for white-collar criminals tend to be less
severe than the penalties imposed on violent criminals.5 Court ordered restitution and
voluntary restitution agreements are common punishments for white-collar criminals.6
However, a study by the Association of Certified Fraud Examiners (ACFE) indicated 53
percent of victims recover nothing after a fraud and 32 percent make a partial recovery,
while only 15 percent make a full recovery of losses.7
¶ 804 FRAUD THEORIES

Theory of Differential Reinforcement
Gabriel Tarde was a 19th-century French criminologist who developed the theory of
differential reinforcement in the 1880s and 1890s. The major components of this theory
are that people are most likely to imitate the actions of both those with whom they are
in close contact and their superiors. The concept of individuals imitating the actions of
their superiors is a grounding principle in the Committee of Sponsoring Organizations’
(COSO) control environment or as it is often referred to as the “Tone at the Top. Ethics
flows from the top of an organization down through the ranks. The theory of differential
reinforcement supports an organization’s need for an ethics policy and a code of
conduct. Gabriel Tarde was also the first to recognize a criminal’s tendency to return to
the scene of the crime and to be a repeat offender.
Theory of Differential Association

The field of criminology has accepted Dr. Edwin Sutherland’s (1947) theory of differen-
tial association and Akers’s (1985) social learning theory.8 There is empirical evidence
to support the social learning theory’s concepts that white-collar criminals anticipate the
rewards they will obtain have greater value than the consequences they will suffer if
caught, and that criminals learn their behavior from other criminals.9 Dr. Sutherland
coined the term white-collar criminal for crimes involving a breach of trust rather than
violence.
2 Vadera, A., and Aguilera, R. (2015). The evolu- 6 Faichney, D. (2014). Aurocorrect? A proposal
tion of vocabularies and its relation to investiga- to encourage voluntary restitution through the
tion of white-collar crimes: An institutional work white-collar sentencing calculus. Journal of Crimi-
perspective. Journal of Business Ethics, 128, 21–23.
3 Alalehto, T., and Persson, O. (2013). The Suth-
nal Law and Criminology, 104, 389–420.
7
erland tradition in criminology: A bibliometric Association of Certified Fraud Examiners 2018
story. Criminal Justice Studies: A Critical Journal Report to the Nation on Occupational Fraud and
of Crime, Law and Society, 26, 1–18. Abuse.
4 Leshem, E., and Ne’eman-Haviv, V. (2013). 8 Durrant, R., and Ward, T. (2012). The role of
Perception of white-collar crime among immi- evolutionary explanations in criminology. Journal
grants from the former Soviet Union in Israel. of Theoretical and Philosophical Criminology, 4(1),
Crime, Law & Social Change, 59, 555–576.
5 Dorminey, J., Fleming, A. S., Kranacher, M., 1–37.
9
and Riley, Jr., R. (2012). The evolution of fraud Moore, M. (2011). Psychological theories of
theory. Issues in Accounting Education, 27, 555– crime and delinquency. Journal of Human Behav-
579. ior in the Social Environment, 21, 226–239.
¶ 804
MODULE 3 - CHAPTER 8 - 2019 Fraud Review 117
Fraud researchers categorize fraudsters into one of three criminal categories:
situational offenders, routine offenders, and professional offenders. Situational offenders
are individuals who happen upon the opportunity and commit the crime. Routine
offenders look for and take advantage of opportunities as a type of continuous criminal
enterprise. Unlike most street criminals, professional fraudsters learn their trade from
research and participation in the legitimate and illegitimate economy and from associa-
tion with other criminal offenders.10
The Social Learning Theory

Akers’s (1998) social learning theory postulates that individuals learn criminal activity
and rationalize the acceptability of criminal activities based on their social networks.11
One quantitative study using regression models to compare the variables supported the
social learning theory as it relates to online criminal activity by linking peer offending to
online criminal activities in juveniles.12 Allen and Jacques (2013) conducted a qualitative
study of 16 campus police officers of a large university and in their findings indicated a
link between criminal activity to opportunity, social learning, peer pressure, supervision,
and culture.13 Another study indicated that virtual peers are just as influential to online
criminals as traditional peers are to offline offenders.14 Another mixed-methods cross-
sectional study of 1,674 participants indicated that the social learning theory was valid
despite the debate about the effects of self-control on criminal behavior.15
The social learning theory is a combination of the differential reinforcement theory
and the theory of differential association (Akers, 1998). The theory of differential
reinforcement postulates that criminal behavior occurs when individuals experience
positive reinforcement, such as obtaining something they desire, either actual or
anticipated, and the adverse consequences of their action are minor and do not control
or prevent further criminal behavior.16 By contrast, the theory of differential association
postulates that individuals learn criminal behavior by associating with other criminals,
the same way law-abiding citizens learn to behave by associating with other individuals
who obey the law.17 Dr. Donald Cressey conducted a review of the critics’ issues with
Dr. Sutherland’s differential association theory and stated that many of the critics’
issues derived from misinterpretation by the critics.18 The social learning theory also
contains variables from other criminology theories including deterrence, social bond-
ing, and neutralization theories.19
10 Vieraitis, L., Copes, H., Powell, Z., and Pike, self-control: Assessing the moderating potential of
A. (2015). A little information goes a long way: criminal propensity. International Journal of Of-
Expertise and identity theft. Aggression and Violent fender Therapy and Comparative Criminology, 56,
Behavior, 20, 10–18. 191–202.
11 Akers, R. L. (1998). Social learning and social 16 Megens, K., and Weerman, F. (2012). The
structure: A general theory of crime and deviance. social transmission of delinquency: Effects of peer
Boston, MA: Northeastern University Press. attitudes and behavior revisited. Journal of Re-
12 Holt, T., Bossler, A., and May, D. (2012). Low search in Crime and Delinquency, 49, 420–443.
self-control, deviant peer associations, and juvenile 17 Moore, M. (2011). Psychological theories of
cyberdeviance. American Journal of Criminal Jus- crime and delinquency. Journal of Human Behav-
tice, 17, 378–395. ior in the Social Environment, 21, 226–239.
13 Allen, A., and Jacques, S. (2013). Police of- 18 Cressey, D. (1952). Application and verifica-
ficer’s theories of crime. American Journal of tion of the differential association theory. Journal
Criminal Justice, 39, 206-227. of Criminal Law, Criminology and Police Science,
doi:10.107/s12103-013-9219-1 43(1), 43–52.
14 Miller, B., and Morris, R. (2014). Virtual peer 19 Capece, M., and Lanza-Kaduce, L. (2013).
effects in social learning theory. Crime and Delin- Binge drinking among college students: A partial
quency, 1–27. test of Akers’ social-structure-social learning the-
15 Yarbrough, A., Jones, S., Sullivan, C., Sellers, ory. American Journal of Criminal Justice, 38, 503–
C., and Cochran, J. (2012). Social learning and 519.
¶ 804
Dr. Akers indicated that the probability persons will engage in criminal and deviant
behavior increases (and the probability of conforming to the norm decreases) when
they:
• Differentially associate with others who commit criminal behavior and espouse
definitions favorable to it,
• Are relatively more exposed in-person or symbolically to salient criminal/
deviant models,
• Define it as desirable or justified in a situation discriminative for the behavior,
and
• Have received in the past and anticipate in current or future situations a
relatively greater reward than punishment for the behavior.
Akers’s social learning theory has received significant empirical support in explain-
ing criminal behavior and is regarded as one of the leading theories in criminology.20
According to the social learning theory, it is possible that when fraudsters perceive
that the potential benefits outweigh the risk of punishment associated with the criminal
act of fraud, they will commit the crime.21 The benefits received by the fraudsters
include employment, health care, social status, purchasing power, and access to credit
facilities. Because individuals with similar demographics and perhaps geographic loca-
tions can be grouped together, it is possible that individuals observing others in the
same demographic or geographic group receiving benefits from fraud would want to
learn the skill from those who were successfully committing the crime.
STUDY QUESTION
1. Which of the following individuals developed the Social Learning Theory?

a. Gabriel Tarde
b. Ronald Akers
c. Edwin Sutherland
d. Donald Cressey
The Fraud Triangle

The theoretical framework supporting fraud investigations and internal controls is the
fraud triangle theory. The seminal work about why people commit fraud, including
occupational fraud, is the fraud triangle developed by Dr. Donald Cressey in 1952. The
fraud triangle has three main points:
• Pressure or needs
• Rationalization
• Opportunity
Pressure comes from the need for something, such as cash to pay bills. Rationaliza-
tion is how individuals find ways to believe actions they know are wrong are acceptable
under the circumstances, such as convincing themselves they are only borrowing the
20 Tittle, C. R., Antonaccio, O., and Botchkovar, 21 Maskaly, J., and Donner, C. (2015). A theoret-
E. (2012). Social learning, reinforcement and ical integration of social learning theory with ter-
crime: Evidence from three European cities. So- ror management theory: Towards an explanation
cial Forces, 90, 863–890. of police shootings of unarmed suspects. Ameri-
can Journal of Criminal Justice, 40, 205–224.
¶ 804
money rather than stealing the money. Finally, opportunity occurs when the victim
allows the fraudster access to the victim’s assets. Kassem and Higson proposed a new
fraud triangle theory adding a new dimension: (a) motivation, (b) capability, (c)
opportunity, and (d) personal integrity.22 There is currently insufficient research to
support this expansion of the fraud triangle theory.
While Dr. Donald Cressey originally developed what researchers came to call the
fraud triangle, the first use of the term fraud triangle to describe the idea came from the
ACFE instead of Cressey.23 The American Institute of Certified Public Accountants
(AICPA) integrated the fraud triangle into the Statement on Auditing Standards Num-
ber 99.
Studies such as Dellaportas’s 2013 study on why accountants commit fraud have
continued to show the validity of Dr. Cressey’s fraud triangle theory.24 The cognitive
dissonance theory indicates fraudsters commit the crime then rationalize their behavior
to improve their own self-worth.25 I believe the cognitive dissonance theory supports the
rationalization component of the fraud triangle theory. Other researchers have claimed
the professional development of the fraud triangle as a criminology theory concentrates
on limiting opportunity and an individual’s lack of ethics to the exclusion of other factors
such as the role of society and political agendas in combatting crimes such as fraud.26
Sykes and Matza studied how perpetrators of crimes rationalized their behavior by
using neutralizing language.27 There are five basic ways to use neutralizing language to
rationalize criminal behavior:
• Denial of responsibility
• Denial of victim
• Denial of injury
• Condemnation of the condemners
• Appeal to higher loyalties28
By rationalizing their behavior, most white-collar criminals do not consider them-
selves to be criminals and deny they had intent when committing their crimes.29 Except
for their ability to rationalize their behavior and resistance to considering their activities
as crimes, white-collar criminals have been assumed to be basically normal people.30
Historically, white-collar crime, including identity theft, was considered to be a civil
dispute under common law rather than a criminal act.31
22 Kassem, R., and Higson, A. (2012). The new of the fraud triangle. Accounting, Organizations
fraud triangle model. Journal of Emerging Trends and Society, 39, 170–194.
in Economics and Management Sciences, 3(3), 27 Sykes, G., and Matza, D. (1957). Techniques
191–195. of neutralization: A theory of delinquency. Ameri-
23 Morales, J., Gendron, Y., and Guenin-
can Sociological Review, 22, 664–670.
Paracini, H. (2014). The construction of the risky 28 Klenowski, P. (2012). “Learning the good
individual and vigilant organization: A genealogy
with the bad: Are occupational white-collar of-
of the fraud triangle. Accounting, Organizations
fenders taught how to neutralize their crimes?
and Society, 39, 170–194.
24 Dellaportas, S. (2013). Conversations with in- Criminal Justice Review, 37, 461–477.
29 Stadler, W., and Benson, M. (2012). Revisit-
mate accountants: Motivation, opportunity and the
fraud triangle. Accounting Forum, 37(1), 29–39. ing the guilty mind: The neutralization of white-
25 Trompeter, G., Carpenter, T., Jones, K., and collar crime. Criminal Justice Review, 37, 494–511.
30 Benson, M. (2013). Editor’s introduction –
Riley, R. (2014). Insights for research and prac-
tice: What we learned about fraud from other White-collar crime: bringing the offender back in.
disciplines. Accounting Horizons, 28, 769–804. Journal of Contemporary Criminal Justice, 29, 324–
26 Morales, J., Gendron, Y., and Guenin- 330.
31 Bennett, R., LoCicero, H., and Hanner, B.
Paracini, H. (2014). The construction of the risky
individual and vigilant organization: A genealogy (2013). From regulation to prosecution to coopera-
¶ 804
The Elements of Fraud

There is another theory that explains how individuals commit white-collar crimes, such
as fraud, which is known as the elements of fraud.32 In this theory, Dorminey et al.
stated there are three elements of fraud:
• The act
• Concealment
• Conversion
The act consists of the actual theft or misappropriation of assets. Concealment
represents the perpetrator’s attempts to hide the act from others. Finally, conversion is
the process of turning the ill-gotten gains into something the perpetrator can use.
Criminals use other people’s identities in order to conceal their illegal activities. It’s
important to note that internal controls help to limit the opportunity fraudsters have to
commit the act or crime.
The elements of fraud are used by managers to help identify the risk of fraud in a
business.33 Internal controls can be used to help prevent or detect the act, which is the
first element in the elements of fraud theory. Managers and those with responsibility for
governance must implement controls to restrict a perpetrators access to assets and
deny them the opportunity to commit the act of fraud. Based on the elements of fraud
theory, managers and those charged with governance concentrate on developing
internal controls for the theft or misappropriations of assets.34 The elements of fraud
theory focus on starting with the criminal act without considering the demographics or
motivations of the fraud perpetrators that led up to the act.35
Predication of Fraud
It is necessary to determine if there is a predication of fraud before starting a fraud
investigation. Sometimes red flags for fraud, upon examination, are nothing more than
human error, with no intent to deceive or commit fraud. Predication of fraud is the total
of the direct and circumstantial evidence that would lead a reasonable person, trained in
law enforcement or fraud investigations, to believe that a fraud has occurred, is
occurring, or will occur in the future. Suspicion, alone without any objective direct or
circumstantial evidence, is an insufficient basis for conducting a fraud investigation.
Because fraud investigations can be costly it is necessary to determine that a predica-
tion of fraud exists prior to commencing a fraud investigation.
This should not be taken to indicate that suspicions of fraud should not be
reported. Employees who suspect fraud should report their concerns to their supervi-
sors, managers, human resources, or the company’s audit committee. The ACFE’s 2018
Report to the Nations on Occupational Fraud and Abuse indicated that a majority of
frauds are discovered by receiving tips and over half the tips reporting fraud come from
employees.
(Footnote Continued)
33 Power, M. (2013). The apparatus of fraud.
tion: Trends in corporate white collar crime en-
forcement and evolving role of the white collar Accounting, Organizations and Society, 38, 525–
criminal defense attorney. Business Lawyer, 68(2), 543.
411. 34 Power, M. (2013). The apparatus of fraud.
32 Dorminey, J., Fleming, A. S., Kranacher, M., Accounting, Organizations and Society, 38, 525–
and Riley, Jr., R. (2012). The evolution of fraud 543.
theory. Issues in Accounting Education, 27, 555– 35 Dorminey, J., Fleming, A. S., Kranacher, M.,
579. and Riley, Jr., R. (2012). The evolution of fraud
theory. Issues in Accounting Education, 27, 555–
579.
¶ 804
¶ 805 OCCUPATIONAL FRAUDS

Frauds that affect the workplace are considered to be occupational frauds. There are
three basic types of occupational frauds:
• Asset misappropriation
• Corruption
• Financial statement fraud
Asset misappropriation is the theft of either tangible or intangible assets. For
example, this could be fixed assets, inventory, or sensitive data. Corruption is the
misuse of an individual’s position for personal gain whereas financial statement fraud is
commonly referred to as “cooking the books. According to the ACFE’s 2018 Report
referenced previously,36 asset misappropriation is the most common type of occupa-
tional fraud, followed by corruption, and financial statement fraud. Many times, these
types of fraud occur together because criminals commit financial statement fraud to
cover up corruption and theft of assets. The ACFE study also indicated organizations
lose over $7 billion a year to fraud, have an average loss of $130,000 per fraud scheme,
and the fraud schemes run for an average of 16 months before they are detected.
The ACFE report also noted that internal control weaknesses were responsible for
nearly half of all frauds. Organizations that implemented anti-fraud controls had lower
losses than organizations that didn’t have anti-fraud controls. Organizations suffered the
greatest losses when there was collusion with a median loss of $339,000. Only four
percent of the fraud perpetrators had a prior fraud conviction and over the last ten years
referrals for prosecution have declined by 16 percent. The main reason for not making a
referral for prosecution is the fear of bad publicity. One interesting note was that
employees who had been with their organizations over five years stole an average of
$200,000 which was nearly twice as much as employees who were with their companies
for less than five years.
Asset misappropriations start with the basic theft of an organization’s assets. Thefts
of inventory, fixed assets, financial assets, data, and other intangible assets are common
in today’s world. Securing both tangible and intangible assets is important for all
organizations. Cash and financial assets are frequently stolen by fraudsters. According
to the ACFE report, 89 percent of detected fraud cases are asset mis appropriation cases
with a median loss of $114,000. Asset misappropriation frauds average lower losses than
financial statement frauds which have a median loss of $800,000. In the next sections of
this course, we will examine some of the common fraud schemes (in no particular
order).
Skimming
The ACFE report noted that the average loss for a skimming scheme was $50,000.
Skimming is a fraud where employees or volunteers steal cash or checks before
transactions are entered into the accounting system. They provide the customer with
products or services and instead of entering the transaction into the cash register they
pocket the payment and don’t record a sale. This is a common fraud when employees
are working alone, in drive-through retail outlets, and at fundraising events for not-for-
profit organizations. Governments are also susceptible because many taxpayers prefer
to pay taxes and fines in cash or by check. Skimming can be difficult to detect because
nothing has been entered into the accounting system so there is no audit trail or
transaction to review. Common internal controls that are effective in preventing and
detecting skimming include using cameras to record cash registers and cash collection
36 Available at www.acfe.com.
¶ 805
points. Many businesses post signs at the cash registers asking customers to report to
management anytime they don’t receive a receipt for their transaction. Often customers
are offered a reward such as a free coffee or gift card for taking the time to make the
report. This brings the customer into the internal control process and makes it difficult
for employees to process transactions without receipts.
Employees can also use coupons and discounts to conduct skimming schemes. An
example of this would be ringing up a customer who doesn’t have a coupon at the cash
register and then voiding the transaction after the customer leaves and reinputting the
transaction with the coupon. The employee can then pocket the cash. The explanation
for the transaction is that the customer remembered the coupon or discount after the
original transaction was processed and asked to have the coupon or discount applied.
Skimming is also done by business owners in order to reduce their tax burden. By
removing receipts from the business, they can reduce both their sales tax and income
tax liabilities. A common red flag for owner skimming is owners offering discounts for
cash payments. The owners pocket the cash payments and don’t include them in the
company financials or on their tax returns. This type of fraud can be difficult to detect
and is usually discovered during a tax audit when the auditors do a lifestyle audit to
show the business owner is living well beyond their means based on the reported tax
income. Receipts skimming is also done to reduce alimony and child support payments,
which are based on income. Another common reason for owner skimming is to qualify
for government benefits or to qualify for needs-based scholarships and government
backed student loans for their children’s college education.
STUDY QUESTION
2. Taking cash before it is recorded in the accounting system is referred to as:

a. Cash larceny
b. Kiting
c. Skimming
d. Cash drawer loans
Lapping
Lapping is a fraud scheme where employees “rob Peter to pay Paul. Lapping most
commonly occurs in organizations that have many customers who have similar pay-
ments. A typical lapping plan works in the following pattern. An employee steals a
payment from Customer A and pockets the money. Before Customer A gets a late
notice or late fee, the employee steals a payment from Customer B and posts it to
Customer A’s account. Then the employee steals funds from Customer C to cover the
theft from Customer B. At this point Customer A and Customer B are current on their
payments and the employee only needs to worry about covering the payment for
Customer C. It can be difficult for employees to track all the payments they have stolen
and to cover them before they become past due, making lapping one of the easier
frauds to detect.
Counterfeit Currency
Counterfeit currency is another fraud that organizations have to consider in their risk
assessment. Counterfeit currency schemes can be perpetrated by customers or employ-
ees. Customers can use counterfeit currency to pay for transactions, and employees can
swap counterfeit currency for real bills in their cash drawer, which leaves the employer
¶ 805
holding the counterfeit currency. Individuals can make counterfeit currency using a
color copier, or they can purchase it on the Internet. (Just Google “Buy Fake Dollars
and you will get over 22K hits).
Common internal controls to detect counterfeit currency include using black lights,
counterfeit detection pens, and counterfeit detection machines. Black lights allow
employees to view the color of the security threads in modern U.S. currency. Under a
black light the security thread in a $100 bill is pink, a $50 bill is yellow, a $20 bill is
green, a $10 bill is orange, and a $5 bill is blue. If the color of the security thread under
a black light doesn’t match the denomination of the bill, then it is a counterfeit.
Counterfeit detection pens are iodine-based pens that are used to detect standard wood-
based paper used in copiers and printers. U.S. currency is printed on a cloth-based
paper. The iodine in the counterfeit detection pen leaves a permanent black mark on
wood-based paper while leaving a temporary brown mark on cloth-based paper. Remem-
ber, it is illegal to use or possess counterfeit U.S. currency. The simple possession of
the currency is punishable with a prison term of up to 20 years. You should not attempt
to deposit or pass off counterfeit currency to another company. Federal statute 18 USC
Section 471 criminalizes making copies of U.S. currency, unless they are much larger or
much smaller than real U.S. currency (a minimum of 50 percent larger or 25 percent
smaller) or unless they are ‘‘rendered in black and white,’’ with up to 15 years in prison.
Should you receive a counterfeit bill, you are required to forward it to the U.S. Secret
Service (http://www.secretservice.gov/forms/ssf1604.pdf).
STUDY QUESTION
3. The security thread in a $20 bill glows ______ under a black light.
a. Blue
b. Green
c. Yellow
d. Pink
Asset Misappropriations
Asset misappropriation is usually tied to items of value that can be easily monetized.
Cash is one of the most frequently stolen assets because once the criminal has the cash
in their possession, it is difficult to prove they stole the cash and it wasn’t theirs to start
with. This is another reason to have cameras as part of your internal controls. Cash can
be stolen from cash registers, from safes and vaults, from the mail room, and from
deposits. I am still amazed that in today’s world people still send cash through the mail.
Asset misappropriation can also include the theft of inventory and fixed assets.
Criminals are usually trying to steal small, expensive items that are easily converted into
cash. An organization missing inventory or fixed assets should search online sales sites,
such as EBay and Craig’s List, as the thieves often try to sell the items they have stolen.
Intangible assets such as trade secrets, research and development, customer informa-
tion, employee information, and other data are also misappropriated by criminals.
Organizations have to make sure they have good internal controls in place to protect
both tangible and intangible assets.
Accounts Payable Frauds

There are numerous ways to commit accounts payable fraud. The most basic accounts
payable fraud scheme is to submit multiple invoices for the same transactions. The
¶ 805
extra invoice will be sent with a different invoice number or a slightly altered invoice,
such as a “-A at the end, to attempt to circumvent the automated controls in the victims
accounting software. Sometimes statements are generated by the criminal after a
payment is received but before it is posted to the system in order to obtain a duplicate
payment. If the victim questions the statement, they are told it “crossed in the mail.
Criminals will also generate fake invoices, or documents that look like invoices in
order to obtain payments. The classic example of this was invoices for the “Yellow
Book, which were made to look like invoices for yellow pages ads. Today we see fake
invoices for website optimization and SEO optimization, services that were never
ordered or provided, but the fraudsters hope the victim will process the invoice. There
was an interesting fake invoice scheme in Arizona a few years ago. The fraudsters sent
out fake invoices for $300 to limited liability companies in Arizona claiming that had not
filed their annual corporate reports. It should be noted that limited liability companies in
Arizona are not required to file corporate reports. The invoices contained the logo for
the Arizona Corporation Commission and were written to look like official correspon-
dence from the Corporation Commission. The Attorney General for the State of Arizona
put out a warning because thousands of businesses fell victim to this fake invoice
scheme.
Another type of accounts payable fraud is payment splitting. Payment splitting
occurs when an employee gets an invoice, either real or fake, that is over their approval
limit. In order to avoid review by a supervisor, the employee splits the invoice into two
payments, both of which fall into the employee’s approval limit. Sometimes employees
collude with vendors to have them reissue multiple invoices when the original payment
is over their approval limit.
Shell companies are often created in order to create and submit fake invoices. A
shell company is a company in name only. It is properly registered with the state, has an
EIN, P.O. Box address, and usually has a bank account, but it provides no actual goods
or services and has no operations other than generating invoices and receiving pay-
ments. W-9s are generated and the shell companies are set up as vendors in the victim’s
accounting system. Fake invoices are sent out and the payments are processed through
the shell company’s bank account.
It isn’t always necessary to go to all the trouble of setting up a shell company in
order to commit a disbursement fraud. Employees can find a stale vendor (a vendor that
hasn’t been used in a while) and process a change of address for that vendor. Since the
vendor is already in the system and approved, there is no need for a new W-9 or
approval. The employee then creates and approves invoices for the vendor and misap-
propriates and cashes the checks.
Altering a check is also a common type of disbursement fraud. Accounting person-
nel can print a check and then alter the payee in the accounting system. It is also
possible to steal a check from the check run and then to negotiate the check, making it
look like a legitimate cashed check on the bank reconciliation. The ACFE report
indicated the average loss to a company that is a victim of check and payment
tampering is $150,000.
Escheated funds are another area that are ripe for disbursement fraud. Sometimes
recipients fail to cash the checks they are sent. These checks have been issued but they
are variances on the bank reconciliation. At a certain point, depending on the state, the
funds should be turned over to the government. Employees can reissue the checks,
usually having them sent to a new address controlled by the employee, and then cash
the checks. From the company’s perspective, it appears that the check was reissued and
cashed by the intended recipient.
¶ 805
Accounts Receivable Frauds

Accounts receivable frauds start with the basics of skimming and lapping, which we
have already reviewed. More advanced accounts receivable frauds include account
identity theft. With account identity theft, the criminal sets up a bank account in a name
similar to that of the victim. The criminal then steals checks intended for the victim and
deposits them in the criminal’s bank account. The funds are then withdrawn or wired
out of the account as soon as the check clears. The payor sees that a check they wrote
cleared and they are unlikely to take any action until they are contacted by the victim,
usually several months later, to inquire about a past due payment.
Reaging receivables is a fraud perpetrated by management when the receivables
are being used for collateral for a loan. It is also done when fake sales have been
entered into the accounting system in order to disguise the fact that a payment hasn’t
been made. The reaging of receivables involves creating a new, fresh receivable and
using the funds to pay off an aged receivable. This can be done multiple times to make
the accounts receivable aging report show only current, and few past due, invoices.
Receivables dumping occurs when an employee, who normally has a connection
with a collection company, writes off a collectable receivable and sends it out for
collection. The collection company usually gets a third of the collection and the
employee either has an undisclosed interest in the collection company or is receiving a
kickback from the collection company.
Sometimes companies receive payments on accounts that have been written off as
uncollectable. The payments can come from a customer, lawyer, or the bankruptcy
courts. Since the company is not expecting to receive payments on accounts it has
charged off, it is easy to divert these funds.
Payment diversions occur when an employee accepts a payment from the customer
and posts it to their own account or to the account of a friend, relative, or other
accomplice. This type of fraud can be difficult to prove as the employee will assert that
they “just made a mistake.
Factoring fraud occurs when management inflates the value of accounts receivable
in order to qualify for a loan using the receivables as collateral. Fictitious sales are
recorded on the books to increase the accounts receivable balance. Factoring fraud is
usually done in conjunction with receivables reaging.
STUDY QUESTION
4. Creating new receivables to pay off older receivables is an example of:

a. Duplicate invoices
b. Receivables dumping
c. Reaging
d. Skimming
Revenue Frauds
The Public Company Accounting Oversight Board (PCAOB) reported the most com-
mon reason for having to restate financial statements was for improper revenue recogni-
tion. Companies recognize revenue before it is earned in order to increase profitability
in the current period and drive up stock prices. Companies can also record revenue
from fake sales. They create a sale using accounts receivable to increase revenue in the
¶ 805
current period and then either carry the receivable indefinitely or write it off in a future
period. The ACFE report notes that the average loss for a billing fraud scheme is
$100,000.
Recording revenue on conditional sales is done to manipulate a business’s revenue.
Conditional sales occur when the buyer has the right to return some or all of the
merchandise being purchased. Under U.S. GAAP, the revenue should not be recorded
until the return period has lapsed and the sale is complete. At a minimum, it is
necessary to set up an allowance for any potential returns.
Bill and hold frauds are another way to manipulate revenue in a company. With a
bill and hold scheme, the company sends an invoice to a customer for goods that were
never ordered by the customer, nor sent by the company. If the customer pays the
invoice, the company sends the goods; otherwise, the invoice is reversed or written off.
Sometimes the receivable is offset with a credit memo to avoid a direct write-off.
Improper sales cut-offs are a way to manipulate revenue in a company. There is a
high risk of cutoff issues for any company that has commissioned sales people or that
pays bonuses based on sales. Salespeople are known to manage their commissions by
sandbagging sales into future periods or by backdating sales in order to receive
commissions sooner.
Channel stuffing is another fraud scheme that can be used to manipulate revenue.
Channel stuffing occurs when a business ships more merchandise to a distributer than
they can reasonably be expected to sell. The distributer accepts the merchandise
knowing they can return any unsold items for credit. The company prematurely records
the revenue for this transaction as if the sale was final.
STUDY QUESTION
5. Which type of revenue fraud involves billing for goods without receiving an order or
shipping anything?
a. Bill and hold
b. Improper sales cut-off
c. Fake sales
d. Channel stuffing
Expense Reimbursement Frauds

The Association of Certified Fraud Examiners 2018 report to the nation on occupational
fraud and abuse indicated the average loss for expense reimbursement fraud schemes
was $31,000 per scheme. It takes an average of two years for a company to identify and
detect an expense reimbursement fraud scheme. Expense reimbursement frauds are
more likely to happen in smaller companies than they are in larger companies. Larger
companies tend to have automated expense tracking and better internal controls, which
help to reduce expense reimbursement fraud.
Marking up expenses is one way employees commit expense reimbursement fraud.
For example, a vice president of sales would entertain current and potential customers.
He paid for the tab on his personal credit card. At the restaurant he would receive two
copies of the credit card receipt. On the copy he left at the restaurant, he would place a
zero-dollar tip, and on the copy he submitted for reimbursement, he always had a 20
percent tip. The 20 percent was pocketed by the employee.
¶ 805
Another way employees commit expense reimbursement fraud is known as the
buyer and return fraud. Employees purchase items for the business but do not actually
deliver them to the business. Instead, they return them to the merchant for refund.
Sometimes employees will leave the items in their vehicle, and if the items aren’t
counted at the business location, it’s easy for them to return them; if the items are
counted, they merely claim, “let me check my car, and after checking their car will tell
you the item must’ve fallen out of the bag they found in their trunk. The purpose, of
course, is to make this appear as if it was an honest error or accident.
Purchasing personal items and including those items in their expense reports is
another way that employees commit expense reimbursement fraud. This can be easily
done at a hotel by having personal charges billed to the room and then only submitting
the credit card receipt rather than the detailed hotel invoice for reimbursement.
Employees have also been caught using company credit cards or purchase cards
(PCards) to make personal purchases.
Salespeople have a scheme known as “if you can’t sell, drive. With this scheme,
they make sales appointments all over town driving from north to south and east to west
to generate a lot of mileage for reimbursement. Sometimes they don’t even attend the
meetings they record on their mileage logs.
Employees can submit fraudulent receipts for reimbursement. Sometimes receipts
are submitted more than once, allowing for the payment of duplicate expenses. Employ-
ees can also take advantage of companies that don’t require receipts for de minimis
expenses. One example was an employee who submitted receipts for meals at $24.99
when the company’s controls indicated no receipts were required for expenses under
$25.
In some cases multiple employees are at the same meal or event and sometimes
they all will submit for reimbursement, even though only one employee paid. Another
issue to watch for is unauthorized expenses, such as employees who make purchases
without getting advanced authorization for those purchases. When employees have the
opportunity to make purchases for the company or on behalf of the company, it is
necessary to make sure that they don’t have a conflict of interest with the vendor.
Sometimes the employee has an ownership interest in the vendor or might be receiving
kickbacks from the vendor in order to process payments to that vendor.
Other types of expense reimbursement fraud include making purchases through a
shell company, purchasing gift cards in addition to the legitimate purchases they are
making, and altering receipts prior to submitting them for reimbursement. There have
also been issues with employees who purchase extended warranties on items and
submit for reimbursement the purchase including the extended warranty, while going
back to the vendor and canceling the extended warranty and receiving a refund. That
issue also has occurred with deposits, where a rental deposit, or other type of deposit, is
paid for up front and expensed to the business. When the rental item is returned and
the deposit is refunded on the employee’s credit card, the employee does not return the
funds to the business.
STUDY QUESTION
6. Employees generally commit expense reimbursement fraud by all of the following,

except:
a. Expensing items and then selling them on the Internet
b. Purchasing and canceling extended warranties
c. Entertaining customers
d. Shell companies
¶ 805
Inventory Frauds
Businesses that maintain inventory are susceptible to various types of inventory frauds.
The most common issue with inventory is the theft of inventory, either by employees or
by shoplifters, using the old “five-fingered discount. Inventory is stolen and the
criminals either use the items themselves or sell them for cash or virtual currencies.
The stolen inventory can also be bartered for drugs, prostitutes, or other illegal items. It
is important to have good internal controls in place to keep the inventory secure. This
can include using barcodes, Radio Frequency Identification (RFID) chips, cameras,
locked display cases, and alarm systems.
One type of inventory theft scheme involves having an employee who works at a
cash register collude with an outside party. The accomplice brings several items to the
checkout point, including one high-priced item. The employee rings up the items but
places his hand over the barcode of the high-priced item while passing it over the
scanner, thus preventing it from being recorded. The accomplice then pays for the
lower priced items and walks out with all of the items, including the items not recorded
by the cash register. If a supervisor is watching, or even if cameras are present, this can
look like a legitimate sale and no red flags are raised—until the inventory is counted,
and shortages are detected.
Another inventory fraud scheme starts with an employee removing inventory from
the store or warehouse and passing it off to an accomplice. The accomplice brings the
item back to the store and requests a refund. There is usually an excuse for not having
an original receipt, such as “it was a gift. The employee then processes a refund by
paying the accomplice and returning the stolen item into the store’s inventory.
Criminals also commit inventory fraud in manufacturing companies. In addition to
stealing finished goods, they also steal scrap. A classic example occurs at home
builders. Subcontractors order more materials, such as drywall, counter tops, wiring,
etc., and they cut the items down to size or keep the extra. We have caught subcontrac-
tors using stolen goods to fix up the properties they purchased to flip. You have a good
profit margin when all or the majority of your materials are free.
Failing to remove inventory from the books once it is sold is another classic
inventory fraud scheme. This was easier to do when companies used periodic inventory
tracking rather than perpetual inventory tracking. Since the inventory isn’t removed
from the books, the cost of goods sold is lower and the profits are higher. The Phar-Mor
fraud is a classic case study for this type of fraud. Phar-Mor even moved inventory from
store to store, so every day when the auditors arrived to count the inventory, the stores
were full of inventory. The auditors didn’t know they were counting the same inventory
over and over again.
Shell companies without any actual operations are also used in inventory frauds. In
this fraud the purchasing manager orders inventory from a shell that he or she set up or
had a relative or friend set up. The shell company then orders the merchandise from
legitimate vendors and repackages it and sends it to the victim company. The shell
company will then invoice the victim, typically for 10 percent to 20 percent over what
they purchased the merchandise for from the legitimate vendor, and the difference is all
profit. A good internal control to prevent this type of inventory fraud is to do periodic
Internet price checks on all the goods and services purchased to make sure the prices
being paid are in line with the market.
¶ 805
It is not uncommon for owners, managers, and employees to temporarily use items
from inventory for personal purposes. The items are removed from the packaging and
used by the fraudsters. The items are then repackaged and sold as new. The unsuspect-
ing customer believes they are purchasing a new product when in fact they are
purchasing a used product.
Merchandise inventory fraud also occurs through short shipping. This fraud can be
conducted by either management or employees. When a customer places an order for
100 items, the company short ships 98 items, hoping the victim doesn’t count the items
upon receipt. Should the customer count the items, the company claims it is an error
and immediately offers to ship the missing items or to issue a credit memo. Employees
commit this type of fraud by stealing items prior to shipping, and if a shortage is
reported, they will claim it was simply an error.
Manufacturers can commit inventory fraud by incorrectly recording overhead and
other indirect costs as direct inventory costs that are then capitalized with the inventory
rather than being expensed in the period in which the expense was made. For large
construction projects like buildings or airplanes, these companies can manipulate the
percentage of completion in order to manipulate the costs of construction.
It is always necessary to commit financial statement fraud to explain the inventory
shortages when a physical inventory count is done. Commonly, transactions are entered
to record the stolen inventory as breakage, shrinkage, spoilage, or obsolescence. Other
ways to conceal inventory frauds include altering inventory counts, altering inventory
values, recording phantom inventory, recording intercompany sales as final sales, failing
to record inventory at the lower of cost or market, and using improper cut-offs for
recording inventory purchases and sales.
STUDY QUESTION
7. Which of the following is a type of inventory fraud?

a. Bill and hold
b. Lapping
c. Cooking the books
d. Short shipping
Financial Statement Fraud

Financial statement fraud is usually done in conjunction with other frauds in order to
conceal the fraud and hide illegal activities. Financial statement fraud can also occur on
its own and is the costliest of the occupational frauds. You are probably already aware of
some of the famous financial statement frauds, such as Enron, WorldCom, Waste
Management, etc. These financial statement frauds occurred when management wanted
to give the appearance of increased profitability in order to drive up stock prices.
Managers can add fictitious revenues or hide or capitalize expenses in order to make a
company look more profitable. The executives at Enron used off-balance-sheet financing
to move liabilities off the company’s balance sheet into special purpose and variable
interest entities.
It should be noted, however, that the vast majority of financial statement frauds are
not designed to make a company look more profitable. Indeed, the business owners
skim revenue out of the business and pay personal expenses from business funds for
the sole purpose of making the company look less profitable. This is done to reduce the
¶ 805
sales and income taxes the business owner would otherwise have to pay. There are far
more small businesses in the country than there are large businesses, which is why this
is a more common fraud. Don’t be dismayed, however, because when it comes time to
sell the business, these criminals are more than willing to cook the books to make the
company appear more profitable for the buyer.
The easiest way to commit financial statement fraud is to record fictitious transac-
tions on the books. This includes recording fake sales in order to increase revenue or
recording fake expenses in order to reduce taxable income. Many times, fraudulent
entries are input into the accounting system using top-sided or other journal entries.
Businesses using the accrual method can also prematurely recognize revenue in order
to manipulate the financial statements.
It is also possible to manipulate the financial statements by overstating the value of
assets such as inventory, although intangible asset values are easy to manipulate.
Failing to record or miss recording depreciation and amortization is another way to
manipulate asset values. Companies have also been known to record consignment
goods as part of the company’s inventory. Understating liabilities or failing to disclose
liabilities in the financial statements is another example of financial statement fraud.
Manipulating reserve accounts, such as the allowance for doubtful accounts, war-
ranty, and repair allowances, environmental cleanup funds and returns and allowances
is another way to commit fraud. It is often common to see unrecorded liabilities,
especially in small businesses where the owners are funding the business with personal
loans or by using their personal credit cards. Failure to disclose contingent liabilities
can also be an issue. Improperly recording transactions in the wrong period, either
holding transactions for a future period before recording them, or backdating transac-
tions into past periods, it is also an example of financial statement fraud.
Financial statement frauds can be undertaken to alter the balance sheet, income
statement, or the statement of cash flows. Failure to provide proper financial statement
disclosures or filing misleading financial statement disclosures is also a type of financial
statement fraud.
Double Cashed Checks

There is a growing trend in check fraud schemes. This particular scheme takes
advantage of some of the newest technology in online banking. When a payee receives a
check, the payee uses their cell phone to deposit the check into their bank account. The
check clears, and the victim reconciles their bank account without any issues. Up to this
point everything is legal and above board. The fraudster then sits on the check for about
five months and then takes the original check to a checking cashing outlet and cashes
the check. If the victim is properly reconciling their bank accounts, they will notice this
check cleared a second time. If the victim is lucky, and using positive pay, then their
bank may refuse to pay the check a second time. Herein comes the legal issue. Since
the check cashing store has an original check with a valid signature, unless the victim
can prove the check cashing store knew the check had been previously deposited, the
check cashing store will be able to obtain a judgment for the amount of the check.
Once the victim has paid the check cashing store, their only recourse is to sue the
payee who cashed the check twice. It would be especially difficult to convince a
prosecutor to file criminal charges against the payee unless the victim could show a
history of double cashing checks, because the payee is going to claim it was a mistake
and they forgot they previously cashed the check. The payee will often offer a payment
plan of a minimal amount per month with no interest to repay the money. Because of
the claim that this was an error and an offer for restitution, it would be all but impossible
for the prosecutor to establish mens rea or intent for the crime.
¶ 805
Payroll Frauds
The ACFE report notes that the average cost to an organization that is the victim of a
payroll scheme is $63,000. There are numerous types of payroll fraud schemes. Payroll
fraud schemes can be conducted by employees, the accounting department, or by
owners and managers. The most basic payroll fraud scheme conducted by employees is
to improperly record hours on a time sheet, thereby getting paid for hours that are not
worked. Workers have been known to ask their fellow employees to “clock me out
because they need to leave early, or to ask someone to “punch me in if they know they
are going to be late. The unwritten agreement is a quid pro quo that if you help me out
now, I will do the same for you in the future. This is an example of combining asset
misappropriation and corruption into one fraud scheme. Another common employee
fraud scheme is slow work for overtime. This works because the employee deliberately
works slowly, knowing the work needs to be done by a certain deadline, and then the
employee works overtime to get the job done.
Employees have another scheme that applies to fire departments, police depart-
ments, and other essential service personnel. Employees usually have sick days or
personal time off that they can use, and they take those days when friends who need
some extra cash are on call. They get the day off and the friend gets overtime for the
shift. There is an understanding that the favor will be returned when the employee who
took the day off needs some overtime. Paperwork requirements can also be used to
create overtime. One example is leaving all of the paperwork until the end of the shift
and then working overtime to get caught up. Audits of government entities show many
first responders receive half of their W-2 income from overtime. This is a difficult area to
control because the work needs to be done and many times there are legitimate reasons
for the overtime.
Many payroll frauds can be conducted by employees in the accounting department.
Accounting personnel can enter ghost employees or ghost independent contractors into
the accounting system. Accounting personnel can also give unapproved raises to related
employees or sometimes give an employee an unapproved raise and then split the raise
with the employee by getting a kickback every payday. One case I investigated involved
a property management company where the husband was the maintenance manager
and the wife was the bookkeeper. She slowly raised her husband’s monthly salary from
$2000 per month to $4500 per month without the knowledge or permission of the
business owner. Red flags for ghost employees include no deductions for insurance or
retirement accounts, no use of sick time or vacation time, and multiple direct deposits
being made to one account.
Managers and owners can also commit payroll fraud. Owners can misclassify
employees as independent contractors in order to avoid paying payroll taxes on the
employee’s wages. Non-exempt employees can also be misclassified as exempt employ-
ees in order to avoid paying overtime. Some business owners and managers hire
undocumented immigrants to work in their businesses because they can pay them off
the record, usually in cash, and pay them less than the legally mandated federal
minimum wage.
¶ 806 CYBER FRAUDS

Cybercrime is evolving and is becoming more sophisticated. Cybercriminals now have
their own social networks and even have escrow services to protect their identities and
interests when conducting online transactions with other criminals. Malware can be
licensed by criminals, and, if they experience issues, there are even tech support teams
to assist them with their criminal activities. Criminals can rent botnets by the day or by
¶ 806
the hour to use in their illicit schemes. There are also pay-for-play malware programs
available for purchase on the darknet in addition to an active market for zero-day
exploits.37
Data Breaches
The theft of information, also known as a data breach, is a crime that was virtually
unknown two decades ago but is flourishing in the 21st century. A data breach is
defined as the theft of personal information including names, Social Security numbers,
birth dates, medical information, driver’s license numbers, user names and passwords,
and financial account information such as credit or debit card numbers. With an ever-
increasing reliance on computers and information technology, organizations are in-
creasingly susceptible to this type of fraud. Information thieves are misappropriating
data and selling the stolen information on the darknet. A data breach occurs when
someone gains access to information that contains confidential information. Confidential
information includes personally identifying information (PII) and personal health infor-
mation (PHI). This can occur because of a lack of security, the bypassing of security, or
the elimination of security. Data breaches occur when information is stolen from
computers and other electronic devices. Data breaches can also occur when devices
containing information are lost or misplaced. Because an organization is considered to
be negligent in its duties to safeguard the information provided to it by employees,
customers, and others, there is a significant cost to being a victim of a data breach.
Criminals breach the IT security of companies, not-for-profit organizations, and even
governmental units and steal information from their computers. Often, the Human
Resources department of an entity is targeted for payroll information, which includes
Social Security numbers. Retail outlets are also targeted because they store customer
information, including credit card numbers, on their computers. Not all data breaches
are aimed at large organizations. Small businesses are also targeted, including tax
providers, attorneys, medical offices, and insurance agents, because these professionals
often have their clients’ personal information stored on their computers.
One of the main reasons for stealing data is to profit from the data breach.
Criminals can sell stolen user IDs and passwords for $5 to $20 each on the dark net.
Criminals are aware that many people use the same passwords for multiple websites
and computer systems. The purchased IDs and passwords are input into software that
searches the Internet for websites where the stolen IDs and passwords work and then
notifies a human operator that access has been gained so they can determine if there is
any value in the website that was illegally accessed. This is known as credential stuffing.
Another large market for information on the dark net is the sale of stolen credit card
numbers. There are thousands of dark net sites selling stolen credit and debit card
numbers. Prices range from $2 to $100 per credit or debit card number, depending on
the validity of the numbers. Some card brokers even offer guarantees that if you
purchase a minimum number of credit or debit card numbers, should any of these
numbers prove to be invalid, they will replace them for free; sort of a money-back
guarantee for criminals.
In addition to credit card, debit card, and Social Security numbers, criminals also
purchase names, addresses, dates of birth, phone numbers, driver’s license numbers,
health insurance ID numbers, union numbers, and other personal identifying informa-
tion (PII) on the dark net. These purchases are usually done with virtual currencies,
such as BitCoin. There are even resources on the Internet for up-and-coming criminals,
including books and videos on how to profit from stolen credit cards and how to do
credential cramming. Stolen personal information is often used to commit identity theft.
37 See www.knowbe4.com.
¶ 806
Over the years, the theft of data has become a very profitable crime. In today’s
modern economy, businesses offer goods and services on credit to strangers based on
the data in the buyer’s credit history or through electronic means of payment such as
credit and debit cards. With telecommunications and Internet technology, buyers and
sellers do not need to meet in person to consummate their transaction. The Internet has
made access to information almost instantaneous. Additionally, people’s willingness to
share personal information about themselves on social media has increased the risk of
that information being misappropriated. Increased access to data on the Internet has
provided criminals easier access to personal information from both inside and outside
the United States. Identity thieves can use the Internet to gather an individual’s
identifying information without ever coming into personal contact with the victim.
Retail outlets are also targets of data breaches because they store customer
information, including credit and debit card numbers on their computers. The
cyberthieves targeted the point-of-sale (POS) cash registers in the Home Depot data
breach, allowing them to obtain the credit and debit card information of evey customer
making a purchase at the stores. Data breaches allow criminals to obtain a substantial
amount of information with a minimum risk of being caught. Many data breaches are
initiated through a phishing or other social networking attack wherein the criminals
email or otherwise contact an individual in the target company and include a virus or
other form of malware in the communication.
One of the most well-known data breaches occurred in November and December
of 2013, and the victim was Target. It was estimated that 70,000,000 debit and credit
card numbers were stolen from Target’s computers. In addition to the debit and credit
card numbers, the criminals also misappropriated the customer’s PINs, CVV codes, Zip
codes and other personal information. The initial estimates of the costs to Target for
this data breach were $3.6 billion. The Target data breach is important because of the
litigation that followed. The banks that had to replace the 70 million stolen credit cards
filed litigation against Target to recover their costs. The Federal District Court ruled in
favor of the banks, and Target appealed the ruling. The Federal Appellate Court
reaffirmed the lower court’s ruling, and Target appealed to the Supreme Court. The
Supreme Court declined to review the case, leaving the Appellate Court’s ruling in
place.
The courts have determined that companies have strict liability for lost information.
In other words, the victims do not need to prove the stolen information was used in an
identity theft. The fact that they need to pay to monitor their credit or take other actions
to protect their identity creates sufficient grounds for damage awards. Businesses must
use reasonable procedures to secure data in their possession. The procedures must be
documented in writing and be tested or audited on a periodic basis. There is no way to
guarantee that an organization will not become a victim of a data breach, but good
internal controls can reduce the risk of becoming a victim of this type of fraud.
STUDY QUESTION
8. A data breach occurs when:

a. Information is electronically copied from a credit card by a waiter at a
restaurant.
b. A fraudster takes a picture of a credit card while standing in line at a store.
c. Information is stolen from a company computer.
d. A shell company is used to process transactions on stolen credit cards.
¶ 806
Credential Stuffing
When I am speaking or conducting seminars on internal controls, I always stress the
importance of having complex passwords and updating them on a regular basis. In fact,
it is much better to use a complex pass phrase consisting of a minimum of twenty-four
characters, including uppercase letters, lowercase letters, numbers, and special sym-
bols. It is much harder for a criminal to hack a passphrase than to hack a short six-
character password. The fact that many individuals use the same user ID and password
for multiple sites is well known to criminals.
Credential stuffing is one of the ways criminals gain access to various systems.
When the criminals obtain user IDs and passwords through data breaches, phishing, or
other means, the criminal uses software to test the acquired user IDs and passwords on
various websites and computer systems. The criminal will attempt to access financial,
social media, email, and other sites using the stolen information. Company and govern-
ment websites are vulnerable because employees are not diligent in changing and
protecting their passwords and often use the same password on multiple systems.
One common software for conducting credential stuffing is known as Sentry MBA.
Less than 1 percent of these attempts are successful, but the successful attempts are
very profitable for the criminals as they gain access to the victim’s information and
accounts. Remember that credential hacking is done at computer speeds, so a criminal
can test the credentials millions of times an hour. If criminals are able to obtain 1 million
credentials by purchasing them in bulk on the darknet, they would be able to access
approximately 10,000 accounts. Also, since a user ID and password is only attempted
once per website, the user ID is not locked when it does not work, so the victim is
unaware their information has been tested. The criminals also use botnets (hijacked
computers) so that the requests all come from different IP addresses to prevent the
tested website from recognizing the access attempt is coming from a single source.
Organizations need to monitor login failure rates as a detective control to deter-
mine if they are targets of a credential stuffing attack. Adding two-factor authentication
to a website is a good preventive control to limit credential hacking. Another good
internal control is requiring complex passwords that contain an uppercase letter, a
lowercase letter, a number, and a symbol, and requiring users to update passwords
every 90 days and prohibiting the reuse of passwords.
One way to determine if your organization is being attacked by a criminal using
Sentry MBA is to Google “sentry mba your company name. You can also search your
web logs for some of the common user agent strings associated with Sentry MBA:
• Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET
CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
• Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET
CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
• Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11)
Gecko/2009060215 Firefox/3.0.11
• Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3
(KHTML, like Gecko) Version/3.0 Safari/522.11.3
• Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00
¶ 806
STUDY QUESTION
9. Which type of cyber fraud involves using stolen user IDs and passwords to try to
access multiple IT systems?
a. Data breaches
b. Credential stuffing
c. Ransomware
d. Phishing
Ransomware
Another type of cyber fraud that has been growing in the last year is ransomware.
Ransomware is a type of malware that is placed on a computer and then encrypts all of
the files on the computer. The criminals then require that the victim pay a ransom in
order to obtain the decryption key and have access to their files. The most well-known
example of ransomware is CryptoLocker. Cryptowall 2.0 is a newer version of ran-
somware being used by cybercriminals.
The FBI estimates that ransomware is a $1 billion a year fraud. A new type of
ransomware, called Reveton, installs itself onto the computer without the user’s knowl-
edge. Then, the computer freezes. A bogus message from the FBI pops up on the
screen, saying the user violated federal law. To unlock their computer, the user must
make a payment to the criminals.
¶ 806
For a single computer, the cybercriminals will initially request a ransom ranging
from $300 to $500. Larger ransoms are demanded when more computers are infected
with the ransomware. Once the deadline for the payment has passed, the criminals up
the ransom demand to around $1000 per infected computer.38 Unfortunately, criminals
are not always honest. When a victim makes a payment, sometimes the criminal gives
them the decryption code, sometimes the criminal asks for more money, and some-
times the decryption code doesn’t work and they refer the victim to a 900 number help
desk where the victim pays by the minute for help decrypting his information. Govern-
ments have also been victims of ransomware. In the spring of 2018, the City of Atlanta
was infected with ransomware that shut down city services for weeks.39
Typical ransomware software uses RSA 2048 encryption to encrypt files. Just to
give you an idea of how strong this is, an average desktop computer is estimated to take
around 6.4 quadrillion years to crack an RSA 2048 key.40 One issue with ransomware is
that it is a franchise-type criminal activity. Criminals with no programing experience can
contact ransomware developers on the darknet. The criminals pay an initial fee to get
access to the ransomware, and the developer provides them with a link to send out to all
of their contacts. If victims click on the link, infect their systems with ransomware, and
pay the ransom, the criminal gets 80 percent of the ransom and the developer gets 20
percent.
38 40
https://www.knowbe4.com/ https://www.knowbe4.com/
39 https://www.cnn.com/2018/03/27/us/at-
lanta-ransomware-computers/index.html
¶ 806
STUDY QUESTION
10. Which of the following cyber frauds encrypts the data on your computer?
a. Phishing
b. Ransomware
c. Spoofing
d. Spyware
Phishing
Phishing is a cybercrime in which the criminals contact the victim through email
messages that appear to come from legitimate business or government sources. Social
networking through phishing schemes is a common way to get around an organization’s
IT security. Often, the email headers are spoofed to make them look legitimate. One
purpose of the phishing email is to obtain information such as names, addresses, Social
Security numbers, phone numbers, dates of birth, credit card numbers, EIN numbers,
and other personal information from the victims. When the victims supply the informa-
tion, the criminals are able to use the information to steal the victim’s identity and
assets. Criminals also send phishing emails containing links with the hope that the
victim will click on the link and download the criminal’s malware onto the victim’s
computer.
Phishing Email Example 1
This email was sent out during tax season to tax preparers and at first glance
appears to be a request for assistance with personal taxes. If the recipient clicks on the
link to download the tax data, their computer will be infected with malware. Be alert for
phishing emails that include poor grammar in the text of the message and that provide
no contact information, such as a phone number or address. Also note that most
phishing emails come from outside the United States or use free services like Gmail and
AOL.
¶ 806
In this phishing example, the fraudster is trying to get the victim to click on a link
for a ShareFile attachment, and if the victim clicks on the link, their computer is
infected with malware. DropBox and other file service providers have also been used for
this fraud.
¶ 806
With this example, you can see the fraudsters spoofed my daughter’s email in
order to make it look like the email was coming from her. The criminals get the names
of your friends, relatives, and associates from your social media accounts and then send
you phishing emails containing links that will download malware onto your computer
that look like they are coming from someone you trust.
Criminals will often try to make you think a phishing email is coming from your
bank, credit card company, or other financial institution. They may indicate there is a
problem with your account or that your password is expiring. Either way, they ask you
to click on the link in the email and enter your user ID and password. Once they have
that information, they can use your user ID and password to access your real accounts
and misappropriate all of your funds.
¶ 806
Criminals also use phishing emails to try to convince you there is an issue with
your social media accounts, or that your accounts need to be updated. They will stress
the fact that you will lose all your posts on Facebook, Twitter, LinkedIn, etc., if you don’t
immediately log in through the link in the email and update your account.
Some criminals actually do their research before sending out a phishing email.
This is known as spear phishing. They gather information on the prospective victim and
tailor a phishing email directly at them. These emails can include the victim’s name, and
the names of people the victim knows. This phishing email proports that I failed to pay
my ASCPA dues in a timely manner. It even includes information for Cindie Hubiak,
who really is the president of the Arizona Society of CPAs. The criminals went to some
effort to make this look like a legitimate email. Once again, note the lack of contact
¶ 806
information in the body of the email. Also, the email came from a outlook.com email
address rather than the society’s normal ascpa.com address.
Vishing
Vishing is similar to phishing except the criminals use phones instead of emails. The
criminals will call a new employee or newly promoted employee (they get the informa-
tion from social media) pretending to be from the IT department, and tell the employee
they need to finish setting up their computer for the access they will need. The
criminals tell the employee they need to remote into their computer, and then once
inside the system set up a backdoor so they have continued access to the company’s
computer systems.
Vishing calls are also made to alert individuals or businesses that fraud has been
detected on their credit cards. The criminals use spoofed phone numbers to make it
appear that the call is coming from a bank or financial institution. The criminals then
ask the victim to verify information on the credit card, such as the account number,
billing zip code, security code, or expiration date, in order to gain access to information
that will allow them to use the credit card.
Other common vishing calls include calls that claim to be from the Internal
Revenue Service (IRS) trying to collect past due taxes, calls from collection agencies
trying to collect past due bills, and calls from law enforcement or regulatory agencies
trying to collect fines. A red flag for vishing calls is a request that payment be made with
gift cards, with virtual currencies, or by sending money through a money transfer
service. They will also stress the urgency to pay immediately in order to avoid jail time
or other penalties.
Brand Hacking
Brand hacking occurs when criminals post false or misleading information on websites
about a company’s products or services or about the company itself. This is usually
done via social media websites, rating websites such as Trip Advisor, or individual
blogs. The criminal’s purpose when brand hacking is to tarnish or damage the reputa-
tion of the brand being hacked. Negative ratings on the Internet can steer customers
away from a product or business. A twist on the concept of brand hacking occurred
when a hotel chain paid its employees to rate their “roach motel as a four-star resort on
various travel sites, enticing customers with fictitious reviews to get them to stay there.
For businesses in the service industry, the hackers can also go after the personal brand
or the reputation of the organization’s employees, often implying sloppy or unethical
work. Brand hacking is often linked to unsatisfied customers, disgruntled current or
former employees, and a business’s competition.
Spoofing
Spoofing is a term used to describe activity that makes a fraudulent website or email
look legitimate. Criminals can also spoof phone numbers and social media accounts.
The purpose of spoofing is to make the victim believe they are communicating with
someone they know, when, in fact, they are providing information to the criminals.
The CEO invoice spoof is a common type of email spoofing fraud directed at
companies. The typical CEO email spoof occurs when criminals send an email to an
accounting clerk, bookkeeper, or payables manager that appears to have originated
from the CEO, CFO, or other senior executive of the company. There is usually an
invoice attached with instructions to wire or ACH the funds to the vendor as soon as
possible. There is usually a tone of urgency applied such as, “Don’t leave work until this
is done or “We will have to pay a large penalty if the payment isn’t received today to
¶ 806
spur the employee into processing the transaction quickly. The bank account receiving
the funds is usually overseas, or, if it is in the United States, the funds are immediately
transferred overseas when they are deposited. Another version of this cybercrime
requires the request for copies of payroll records or W-2 and other tax records, giving
the criminals access to personal information of the company’s employees. In 2018, for
the 2017 tax season, there were a large number of spoofing emails that appeared to
come from a company’s auditors requesting payroll information and claiming the
information was needed to complete the audit.
Denial of Service (DoS) Attacks

Denial of service (DoS) attacks occur when criminals use their own computer networks,
or botnets, which are networks of infected computers, to bring down a website or
computer system by overloading its capabilities, thereby crashing the system. In many
instances, the criminals follow up on the DoS attack with an attempt to hack into the
system and upload malware onto the victim’s computer while the victim is busy trying
to fix the damage being done by the denial of service attack.
The most common and obvious type of DoS attack occurs when an attacker
“floods a network or website with large amounts of information or requests for access.
When you type a URL for a particular website into your browser, you are sending a
request to that site’s computer server to view the webpage. The server can only process
a certain number of requests at once, so if an attacker overloads the server with
requests, it can’t process your request. This is a “denial of service because you can’t
access that site. In a distributed denial of service (DDoS) attack, an attacker may use
your computer to attack another computer. By taking advantage of security vulnerabili-
ties or weaknesses, an attacker could take control of your computer. He or she could
then force your computer to send huge amounts of data to a website or send spam to
particular email addresses. The attack is “distributed because the attacker is using
multiple computers, including yours, to launch the DoS attack.41
Pharming
Pharming occurs when a virus or other malicious software is placed on the victim’s
computer. The malware hijacks the victim’s web browser and causes it to divert the
user to the criminal’s websites. When the victim types in the website for a legitimate
company, usually a bank or financial institution, the malware directs the victim’s
browser to a fictitious copy of the website set up by the criminal. The fraudsters often
copy the legitimate website, so it can be difficult to recognize that you have been
diverted. The criminal is hoping to capture the victim’s user ID and password or other
useful information. Pharming can also be done by exploiting vulnerabilities on an
organization’s website to allow the criminals to redirect legitimate customers to a
spoofed fraudulent website. It is important to always verify the website address before
entering any confidential information, such as a user ID or password, onto the site.
Often the change will be minor, such as “BanksofAmerica instead of “BankofAmerica.
Hacking
Virtually everyone has heard of hacking. Hacking is commonly done by placing
malware on a computer system in order to allow the criminals to gain control of the
victim’s computer or to gain access to information stored on the computer or other
electronic device. Hacking is usually done over the Internet, and any device connected
to the Internet with either a wired or wireless connection is at risk of being hacked.
41 Department of Homeland Security, www.us-
cert.gov/ncas/tips/ST04-015.
¶ 806
Computers, cell phones, tablets, webcams, IoT devices, and other electronic equipment
connected to the Internet are the main targets of cybercriminals. As the world is
becoming more automated, cybercriminals are increasingly attacking robots and auto-
mated production systems in addition to computer information systems. Gaining control
of a robot such as a self-driving truck transporting goods would allow the criminals to
hijack the shipment. Locking up the robots in a factory and halting production allows
the criminals to extort a payment from the company to release their automated systems.
A common tool used by cybercriminals in a computer hack is a computer virus. A
computer virus is a segment of computer code that attaches itself to a program, such as
Microsoft Office, that is already loaded on the victim’s computer. A computer virus can
cause the infected program to delete, email, or copy files on the computer or to perform
other actions such as altering files or destroying data. A computer virus creates copies
of itself that it inserts in data files thus when employees share files they also share the
computer virus allowing the virus to spread throughout the company’s system and to
customers, vendors, and others with whom files have been shared.
Another common type of malware is known as a Trojan or Trojan Horse. A Trojan
is a stand-alone malware program that is disguised as something else, usually a
program or application that the user wanted such as a computer game. Trojans, unlike
viruses, are stand-alone programs and do not need to infect a program already installed
on the computer but instead act on their own. Typical types of trojans include spyware,
keystroke loggers, and other software designed to compromise a system or to gather
data from a system. Malware can also be used to make an individual device or system
part of a botnet. A common use is to infect computers to create a network of slave
computers that is then used to mine crypto currencies like BitCoin. Trojans are often
disguised by piggy-backing on them on a free program or application downloaded by
the unsuspecting user of the device.
A computer worm is a type of malware that transmits itself over networks and the
Internet and infects any computer connecting with an infected source such as an
infected website. Computer worms can be transferred by linking to or visiting infected
websites. A computer worm is a stand-alone program that does not need to attach itself
to an existing program on the computer. A computer worm can carry a payload such as
a ransomware program. The most common payload is a program that installs a
backdoor on the infected computer. You are probably aware of how websites install
“Cookies on your computer when you visit the website. You could consider a worm to
be a bad cookie.
A rootkit is specifically designed to modify the operating system of an infected
computer. Legitimate uses for rootkits include installing updates and patches to a
computers operating system. However, criminals use rootkit programs to hide other
malware from the user of the computer. Because a rootkit program has administrator
access, it is not only able to modify the operating system but can also modify any other
software installed on the computer. Rootkits can be used to hide malware that the
criminals placed on a victim’s computers, so the victim can’t find or remove the
malware. Often the only fix when this is done is to wipe the computer and reload
everything from a backup.
A very dangerous type of malware is known as a backdoor. A backdoor allows the
cybercriminal unimpeded access to the infected computer, allowing the criminal to
bypass the normal authentication processes. A backdoor usually provides the hacker
with administrative access to the infected computer. A backdoor is the equivalent of the
criminal having their own user ID and password to gain access to the system whenever
they want.
¶ 806
It’s a common misconception that hackers are geniuses that dropped out of MIT
and are working on supercomputers in their basements. Although there are a number
of hackers who can bypass an organization’s firewalls and other cybersecurity defenses
to gain access to a system, a majority of hacking attacks are done using social
engineering. An organization’s employees are the weakest link in the organization’s
cybersecurity defenses. The hackers know this and attack the employees with phishing
and vishing attacks, or by friending them on social media websites and then sending
them infected links.
A common method for infecting mobile devices with malware is through a charg-
ing station. Cybercriminals load malware onto charging stations located in public places
like airports, malls, sports arenas, and subways. Unsuspecting users whose batteries are
running low, use their USB ports to connect to the charging stations to recharge
batteries in their devices. While they are connected, the data on their devices is copied,
and malware is installed. Employees should be required to use USB condoms whenever
recharging a company mobile device at a non-company location. The USB condom
blocks the data ports and prevents any transfer of data while allowing the battery to be
recharged. An alternative is to only charge devices through a standard electrical outlet.
¶ 807 FINANCIAL FRAUDS

Credit and Debit Card Fraud
Stolen personal information is often used to commit credit card fraud. According to
Statistic Brain, 40 percent of all financial fraud is related to credit cards. This amounts to
a total of $5.5 billion in credit card fraud worldwide annually. The same report breaks
this down into five types of credit card fraud: 37 percent is counterfeit credit cards, 23
percent is lost or stolen cards, 10 percent is “no-card fraud, such as giving information
to a non-legit telemarketer, 7 percent is cards stolen during mailing, and 4 percent is
identity theft.42
Most credit and debit card fraud occurs in the United States. In fact, a 2015
research note from Barclays stated that the United States is responsible for 47 percent
of the world’s credit and debit card fraud despite accounting for only 24 percent of total
worldwide payment card volume. U.S. credit card fraud is on the rise. About 31.8 million
U.S. consumers had their credit cards breached in 2014, more than three times the
number affected in 2013. Credit card fraud isn’t cheap for the banks and financial
institutions either. Nearly 90 percent of credit and debit card fraud victims in 2014
received replacement credit cards, costing issuers as much as $12.75 per card.43 Despite
the risk of fraud, credit and debit card transactions have been increasing over the last
decade. There are over 407 million credit cards in use in the United States alone and
over 1.5 billion credit cards in use worldwide according to CreditCards.com. Addition-
ally, there are approximately 1.9 billion debit cards being used worldwide.
Credit card application fraud is done by submitting false information to the financial
institution to obtain credit cards. This is often done online or through the mail.
Fraudsters also take over existing credit and debit card accounts. This can be done by
using stolen credit card information to make online purchases or by creating a duplicate
credit or debit card to use for live purchases. Criminals can purchase a credit and debit
card duplicator online for around $150. They can also purchase blank cards, including
EMV cards on the Internet. A common method used by criminals is to purchase a five-
dollar gift card, then to use the gift card and then copy the stolen information onto the
gift card using the duplicator. This allows them to present the gift card with the
42 https://www.cdkpay.com/fraud-risk-manage- 43 http://www.nasdaq.com/article/credit-card-
ment/credit-card-fraud-detection/ fraud-and-id-theft-statistics-cm520388
¶ 807
appropriate logo on the card, instead of using a blank white card to make a purchase.
Some larger credit card fraud rings actually order credit and debit card blanks that are
printed with the appropriate logos and contain all the security features of the cards
issued by the banks.
STUDY QUESTION
11. There are approximately ______ credit cards issued worldwide.

a. 407 million
b. 1 billion
c. 1.5 billion
d. 1.9 billion
EMV Card Present Fraud

While many people believe the security of their credit and debit cards has increased
because the banks and card issuers added EMV (Europay MasterCard and VISA) chips
to the cards, this may not in fact be true. Although the EMV chips make it more difficult
for criminals to skim the information on the card and create a duplicate card, the
criminals have developed a new fraud scheme to take advantage of the vulnerabilities of
the EMV chips. These chips are RFID, and you can pay for a transaction by waving the
EMV chip card over a point-of-sale transaction device designed to capture the RFID
information. What most consumers don’t know is that the chips in a smart card can be
read at distances up to three feet away.
The criminals are aware of the new chip card’s vulnerability and they use portable,
battery operated, point-of-sale devices to capture the information broadcast by the smart
cards and process card present transactions. The criminals go to crowded areas such as
malls, sports venues, subways, buses, and other public places carrying these portable
devices and have them automatically process a card present transaction for under $50,
which is the federal legal limit for the amount of a fraudulent transaction that is the
responsibility of the consumer. For fraudulent transactions over $50, the card issuer is
responsible for the transaction. When consumers attempt to dispute these transactions,
some card issuers will argue that since the card was present, and you still have
possession of the card, it must be a legitimate transaction. They may even imply you
just forgot about it.
Businesses and consumers need to protect themselves from this type of fraud. If
you have a smart card with an EMV chip, you need to carry the debit or credit card in
an RFID sleeve or an RFID safe wallet. RFID sleeves and RFID safe wallets have a lead
lining that prevents portable point-of-sale devices from reading the RFID chips while
you are carrying your card in your pocket, wallet or purse.
Obtaining Credit Card Information

Criminals use multiple methods for obtaining credit card information. One way is
through data breaches like the Equifax data breach that occurred in 2017, where the
criminals were able to steal the personal information of 147 million individuals. Another
common way to obtain credit card information is through the use of credit card
skimmers. These can be either handheld or attachable devices. Handheld skimmers are
used by individuals who have access to a credit card, such as a waiter or waitress who
takes a customer’s card to the back to process the payment and then skims the
information from the card. Attachable skimmers are attached to ATMs, point of sale
¶ 807
devices, and gas pumps, just to name a few. When customers use credit or debit cards
on these payment systems, the information is copied for the criminals. The criminals
often put cameras up around ATMs and other places cards are run to record Personal
identification numbers (PINs) and billing zip codes to make it easier to use the cards
they create with the skimmed information. Another common method for gathering
credit and debit card information is to stand behind someone in line at a retail store and
use a cell phone to record the information on a card when the person in front of them in
line presents it to the clerk.
Once the criminal has obtained the information on the credit or debit card, they
can then use a credit card duplicating device to create a copy of the card. I was able to
purchase a copy of a credit card duplicator on the Internet for $150 and was able to
purchase blank cards for a few cents each. The chip cards cost a little more, around 20
cents when purchased in bulk. I did a test run and copied one of my own credit cards. I
then went to a local retail store and made a purchase using a plain white card by swiping
the card through the magnetic reader at the retailer. The cashier never asked to see the
card nor did she ask for identification. I was able to make a purchase exceeding $250
with a plain white card and a copied magnetic strip. Based on the ease of this
transaction, I am sure you can see why criminals find this to be a very profitable
endeavor.
Investment Frauds
When discussing investment scams, the first one to come to mind is churning. Invest-
ment advisors buy and sell securities in a customer’s account not to benefit the
customer but to generate commissions for the investment advisors. Selling inappropri-
ate investments to generate commissions is another type of investment fraud. In one
case the investment advisor was visiting elder care centers. He convinced a 94-year-old
victim to cash out her certificates of deposit and purchase a 40-year annuity with an 18
percent front load and a 12 percent early termination fee. The victim would have had to
live to be 134 to break even on this investment.
Pump and dumps are another type of investment fraud. The criminals purchase a
non-performing stock, usually a penny stock, and then hype the stock on the Internet or
at investor luncheons. As the victims buy in, the criminals’ cash out and take their
profits. One version of the pump and dump is done by leaving messages on voice mail
that sound like the caller got the wrong number. For example, “Bill, don’t tell anyone,
but the law firm I’m working with is working on a deal for Google to purchase XYZ
Corp, buy the stock now if you want to make a bundle.
Ponzi Schemes
A Ponzi scheme is an investment fraud in which the fraudster promises high financial
returns or dividends that are not available through traditional investments. Instead of
investing the victims’ funds, the fraudster pays returns to the initial investors using the
principal amounts provided by subsequent investors. The scheme generally falls apart
when the fraudster flees with all of the proceeds, or when a sufficient number of new
investors cannot be found to allow the continued payment of investment returns.
Pyramid Schemes
Pyramid schemes, which are also called franchise fraud, are marketing and investment
frauds in which a victim is offered a distributorship or franchise to market a particular
product or service. The real profit is earned not by the sale of the product or service, but
by the sale of new distributorships or signing up new members. The emphasis in a
pyramid scheme is on selling franchises and recruiting new members, rather than on
selling the product. Eventually this leads to a point where the supply of potential
¶ 807
investors is exhausted and the pyramid collapses. At the heart of each pyramid scheme
is the claim that new participants can recoup their original investments by inducing two
or more new prospects to make the same investment. Promoters fail to tell prospective
participants that this is mathematically impossible for everyone to do, as eventually you
run out of new victims to con.
Advance-Fee Scams
An advance-fee scam is a confidence trick in which the victim is persuaded to advance
sums of money in the hope of realizing a future benefit. Current versions of this scam
used against consumers include getting advance payments from victims for credit
repair, employment opportunities, mortgage modification, debt consolidation, and for
obtaining a loan. For businesses, the fraudsters promise business loans and credit lines,
contacts with foreign buyers, introductions to decision makers, inside information on
projects and bids, etc. Fraudsters often use official-sounding corporate names to help
gain the confidence of the victim. Once the fees are paid, the fraudster absconds with
the money and no services are performed.
Bankruptcy Fraud
One classic example of bankruptcy fraud is the “bust out. This scheme starts with the
criminals creating a corporation and a great sales pitch. The criminals bring in investors
and secure loans for the new business. The criminals use all the funds to pay them-
selves, and to pay for lavish business trips for the founders. When they have pulled all of
the money out of the company, they file for bankruptcy, leaving the creditors and equity
investors with the losses.
It is also common for individuals and business that are going through a legitimate
bankruptcy to commit bankruptcy fraud. This can be done by hiding assets from
creditors and the bankruptcy court. I’ve always found it interesting that a bankruptcy
debtor can remember every debt they have, even that they borrowed two dollars from a
college friend to buy a beer, but they can’t remember what happened to their assets. In
one case an individual claimed to have misplaced $500,000 in gold coins that were
collateral for a loan and couldn’t find them. The amazing thing was she never reported
the loss to her insurance company or filed a claim for the missing coins.
In addition to transferring assets, another scam used to protect assets is to file
fraudulent liens on the property. Related entities and shell companies can also be used
to file fraudulent liens. This is commonly done with real property and registered
personal property. The fraudulent liens are filed in the name of friends or relatives, but
no loan took place. The liens are put in place to eliminate any equity in the property.
Obtain proof of a transfer of funds for any liens from friends, related entities, and
relatives.
The bankruptcy courts can be used by criminals to forestall a foreclosure on real
property. This was fairly common after the real estate bust. When a house is in
foreclosure, it is put up for sale at an auction on the courthouse steps. The fraudster
goes to the bankruptcy court to find an individual who is in bankruptcy. This is easy to
do since all bankruptcy court records are a matter of public record. Once they get the
name and case number of the victim, a day or two before the foreclosure sale the
fraudster files a quit claim deed with the county recorder to make the bankruptcy
debtor a one percent owner of the real property. This triggers the automatic stay, and
the property can’t be sold without the permission of the bankruptcy court. The lender
has to schedule a debtor’s hearing with the court. The debtor testifies they know
nothing about the property, do not have and never had an interest in the property, and
also note they never signed the quit claim deed. The creditor then gets to start the
foreclosure over again, and a day or two before the foreclosure sale another quit claim
deed is filed, giving a one percent interest in the property to a different bankruptcy
debtor.
¶ 807
¶ 808 IDENTITY THEFT

Identity theft is a crime that 20 years ago was hardly a concern for businesses or
individuals; however, today it is one of the most recognized crimes in the United States.
This does not imply that identity theft did not occur 20 years ago. Instead, the effects on
the victims were less noticeable. People in the 18th century coming to America from
Europe could use the identity of a person still in Europe with little or no effect on that
person. Even during the 19th century, it was common for someone in the United States
to move west and assume a new identity to escape criminal charges or creditors.
Indeed, until the passage of the Social Security Act in 1935 and the issuing of Social
Security numbers, a person’s identifying information consisted mostly of his or her
name and face. Even as late as the 1960s and 1970s, if you wanted to check a person’s
credit, you had to call all of his or her creditors individually, and you had to trust that
person had provided you with a complete list.
Over the years, identity theft has become a more profitable crime. This is because
in the modern economy, businesses offer goods and services on credit to strangers
based on the data in the buyer’s credit history. With telecommunications and Internet
technology, buyers and sellers do not need to meet in person to consummate their
transaction. The Internet has made access to information almost instantaneous. In-
creased access to data on the Internet has provided identity thieves easier access to an
individual’s personal information from both inside and outside the United States.
Identity thieves can use the Internet as a means to gather an individual’s identification
without ever coming into personal contact with the individual.
Identity theft is broadly defined as the use of one person’s identity or personally
identifying information by another person without his or her permission. Identity theft
is a type of fraud and can be committed against an individual or an organization. Fraud
is defined as making a false statement, omission, or action that someone else relies
upon and based on that reliance gives up something of value. By using false information
to obtain items of value, identity thieves are committing fraud.
The federal criminal definition of identity theft is when someone “knowingly

transfers, possesses, or uses, without lawful authority, a means of identification of
another person with the intent to commit, or to aid or abet, or in connection with, any
unlawful activity that constitutes a violation of federal law, or that constitutes a felony
under any applicable state or local law.44
Until 1996, identity theft was not recognized as a crime at the state level. Arizona
was the first state in the United States to pass laws against identity theft. Arizona made
taking the identity of another person or entity or knowingly accepting the identity of
another person a class 4 felony.45 Aggravated identity theft of another person or entity is
classified as a class 3 felony.46 Aggravated identity theft includes taking the identity of
three or more persons by purchasing, manufacturing, or possessing any identifying
information or where the economic loss from the identity theft exceeds $3000. Arizona
also identifies trafficking in the identity of another person or entity as a class 2 felony.47
Trafficking in the identity of another person or entity includes any sale, transfer, or
transmission of any personal identifying information to obtain or continue employment
or for any unlawful purpose whether or not an actual loss is suffered by the victim.
Other states have followed Arizona’s lead by adopting laws criminalizing identity theft.
44 46
18 USC § 1028(a)(7). Arizona Revised Statutes § 13-2009.
45 47
Arizona Revised Statutes § 13-2008. Arizona Revised Statutes § 13-1010.
¶ 808
Because identity theft is changing by adapting to new technology and thieves are
finding new ways to obtain identifying information and new ways to benefit from its
fraudulent use, state laws have not kept up with the changes in the methods used to
commit identity theft.
Identity theft has become a major problem on both national and international
levels. On May 10, 2006, President Bush issued Executive Order 13402, which estab-
lished the Identity Theft Task Force. Seventeen federal agencies and departments were
appointed to create a national strategy to combat identity theft.
To cushion businesses from the effects of identity theft, the Federal Trade Com-
mission has taken several steps. For example, in 2008, the Federal Trade Commission
adopted the “Red Flags Rule, which requires organizations identified in the rule to
develop and implement written identity theft protection programs. The Red Flags Rule
applies to all businesses that allow a consumer to pay for a product or service after the
product has been received or the service is performed.
Criminal Identity Theft

Many of us are aware of the issues with financial identity theft; which occurs when
someone misappropriates your personal information to open new accounts or uses your
existing accounts to make purchases. A new type of identity theft is spreading across
the country, and it can be even more damaging than having a criminal destroy your
credit rating. This new type of identity theft is known as criminal identity theft.
The typical pattern for criminal identity theft is for the criminal to first misappropri-
ate your Social Security number and personal information. There are various ways to do
this, including data breaches, mail fraud, phishing, vishing, etc. Once they have your
personal information they use your name and Social Security number to set up a shell
company, which is usually an LLC because it is the easiest to set up. The paperwork for
the shell company will be filed with the state, but there are no operations nor is there
any real business being conducted. After they have the shell company approved, they
open a bank account, with you as the principal, again using your Social Security
number, as the sole owner of the LLC. The address for the shell company will usually
be a box at a mailbox store that was rented in the victim’s name, usually paid with cash
in advance.
In setting up the shell company and bank accounts, it is sometimes necessary to
have documents notarized. To accomplish this, the criminal orders fake notary seals
because they know the notary’s credentials will rarely be challenged. Just to prove how
easy it is to get a fake notary seal, I ordered one for “I’m A Crook, which cost me $25
and expires in 2020. So if I were a criminal, I could use that to notarize documents. As
long as the criminals are willing to pay the fees, they can get as many notary stamps as
they want.
Once the shell company and bank accounts are set up, the fraudsters get to work
cashing stolen checks and processing transactions from stolen credit cards in the shell
company’s bank accounts. In one case in Houston, Texas, the fraudster was able to cash
over $5 million in stolen checks in this type of a fraud scheme. Once the funds are
available in the accounts, the criminals immediately wire the money out of the accounts,
usually on the very same day the funds were released. The funds are usually sent to
overseas bank accounts to make it more difficult to trace. The money is then laundered
and put back into the economy.
This situation works well for the thieves because when law enforcement is advised
of the fraudulent and stolen checks, and the multiple transactions being processed on
stolen credit cards, they launch an investigation into the accounts where these funds
were deposited, and this leads them to the shell company. Since the identity theft
¶ 808
victim’s name and Social Security number are listed on the shell company and bank
account, that person becomes the prime suspect for law enforcement investigating the
stolen funds. Usually, the victims of criminal identity theft don’t know they have a
problem until law enforcement officers show up at their home or place of business with
an arrest warrant and a search warrant. This puts you in a difficult position because you
get to do a perp walk and spend time being interrogated by law enforcement, who
usually don’t believe it when you tell them you are innocent. You have to give them
proof you didn’t do it.
As you can see, criminal identity theft can cause a person serious embarrassment
and cost a significant amount in legal fees to clear their name. Unfortunately, using a
credit monitoring service usually won’t alert you that you are a victim of criminal
identity theft. In addition to reviewing your credit report on a regular basis, it is also
necessary to run a background check on yourself to find out if you are listed as an
owner or statutory agent on any businesses you don’t recognize, and to find out if there
are any warrants out for you or if any litigation has been started listing you as a plaintiff.
Running a regular Google or other search on your name can also be helpful in detecting
criminal identity theft. Unfortunately, just like with financial identity theft, there is no
way to guarantee you won’t be a victim, so you need to take proactive steps to protect
your personal information and carry identity theft insurance to cover the expenses of
clearing your name.
STUDY QUESTION
12. Which of the following types of fraud involves opening bank accounts using false
information?
a. Cash drawer loans
b. Skimming
c. Criminal identity theft
d. Refund fraud
Sockpuppets
Is your personal information safe on your social media sites? Unfortunately, many
people will accept any friend requests they receive, putting them at greater risk for
identity theft. In the increasingly active world of identity theft, criminals have to find
ways to gather information on their victims. One common way of gathering information
is to set up fake social media accounts, known as sockpuppets, and use the fake
accounts to “friend people. Obviously, the criminals don’t want to use their real names
or social media accounts because these would be easy to trace in an identity theft
investigation.
The criminals start by getting fake personal information on websites like
fakenamegenerator.com. This website produces a fake name, address, birthdate, phone
number, mother’s maiden name, etc. It also gives you the opportunity to validate the
fake Social Security number you help generate. To further backstop the fake identity,
the criminal is provided with an email address, employment information, height, weight,
blood type, and a credit card number with an expiration date and CVV number.
Once the criminals have the fictitious identity information, they open accounts on
social media websites, dating websites, etc., in order to gather information. They send
out multitudes of friend requests to everyone they can find on the sites. Similar to a
¶ 808
phishing email, they are hoping you will accept their friend request. Once you accept,
they have access to your information and the information of your other friends.
To protect yourself, take a little extra time to look at the profile of the person
sending you a friend request, unless of course you know them already. To spot a
sockpuppet, look for few, if any, postings; few pictures; only one or two employers; no
group membership; one or two schools; one or two addresses; etc. Another giveaway is
few, if any, recommendations. Usually, the criminals don’t take the time to fully develop
the sockpuppet profile. There could be major gaps in their employment history or their
profile shows they have worked for 20+ years in the same entry-level job.
Medical Identity Theft

Medical identity theft occurs when the fraudster uses the medical insurance of the
victim. Most victims fail to notice this type of identity theft because the bills are sent to
the insurance company and the provider of the medical services has been given a false
address for sending bills to the fraudster. This type of identity theft can cause far
greater harm than just the increased insurance premiums. In today’s computerized
world, your medical records are becoming digitized and available to various providers of
medical services. A doctor or hospital could provide the incorrect treatment or refuse
treatment based on false information in your medical records. Some of the signs of
medical identity theft include: items on your explanation of benefits (EOB) that you do
not recognize, including procedures and doctors; a bill for medical services you did not
receive; and calls from collection companies for unrecognized medical bills.
Medical identity theft can occur in a number of ways. The most basic is an identity
thief using your medical ID number to receive medical services while avoiding paying
for the services, usually because they can’t afford to purchase their own insurance.
Another form of medical identity theft occurs when criminals set up fake doctor’s offices
or pharmacies and then bill the insurance companies for products and services that
were never provided. The other common type of medical identity theft is drug addicts
using your medical ID number to obtain prescription drugs. Some drug dealers have
even been caught doing this and then selling the drugs on the street.
One issue with medical identity theft is that under current law, many victims do not
have the right to review their medical files or correct errors in the files. HIPAA rules
make it difficult for individuals to discuss their medical information and find errors.
Also, victims of medical identity theft do not have the legal right to prevent health-care
providers, insurance companies, and medical clearinghouses from re-reporting any
information that was originally reported due to the identity theft. With medical identity
theft, the criminal doesn’t need your Social Security number. Your medical ID number,
date of birth, and address are usually enough information to commit the crime.
The Ponemon Institute, in its Fifth Annual Survey on Medical Identity Theft,48
reported that the average cost to clear up an issue of medical identity theft is $13,500.
NBC News reported instances of medical identity theft in 2014 exceeded 2.3 million
victims.49 Since the passage of the Affordable Care Act, there has been an increase in
medical identity theft. The most common way for criminals to obtain your health
insurance information is by hacking government computers, insurance company com-
puters, hospital computers, pharmacy computers, and computers in doctors’ and other
provider’s offices.
48 http://medidfraud.org/wp-content/ 49 http://www.nbcnews.com/tech/security/sto-
uploads/2015/02/2014_Medical_ID_Theft_Study1.pdflen-identity-2-3-million-americans-suffer-medical-
id-theft-n311006
¶ 808
In addition to the financial costs, the costs of medical identity theft could be life-
threatening. Cases of individuals being administered drugs that they were allergic to
and even being given the wrong blood type in emergency situations have resulted in
death because the wrong information was entered into the computer when the identity
thief used their medical ID and the hospital relied on the medical records in the
computer. In another case, a woman used a stolen medical ID to cover the costs of the
birth of her child. The identity thief’s drug test came back as positive for illegal drugs,
so child protective services removed the victim’s children from her care because she
was a drug addict. The victim then had to go to court to get her children back.
Insurance Identity Theft

Medical insurance is not the only type of insurance stolen by fraudsters. Individuals
who are uninsurable or who would otherwise pay extremely high insurance premiums
use insurance identity theft as a means of obtaining insurance. A good example of this is
auto insurance. An individual with multiple DUIs who cannot obtain insurance
purchases car insurance in the name of the victim. The fraudster usually purchases the
minimum required by state law to avoid being arrested if he or she is pulled over for
another traffic offense, as all states require drivers to carry insurance. This type of
insurance fraud not only hurts the victim whose identity was stolen, and who usually
finds out about the crime when they are sued for an accident in which they were not
involved, but also harms the victims in the accident who find out there is no insurance
to cover their losses.
Another type of insurance identity theft is committed against life insurance compa-
nies. The fraudster assumes the identity of the beneficiary of a life insurance policy
owned by the victim. The fraudster files a fraudulent death certificate with the insurance
company along with obituaries from the Internet to document the victim’s death. The
insurance company pays the beneficiary the proceeds of the policy. Victims don’t find
out until they see their own death reported on a credit report, or until they are arrested
for using the credit cards of a “deceased individual. This type of fraud scheme usually
involves an employee of the insurance company.
Child Identity Theft

Child identity theft occurs when the fraudster steals the identity of a person under legal
age. The most common type of identity theft affecting children is the use of a child’s
identity to obtain loans and credit cards. Surprisingly, family members who misman-
aged their own credit are usually the perpetrators in the theft of a child’s identity. Often,
a child doesn’t find out about his or her identity being stolen until he or she applies for
student loans or attempts to get a job.
In one case the fraud was exposed when the child was ready to go to college. She
filled out her Free Application for Federal Student Aid (FAFSA) information and was
denied her scholarship and student loans because of charged-off accounts on her credit
report. While investigating the fraud, it became apparent that the person who stole her
identity was her aunt. She was able to obtain the child’s Social Security number from
her mother by telling her she wanted to buy a U.S. Savings Bond for the child, who was
12 at the time, and that the bank required the child’s Social Security number to record it
on the bond.
The general public has several misconceptions about the difficulty of committing
child identity theft. People often assume that creditors verify the date of birth and/or
age of credit applicants. Usually, this information is taken at face value based on what
was entered on the credit application. Another misconception is that the credit reporting
agency will know that the Social Security number belongs to a minor. Unfortunately, the
¶ 808
birth date in the credit bureau’s file becomes official when the first request for a credit
report is sent to the credit bureau.
Professional Identity Theft

Professional identity theft occurs when the fraudster steals the professional identity of
another person. Because professional licenses and license numbers are a matter of
public record, it is relatively easy to commit this type of identity theft. An example is a
fraudster who cannot obtain a PTIN to file tax returns assuming the identity of a CPA
and preparing fraudulent tax returns using the PTIN obtained with the CPA’s license
number. Another common type of professional identity fraud is known as “notario
fraud. This type of professional identity fraud occurs when an individual uses the
identity of a real attorney, to pose as an attorney and collect fees from victims under the
guise of assisting them with immigration issues. Physicians are a prime target for
professional identity theft because the criminals want to use physicians’ prescribing
power to obtain prescription drugs for illegal use or to sell on the street. We have seen
individuals steal professional licensing information to pose as nurses, law enforcement
officers, teachers, day care workers, etc. In some of the worst cases, pedophiles steal
the identities of teachers so they can get hired to work in schools with young children.
Business Identity Theft

With business identity theft, the fraudsters use the business name to obtain loans or
credit. Often, they send out invoices in the name of the business or skim checks and
deposit them into an account they control in the business name. Fraudsters who
commit business identity theft are usually insiders, current or former employees with
access to the business’ financial information. Another type of business identity theft is to
spoof a website for a real business in order to get customers to enter their credit card
information for purchases. The victims never receive the products but find out that their
credit cards were charged to the limit within hours of their supplying their information
on the website.
STUDY QUESTION
13. A situation in which a fraudster uses the professional license of another person is
considered:
a. Business identity theft
b. Financial identity theft
c. Professional identity theft
d. Employment identity theft
¶ 809 TAX FRAUDS

There are numerous types of tax frauds available to criminals willing to break the law.
Some of the more common types include income tax fraud, sales and use tax fraud,
excise tax fraud, payroll tax fraud, property tax fraud, and estate and gift tax fraud.
Income tax fraud is unfortunately fairly common. It is usually done in conjunction
with financial statement fraud. When most people first think of financial statement
fraud, they think of large companies like Enron and WorldCom, and individuals like
Bernie Madoff, who cooked the books to increase revenue and/or decrease expenses to
make the company look more profitable and drive up the stock price. It should be noted
that the vast number of financial statement frauds in the United States work in the
¶ 809
opposite direction. Small and midsized businesses reduce revenue and inflate expenses
in order to make the company look less profitable, thereby reducing the tax burden on
the business owners. This is particularly common for sole proprietorships and pass-
through entities. The ultimate goal is to reduce the income and sales taxes paid by the
owners to allow them to keep more money in their pockets. Business owners do this by
skimming revenue out of the business. They might even offer customers discounts for
paying in cash so they don’t have to record the transaction on the books or deposit the
funds in a bank, which leaves a paper trail. Business owners can also record personal
expenses as business expenses to reduce the taxable income of the business. The new
big-screen TV for the house is recorded as a computer monitor for the business, or the
family vacation is recorded as a business trip.
Not recording sales in the accounting system also allows the business owner to
avoid paying sales and use taxes on those transactions. Business owners can also
misuse their sales tax exemption certificates, which allow the business to avoid paying
sales taxes on items the business purchases for resale in the business, to make personal
purchases. The most common place I have seen this done is in restaurants, where the
owners purchase the family groceries at a restaurant supply store and use the busi-
ness’s sales tax exemption certificate to avoid paying sales taxes on those purchases.
Many businesses make purchases on the Internet or from out of state and fail to report
and pay the use taxes on those transactions. The recent Wayfair decision by the
Supreme Court that overturned the previous Quill decision will probably make it harder
to avoid paying sales and use taxes on Internet and out-of-state purchases.
Business owners have been known to borrow money from payroll withholdings,
including an employee’s payroll tax withholdings, 401(4) withholdings, or other items
withheld from the employee’s paycheck. These monies are often used to fund opera-
tions or to pay the owners. Businesses sometimes misclassify employees as indepen-
dent contractors in order to avoid paying the business’s half of the employees’ payroll
taxes.
Additionally, failure to report tips, or to under-report tips, is another type of tax
fraud. Employees believe it is harmless and that they have a low chance of getting
caught. Historically that may have been correct, but with data analytics software, it is
possible to compare tips by employee, that were paid by credit card or check, to
transactions paid in cash. If there is a material discrepancy, the taxing authority can
access taxes on those tips as under-reported income. The IRS can also assess the
business for failure to collect and remit payroll taxes on the tips.
Tax Refund Identity Fraud

Tax refund identity fraud, which is also known as stolen identity refund fraud, occurs
when a criminal uses an individual’s personal information to submit fraudulent informa-
tion to the Internal Revenue Service (IRS). There are multiple ways this can be done.
The most common type of tax return refund fraud involves obtaining the victim’s name,
address, and Social Security number and filing fraudulent tax returns in order to receive
refunds from the IRS. The income and other information submitted with the return is
usually made up by the criminals in order to maximize the refunds they receive,
including the earned income tax credit (EITC) and other refundable credits. Usually,
the victims find out about this type of identity theft when they go to file their tax returns
and the IRS kicks them back saying they already filed a return that year.
Another type of identity fraud involving taxes is when the criminal uses the victim’s
information to obtain employment. Usually, the fraudster is in the country illegally and
cannot obtain employment using their own information. The employers submit W-2s
and 1099s to the IRS for the money paid to employees and independent contractors and,
¶ 809
of course, the victims do not report this on their returns. Usually, the victims find out
they are a victim of this type of tax fraud when they receive an audit letter from the IRS
indicating they failed to include income on their tax returns.
STUDY QUESTION
14. Which of the following types of identity theft usually involves tax refunds?
a. Stolen identity refund fraud
b. Medical identity theft
c. Government benefits fraud
d. Identity cloning
¶ 810 OTHER FRAUDS

Unemployment Fraud
Many businesses don’t consider unemployment fraud to be a major issue. This is
because the government makes the unemployment payments to the terminated employ-
ees. There is, however, a cost to the business in increased FUTA and SUTA payments.
Unemployment fraud occurs when employees receive payments they are not entitled to.
A common scheme is for an employee who is collecting unemployment to continue to
file for and collect unemployment benefits after they have started a new job. This is
especially common for individuals who decide to take a shot at self-employment. Other
unemployment frauds include falsifying the reason for termination. An employee who
was fired for cause or who quit claims they were laid off or terminated through no fault
of their own in order to collect unemployment checks. Misstating benefit year earnings
can also be done in order to increase the amount received in unemployment benefits.
This can just as easily work the other way with an employer laying off an employee and
then claiming they quit in order to avoid the unemployment claims. Employers have
also under-reported base year earnings for terminated employees in order to reduce
their premium costs.
Worker’s Compensation Fraud

Worker’s compensation fraud is a major issue for businesses in the United States. The
National Insurance Crime Bureau estimates the costs of worker’s compensation fraud in
the United States to be approximately $7.2 billion per year.50 Many workers have been
caught exaggerating or faking injuries in order to collect worker’s compensation
benefits. Workers who were in too much pain to spend eight hours at work have been
videoed playing sports, running marathons, and riding jet skis. One worker who was in
so much pain he couldn’t get out of bed was recorded carrying 100-pound rolls of tar
paper up a ladder to the roof of his house that he was repairing while receiving worker’s
compensation benefits. Even companies that have good safety records can be victims of
worker’s compensation fraud. The cost to companies is indirect as a result of higher
insurance premiums, but one company in southern California was able to reduce its
worker’s compensation insurance premiums by $1.3 million a year by investigating and
putting a stop to this type of insurance fraud.
50 http://quickbooks.intuit.com/r/trends-stats/
fraud-statistics-every-business-should-know/
¶ 810
Charity Frauds
Fraudsters set up fake websites for nonexistent charities and then spam for victims.
Stories of victims of the California wildfires, Hurricane Katrina, and other natural
disasters are posted on the website to get people to donate to help the victims. Once the
money is received, the fraudsters take the money and none of it ever gets to the victims
of the national disaster.
Lottery or Contest Frauds

Lottery frauds are perpetrated by sending the victim an e-mail, which is usually spam or
spoofed, informing the victim that he or she has won a large sum of money in a lottery.
The victim is told that the lottery commission needs personal information to verify the
funds are being sent to the correct winner. Usually, the fraudsters will also indicate that
tax payments are due on the winnings and the personal information is needed to
complete the appropriate tax forms. Once the victim provides personal information, his
or her identity is stolen and used by the fraudsters. Should the victim provide bank
account information, so that the winnings could be sent to the victim, the victim will find
that the fraudsters have cleaned out his or her bank account.
Corporate Prize Scam

The corporate prize scam works similarly to the lottery scam, with the prize coming
from a corporation or source other than a lottery. Often, fraudsters will claim that the
victim’s e-mail address was selected to receive a prize and will ask for the victim’s
personal information to verify the identity of the winner, or to complete tax forms on the
prize won. A common corporate prize scam involves telling the victim Bill Gates set up a
prize pool and Microsoft is giving money away. Another one in 2017 indicated Steve
Jobs wanted to give away his fortune from Apple. Sometimes it’s amazing what people
will believe. One victim was told she was the winner of the worldwide e-mail lottery and
that her e-mail had been picked out of all of the e-mails in the world to win the grand
prize.
Fake Dating Profiles

In one version of this type of fraud, the criminals prey on lonely individuals posing as
“supermodel potential boyfriends or girlfriends from outside the United States. They
then ask for money to help them clear passport issues in their home country, so they
can come to America and marry the “love of their life. Often, the photos posted on the
Internet dating website bear no resemblance to the person with whom the victim is
communicating. In another version of this scheme, the fraudster indicates that he or
she is starting a business and asks the victim to buy items and have them shipped to the
victim’s home with subsequent forwarding to the fraudster. The fraudster explains that
the items cannot be shipped to his or her company commercially. Once the victim
agrees, the fraudster then uses stolen credit cards (from other victims) to purchase
items that are shipped to the victim’s home. The victim usually finds out they have been
victimized when the police show up at their home with a warrant to search for items
purchased with stolen credit cards.
Online dating profiles are also used to gather information about individuals in order
to commit identity theft. The criminals will claim they want to get to know you, so they
want to exchange personal information, such as your mother’s maiden name, your high
school mascot, your father’s middle name, where you attended grade school, etc. This
information can then be used to answer typical security questions at financial institu-
tions (and other websites) to verify your identity if you have forgotten your password.
¶ 810
The fraudsters freely provide answers on themselves for the same questions, but of
course, their answers are all pure fiction.
Government Documents Fraud

In this type of identity theft, the fraudster obtains government documents such as a
driver’s license, Medicare card, Social Security card, or other document. The docu-
ments will have the name of the victim, but usually have the fraudster’s photo. These
documents are then used to obtain employment or government benefits.
Employment Fraud
In this type of fraud, the fraudster uses the name and Social Security number of the
victim to obtain employment. This is often done because the perpetrator of the fraud is
in the country illegally and needs legitimate documentation to obtain employment. In
1986, Congress enacted the Immigration Reform and Control Act of 1986. The act
prohibits employers from hiring individuals who are in the country illegally and
requires that employers verify individuals’ identity and eligibility to work in the United
States prior to presenting an employment offer.51
Resume Fraud
Fraudsters are able to get away with resume fraud because many organizations do not
do a thorough background check on new hires. Fraudsters who are committing resume
fraud list unearned college degrees and professional certifications on their resume to
make them look better to the prospective employer. They might also list exaggerated
titles or positions they never held. I asked one individual I caught doing this why he did
it, and he replied, “Nobody would be willing to pay me what I want to make if I told the
truth.
Fraudulent Recruiter Scam

Fraudsters retrieve the victim’s contact information from his or her online resume and
send e-mails posing as recruiters. The victim receives an e-mail of usually one to three
paragraphs explaining how the recruiter found the victim’s resume on the Internet and
that he or she would be a perfect fit for several high-paying jobs the recruiter has
available with large national or international companies. The message is usually signed
by an individual with an impressive title, such as Vice-President of Global Recruiting or
Senior Vice-President of National Recruiting. The e-mail contains a link to the re-
cruiter’s website, and this is the only method in the e-mail for contacting the recruiter.
When the victim clicks on the link and goes to the site, the website attempts to
download malicious software (spyware, Trojans, and/or bots) onto the victim’s com-
puter. Once on the site, the victim is presented with an application to complete that
requests personal information such as date of birth, Social Security number, driver’s
license number, and mother’s maiden name. This information is used to steal the
victim’s identity.
Fraudulent Employment Scam

The fraudsters get the victim’s name and contact information from the posted resume
and e-mails what appears to be a legitimate offer of employment. The e-mail is usually
sent from “the HR Department and usually does not contain a company name. The e-
mail usually discusses a good salary and benefits package without specifying a position.
51 Harper, J. (2012). Internal enforcement, e-
verify, and the road to a national ID. CATO Jour-

nal, 32(1), 125–137.
¶ 810
The e-mail will indicate that a formal offer can only be made once the paperwork is filled
out and the right to work in the United States has been verified. The fraudster attaches
a link to a W-4 and I-9 form, and sometimes a benefit form requesting names and Social
Security numbers of the victim’s spouse and dependents, to the e-mail asking the victim
to complete the forms online. The government forms provide a sense of legitimacy, so
the victim completes and returns the forms. The forms provide the fraudster with the
information necessary to steal the victim’s identity.
Internet Auction and Fake Retail Schemes

Fraudsters place items up for auction that do not exist, and once the victim pays for the
item, he or she never receives the purchase. Also, when victims will not pay in advance,
the fraudsters use stolen credit cards to purchase the items from a legitimate store and
ship the stolen items to the victim who now pays.
A variant of this fraud scheme is used to scam people attempting to sell a used car
by themselves by placing an ad for the car on the Internet or in a local paper. The
criminals show up, usually on the weekend, with a fake cashier’s check for the full
asking price for the car. They give the victim the fake check and transfer the title to the
car. By the time the victim finds out the check bounced and is worthless, the criminals
have transferred the title to the car multiple times and finally to a third-party buyer who
was unaware of the fraud. Since the current owner is was unaware of the fraud, the
victim can’t repossess the car but must instead sue the person who gave them the bad
check to recover their losses.
Long-Lost Relative
In this scam, the fraudsters pose as a barrister from England or another country and
claim the victim is the sole surviving relative of their deceased client. They will tell the
victim that he or she is inheriting a large sum of money as the only surviving heir of a
rich relative. Usually the claim that follows is that the estate taxes need to be paid
before the victim can receive his or her large inheritance. Once the victim sends money
or bank account information, the victim’s funds are promptly stolen from the account.
¶ 811 GOVERNMENT-SPECIFIC FRAUDS

Medicare Fraud
The National Health Care Anti-Fraud Association estimates healthcare fraud costs the
U.S. government between $68 billion and $230 billion per year. In 2015, the Department
of Justice filed claims under the Federal False Claims Act and recovered $1.9 billion that
was fraudulently billed to Medicare and Medicaid.52 Billing fraud occurs when doctors
and other medical providers bill for services that were not performed. In June 2015, the
Medicare Fraud Strike Force teams arrested 240 doctors, nurses, and other medical
professionals, charging them with billing $712 million for unnecessary services and for
services never performed.53
One large Medicare fraud involved the scooters that the elderly and disabled use
for mobility. Hoveround billed Medicare over $27 million for these mobility devices.
Many of them were never used. An audit of 200 recipients of Medicare-provided
scooters determined that 154 individuals who received the chairs were not eligible for
the chairs they received. Some scooter companies were enlisting seniors and paying
them a kickback to use their Medicare cards.
52 http://www.bcbsm.com/health-care-fraud/ 53 https://oig.hhs.gov/fraud/strike-force/
fraud-statistics.html
¶ 811
Social Security Fraud

In March 2015, the Inspector General reported there were 6.5 million people in the
United States getting Social Security who are over 112 years old.54 The inspector
general’s report said that between 2006 and 2011, individuals using nearly 67,000 Social
Security numbers generated $3.1 billion in tips, wages, and self-employment income.
Yet the employees’ or self-employed individuals’ names didn’t match the Social Security
number account-holders’ names. In one case, an individual opened bank accounts using
Social Security numbers for individuals born in 1869 and 1893. The Social Security’s
official database of active numbers indicated that both beneficiaries were alive—
meaning they would be older than 145 and 121 years, respectively.
¶ 812 NOT-FOR-PROFIT SPECIFIC FRAUDS

Netting
As its name implies, netting involves reporting as contribution income the net amount
left after conducting a special fundraising event. For example, if an organization incurs
$70,000 of costs in running a special event that brings in $190,000, the organization
limits its financial reporting to the $120,000 net proceeds—in essence showing $120,000
of contribution income with no offsetting costs. U.S. accounting rules were clarified in
the 1990s to drastically limit the instances in which this practice is acceptable (SFAS
Nos. 116 and 117). However, some organizations continue to do it rather than reporting
the total amount received as income and the costs of the event as fundraising and
management and general costs, as would normally be required. Netting results in lower
than actual fundraising and management and general costs, which artificially inflates the
program expense ratio.55
Overstating the Value of Non-Cash Gifts

Many charities receive non-cash contributions in the form of food, clothing, equipment,
supplies, vehicles, and other assets. Additional non-cash contributions may include rent-
free use of land or buildings and volunteer time. U.S. GAAP requires that most of these
contributions be recorded at fair market value (although certain types of contributed
services are not to be recorded at all). In most cases, this means recording income and
expense in equal amounts, based on the fair value of the contributed goods or services.
Most of the expenses are classified as program expenses since the donated items or
services are used in carrying out program activities. As a result, inflating the fair market
values of such contributions distorts the program expense ratio.56
¶ 813 MONEY LAUNDERING

Money laundering often coexists with fraud and other criminal activities because
criminals need to launder their illegally obtained funds to make them look legitimate. “A
definition of money laundering that covers both legal and illegal contexts is to take
money that comes from one source, hide that source, and make the funds available in
another setting so that the funds can be used without incurring legal restrictions or
penalties.57 Usually, the public associates money laundering with drug lords and
54 http:// 56 Zack, G. 2004. Identifying and Investigating
www.thefiscaltimes.com/2015/10/27/Here-s- Financial Reporting Fraud of Non-Profit Entities.

New-Plan-Crack-Down-Social-Security-Fraud Presented at the ACFE’s 15th Annual Fraud Con-
55 Zack, G. 2004. Identifying and Investigating ference, Las Vegas, NV; July 2004.
57 Crumbley, D. Larry; Heitger, Lester, Smith,
Financial Reporting Fraud of Non-Profit Entities.
Presented at the ACFE’s 15th Annual Fraud Con- G. Stevenson, Forensic and Investigative Account-
ference, Las Vegas, NV; July 2004. ing, 2nd ed., 2005, Chicago, CCH Incorporated.
¶ 813
prostitutes, professions that have traditionally relied on laundered funds. Recently,

money laundering has received a significant amount of press for the use of laundered
funds to sponsor and fund terrorist activities. One of the main uses of money laundering
is to avoid paying taxes on income; and since governments rely on tax income to
support their operations, they have a vested interest in preventing money laundering.
Recently, we have seen an increase in another use of money laundering, the conversion
of funds provided by government grants, which are reserved for specific uses, to
general purpose funds of the recipient organization or individual. Also, government
officials who accept bribes (e.g., an Illinois governor who wanted to personally gain
from appointing a person to fill a vacant Senate seat), need to launder the funds before
they can be spent.
The U.S. Treasury Department estimates that there are $300 billion in illicit funds
being laundered on an annual basis.58 A majority of the illegal funds being generated are
from drug trafficking and fraud. The three basic steps for laundering money are:
1. Placement
2. Layering
3. Integration
Placement is the initial deposit of the funds into an account at a financial institution.
Layering is moving the funds through various businesses entities, such as trusts, LLCs,
not-for-profits, and corporations, and often through multiple countries to hide the
origins of the funds. Integration is moving the funds into a legitimate account controlled
by the money launderer to make the funds appear legitimate.
To help combat money laundering, the Department of the Treasury requires banks
and financial institutions to file a Currency Transaction Report (CTR) when they receive
or disburse cash in excess of $10,000 in one or more related transactions in a year.
Money service businesses are also required to file a Suspicious Activity Report (SAR),
and according to the Internal Revenue Service, “There are two different dollar thresh-
olds that require a SAR. They depend on the stage of discovery and the type of
transaction involved. A $2,000 threshold applies if a customer is conducting or attempt-
ing to conduct a transaction(s) that aggregates to $2,000 or more. A threshold of $5,000
applies for transactions identified by issuers of money orders or traveler’s checks from a
review of clearance records. These thresholds are known as the $2,000 front door/
$5,000 back door rule. The $2,000 front door transactions are face-to-face with the
customer. The $5,000 rule applies after the records have been processed at the issuer
level, thus the back door.59 Additionally, the IRS requires taxpayers to file Form 8300
for all cash transactions in excess of $10,000.
One tool of the trade for money launderers is correspondent banks. International
banking is comprised of a network of correspondent and respondent banks that allow
for the 24-hour transfer of cash to and from anywhere in the world. Each correspondent
bank can have relationships with thousands of other banks around the globe, and large
international banks can process over a trillion dollars in wire transfers a day. Correspon-
dent banking takes place when one bank provides services to another bank to transfer
funds, exchange currencies, and access investment services such as money market
accounts, overnight investment accounts, trading accounts, certificates of deposit, and
their computer software for making wire transfers and instant updates on customer
account balances. Another service provided by foreign respondent banks to their clients
through these correspondent-banking relationships is a payable-through account. Such
58 https://www.treasury.gov/resource-center/ 59 http://www.irs.gov/businesses/small/
terrorist-illicit-finance/Documents/ article/0,,id=154555,00.html
National%20Money%20Laundering%20Risk%20Assessment%20%E2%80%93%2006-12-2015.pdf
¶ 813
an account enables the respondent bank’s clients within the country where the bank is
registered to write checks that are drawn directly on the respondent bank’s correspon-
dent account in the United States, thus disguising the source of the funds.
Shell banks are usually high-risk banks that exist without any physical presence in
any legal jurisdiction. Often shell banks only exist on the Internet. Shell banks will have
a legal banking license in a specific country, but they are unlikely to have staff and may
be operated as part of another business or operated out of an individual’s personal
residence. Shell banks are not subjected to any scrutiny by local banking regulators in
the country they are licensed in. Shell banks should not be considered to be a branch
bank without a physical presence in the country.
Offshore banks are different than shell banks, although the characterization is not
mutually exclusive. An offshore banking license prevents the bank from transacting
banking activities with any citizens of the licensing country or transacting business
using the local currency. Offshore banking operations solely exist to conduct interna-
tional financial transactions.
STUDY QUESTION
15. Which of the following is one of the three steps of money laundering?
a. Layering
b. Opportunity
c. Conversion
d. Rationalization
¶ 814 CORRUPTION
Corruption occurs when individuals use their position in their company, with a not-for-
profit, or with a governmental entity for their own personal gain. Anyone in a position of
power can be tempted to cross the line. As the saying goes, “Power corrupts, and
absolute power corrupts absolutely. Corruption involves unethical behavior by those in
positions of power. It can be as simple as dishonesty or it can be an elaborate fraud
scheme. The basic tenet of corruption is that the individual is doing it for personal gain.
Corruption has been uncovered in politics, sports, academics, unions, governments, not-
for-profits, and businesses. According to the ACFE 2018 Report, the average cost of a
corruption scheme is around $250,000. You are also more likely to find corruption in
larger organizations, those with over 100 employees, than you are to find corruption in
smaller organizations. However, you shouldn’t assume that small organizations are free
from the risk of corruption. Instead, they just have a lower risk. Tips play a big role in
discovering corruption, with tips resulting in the detection of 50 percent of all corruption
schemes.
There are many forms of corruption. Petty corruption involves the exchange of
small gifts or the use of personal property or connections in exchange for favors, or for
speedy approvals from governments. Bribery is the paying or receiving of something of
value (it doesn’t have to be money) in exchange for preferential treatment or special
favors. Kickbacks and bid rigging are two examples of bribery. An illegal gratuity
occurs when someone provides a gift, or something of value, after favorable actions
have been completed. Unlike a bribe, an illegal gratuity isn’t usually arranged in
advance of the action, and you don’t have to prove an intent to influence the person who
received the gift.
¶ 814
Extortion and blackmail are other examples of corrupt behavior. This occurs when
someone is threatened with actions, such as violence against themselves or their loved
ones, or is threatened with the release or publication of information that could harm the
person’s reputation. Basically, if you don’t want something bad to happen to you or
someone you love, you better do as you are told.
Abuse of discretion occurs when an individual misuses their power or authority for
personal gain; for example, a board member who favors a vendor owned by a friend and
presses the company to select that vendor. Other abuses of authority include favoritism,
cronyism, and nepotism when people in positions of authority provide special treatment
or favors to friends, associates, or family members.
One type of corruption that is often overlooked is an undisclosed conflict of
interest. A conflict of interest impairs an individual’s ability to make a fair and impartial
decision. These conflicts usually result in the person acting to benefit themselves
instead of meeting their fiduciary responsibilities to the organization or individuals they
are representing.
Graft is the use of a political office, either an elected or appointed position, for
personal gain. Taking a position on a political issue in exchange for campaign contribu-
tions is one example of graft. Accepting an all-expenses-paid vacation in exchange for
voting a certain way is another example of graft.
Bid rigging is another type of corruption. Government entities and many large
companies put projects and product requests out for bid. The contract is supposed to go
to the company that provides the lowest price or bid while meeting the contract
requirements. Bid rigging occurs when somebody at the purchasing organization
provides information to one of the bidders to give them an inside track. This is done for
personal gain, and kickbacks are usually involved. With the inside information, the
criminals can adjust their bid to make sure they come in as the lowest bidder, usually
just barely beating the next lowest bid.
For corruption to occur, someone has to have the power to make or influence a
decision. They have to exercise that power to provide preferential treatment based on
their relationship, or on receiving something of value, and there has to be a beneficiary
of that preference.
Many people consider corruption to include a monetary payment, but money isn’t
the only thing that can be used to influence people. Debt forgiveness, loans, sexual
favors, access to decision makers, keeping secrets, and the free or discounted use of
assets are all examples of methods of payments used in corruption schemes.
¶ 815 FRAUD WRAP-UP

Once criminals commit fraud, they need to take steps to conceal the fraud in order to
avoid being caught. The ACFE Report describes the top eight methods for concealing
fraud as follows:
• 55 percent of the time fraudsters created fraudulent physical documents.
• 48 percent of the time fraudsters altered physical documents.
• 42 percent of the time fraudsters created fraudulent transactions in the account-
ing system.
• 34 percent of the time fraudsters altered transactions in the accounting system.
• 31 percent of the time fraudsters altered electronic documents or files.
• 30 percent of the time fraudsters destroyed physical documents.
• 29 percent of the time fraudsters created fraudulent documents or files.
• 27 percent of the time fraudsters created fraudulent journal entries.
¶ 815
Remember that multiple methods are used to conceal a fraud, because a criminal
has to cover all of the bases to avoid being caught. Only 3 percent of the discovered
fraud cases did not involve an attempt to conceal the crime.
The ACFE Report documented the primary ways fraud is detected in organizations.
They include the following:
• 40 percent of the time fraud is detected with tips.
• 15 percent of the time fraud is detected by internal auditors.
• 13 percent of the time fraud is detected by management reviews.
• 7 percent of the time fraud is accidently discovered.
• 6 percent of the time other detections methods discover fraud.
• 5 percent of the time fraud is detected by reconciling accounts.
• 4 percent of the time fraud is detected through documentation examinations.
• 4 percent of the time the external auditors detect fraud.
• 3 percent of the time fraud is detected through surveillance and monitoring.
• 2 percent of the time organizations are notified by law enforcement.
• 1 percent of the time IT controls detect fraud.
• 1 percent of the time the criminals confess.
Fraud is reported in the following ways:
• 53 percent of fraud reports come from employees
• 21 percent of fraud reports come from customers
• 14 percent of fraud reports are done anonymously
• 8 percent of the time fraud reports come from vendors
• 5 percent of the time fraud reports come from other sources
• 3 percent of the time fraud is reported by competitors
• 2 percent of the time fraud is discovered by shareholders or owners
STUDY QUESTION
16. According to the 2018 ACFE Report, which of the following is the most common
way to conceal a fraud?
a. Creating fraudulent transactions in the accounting system
b. Creating fraudulent journal entries
c. Destroying physical documents
d. Creating fraudulent physical documents
CPE NOTE: When you have completed your study and review of chapter 8, which
comprises Module 3, you may wish to take the Final Exam for this Module. Go to
¶ 815
165
¶ 10,100 Answers to Study Questions

¶ 10,101 MODULE 1—CHAPTER 1
1. a. Correct. This ASU did not relate to the reclassification of certain tax effects
from accumulated other comprehensive income. Instead, it relates to a practical
expedient with respect to land easements.
b. Incorrect. The amendments in this ASU are required to be adopted by all entities for
fiscal years beginning after December 15, 2018. It is also important to note that early
adoption is permitted.
c. Incorrect. This ASU did not relate to the reclassification of certain tax effects from
accumulated other comprehensive income. Instead, it relates to recognition and mea-
surement of financial assets and financial liabilities.
d. Incorrect. This ASU did not relate to the reclassification of certain tax effects from
accumulated other comprehensive income. Instead, it relates to Amendments to SEC
Paragraphs Pursuant to SEC Staff Accounting Bulletin No. 117 and SEC Release No.
33-9273.
2. a. Correct. This is not an area impacted by ASU 2018-03. Instead, an area

impacted by this ASU is forward contracts and purchased contracts.
b. Incorrect. Equity securities without a readily determinable fair value is an area
impacted by this ASU. This relates to both the discontinuation and adjustments related
to these types of financial instruments.
c. Incorrect. Presentation requirements for certain fair value option liabilities is an area
impacted by this ASU. The effective date for this ASU is the same as the effective date
for ASU 2016-01.
d. Incorrect. Transition guidance for equity securities without a readily determinable
fair value is an area impacted by this ASU. You should note that all entities may early
adopt these amendments for fiscal years beginning after December 15, 2017.
3. a. Incorrect. ASU 2018-06 did not make codification improvements to this ASC
Topic 280. This ASC topic relates to segment reporting.
b. Incorrect. ASU 2018-06 did not make codification improvements to this ASC Topic.
This ASC topic relates to revenue from contracts with customers. It was created
through the issuance of ASU 2014-09.
c. Incorrect. ASU 2018-06 did not make codification improvements to this ASC Topic.
This ASC topic relates to leases. It was created through the issuance of ASU 2016-02.
d. Correct. ASU 2018-06 did make codification improvements to this ASC
Topic. This ASC topic relates to financial services specifically around depository
and lending. The amendments are effective upon issuance.
4. a. Correct. In 2013, the FASB issued Proposed ASU for a new topic related to
Insurance Contracts (Topic 834). However, the feedback supported making
targeted improvements to the existing insurance accounting model instead.
b. Incorrect. ASU 2018-07 included improvements to nonemployee share-based pay-
ment accounting. Early adoption is permitted, but no earlier than an entity’s adoption
date of Topic 606.
¶ 10,101
c. Incorrect. ASU 2018-15 relates to the customer’s accounting for implementation

costs incurred in a cloud computing arrangement that is a service contract. It was
issued in August 2018.
d. Incorrect. ASU 2018-17 made targeted improvements to related party guidance for
variable interest entities. These improvements were primarily driven by the cost &
complexity in applying the VIE model.
5. a. Incorrect. ASU 2018-13 did not impact disclosure requirements with respect to
leases. Instead, ASU 2016-02 was the ASU that significantly changed the accounting and
disclosure requirements with respect to leases.
b. Incorrect. ASU 2018-13 did not impact disclosure requirements with respect to
revenue recognition. Instead, ASU 2014-09 was the ASU that significantly changed the
accounting and disclosure requirements with respect to revenue recognition.
c. Correct. This ASU was issued in August 2018 as a part of the Disclosure
Framework Project. It amends disclosure requirements using the concepts in
Chapter 8 and also removes and adds various disclosures.
d. Incorrect. ASU 2018-13 did not impact disclosure requirements with respect to
defined benefit plans. Instead, ASU 2018-14 made changes to the disclosure require-
ments with respect to defined benefit plans.
6. a. Incorrect. ASU 2018-17 did not include codification improvements to the account-
ing for credit losses on financial instruments. Instead, this ASU included targeted
improvements to related party guidance for variable interest entities.
b. Incorrect. ASU 2018-18 did not include codification improvements to the accounting
for credit losses on financial instruments. Instead, this ASU clarified the Interaction
between Topic 808 and Topic 606.
c. Correct. This ASU was issued in November 2018 and included amendments
to Topic 326. This Topic was created through the issuance of ASU 2016-13.
Specifically, this ASU established the CECL model which replaces the incurred
loss model.
d. Incorrect. ASU 2018-17 did not include codification improvements to the accounting
for credit losses on financial instruments. Instead, this ASU prescribed narrow-scope
improvements for lessors.

1. a. Incorrect. The amendments within ASU No. 2016-13 include amendments with
respect to assets measured at amortized costs. Specifically, the amendments in this ASU
require a financial asset (or a group of financial assets) measured at amortized cost
basis to be presented at the net amount expected to be collected.
b. Correct. The amendments within ASU No. 2016-13 do not include amend-
ments related to fair value hedges. The accounting for these items is included in
ASC 815.
c. Incorrect. The amendments within ASU No. 2016-13 include amendments with
respect to available-for-sale debt securities. Specifically, the amendments require that
credit losses relating to available-for-sale debt securities should be recorded through an
allowance for credit losses.
d. Incorrect. The amendments within ASU No. 2016-13 include amendments with
respect to purchased financial instruments with credit deterioration. Specifically, the
FASB concluded that the allowance for purchased assets with more than-insignificant
¶ 10,102
ANSWERS TO STUDY QUESTIONS - Module 1 - Chapter 2 167
credit deterioration since origination should be added to the purchase price upon
recognition of those assets (commonly referred to as the gross-up approach).
2. a. Correct. Financial assets measured at amortized costs are within the scope
of ASC 326-20. Also included in the scope is off balance-sheet credit exposures
not accounted for as insurance.
b. Incorrect. Available-for-sale debt securities is not included in the scope of ASC
326-20. Instead, these are within the scope of ASC 326-30.
c. Incorrect. Loans made to participants by defined contribution employee benefit
plans are not included in the scope of ASC 326-20. An additional item not included in the
scope of ASC 326-20 include promises to give (pledges receivable) of a not-for-profit
entity.
d. Incorrect. Policy loan receivables of an insurance entity are not included in the
scope of ASC 326-20. Additional items not included in the scope of ASC 326-20 include
loans and receivables between entities under common control.
3. a. Incorrect. If an entity estimates expected credit losses using a discounted cash

flow method, the entity should not discount expected cash flows using the weighted
average cost of capital. This is the rate that a company is expected to pay on average to
all its security holders to finance its assets.
b. Correct. If an entity estimates expected credit losses using a discounted cash
flow method, the entity should discount expected cash flows using the effective
interest rate. Furthermore, when a discounted cash flow method is applied, the
allowance for credit losses should reflect the difference between the amortized
cost basis and the present value of the expected cash flows.
c. Incorrect. If an entity estimates expected credit losses using a discounted cash flow
method, the entity should not discount expected cash flows using the LIBOR rate. This
is a benchmark rate that some of the world’s leading banks charge each other for short-
term loans.
d. Incorrect. If an entity estimates expected credit losses using a discounted cash flow
method, the entity should not discount expected cash flows using the cost of equity.
The cost of equity is the return (often expressed as a rate of return) a firm theoretically
pays to its equity investors (i.e., shareholders) to compensate for the risk they under-
take by investing their capital.
4. a. Incorrect. Entities are not allowed a practical expedient with respect to measur-
ing credit losses for purchased financial assets with credit deterioration.
b. Incorrect. Entities are not allowed a practical expedient with respect to measuring
credit losses for available-for-sale debt securities.
c. Correct. For collateral-dependent financial assets, an entity is permitted to
estimate credit losses on certain collateral-dependent financial assets as the
difference between the collateral’s fair value and the amortized cost basis of the
financial asset. However, entities are only allowed to use this practical expedient
if repayment is expected to be provided substantially through the operation or
sale of the collateral when the borrower is experiencing financial difficulty based
on the entity’s assessment as of the reporting date.
d. Incorrect. Entities are not allowed a practical expedient with respect to measuring
credit losses for held-to-maturity securities.
¶ 10,102
5. a. Incorrect. Purchase price is not required to be disclosed within the rollforward

schedule. Instead, an example of a required component in the rollforward schedule is
the beginning balance in the allowance for credit losses.
b. Correct. Write-offs charged against the allowance is required to be disclosed
within the rollforward schedule. Additionally, recoveries of amounts previously
written off should also be disclosed, if applicable.
c. Incorrect. Past-due status is not required to be disclosed within the rollforward
schedule. Instead, an example of a required component in the rollforward schedule is
the ending balance in the allowance for credit losses.
d. Incorrect. Par value of purchased financial assets is not required to be disclosed
within the rollforward schedule. Instead, an example of a required component in the
rollforward schedule is the current-period provision for expected credit losses.
6. a. Incorrect. Financing receivables are not within the scope of ASC 326-30. Instead,
these instruments are within the scope of ASC 326-20.
b. Incorrect. Reinsurance recoverables are not within the scope of ASC 326-30.
Instead, these instruments are within the scope of ASC 326-20.
c. Incorrect. Receivables that relate to repurchase agreements are not within the scope
of ASC 326-30. Instead, these instruments are within the scope of ASC 326-20.
d. Correct. The scope of the new amendments outlined within subtopic 30 are
applicable to all debt securities that are classified as available-for-sale securities
including loans that meet this definition. An available-for-sale security is a type
of investment that is not classified as either a trading security or as held-to-
maturity security.
7. a. Correct. This is one of the categories of financial statement disclosures for

available-for-sale debt securities. For certain of these disclosures requiring
presentation in tabular form, these should be disaggregated by those invest-
ments that have been in a continuous unrealized loss position for less than 12
months and those that have been in a continuous unrealized loss position for 12
months or longer.
b. Incorrect. Disclosures with respect to past-due status relate to assets measured at
amortized costs. Specifically, an entity is required to provide an aging analysis of the
amortized cost basis for financial assets that are past due as of the reporting date,
disaggregated by class of financing receivable and major security type.
c. Incorrect. Disclosures with respect to nonaccrual status relate to assets measured at
amortized costs. Entities are required to disclose nonaccrual policies, including the
policies for discontinuing accrual of interest, recording payments received on nonac-
crual assets (including the cost recovery method, cash basis method, or some combina-
tion of those methods), and resuming accrual of interest, if applicable.
d. Incorrect. Disclosures with respect to collateral-dependent financial assets relate to
assets measured at amortized costs. For a financial asset for which the repayment is
expected to be provided substantially through the operation or sale of the collateral and
the borrower is experiencing financial difficulty, an entity should the type of collateral
and a qualitative description of the extent to which collateral secures its collateral-
dependent financial assets.
¶ 10,102

1. a. Incorrect. ASU 2016-01 did not specifically impact not-for-profit entities. Instead,
this ASU addresses certain aspects of recognition, measurement, presentation, and
disclosure of financial instruments for all entities.
b. Incorrect. ASU 2016-04 did not specifically impact not-for-profit entities. Instead, this
ASU relates to the recognition of breakage for certain prepaid stored-value products (a
consensus of the Emerging Issues Task Force).
c. Incorrect. ASU 2016-07 did not specifically impact not-for-profit entities. Instead, this
ASU relates to simplifying the transition to the equity method of accounting.
d. Correct. ASU 2016-14 directly impacts not-for-profit entities. The FASB
added this project to its agenda to improve the current net asset classification
requirements and the information presented in financial statements and notes
about a not-for-profit entity’s liquidity, financial performance, and cash flows.
2. a. Incorrect. This is one of the five key areas identified that were impacted by this
ASU. An additional area identified is the operating measure information provided.
b. Correct. The reporting of income is not one of the five key areas identified that
were impacted by this ASU. Instead, the reporting of expenses is one of the key
areas noted.
c. Incorrect. This is one of the five key areas identified that were impacted by this
ASU. The FASB’s Not-for-Profit Advisory Committee (NAC) and other stakeholders
indicated that existing standards for financial statements of not-for-profits are sound but
could be improved to provide more useful information to donors, grantors, creditors,
and other users of financial statements.
d. Incorrect. This is one of the five key areas identified that were impacted by this
ASU. An additional area noted is the reporting of expenses.
3. a. Correct. FASB 117 was issued in 1993; the current not-for-profit organiza-
tion reporting requirements came from that guidance.
b. Incorrect. FASB 117 was issued in a year other than 1999.
c. Incorrect. Although the FASB started a project to review FASB 117 in 2011, the
guidance was issued prior to that year.
d. Incorrect. FASB 117 was issued well before ASU 2016-14 was issued in 2016.
4. a. Incorrect. Disclosures relating to liquidity information by sequencing assets

according to their nearness of cash and sequencing liabilities according to nearness to
maturity is not a new disclosure. It is an existing disclosure option.
b. Incorrect. Classifying assets and liabilities as current and noncurrent is not a new
disclosure option with respect to liquidity.
c. Correct. This is a new disclosure required as a result of the ASU. Additionally,
an entity is required to also disclose quantitative information that communicates
the availability of financial assets at the balance sheet date to meet cash needs
for general expenditures within one year of the balance sheet date.
d. Incorrect. Disclosing relevant information about liquidity in the notes to the
financial statements is an existing disclosure requirement, not a new one. One of the
reasons the FASB published the ASU was deficiencies in the transparency and utility of
information useful in assessing an entity’s liquidity.
¶ 10,103
5. a. Correct. Internal expenses include the direct conduct or direct supervision

of the strategic and tactical activities involved in generating investment return.
However, this excludes costs not associated with generating investment return,
such as administrative management, contracts, and pooled-fund administration.
b. Incorrect. Salaries of staff responsible for execution of investment strategy would be
included within those activities involved in generating investment return. However,
costs not associated with generating investment return are not included.
c. Incorrect. Travel costs for staff responsible for development of investment strategy
would be included within those activities involved in generating investment return.
Benefit costs for these staff would also be included.
d. Incorrect. Costs incurred for selecting and monitoring external managers would be
included within those activities involved in generating investment return. However, it’s
important to note that entities are no longer required to disclose components of netted
expenses.
6. a. Incorrect. IT expenses benefit various functions and generally would be allo-

cated. However, the ASU does not specifically note that the costs could be allocated to
M&G and investment expense.
b. Incorrect. CEO costs were not noted as being allocated to M&G and investment
expense. Instead, these costs could be allocated to program, fundraising, and M&G.
c. Incorrect. HR costs generally would be assigned all to M&G. It would not be
allocated to M&G and investment expense.
d. Correct. Expenses related to the CFO could be allocated to M&G and invest-
ment expense. Additionally, costs for IT benefits various functions and generally
would be allocated accordingly.

1. a. Incorrect. AS 3101 is effective for large accelerated filers at a date later than June
30, 2018.
b. Correct. The new standard was presented by the PCAOB in June 2018 and
was approved by the SEC in October 2018. The standard becomes effective as of
fiscal years ending on or after June 30, 2019, for large accelerated filers specific
to the requirements related to critical audit matters.
c. Incorrect. The standard is not effective December 15, 2019. It is effective for large
accelerated filers as of fiscal years ending on or after a different date.
d. Incorrect. This is the deadline for all other companies to which the requirement
applies; it is not the deadline for large accelerated filers.
2. a. Incorrect. A matter resulting from the audit of financial statements that has been
mitigated by management is not part of the definition of a CAM.
b. Incorrect. Although the words appear close, the standard indicates that a matter
that includes certain audit committee communications is not a CAM.
c. Correct. According to the standard, a CAM is defined as any matter arising
from the audit of the financial statements that has been communicated or was
required to be communicated to the audit committee; relates to accounts or
disclosures that are material to the financial statements; and involved especially
challenging, subjective, or complex auditor judgment.
¶ 10,104
d. Incorrect. A matter identified prior to the audit of the financial statement is not
considered part of the definition of a CAM.
3. a. Incorrect. The considerations for the first criterion of communication with the
audit committee do not include significant management discussions identified by the
auditor.
b. Correct. The considerations are: significant risks identified by the auditor;
certain matters regarding the company’s accounting policies, practices, and
estimates; significant unusual transactions; certain matters regarding the audi-
tor’s evaluation of the company’s relationships and transactions with related
parties; and other matters arising from the audit that are significant to the
oversight of the company’s financial reporting process.
c. Incorrect. Relationships with board members is not one of the considerations of the
criteria related to communication with the audit committee.
d. Incorrect. Considerations related to the company’s cyber risk management process
are not relevant to communication with the audit committee.
4. a. Correct. The standard lists six considerations: (1) the auditor’s assessment
of the risks of material misstatement, including significant risks; (2) the degree
of auditor judgment related to areas in the financial statements that involved the
application of significant judgment or estimation by management, including
estimates with significant measurement uncertainty; (3) the nature and timing of
significant unusual transactions and the extent of audit effort and judgment
related to these transactions; (4) the degree of auditor subjectivity in applying
audit procedures to address the matter or in evaluating the results of these
procedures; (5) the nature and extent of audit effort required to address the
matter, including the extent of specialized skill or knowledge needed or the
nature of consultations outside the engagement team regarding the matter; and
(6) the nature of audit evidence obtained regarding the matter.
b. Incorrect. The extent of audit effort related to normal transactions is not a consider-
ation related to matters that involved especially challenging, subjective, or complex
auditor judgment.
c. Incorrect. The auditor’s degree of objectivity is not among the considerations
relevant to the third criterion.
d. Incorrect. The time period evaluated is not among the six considerations listed in
the standard.
5. a. Correct. According to the standard, the disclosure requirements include:
describe the CAM, describe the principal considerations that led the auditor to
determine the matter is a CAM, describe how the CAM was included in the audit,
and refer to the relevant financial statement accounts or disclosures that related
to the CAM.
b. Incorrect. Identifying the person responsible for the CAM is not one of the CAM
disclosure requirements according to the standard.
c. Incorrect. The disclosure requirements do not require reference to the relevant
financial statement accounts or disclosures that do not relate to the CAM.
d. Incorrect. There is no requirement to reference who is responsible for mitigating
the CAM.
¶ 10,104
6. a. Incorrect. The PCAOB issued the standard on CAMs, not KAMs.

b. Incorrect. The SEC did not issue rules on KAMs.
c. Correct. The IIASB issued the standard that requires auditors to communi-
cate KAMs.
d. Incorrect. ISO is not the standard-setting body that issued KAM standards.

1. a. Incorrect. SAS 70 was the initial standard issued in April 1992 that was primarily
intended to cover service organizations for financial control purposes.
b. Correct. SSAE 18 superseded SSAE 16. SSAE 16 was the standard issued in
2010 and updated in 2011 to provide a broader application than SAS 70.
c. Incorrect. PCAOB AS 2 was the auditing standard issued by the PCAOB after the
Sarbanes-Oxley legislation to provide auditors with guidance on how to apply work to
attest to Sarbanes-Oxley.
d. Incorrect. PCAOB AS 5 was the auditing standard issued by the PCAOB that
replaced AS 2.
2. a. Incorrect. A SOC 2 report addresses more than simply the design of controls
surrounding the security, viability, processing integrity, confidentiality and privacy of
services. As such, this is not the correct answer.
b. Incorrect. A public-facing document that gives a high-level overview of information
in the SOC 2 report is called a SOC 3 report.
c. Correct. A SOC 1 Type II report addresses both the design and operating
effectiveness of controls over financial reporting services.
d. Incorrect. A SOC 2 Type II report addresses the design of and operating effective-
ness of controls around the security, availability, processing, integrity, confidentiality,
and privacy of services.
3. a. Correct. A SOC 2 Type II report addresses the design and operating

effectiveness of controls around the security, availability, processing, integrity,
confidentiality, and privacy of services.
b. Incorrect. A report that only addresses the design of controls surrounding the
security, viability, processing integrity, confidentiality, and privacy of services is a SOC
2 Type I report.
c. Incorrect. A report that addresses the design of controls around internal controls
over financial reporting is a SOC 1 Type I report.
d. Incorrect. A report that addresses the design and operating effectiveness over
internal control over financial reporting is a SOC 2 Type II report.
4. a. Correct. The privacy principle concept covers notice and communication of

objectives; choice and consent; collection of personal information; use, reten-
tion, and disposal; access; and quality.
b. Incorrect. The privacy principle concept does not address quantity of information,
availability of information, type of information, and authorization of personal
information.
c. Incorrect. The privacy principle concept does not cover collection of personal
information, quantity of information collected, authorization of personal information,
and availability of information.
¶ 10,105
d. Incorrect. The privacy principle does not cover the description of individuals
authorized to use information, availability of information retention, cloud storage, and
server storage.
5. a. Correct. Readiness assessments, while not required, are designed to help

service organizations assess their preparedness for a SOC engagement.
b. Incorrect. Although the performance of a readiness assessment will assist in moving
management toward a passing grade in a SOC engagement, the purpose is not to
ensure the organization will be able to receive a passing grade on a SOC engagement.
c. Incorrect. Although a readiness assessment will assist in the requirements of
documentation for a SOC engagement, this is not the purpose of the assessment.
d. Incorrect. The purpose of a readiness assessment is not specifically to prepare
management for what will be entailed in a SOC engagement.
6. a. Correct. Management commitments are promises made by management to

customers regarding the delivery of their service. Commitments are typically
documented within contracts.
b. Incorrect. Management commitments are not promises that the customer expects
to receive from the service he is receiving.
c. Incorrect. Management commitments are not just the promises explicitly outlined in
a formal document.
d. Incorrect. Management commitments are not those promises given by the user
organization to the service organization.

1. a. Correct. It is a distributed database that a group of individuals control by
storing and sharing information. Furthermore, it is a data structure that creates
a digital ledger of data that can be shared in a network of independent third-party
participants.
b. Incorrect. It is not recognized as the “fourth evolution of computing. Instead, it is
recognized as the “fifth evolution of computing.
c. Incorrect. Blockchain uses cryptography to allow each participant on any given
network to manage the ledger in a secure way without the need for a central authority.
As a result, every blockchain is unique.
d. Incorrect. Large portions of a blockchain community would all have to agree to
change the information and are incentivized not to change the information. As a result,
data is very difficult to change or remove.
2. a. Incorrect. Ethereum network is not the first evolution of blockchain technology.

Instead, it is considered to be the second evolution of the blockchain.
b. Incorrect. Factom network is not the first evolution of blockchain technology.
Instead, it is considered to be the third evolution of the blockchain.
c. Correct. The Bitcoin network is the first evolution of blockchain technology.
Bitcoin is a specific cryptocurrency. It is open to anyone at any level and has
open-source code maintained by its community.
d. Incorrect. Cryptography allows each participant on any given network to manage
the ledger in a secure way without the need for a central authority. It is not considered
to be the first evolution of blockchain technology.
¶ 10,106
3. a. Incorrect. A block is a list of transactions recorded onto a ledger over a period of

time. The size, period, and trigger events are different.
b. Correct. A chain is a hash that joins one block to another by mathematically
linking them. This is the most challenging part to understand and is the part that
creates the trust.
c. Incorrect. A network is composed of full nodes, which are computers running an
algorithm that is securing the network. Each node contains a complete record of all
transactions that were recorded in the blockchain.
d. Incorrect. Cryptocurrency is digital tokens that have market value.
4. a. Incorrect. Membership being closely controlled is a characteristic of a private

blockchain, not a public blockchain. A public blockchain is open to anyone at any level.
b. Incorrect. Being favored by consortiums that have trusted members is a characteris-
tic of a private blockchain, not a public blockchain. Private blockchains are favored by
consortiums that have trusted members and trade confidential information.
c. Incorrect. Private blockchains, not public blockchains, tend to be small. Another
example of a type of blockchain is a permissioned blockchain.
d. Correct. Bitcoin is an example of a public blockchain. It is open to anyone at
any level and has open-source code maintained by its community.
5. a. Correct. Permissioned blockchain networks allow the network to appoint a

group of participants in the network who are given the express authority to
provide the validation of blocks of transactions (i.e., to participate in the consen-
sus mechanism).
b. Incorrect. Private blockchains are essentially forks of the originator but are
deployed in what is called a permissioned manner. A typical way for enterprises to use
private blockchains is intrabusiness, ensuring that only company members have access.
c. Incorrect. Public blockchain is the model of Bitcoin and Ethereum, and is essentially
considered to be the original distributed ledger structure. Public blockchains typically
have incentives to encourage people to join the network as well as to authenticate
transactions.
d. Incorrect. Private and public blockchains serve different purposes. For example, a
private blockchain has the purpose of providing more value between trusted parties. By
contrast, a public blockchain has the purpose of providing more value between mistrust-
ing parties.
6. a. Incorrect. Ethereum is one of the most complex blockchains that have been built.
It is Ideal for smart contracts, charters, wills, and fund transfers.
b. Correct. Factom is the platform that is used to minimize volume and complex-
ity of complicated legal transactions workpapers. Harmony is its first commer-
cial service product.
c. Incorrect. Ripple was developed before Bitcoin in 2004. It is a global financial
settlement solution between banks and consumers. It enables users to send real-time
international payments across its networks.
d. Incorrect. Hyperledger is an open source blockchain platform. It has a graphic user
interface (GUI) that is user-friendly in building blockchain models for nontechnical
users. It also has a modular architecture.
¶ 10,106

1. a. Correct. This is an incorrect statement. While professional skepticism
should be performed in all material respects, it should not be limited to only
material respects. An auditor should exercise it in all respects.
b. Incorrect. This is a characteristic of audit quality. An auditor should consistently
comply with applicable accounting and auditing standards, quality control standards,
and independence and professional ethics.
c. Incorrect. Consistently applying both a deep and broad understanding clients’
businesses and the environments in which they operate is a characteristic of audit
quality. Leadership and culture of a firm is one factor that impacts audit quality.
d. Incorrect. This is a characteristic of audit quality. There is no formal definition of
audit quality. However, the focus is on the credibility of an entity’s audited financial
statements.
2. a. Incorrect. This is a quality control challenge with respect to acceptance and

continuance of clients, not leadership. Lack of documentation of consideration of client
acceptance is another quality control challenge.
b. Correct. Another quality control challenge as it relates to leadership is if a firm
fails to take appropriate action when events, subsequent to the issuance of the
engagement, determine the engagement to be nonconforming.
c. Incorrect. This is a quality control challenge with respect to human resources, not
leadership. Another quality control challenge relating to human resources is if recent
professional standards were not appropriately considered.
d. Incorrect. This is a quality control challenge with respect to relevant ethical
requirements, not leadership. A firm that does not complete annual independence
affirmations is another example of a quality control challenge related to relevant ethical
requirements.
3. a. Incorrect. Human resources quality control challenges include, but are not
limited to, engagement team members not being aware of the recent changes under the
standards and requirements of recently effective professional standards not being
appropriately identified.
b. Incorrect. An example of a quality control challenge related to acceptance and
continuance of clients is numerous engagement matters related to the unique nature of
the engagement or the client’s industry and the firm had no prior experience.
c. Incorrect. An example of a quality control challenge related to relevant ethical
requirements is if the firm performed account coding for one of its compilation clients
and approved invoices for payment.
d. Correct. Other quality control challenges related to monitoring include, but
are not limited to, departures from standards not identified and corrected on a
timely basis and the results of monitoring not being appropriately summarized.
4. a. Incorrect. This is a strategy to increase audit quality as it relates to firm

leadership and strengthening the tone at the top. Another strategy in this area is to
demonstrate a track record of consistency on standards-based decisions.
b. Correct. Another strategy to increase audit quality as it relates to the client
acceptance and continuance process is to perform sufficient client background
checks. A firm should also consider establishing a quality control department.
¶ 10,107
c. Incorrect. This is a strategy to increase audit quality as it relates to continuing

education and training. A firm’s CPE should focus on topics such as applying profes-
sional judgment, professional skepticism, and objectivity, as well as independence and
ethics.
d. Incorrect. Establishing and regularly communicating a formal code of conduct is a
strategy to increase audit quality as it relates to firm leadership and strengthening the
tone at the top. A strategy to increase audit quality as it relates to the client acceptance
and continuance process is to perform sufficient client background checks.
5. a. Correct. Another example of a common audit deficiency related to the

auditor’s report is the failure to appropriately modify the report for a scope
limitation or a significant departure from GAAP.
b. Incorrect. This is a common audit deficiency related to financial statement recogni-
tion and measurement, presentation, and disclosure. Instead, a common audit defi-
ciency related to the auditor’s report is the issuance of the report when the auditor was
not independent.
c. Incorrect. Intangible assets not being assessed for impairment is a common audit
deficiency related to financial statement recognition and measurement, presentation,
and disclosure. A common audit deficiency related to the auditor’s report is the
omissions of required critical reporting elements of applicable standards.
d. Incorrect. Failure to document the consideration of internal control is a common
audit deficiency related to audit procedures and documentation, not the auditor’s report.
Another common audit deficiency related to audit procedures and documentation is the
failure to appropriately implement the performance or documentation provisions related
to risk assessment.
6. a. Incorrect. Failure to read compiled financial statements for obvious or material

errors is a common compilation deficiency related to procedures and documentation,
not the actual report.
b. Incorrect. This is a common SSARS review deficiency, not a compilation deficiency.
Failure to document significant unusual matters and their disposition is another exam-
ple of a common SSARS review deficiency.
c. Correct. Another common compilation deficiency related to the accountant’s
report is the failure to include a separate paragraph for departures from the
financial reporting framework, including dollar amounts or a statement that the
impact was not determined.
d. Incorrect. This is a common compilation deficiency related to procedures and
documentation, not the actual report. Another common deficiency in this area is the
failure to obtain all required signatures on the engagement letter (or other suitable
written agreement) for SSARS 21 engagements.

1. a. Incorrect. Gabriel Tarde developed the Theory of Differential Association.
b. Correct. Ronald Akers developed the Social Learning Theory. The social
learning theory postulates that individuals learn criminal activity and rationalize
the acceptability of criminal activities based on their social networks.
c. Incorrect. Edwin Sutherland developed the Theory of Differential Association.
d. Incorrect. Donald Cressey developed the Fraud Triangle Theory.
¶ 10,108
2. a. Incorrect. Cash larceny is stealing cash that has been recorded in the accounting
system from a register, a deposit, or the safe.
b. Incorrect. Kiting is done with checks, not with cash. It involves taking advantage of
the float to make use of non-existent funds in a checking or other bank account.
c. Correct. Skimming is taking the cash before it is recorded in the accounting
system. This is a common fraud when employees are working alone, in drive-
through retail outlets, and at fundraising events for not-for-profit organizations.
d. Incorrect. Cash drawer loans involve employees putting personal NSF checks in
their cash drawer in exchange for cash.
3. a. Incorrect. The security thread in a $5 bill glows blue under a black light.
b. Correct. The security thread in a $20 bill is green when viewed with a black
light.
c. Incorrect. A black light will show a yellow security thread in a $50 bill.
d. Incorrect. Pink is the color of a security thread in a $100 bill.
4. a. Incorrect. Duplicate invoice fraud involves sending multiple invoices hoping to

get paid more than once.
b. Incorrect. Receivables dumping occurs when employees assign collectable accounts
to a collection for a kickback or other compensation.
c. Correct. Reaging occurs when new accounts receivable are created to pay aged
receivables to make the receivables look current. This can be done multiple
times to make the accounts receivable aging report show only current, and few
past due, invoices.
d. Incorrect. Skimming involves taking payments before they are recorded in the
accounting system.
5. a. Correct. Bill and hold frauds involve billing for goods without receiving an
order or shipping anything. If the customer pays the invoice, the company sends
the goods; otherwise, the invoice is reversed or written off. Sometimes the
receivable is offset with a credit memo to avoid a direct write-off.
b. Incorrect. An improper cut-off fraud involves posting transactions in the wrong
period.
c. Incorrect. Fake sales are entered into the accounting system, but invoices are not
sent.
d. Incorrect. Channel stuffing occurs when a business ships more merchandise to a
distributer than it can sell, with a promise to buy back unsold items, while recording the
entire sale as revenue.
6. a. Incorrect. Expensing items and then selling them on the Internet is a way that
employees commit expense reimbursement fraud.
b. Incorrect. Purchasing and canceling extended warranties is a way that employees
commit expense reimbursement fraud.
c. Correct. Entertaining customers is not fraud. Instead, an example of a way an
employee commits expense reimbursement fraud is to expense items and then
sell them on the Internet.
d. Incorrect. Shell companies are a way that employees commit expense reimburse-
ment fraud.
¶ 10,108
7. a. Incorrect. A bill and hold scheme is a revenue scheme, not a type of inventory
fraud.
b. Incorrect. Lapping is an accounts receivable fraud, not a type of inventory fraud.
c. Incorrect. Cooking the books is financial statement fraud, not a specific type of
inventory fraud.
d. Correct. Short shipping is a type of inventory fraud. This fraud can be
conducted by either management or employees.
8. a. Incorrect. This is an example of skimming, not a data breach.

b. Incorrect. This is an example of shoulder surfing, which is not a data breach.
c. Correct. Stealing information from a computer is an example of a data breach.
d. Incorrect. This is an example of criminal identity theft, not a data breach.
9. a. Incorrect. A data breach involves obtaining confidential information from a

computer system.
b. Correct. Credential stuffing involves using stolen user IDs and passwords to
try to access multiple IT systems.
c. Incorrect. Ransomware encrypts data on a system.
d. Incorrect. Phishing is done with email. Social networking through phishing
schemes is a common way to get around an organization’s IT security.
10. a. Incorrect. Phishing uses email to obtain personal information or to get you to
download malware by clicking on a link.
b. Correct. Ransomware encrypts the information on your computer. The
criminals then require that the victim pay a ransom in order to obtain the
decryption key and have access to their files.
c. Incorrect. Spoofing hides the true origin of an email or website to make it look
legitimate.
d. Incorrect. Spyware tracks your information; it doesn’t encrypt it.
11. a. Incorrect. There are 407 million credit cards issued in the United States, not
worldwide.
b. Incorrect. There are more than a billion credit cards issued worldwide.
c. Correct. There are approximately 1.5 billion credit cards issued worldwide.
d. Incorrect. There are 1.9 billion debit cards issued worldwide, versus 1.5 billion
credit cards.
12. a. Incorrect. Cash drawer loans involve postdated checks from an employee’s
bank account.
b. Incorrect. Skimming is taking funds before they are entered into the cash register
or accounting system.
c. Correct. Criminal identity theft involves opening bank accounts using false
information. The typical pattern for criminal identity theft is for the criminal to
first misappropriate your Social Security number and personal information.
There are various ways to do this, including data breaches, mail fraud, phishing,
vishing, etc.
¶ 10,108
d. Incorrect. Refund frauds are committed by entering false returns into the cash
register.
13. a. Incorrect. During a typical business identity theft scheme, the fraudsters use
the business name to obtain loans or credit.
b. Incorrect. During a typical financial identity theft scheme, the fraudsters use the
personal information to obtain financial benefits.
c. Correct. The fraudulent use of a professional license is considered profes-

sional identity theft. Physicians are a prime target for professional identity theft
because the criminals want to use physicians’ prescribing power obtain prescrip-
tion drugs for illegal use or to sell on the street.
d. Incorrect. During a typical employment fraud scheme, the fraudster uses the name
and Social Security number of the victim to obtain employment.
14. a. Correct. Stolen identity refund fraud involves filing false returns to receive
tax refunds.
b. Incorrect. Medical identity theft involves assuming someone’s identity to obtain

health care.
c. Incorrect. Government benefits fraud involves using someone else’s identity to

receive government benefits.
d. Incorrect. Identity cloning involves concealing a fraudster’s true identity by cloning

a victim’s identity and using it openly in plain sight.
15. a. Correct. Layering is one of the three steps of money laundering.
b. Incorrect. Opportunity is part of the fraud triangle, not one of the three steps of
money laundering.
c. Incorrect. Conversion is an element of fraud, not one of the three steps of money
laundering.
d. Incorrect. Rationalization is part of the fraud triangle, not one of the three steps of
money laundering.
16. a. Incorrect. Creating fraudulent transactions in the accounting system occurs 42

percent of the time versus 55 percent of the time for creating fraudulent physical
documents.
b. Incorrect. Creating fraudulent journal entries is the least likely way to conceal a
fraud.
c. Incorrect. Destroying physical documents to conceal a fraud occurs 30 percent of

the time versus 55 percent of the time for creating fraudulent physical documents.
d. Correct. Fifty-five percent of the time, fraudsters create fraudulent physical

documents to conceal a fraud.
¶ 10,108
181
Index
References are to paragraph (¶ ) numbers.
A ASU 2018-04, Amendments to SEC Paragraphs

Pursuant to SEC Staff Accounting Bulletin No. 117 and
Accounting Standards Update (ASU). See specific ASU SEC Release No. 33-9273 . . . . . . . . . . . . . . . . . 107
Accounts payable fraud . . . . . . . . . . . . . . . . . . . 805 ASU 2018—05, Amendments to SEC Paragraphs

Pursuant to SEC Staff Accounting Bulletin No. 118 (SEC
Accounts receivable fraud . . . . . . . . . . . . . . . . . . 805 Update) . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Accumulated benefit obligation (ABO) . . . . . . . . . . . 117 ASU 2018-06, Codification Improvements to Topic
Accumulated other comprehensive income (AOCI) . 105, 117 942, Financial Services—Depository and Lending . . 109
AICPA Code of Professional Conduct . . . . . . 703, 705, 708 ASU 2018-07, Compensation—Stock Compensation
(Topic 718): Improvements to Nonemployee Share-Based
American Institute of Certified Public Accountants
Payment Accounting . . . . . . . . . . . . . . . . . . . 110
(AICPA) . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
ASU 2018-08, Not-for-Profit Entities (Topic 958):
Amortized costs, assets measured at . . . . . . . . . . . 205 Clarifying the Scope and the Accounting Guidance for
AS 1215, Audit Documentation . . . . . . . . . . . . . . . 406 Contributions Received and Contributions Made . . . 111
AS 1301, Communications with Audit Committees . . . . 405 ASU 2018-09, Codification Improvements . . . . . . . . . 112
AS 3101, The Auditor’s Report on an Audit of ASU 2018-10, Codification Improvements to Topic
Financial Statements When the Auditor Expresses an 842, Leases . . . . . . . . . . . . . . . . . . . . . . . . . 113
Unqualified Opinion . . . . . . . . . . . . . . . . . . 403–409 ASU 2018-11, Leases (Topic 842): Targeted
Asset misappropriations . . . . . . . . . . . . . . . . . . . 805 Improvements . . . . . . . . . . . . . . . . . . . . . . . 114
Association of Certified Fraud Examiners (ACFE) . 803–805, ASU 2018-12, Financial Services—Insurance (Topic
814–815 944): Targeted Improvements to the Accounting for Long-
Duration Contracts . . . . . . . . . . . . . . . . . . . . 115
ASU 2010-20, Receivables (Topic 310): Disclosures
about the Credit Quality of Financing Receivables and the ASU 2018-13, Fair Value Measurement (Topic 820):
Allowance for Credit Losses . . . . . . . . . . . . . . . 209 Disclosure Framework—Changes to the Disclosure
Requirements for Fair Value Measurement . . . . . . 116
ASU 2014-09, Revenue from Contracts with
Customers . . . . . . . . . . . . . . . . . . . . . . . 213, 214 ASU 2018-14, Compensation—Retirement
Benefits—Defined Benefit Plans—General (Subtopic
ASU 2016-01, Financial Instruments—Overall 715-20): Disclosure Framework—Changes to the
(Subtopic 825-10): Recognition and Measurement of Disclosure Requirements for Defined Benefit Plans . 117
Financial Assets and Financial Liabilities . . . . . . . 106
ASU 2018-15, Intangibles—Goodwill and
ASU 2016-02, Leases (Topic 842) Section A—Leases: Other—Internal-Use Software (Subtopic 350-40):
Amendments to the FASB Accounting Standards Customer’s Accounting for Implementation Costs
Codification . . . . . . . . . . . . . . . . . . . . . . . 104, 114 Incurred in a Cloud Computing Arrangement That Is a
ASU 2016-13, Measurement of Credit Losses on Financial Service Contract . . . . . . . . . . . . . . . . . . . . . . 118
Instruments ASU 2018-16, Derivatives and Hedging (Topic 815):
. assets measured at amortized cost . . . . . . . . . . . . 205 Inclusion of the Secured Overnight Financing Rate (SOFR)
. disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Overnight Index Swap (OIS) Rate as a Benchmark Interest
. estimating . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Rate for Hedge Accounting Purposes . . . . . . . . . 119
. main provisions . . . . . . . . . . . . . . . . . . . . . . . 204
ASU 2018-17, Consolidation (Topic 810): Targeted
. presentation of . . . . . . . . . . . . . . . . . . . . . . . . 208
Improvements to Related Party Guidance for Variable
ASU 2016-14, Not-for-Profit Entities (Topic 958): Presentation Interest Entities . . . . . . . . . . . . . . . . . . . . . . 120
of Financial Statements of Not-for-Profit Entities
ASU 2018-18, Collaborative Arrangements (Topic
. cash flows, statement of . . . . . . . . . . . . . . . . . . 306
808): Clarifying the Interaction between Topic 808 and
. expenses, reporting of . . . . . . . . . . . . . . . . . . . 308
Topic 606 . . . . . . . . . . . . . . . . . . . . . . . . . . 121
. liquidity information . . . . . . . . . . . . . . . . . . . . . 305
. operating measure information . . . . . . . . . . . . . . . 307 ASU 2018-19, Codification Improvements to Topic
. reporting of net assets . . . . . . . . . . . . . . . . . . . . 304 326, Financial Instruments—Credit Losses . . . . 122, 214
ASU 2018-01, Land Easement Practical Expedient for ASU 2018-20, Leases (Topic 842): Narrow-Scope
Transition to Topic 842 . . . . . . . . . . . . . . . . . . 104 Improvements for Lessors . . . . . . . . . . . . . . . . 123
ASU 2018-02, Income Statement—Reporting ASU 2019-04, Codification Improvements to Topic

326, Financial Instruments—Credit Losses, Topic 815,
Comprehensive Income (Topic 220): Reclassification of
Derivatives and Hedging, and Topic 825, Financial
Certain Tax Effects from Accumulated Other
Instruments . . . . . . . . . . . . . . . . . . . . . . . . . 214
Comprehensive Income . . . . . . . . . . . . . . . . . . 105
Attestation standards
ASU 2018-03, Technical Corrections and
. clarification and recodification (SSAE 18) . . . . . . . 503–512
Improvements to Financial Instruments—Overall
. Service Organization Control (SOC) . . . . . . . . . . 503–512
(Subtopic 825-10): Recognition and Measurement of
Financial Assets and Financial Liabilities . . . . . . . 106 Audit committee, communication with . . . . . . . . . . . 405
AUD
182 INDEX
Audit documentation . . . . . . . . . . . . . . . . . . . . . 406 Critical audit matter (CAM)

. AS 3101 guidance . . . . . . . . . . . . . . . . . . . . 403–409
Audit quality . . . . . . . . . . . . . . . . . . . . . . . . 701–708
. audit report requirements . . . . . . . . . . . . . . . . . . 406
. deficiencies, common . . . . . . . . . . . . . . . . . . . . 707
. definition of . . . . . . . . . . . . . . . . . . . . . . . . . . 404
. definition of . . . . . . . . . . . . . . . . . . . . . . . . . . 703
. disclosure requirements . . . . . . . . . . . . . . . . . . . 406
. elements of . . . . . . . . . . . . . . . . . . . . . . . . . . 703
. documentation requirements . . . . . . . . . . . . . . . . 406
. ethics and . . . . . . . . . . . . . . . . . . . . . . . . 704–705
. identifying, principle-based approach for . . . . . . . . . 405
. failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
. versus key audit matter . . . . . . . . . . . . . . . . . . . 408
. strategies for increasing . . . . . . . . . . . . . . . . . . . 706
Cryptocurrency . . . . . . . . . . . . . . . . . . . . . . 604–607
Auditing Standards Board (ASB) . . . . . . . . . . . . . . 503
Currency Transaction Report (CTR) . . . . . . . . . . . . 813
Available-for-sale debt securities . . . . . . 106, 204, 210, 212
Current expected credit loss (CECL) model . . . . . . 122, 206
B Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Cyber fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Bankruptcy fraud . . . . . . . . . . . . . . . . . . . . . . . 807
Cybersecurity . . . . . . . . . . . . . . . . . . . . . . . . . 504
Bid rigging . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Bitcoin . . . . . . . . . . . . . . . . . . . . . . . . . . . 604–607 D
Blackmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Data breaches . . . . . . . . . . . . . . . . . . . . . . . . . 806
Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . 601–607
Debit card fraud . . . . . . . . . . . . . . . . . . . . . . . . 807
. Applications . . . . . . . . . . . . . . . . . . . . . . . . . 606
. best practices . . . . . . . . . . . . . . . . . . . . . . . . 607 Debt securities, available-for-sale . . . . . . . . 106, 210, 212
. components of . . . . . . . . . . . . . . . . . . . . . . . . 604 Defined benefit plans . . . . . . . . . . . . . . . . . . . . . 117
. history of . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Denial of service (DoS) attacks . . . . . . . . . . . . . . . 806
. software . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
. types of . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Derivatives and hedging . . . . . . . . . . . . . . . . . . . 119
Double-cashed checks . . . . . . . . . . . . . . . . . . . . 805
C
E
CECL model. See Current expected credit loss (CECL) model
Employment fraud . . . . . . . . . . . . . . . . . . . . . . . 810
Charity fraud . . . . . . . . . . . . . . . . . . . . . . . . . . 800
EMV card fraud . . . . . . . . . . . . . . . . . . . . . . . . 807
Checks
. accounts payable fraud . . . . . . . . . . . . . . . . . . . 805 Endowments, underwater . . . . . . . . . . . . . . . . . . 304
. accounts receivable fraud . . . . . . . . . . . . . . . . . . 806 Enron . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805, 809
. business identity theft . . . . . . . . . . . . . . . . . . . . 808
Ethereum . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
. criminal identity theft . . . . . . . . . . . . . . . . . . . . 808
. double-cashed . . . . . . . . . . . . . . . . . . . . . . . . 805 Expense reimbursement fraud . . . . . . . . . . . . . . . 805
. skimming . . . . . . . . . . . . . . . . . . . . . . . . . . . 805 Explanatory paragraphs . . . . . . . . . . . . . . . . . . . 406
Circular 202 . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Extortion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Cloud computing arrangements . . . . . . . . . . . . . . 118
F
Cohen Commission . . . . . . . . . . . . . . . . . . . . . . 403
Collaborative arrangements . . . . . . . . . . . . . . . . . 121 Factom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Collateral-dependent financial assets . . . . . . . . . . . 209 Fair value measurement . . . . . . . . . . . . . . . . . 106, 116
Commensurate value . . . . . . . . . . . . . . . . . . . . . 111 Financial Accounting Standards Board (FASB)
. ASUs issued in 2018 . . . . . . . . . . . . . . . . . . 103–123
Committee of Sponsoring Organizations (COSO) . . 507, 804
Financial assets
Conflict of interest . . . . . . . . . . . . . . . . . . . . 805, 814
. Recognition of . . . . . . . . . . . . . . . . . . . . . . . . 106
Continuing professional education (CPE) . . . . . . . 704, 706
Financial fraud . . . . . . . . . . . . . . . . . . . . . . . . . 807
Contribution accounting . . . . . . . . . . . . . . . . . . . 111
Financial instruments . . . . . . . . . . . . . . . . . . . 106, 122
Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Financial liabilities
Counterfeit currency . . . . . . . . . . . . . . . . . . . . . 805 . Recognition of . . . . . . . . . . . . . . . . . . . . . . . . 106
Credential stuffing . . . . . . . . . . . . . . . . . . . . . . 806 Financial statement fraud . . . . . . . . . . . . . . . . . . 807
Credit card fraud . . . . . . . . . . . . . . . . . . . . . . . 806 Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803–815
. Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . 814
Credit losses . . . . . . . . . . . . . . . . . . . . . . . . . . 122
. Cyber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
. allowance for . . . . . . . . . . . . . . . . . . . . . . . . . 212
. Financial . . . . . . . . . . . . . . . . . . . . . . . . . . . 807
. disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . 209
. government-specific . . . . . . . . . . . . . . . . . . . . . 811
. estimating . . . . . . . . . . . . . . . . . . . . . . . . . . 206
. identity theft . . . . . . . . . . . . . . . . . . . . . . . . . 808
. pool basis for measuring . . . . . . . . . . . . . . . . . . 206
. money laundering . . . . . . . . . . . . . . . . . . . . . . 813
. presentation of . . . . . . . . . . . . . . . . . . . . . . . . 208
. not-for-profit . . . . . . . . . . . . . . . . . . . . . . . . . 812
Cressey, Donald . . . . . . . . . . . . . . . . . . . . . . . . 804 . occupational . . . . . . . . . . . . . . . . . . . . . . . . . 805
AUD
INDEX 183
Fraud—continued N
. tax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
. theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804 National Health Care Anti-Fraud Association . . . . . . . 811
. triangle . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804
Nonprofits. See Not-for-profit (NPO) entities
Fraud theories . . . . . . . . . . . . . . . . . . . . . . . . . 804
Not-for-profit (NPO) entities
Fraud triangle . . . . . . . . . . . . . . . . . . . . . . . . . 804 . ASU 2016-14 guidance . . . . . . . . . . . . . . . . . 303–309
. ASU 2018-08 guidance . . . . . . . . . . . . . . . . . . . 111
G . board-designated net assets . . . . . . . . . . . . . . . . 304
. cash flows, statement of . . . . . . . . . . . . . . . . . . 306
Generally Accepted Accounting Principles (GAAP) 105, 110, . expenses, reporting of . . . . . . . . . . . . . . . . . . . 308
112, 119, 204, 213, 304, 307, 403, 703, 805, 812 . fraud specific to . . . . . . . . . . . . . . . . . . . . . . . 812
Government Accountability Office . . . . . . . . . . . . . 703 . liquidity information . . . . . . . . . . . . . . . . . . . . . 305
. management and general expenses . . . . . . . . . . . . 308
Government-specific fraud . . . . . . . . . . . . . . . . . 811
. operating measure information . . . . . . . . . . . . . . . 307
. reporting of net assets . . . . . . . . . . . . . . . . . . . . 304
H . underwater endowments . . . . . . . . . . . . . . . . . . 304
Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
O
Hedge accounting . . . . . . . . . . . . . . . . . . . . . . . 103
Hyperledger . . . . . . . . . . . . . . . . . . . . . . . . . . 607 Off-balance-sheet credit exposures . . . . . . . . . . . . 209
Other comprehensive income (OCI) . . . . . . . . . . 105, 115
I Other-than-temporary impairment (OTTI) model . . . . . 203
Identity theft . . . . . . . . . . . . . . . . . . . . . . . . . . 808

P
Immigration Reform and Control Act of 1986 . . . . . . . 810
Instrument-specific credit risk . . . . . . . . . . . . . . . 106 Payroll fraud . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Internal control over financial reporting (ICFR) . 403, 405, 504 Peer review . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
International Auditing and Assurance Standards Personal health information (PHI) . . . . . . . . . . . . . . 806
Board (IAASB) . . . . . . . . . . . . . . . . . . . . . . . 408 Personally identifying information (PII) . . . . . . . . . . 806
ISA 701, Communicating Key Audit Matters in the Pharming . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Independent Auditor’s Report . . . . . . . . . . . . . . 408
Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
J Ponzi schemes . . . . . . . . . . . . . . . . . . . . . . . . . 807

Private Company Council . . . . . . . . . . . . . . . . . . 120
Japanese Welfare Pension Insurance Law . . . . . . . . 117
Private Company Decision-Making Framework . . . . . . 213
K Projected benefit obligation (PBO) . . . . . . . . . . . . . 117

Professional skepticism . . . . . . . . . . . . . . . . . 703–704
Key audit matter (KAM) . . . . . . . . . . . . . . . . . . . . 408
Projected benefit obligation (PBO) . . . . . . . . . . . . . 117
L Public Company Accounting Oversight Board

(PCAOB) . . . . . . . . . . . . . . . . . . . 403–408, 703, 806
Land easements Pyramid schemes . . . . . . . . . . . . . . . . . . . . . . . 807
Treatment of . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Lapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805 Q
Leases Quality control . . . . . . . . . . . . . . . . . . . . . . . 701–708

. FASB guidance on . . . . . . . 104, 113–114, 121–123, 214
Quill decision . . . . . . . . . . . . . . . . . . . . . . . . . 809
Lessor costs . . . . . . . . . . . . . . . . . . . . . . . . . . 123
LIBOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119, 211 R
Life insurance . . . . . . . . . . . . . . . . . . . . . . . . . 115
Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . . 806
Long-duration contracts . . . . . . . . . . . . . . . . . . . 115
Readiness assessment . . . . . . . . . . . . . . . . . . . . 510
Recognition and measurement of financial assets
M
and financial liabilities . . . . . . . . . . . . . . . . . . 106
Madoff, Bernie . . . . . . . . . . . . . . . . . . . . . . . . . 809 Ripple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Management and general activities . . . . . . . . . . . . . 308 Risk assessment . . . . . . . . . . . . . . . . . . . . . . . 507
Medicaid fraud . . . . . . . . . . . . . . . . . . . . . . . . . 811
S
Medicare fraud . . . . . . . . . . . . . . . . . . . . . . . . . 811
Money laundering . . . . . . . . . . . . . . . . . . . . . . . 813 Sales tax . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Multichain . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 Sarbanes-Oxley Act of 2002 . . . . . . . . . . . . 403, 503, 507
SAR
184 INDEX
Secured overnight financing rate (SOFR) . . . . . . . . . 119 T

Service Organization Controls (SOC) . . . . . . . . . 503–512
. complementary subservice organization controls Tarde, Gabriel . . . . . . . . . . . . . . . . . . . . . . . . . 804
(CSOCs) . . . . . . . . . . . . . . . . . . . . . . . . . 507 Tax Cuts and Jobs Act (TCJA) . . . . . . . . . . . . . . 105, 108
. readiness assessment . . . . . . . . . . . . . . . . . . . 510
. reports, benefits of . . . . . . . . . . . . . . . . . . . . . . 511 Tax fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . 809
. reports, history of . . . . . . . . . . . . . . . . . . . . . . 503 Theory of differential association . . . . . . . . . . . . . . 804
. reports, types of . . . . . . . . . . . . . . . . . . . . . 503–504
. SOC review, preparing for . . . . . . . . . . . . . . . . . 510 Theory of differential reinforcement . . . . . . . . . . . . 804
. SSAE 18 and . . . . . . . . . . . . . . . . . . . . . . 503–508 Transition Resource Group (TRG) . . . . . . . . . . . . . 213
Share-based payment, nonemployee . . . . . . . . . . . 110
Treadway Commission . . . . . . . . . . . . . . . . . . . . 403
Skimming . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805
Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
SOC report. See Service Organization Controls (SOC)
Trust Services Criteria . . . . . . . . . . . . . . . . . . 504, 510
Social learning theory . . . . . . . . . . . . . . . . . . . . 804
Social Security fraud . . . . . . . . . . . . . . . . . . . . . 811 U
Sockpuppets . . . . . . . . . . . . . . . . . . . . . . . . . . 808
U.S. Chamber of Commerce . . . . . . . . . . . . . . . . . 409
Software as a Service (SaaS) . . . . . . . . . . . . . . . . 509
U.S. Department of Labor . . . . . . . . . . . . . . . . . . 703
Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
U.S. Securities and Exchange Commission (SEC) . 105, 107–
SSAE 18, Attestation Standards: Clarification and
108, 122, 201, 213, 403, 407
Recodification . . . . . . . . . . . . . . . . . . . . . 503–512
. reports, benefits of . . . . . . . . . . . . . . . . . . . . . . 511
. reports, physical components of . . . . . . . . . . . . . . 507 V
. reports, types of . . . . . . . . . . . . . . . . . . . . . 503–504
. SOC review, preparing for . . . . . . . . . . . . . . . . . 510 Variable interest entity (VIE) . . . . . . . . . . . . . . . . . 120
. SSAE audit, who needs . . . . . . . . . . . . . . . . . . . 509 Vishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 806
. subservice organizations and . . . . . . . . . . . . . . . . 505
Stranded tax effect . . . . . . . . . . . . . . . . . . . . . . 105 W
Subservice organizations . . . . . . . . . . . . . . . . . . 505
Wayfair decision . . . . . . . . . . . . . . . . . . . . . . . . 809
Suspicious Activity Report (SAR) . . . . . . . . . . . . . . 813
WorldCom . . . . . . . . . . . . . . . . . . . . . . . . . 805, 809
Sutherland, Edwin . . . . . . . . . . . . . . . . . . . . . 803, 804
SWOT analysis . . . . . . . . . . . . . . . . . . . . . . . . . 507
Y
System Organization Control. See Service Organization
Controls (SOC) Yellow Book . . . . . . . . . . . . . . . . . . . . . . . . . . 703
SEC
185
¶ 10,200 Glossary
AAA: American Accounting Association.
ABV: Accredited in Business Valuation.
Accounting Standard Update (ASU): Issued by the Financial Accounting Standards
Board (FASB) to communicate changes to the FASB codification, including changes to
non-authoritative Securities and Exchange Commission content.
Accounting Standards Codification (ASC): The source of U.S. Generally Accepted
Accounting Principles (GAAP) that is organized and maintained by the Financial
Accounting Standards Board (FASB).
Accounts payable: Amounts due to vendors for products and services received.
Accounts receivable: Amounts due from customers for products or services provided.
ACFE: Association of Certified Fraud Examiners.
ACFEI: American College of Forensic Examiners International.
Ad hoc: For a single or special purpose.
Advance fee fraud: Fraudulently obtaining a fee in advance for services that are never
done.
Amicus curiae: Also known as “Friend of the Court; a third party who is not directly
involved in the litigation or dispute is allowed to file a brief on behalf of one of the
parties to the litigation.
Amortized cost basis: The amount at which an investment is acquired, adjusted for
accretion, amortization, collection of cash, previous other-than-temporary impairments
recognized in earnings (less any cumulative-effect adjustments), foreign exchange, and
fair value hedge accounting adjustments.
Arbitration: In lieu of litigation the dispute is heard before a third party that renders a
decision. Arbitrations can be binding or nonbinding.
Auditing Standards Board (ASB): A committee of the American Institute of Certified
Public Accountants (AICPA) that develops, updates, and communicates standards and
guidance for auditing, attestation, and quality control.
Authentication: The process of making a written document admissible as evidence in a
court of law.
Automated controls: Automated controls are controls that are built into the computer
software. Automated controls can be either preventive or detective.
Available-for-sale securities: Investments that are not classified as either trading
securities or as held-to-maturity securities.
Backdoor: A route into a computer that circumvents the user authentication process
and allows hackers open access to the system once it is installed.
Balance: Summarizes a company’s assets, liabilities and shareholders’ equity at a
specific point in time.
Bank reconciliation: The process of matching the balances in an entity’s accounting
records for a cash account to the corresponding information on a bank statement.
Bankruptcy: A legal way to discharge or reorganize debt.
¶ 10,200
Best evidence rule: (also referred to as the original writing rule), to prove the contents
of a writing, recording, or photograph, the original writing, recording, or photograph
usually must be presented.
Bitcoin: A decentralized cryptocurrency that allows the transfer of digital tokens
without dealing with an intermediary.
Block: A list of transactions recorded onto a ledger over a period of time. It is one of the
three components of blockchain.
Blockchain: A data structure that creates a digital ledger of data that can be shared in a
network of independent third-party participants. It uses cryptography to allow each
participant on any given network to manage the ledger in a secure way without the need
for a central authority.
Board-designated assets: Net assets without donor restrictions that are subject to
self-imposed limits by action of a not-for-profit organization’s governing board.
Board-designated restriction: An action by a not-for-profit organization’s board of
directors to earmark an asset for a specified purpose.
Bookkeeping: The process of recording all of the accounting information for a
business.
Bribery: Illicit payments for information or actions paid to corrupt employees or
officials.
Budget: A forecast of the financial results and financial position of a company for one or
more future periods.
Business calculation: A business calculation is less extensive than a business valua-
tion and uses an agreed upon methodology. Business calculations cannot be presented
in court.
Bustout: A preplanned bankruptcy used to misappropriate assets from creditors.
CECL model: The current expected credit losses model for estimating allowances for
credit losses.
CFE: Certified Fraud Examiner.
CFF: Certified in Financial Forensics.
CFIP: Certified Forensic Investigative Professional.
Chaffing: A method for sending hidden messages over the Internet.
Chain: In blockchain, the hash—or the “glue—that links one block to another,
mathematically joining them together.
Chain of custody: The process for verifying who had care, custody and control of
evidence from the time it is collected until it is submitted to the court.
Chart of accounts: A list of all accounts used in a business.
Check tampering: Altering information on a check.
CIA: Certified Internal Auditor.
Circumstantial evidence: Indirect evidence from which the validity or truth of an
issue can be derived.
Collaborative arrangement: As defined by the guidance in Topic 808, a contractual
arrangement under which two or more parties actively participate in a joint operating
activity and are exposed to significant risks and rewards that depend on the activity’s
commercial success.
¶ 10,200
GLOSSARY 187
Common costs: Costs that are not directly tied to making and selling a product or
service.
Common law: Consists of the usages and customs of a society as interpreted by the
courts, it is also referred to as case law.
Compilation engagement: A procedure whereby an accountant is hired for the
purpose of using his or her professional expertise versus his or her knowledge in the
area of auditing in the overall summarization of a company’s financial details.
Complaint: The plaintiff’s formal written pleading filed with the court expressing a
claim for relief and initiating court action.
Complimentary subservice organization control: A subservice organization control
that service organizations rely on to meet the expected control objective.
Computer crime: An illegal act conducted using a computer or electronic device.
Computer forensics: Procedures applied to computers and electronic equipment to
gather evidence that can be used in a court of law.
Computer virus: A computer virus is usually hidden in a computer program and
performs functions such as copying or deleting data files. A computer virus creates
copies of itself that it inserts in data files or other programs.
Computer worms: A type of malware that transmits itself over networks and the
Internet to infect more computers with the malware.
Conflict of interest: Occurs when an employee, manager, or executive has an undis-
closed economic or personal interest in a transaction that adversely affects that person’s
employer.
Continuing professional education (CPE): The means by which people maintain
their knowledge and skills related to their professional lives.
Control activities: Approvals, segregation of duties, reconciliations, reviews, proce-
dures, etc. that ensure that processes are followed and that the opportunities for errors
or fraud have been minimized.
Control environment: Often referred to as the “Tone at the Top, the ethical values of
the organization and relies on the strength of corporate governance.
Control risk: The risk that a control does not prevent or detect a material misstatement
in an account balance.
CPA: Certified Public Accountant.
Credit quality indicator: A statistic about the credit quality of financing receivables.
Credit report: A report maintained by independent organizations containing informa-
tion on an individual’s credit history.
CrFA: Certified Forensic Accountant.
Critical audit matters: Matters arising from the audit of the financial statements that
have been communicated or were required to be communicated to the audit committee,
that are related to auditing accounts or disclosures that are material to the financial
statements.
Cross-examination: Questioning of witnesses in court by the other party’s attorney.
Cryptocurrency: A digital currency in which encryption techniques are used to regu-
late the generation of units of currency and verify the transfer of funds, operating
independently of a central bank.
¶ 10,200
Current liabilities: Liabilities expected to be paid in cash- within 12 months or the

accounting cycle of a business. The 12-month period is almost always used.
CVA: Certified Valuation Analyst.
Data breach: The release or taking of data from a secure source to an unsecured third-
party location (computer).
Data mining: A process that uses mathematical algorithms to detect hidden patterns in
data.
De facto: In fact; actually.
De jure: Lawful, in the law.
Debit entry: Accounting entries that are posted on the left side of a ledger.
Debt security: Any security representing a creditor relationship with an entity.
Debt to equity ratio: Long-term debt/shareholders’ equity. Indicates the amount of
debt a company has, compared with equity.
Decentralized network: Clusters of centralized networks, with each centralized cluster
transmitting information not only within itself but to the other clusters.
Defined benefit plan: A type of pension plan in which an employer/sponsor promises
a specified pension payment, lump-sum (or combination thereof) on retirement that is
predetermined by a formula based on the employee’s earnings history, tenure of
service, and age, rather than depending directly on individual investment returns.
Demonstrative evidence: Documents, photos, videos, charts, or other items that
illustrate testimony but which possess no probative intrinsic value.
Deposition: Testimony given by a witness, under oath, but outside of the courtroom.
Detective controls: Policies and procedures that are put in place to help find errors or
fraud that have already occurred. Detective controls are put in place so that corrections
can be made.
Direct evidence: Evidence that directly proves a fact, without any need for presump-
tion or conjecture.
Direct examination: The questioning of a witness by the attorney for which the
witness is testifying.
Direct method (cash flow): A method of creating the cash flow statement in which
actual cash flow information from the company’s operations segment is used, instead of
accrual accounting values.
Discovery: A pretrial process in which the parties to the litigation exchange informa-
tion which will help them prepare for the trial.
Effective interest rate: The rate of return implicit in the loan, that is, the contractual
interest rate adjusted for any net deferred loan fees or costs, premium, or discount
existing at the origination or acquisition of the loan.
Electronic data interchange (EDT): The exchange of electronic data between
computers.
Electronic funds transfer (ETF): A transfer that is designed to move funds instantane-
ously between accounts.
Embezzlement: Theft of money or property by an employee or fiduciary from their
employer.
Emphasis of matter paragraph: A paragraph included in the auditor’s report that
refers to a matter appropriately presented or disclosed in the financial statements that,
¶ 10,200
GLOSSARY 189
in the auditor’s judgment, is of such importance that it is fundamental to users
understanding of the financial statements.
Endowment fund: An established fund of cash, securities, or other assets to provide
income for the maintenance of a not-for-profit entity.
Engagement letter: A written agreement that describes the business relationship to be
entered into by a client and a company.
Entity level controls: Internal controls designed to provide reasonable assurance that
the entity’s objectives are met. Entity level controls relate to the whole organization.
Ethereum: Blockchain software that specializes in smart contracts.
Evidence: As defined by SSAE 18, documentation that provides evidence of the
operating effectiveness of controls.
Expert report: A written report prepared by an expert witness on an issue before the
court.
Expert witness: A person who, because of specialized training or experience, testifies
in court to assist the judge or jurors understand complicated and technical subject
matter.
Fact witness: A witness who testifies in court as to specific facts.
Factom: Blockchain software that is designed for reducing processing time and
paperwork.
Fair value: The price that would be received to sell an asset or paid to transfer a
liability in an orderly transaction between market participants at the measurement date.
Financial asset: Cash, evidence of an ownership interest in an entity, or a contract that
conveys to one entity a right to either receive cash or another financial instrument from
a second entity or exchange other financial instruments on potentially favorable terms
with the second entity.
Financial statement fraud: Fraud designed to cook the books and present false
information on the financial statements.
Financing receivable: A financing arrangement that has both of the following charac-
teristics: (1) it represents a contractual right to receive money either on demand or on
fixed or determinable dates, and (2) it is recognized as an asset in the entity’s statement
of financial position.
Firewall: Hardware or software designed to prevent malware from being installed on a
computer and to prevent unauthorized access to a computer system.
Fixed assets: Assets that are used to generate revenue or operate the business. Fixed
assets are generally held as long term assets and are not quickly converted into cash.
Inventory is never considered a fixed asset.
Forensic: Pertaining to, connected with, or used in courts of law or public discussion
and debate.
Fraud auditor: An accountant especially skilled in auditing who is generally engaged
in auditing with a view toward fraud discovery, documentation, and prevention.
Fraud triangle: The theory developed by Dr. Donald Cressey explaining why individu-
als commit occupational fraud.
Fraud: A deception deliberately practiced in order to secure unfair or unlawful gain.
Ghost employee: A phantom employee that exists only on the books.
¶ 10,200
Habeas corpus: A writ asking the court to release a prisoner from unlawful
imprisonment.
Hacker: Someone attempting to gain access to a computer for malicious or illegal
purposes.
Hearsay: An out-of-court statement of an individual offered in court to prove the truth of
the issue under litigation.
Horizontal analysis: A technique for analyzing the percentage change in individual
financial statement items from one year to the next.
Hyperledger: An open-source ledger blockchain platform.
Identifying information: Information such as a name, phone number, address or
Social Security number that can be used to identify an individual.
Identity theft: Broadly defined as the use of one person’s identity or personally
identifying information by another person without his or her permission. Identity theft
is a type of fraud and can be committed against an individual or organization.
IIA: Institute of Internal Auditors.
IMA: Institute of Management Accountants.
Impairment: An other than temporary decline in value of an asset where the market
value of the asset is lower than the book value of the asset.
Indirect method (cash flow): A method of creating the cash flow statement in which
an entity uses accrual accounting information to present the cash flows from the
operations section on its cash flow statement.
Individual security level: As defined by Accounting Standards Codification Topic 326,
the level and method of aggregation used by a reporting entity to measure realized and
unrealized gains and losses on its debt securities.
Internal controls: A process, effected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance regarding the achieve-
ment of objectives relating to operations, reporting, and compliance.
Interrogation: The process of questioning an individual suspected to be involved in a
crime.
Interrogatories: Questions that are submitted to an opposing party in a lawsuit.
Interview: The informal questioning of an individual.
Judicial precedent: Case law; using a prior court decision to settle a current case with
the same or similar facts.
Jurisdiction: Authority of a court to hear a particular type of case.
Key audit matters: Matters that, in the auditor’s professional judgment, were of most
significance in the audit of the financial statements of the current period.
Kickback: The giving or receiving anything of value to influence a business decision.
Larceny: Theft.
Liquidity: The degree to which an asset or security can be quickly bought or sold in
the market without affecting the asset’s price.
Litigation: Engaging in legal proceedings, a lawsuit.
Litigation services: According to the AICPA, services that involve pending or potential
formal legal or regulatory proceedings before a trier of fact in conjunction with the
resolution of a dispute between two or more parties.
¶ 10,200
GLOSSARY 191
MAFF: Master Analyst in Financial Forensics.
Mala prohibita: An act or omission that is by statute criminal regardless of intent
(mens rea).
Malware: Software that is placed on computers or cell phones to hijack the computers,
steal data, or encrypt the data for ransom.
Management and general activities: With regard to not-for-profit organizations, sup-
porting activities that are not directly identifiable with one or more programs, fundrais-
ing, or membership development.
Manual controls: Controls that are that are done by individuals. Manual controls can
be either preventive or detective.
Means of identification: Any type of information that can identify a particular individ-
ual such as Social Security numbers, credit card numbers or the like.
Mediation: Process whereby an impartial third-person assists the parties in reaching a
resolution of the dispute.
Mens rea: A person’s state of mind; intent.
Misappropriation: Obtaining something of value, or avoiding an obligation by decep-
tion or false statements; a type of fraud.
Mitigate: To act to minimize damages.
Money laundering: Taking funds from an illegal source, hiding the source of funds,
and making the funds available for use without legal restrictions or penalties.
Motion in limine: A motion requesting the court to exclude certain evidence from
being presented at trial.
Multichain: An open-source private blockchain platform used by many businesses for
multiple purposes.
NACVA: National Association of Certified Valuation Analysts.
Net worth: The amount by which assets exceed liabilities.
Niche: Denoting or relating to products, services, or interests that appeal to a small,
specialized section of the population.
Node: A point in a network or diagram at which lines or pathways intersect or branch.
Nolo contendere: A plea wherein the defendant agrees not to contest the charges, but
does not admit to, or deny the charges.
Not for profit (NPO): A type of organization that does not earn profits for its owners.
Occupational fraud: Fraud occurring in the workplace or relating to employment.
Parol evidence: Oral evidence.
Pharming: A virus or malicious software is secretly loaded onto the victim’s computer
and hijacks the web browser.
Phishing: A technique used by fraudsters to obtain personal information for purposes
of identity theft. This theft can include sending illegitimate emails asking for personal
information.
Portfolio segment: The level at which an entity develops and documents a systematic
methodology to determine its allowance for credit losses.
Predication of fraud: Circumstances, when taken as a whole, will lead a reasonably
prudent professional to believe a fraud is occurring, or has occurred, or will occur.
¶ 10,200
Preventive controls: Policies and procedures that are put in place to help prevent
errors or fraud from occurring.
Pro se: Representing oneself in court.
Process level controls: Internal controls designed to provide reasonable assurance
that the entity’s processes are followed, applications are working, and transactions are
properly completed and recorded. Process level controls relate to a single activity.
Professional skepticism: An attitude that includes a questioning mind, being alert to
conditions that may indicate possible misstatement due to error or fraud, and a critical
assessment of audit evidence.
Purchased financial assets with credit deterioration: Acquired individual financial
assets (or acquired groups of financial assets with similar risk characteristics) that as of
the date of acquisition have experienced a more-than-insignificant deterioration in credit
quality since origination, as determined by an acquirer’s assessment.
Pyramid scheme: A scheme in which a buyer or participant is promised a payment for
each additional buyer or participant recruited by that person.
Qui tam suit: Litigation filed by a whistle-blower under the Federal False Claims Act
against a contractor or company on behalf of the federal government.
Ratio analysis: A means of measuring the relationship between two different financial
statement amounts.
Real evidence: Refers to physical objects which may be introduced as evidence at a
legal proceeding.
Reinsurance recoverable: All amounts recoverable from reinsurers for paid and
unpaid claims and claim settlement expenses, including estimated amounts receivable
for unsettled claims, claims incurred but not reported, or policy benefits.
Residuum rule: The rule is that no finding may be supported solely by hearsay
evidence.
Ripple: Blockchain software that is designed for financial and currency transactions.
Risk assessment: An assessment conducted to determine where key controls need to
be in the processes of the organization. Controls should be put in place in high risk
areas, but it is necessary to consider the cost/benefit of each control because excessive
controls can reduce an organizations efficiency.
Rootkits: Software that modifies the operating system to hide malware from the
computer users. Some rootkits contain code that prevents the malware from being
removed from the computer.
Rules of evidence: The rules governing the admissibility of evidence in court.
Shell companies: Legal business entities created for the purpose of committing fraud.
There is no actual business, just the paperwork.
Skimming: Removal of cash from a victim entity prior to its entry in an accounting
system.
Spoofing: Term used to describe fraudulent e-mail activity in which the sender’s
address or other parts of the e-mail header are altered to appear as though the e-mail
originated from a different source.
Staff Accounting Bulletin (SAB): A summarization of the views of the Securities and
Exchange Commission’s staff regarding how Generally Accepted Accounting Principles
are to be applied.
¶ 10,200
GLOSSARY 193
Statement on Standards for Attestation Engagements (SSAE): Guidance on attesta-
tion engagements that is promulgated by the Accounting Standards Board (ASB) of the
American Institute of Certified Public Accountants (AICPA).
Subpoena: A court order requiring a witness to appear at a specified time and place in
order to testify.
Subpoena duces tecum: A court order to produce specified documents, or other items
for the court.
Subservice organization: An organization utilized by the original service organization
to provide a component of services to the user entity.
System and Organization Controls (SOC): A suite of service offerings CPAs may
provide in connection with system-level controls of a service organization or entity-level
controls of other organizations.
Tax Cuts and Jobs Act of 2017: A congressional revenue act originally introduced in
Congress that amended the Internal Revenue Code of 1986. Major elements of the
changes include reducing tax rates for businesses and individuals, and a personal tax
simplification by increasing the standard deduction and family tax credits but eliminat-
ing personal exemptions and making it less beneficial to itemize deductions.
Tone at the top: A term that is used to define management’s leadership and commit-
ment toward openness, honesty, integrity, and ethical behavior.
Trojan horse: A malware program that is disguised as something else. Users assume it
is a beneficial program when it fact it is not. Trojans horses are often used to insert
spyware onto computers.
Troubled debt restructuring: A restructuring of a debt constitutes a troubled debt
restructuring if the creditor for economic or legal reasons related to the debtor’s
financial difficulties grants a concession to the debtor that it would not otherwise
consider.
Underwater endowment fund: A donor-restricted endowment fund for which the fair
value of the fund at the reporting date is less than either the original gift amount or the
amount required to be maintained by the donor or by law that extends donor
restrictions.
Venue: The place where the court has jurisdiction and will hear the case.
Vertical analysis: A technique for analyzing the relationships between the items on an
income statement, balance sheet, or statement of cash flows by expressing components
as percentages.
Virtual currency: A currency that only exists in cyber space. There is no physical or
tangible item to represent the currency.
Whistleblower: An employee who reports illegal or unethical conduct of the employer.
¶ 10,200
195
¶ 10,300 Final Exam Instructions

To complete your Final Exam go to cchcpelink.com/printcpe, click on the title of the
exam you wish to complete and add it to your shopping cart (you will need to register
with CCH CPELink if you have not already). Click Proceed to Checkout and enter
your credit card information. Click Place Order to complete your purchase of the final
exam. The final exam will be available in My Dashboard under My Account.
This Final Exam is divided into two Modules. There is a grading fee for each Final
Exam submission.
Online Processing Fee: Recommended CPE:
$90.00 for Module 1 4 hours for Module 1
$292.50 for all Modules 13 hours for all Modules
Instructions for purchasing your CPE Tests and accessing them after purchase are
provided on the cchcpelink.com/printcpe website. Please note, manual grading is
no longer available for Top Accounting and Auditing Issues. All answer sheets
must be submitted online for grading and processing.
Recommended CPE credit is based on a 50-minute hour. Because CPE requirements

vary from state to state and among different licensing agencies, please contact your CPE
governing body for information on your CPE requirements and the applicability of a
particular course for your requirements
Expiration Date: December 31, 2020
Evaluation: To help us provide you with the best possible products, please take a
moment to fill out the course Evaluation located after your Final Exam.
Additional copies of this course may be downloaded from cchcpelink.com/printcpe.

Printed copies of the course are available for $3.99 by calling 1-800-344-3734 (ask for
product 10024493-0007).
¶ 10,300
197
¶ 10,301 FINAL EXAM QUESTIONS: MODULE 1
1. ASU 2018-02, related to the reclassification of certain tax effects from accumulated
other comprehensive income, is effective for all entities for fiscal years beginning after:
a. December 15, 2017
b. December 15, 2018
2. Outdated guidance related to the Office of the Comptroller of the Currency’s
Banking Circular 202 resulted in the issuance of which of the following ASUs?
a. ASU 2018-06
b. ASU 2018-07
c. ASU 2018-01
d. ASU 2018-03
3. The amendments prescribed by ASU 2018-07 include improvements related to:
a. Subsequent measurement of goodwill
b. Fair value measurement disclosures
c. Defined benefit pension plans
d. Nonemployee share-based payment accounting
4. ASU 2018-18 included amendments that clarified the interaction between Topic 808
and which of the following topics?
a. Topic 450
b. Topic 606
c. Topic 842
d. Topic 978
5. Training costs (post-implementation phase) related to a hosting agreement that is a
service contract should be:
a. Expensed as incurred
b. Capitalized separately
c. Capitalized with the hosting costs
d. Not recognized
6. Which of the following is not an indicator of a barrier according to ASU 2018-08?
a. Measurable performance-related barriers
b. The extent to which a stipulation limits discretion by the recipient on the
conduct of an activity
c. The probability of the condition is greater than remote
d. Whether a stipulation is related to the purpose of the agreement
7. ASU 2018-02 was issued due to the passage of which of the following laws?
a. Tax Cuts and Job Act
b. Sarbanes-Oxley Act
c. Affordable Care Act
d. Civil Rights Act
¶ 10,301
8. ASU 2018-11 provides a new practical expedient for lessors to use which transition
approach?
a. Full retrospective
b. Modified retrospective
c. Cumulative effect adjustment
d. Prospective
9. ASU 2018-16 adds which interest rate to the permitted benchmark list?
a. SIFMA
b. LIBOR
c. SOFR
d. UST
10. Which of the following is not a requirement to be within the scope exception in
ASU 2018-17?
a. The reporting entity and the legal entity are under common control.
b. The reporting entity and the legal entity are not under common control of a
public business entity.
c. The legal entity under common control is not a public business entity.
d. The reporting entry directly has a controlling financial interest in the legal
entity.
11. The requirements prescribed by ASU No. 2016-13 are effective for public business
entities for annual periods beginning after:
12. The amendments within ASU No. 2016-13 require a financial asset (or a group of
financial assets) measured at amortized cost basis to be presented at which of the
following?
a. Net amount expected to be collected
b. Net book value
c. Fair value
d. Fair value less costs to sell
13. Prior to the amendments within ASU No. 2016-13, credit losses on available-for-sale
debt securities are required to be measured and presented as which of the following?
a. Write-downs
b. Valuation allowances
c. Contra-assets
d. Other comprehensive income
14. Which of the following financial instruments are not included in the scope of ASC
326-20?
a. Financial assets measured at amortized cost basis
b. Net investments in leases
c. Off-balance sheet credit exposures
d. Policy loan receivables of an insurance entity
¶ 10,301
FINAL EXAM QUESTIONS: MODULE 1 199
15. The FASB provided for two practical expedients as a result of ASU No. 2016-13 for
which of the following types of financial instruments?
a. Financial assets secured by collateral
b. Financial assets measured at fair value through net income
c. Available-for-sale securities
d. Loans made to participants by defined contribution employee benefit plans
16. Which of the following is a required disclosure as it relates to credit quality
information?
a. Management’s method for developing its allowance for credit losses
b. The information that management used in developing its current estimate of
expected credit losses
c. The amortized cost basis by credit quality indicator (public business entities
only)
d. The amortized cost basis of financial assets on nonaccrual status as of the
beginning of the reporting period and the end of the reporting period
17. Which of the following statements is correct with respect to the available-for-sale
debt security impairment model?
a. There is no allowance recognition threshold.
b. The unit of measurement is the individual available-for-sale debt security.
c. There are several acceptable methods for measuring credit losses.
d. The measurement of credit losses is the expected credit loss that reflects the
loss even if that risk is remote.
18. Which of the following disclosures with respect to credit losses on available-for-
sale debt securities is required to be presented in tabular form?
a. Nonaccrual status
b. Available-for-sale debt securities that are in unrealized loss positions
c. Purchased financial assets with credit deterioration
d. Collateral-dependent financial assets
19. Which of the following ASUs included codification improvements to ASC Topic 326
related to areas such as accrued interest and recoveries?
a. ASU No. 2018-15
b. ASU No. 2018-17
c. ASU No. 2019-03
d. ASU No. 2019-04
20. Entities are required to apply the amendments in ASU No. 2016-13 through a
cumulative-effect adjustment to:
a. Retained earnings
b. Net income
c. Other comprehensive income
d. Other assets
¶ 10,301
21. Current not-for-profit reporting requirements primarily come from which of the
following FASB statements?
a. FASB 112
b. FASB 114
c. FASB 117
d. FASB 123
22. The amendments of ASU 2016-14 are effective for fiscal years beginning after:
23. In the year of adoption, a(n) ________ paragraph should be included in the
auditor’s report if the adoption results in changes that have a material impact on the
financial statements.
a. Other matter
b. Emphasis of matter
c. Consistency
d. Adoption
24. ASU 2016-14 made key changes in the five areas: (1) reporting of net assets, (2)
liquidity information from NPOs, (3) the statement of cash flows, (4) the operating
measure information provided, and (5) _________.
a. The reporting of expenses
b. The measurement of credit losses
c. Revenue from contracts with customers
d. Derivatives
25. Not-for-profits will continue to provide information about the nature and amounts
of different types of donor-imposed restrictions either by reporting their amounts on the
face of the statement of financial position or ________________.
a. As a supplement to the annual report
b. Within the audit report
c. As a disclosure within the profit and loss statement
d. Including relevant details in the notes to the financial statements
26. Which of the following statements is correct regarding reporting expiration of
restriction of gifts related to long-lived assets?
a. GAAP requires recognition when the asset is acquired and placed in service.
b. GAAP permits recognition of ratable amounts over the asset’s estimated useful
life if that is part of the donor’s restriction.
c. Entities are allowed to choose between the placed-in-service approach or
ratable amounts over the asset’s estimated life.
d. Both A and B
¶ 10,301
27. Which of the following identifies funds for which the fair value of the fund at the
reporting date is less than either the original gift amount or the amount required to be
maintained by the donor or by law that extends donor restrictions?
a. Impaired funds
b. Underwater endowments
c. Negative carrying value funds
d. Reduced endowments
28. Regarding liquidity information, under ASU 2016-14, a not-for-profit entity is re-
quired to disclose qualitative information on how it manages its liquid resources
available to meet cash needs for general expenditures within ____ year(s) of the balance
sheet date.
a. One
b. Two
c. Three
d. Five
29. Currently, not-for-profits are ____________ a self-defined operating measure on the
statement of activities.
a. Encouraged to have
b. Required to have
c. Allowed to have
d. Prohibited from having
30. Which of the following types of costs would be allocated fully to management and
general (M&G) expenses?
a. CFO
b. CEO
c. IT
d. HR
¶ 10,301
1. According to the PCAOB AS 3101, which of the following components is included in

the definition of a critical audit matter?
a. Any matter arising from the audit of the financial statements that has been
communicated or was required to be communicated to the audit committee
b. Any matter arising from the audit of the financial statements that relates to
accounts or disclosures that are material to the financial statements
c. Any matter arising from the audit of the financial statements that involved
especially challenging, subjective, or complex auditor judgment
d. All of the above
2. Criterion two outlined for identifying CAM issues includes issues that relate to
accounts or disclosures that are material to the financial statements. Several issues are
identified as those that are not considered CAMs. Which of the following is one of those
issues?
a. Significant risks identified by the auditor
b. Significant unusual transactions
c. A significant deficiency in internal control over financial reporting
d. Matters involving the company’s accounting policies, practices, and estimates
3. When considering the new requirements for CAM disclosure, the PCAOB indicated
the new standard would provide certain benefits. Those benefits include which of the
following?
a. Apply the auditor’s responsibility for other information specifically to a com-
pany’s annual report filed with the SEC.
b. Require management to be more secretive.
c. Enhance the auditor’s responsibility with respect to other information by
adding procedures for the auditor to perform in evaluating the other informa-
tion based on relevant audit evidence obtained and conclusions reached during
the audit.
d. a and b
e. a and c
4. The requirements for disclosure of CAMs in the auditor’s report include:
a. An introductory paragraph and identification of the CAM
b. A summary paragraph at the end of the report that reviews the CAMs
c. Identification of who was responsible for creating the issue that resulted in the
CAM
d. The use of complex, highly technical language to describe the CAM
5. What is the primary consideration when it comes to audit documentation required
for CAMs?
a. Audit documentation must include detailed audit narratives and process flows.
b. Audit documentation must be in sufficient detail to enable an experienced
auditor, having no previous connection with the engagement, to understand
the determinations made to comply with the standard.
c. Audit documentation must include the signature of the partner in charge of the
audit.
d. Audit documentation must include who on the audit team identified the CAM.
¶ 10,302
6. When describing CAMs in the auditor’s report, what is the auditor not expected to
disclose?
a. Information about the company that has not been made publicly available
b. Items identified as significant or unusual
c. Items identified as extremely complex in their calculations
d. Items of concern related to third-party transactions
7. Which of the following statements is correct with respect to the identification and
communication of CAMs to an entity’s audit committee?
a. CAMs should have been communicated to the audit committee as significant
deficiencies in internal control.
b. CAMS should have been communicated to the audit committee as material
weaknesses.
c. Any matter that will be communicated as a CAM should already have been
discussed with the audit committee.
d. CAMs should be communicated to the audit committee and must include a
detailed action plan by management when presented.
8. CAMs are not a substitute for required explanatory paragraphs. For these situa-
tions, both the explanatory paragraph and the required communication regarding the
CAM would be provided, using one of two methods. Which of the following is one of
those methods?
a. Including the required communication for a CAM in the CAM section with a
hyperlink to the explanatory paragraphs.
b. Combining the explanatory paragraphs and the CAM section into one section
titled “Critical Audit Matters and Explanatory Paragraphs.
c. Including the required communication for a CAM in the explanatory para-
graph, with a cross-reference in the CAM section to the explanatory paragraph
d. Listing the CAM section and the explanatory paragraphs next to each other in
the report’s table of contents.
9. Which of the following identifies one of the major differences between the definition
of key audit matters and critical audit matters?
a. The concept of judgment is not mentioned in key audit matters.
b. The concept of estimates is not mentioned in critical audit matters.
c. The concept of materiality is not mentioned in the definition of key audit
matters.
d. The concept of complex transactions is not mentioned in critical audit maters.
10. Revenue recognition is an area that is considered inherently high in risk and would
most likely be considered by independent auditors as an area where the identification of
a CAM may occur. In which of the following situations would issues surrounding
revenue recognition likely not be a CAM?
a. When the revenue recognition process involves significant estimates.
b. When the revenue recognition process involves complex judgments.
c. When the revenue recognition process is inherently routine and consistent
with similar entities.
d. When the revenue recognition process is determined to be high-risk and
subject to potential material misstatement.
¶ 10,302
11. What was the first standard that addressed service organization control reports?
a. SSAE 16
b. SSAE 18
c. SAS 70
d. PCAOB 5
12. What was the primary purpose for the transition from an SSAE 16 to an SSAE 18
report?
a. To address subservice organizations and properly address controls surround-
ing information technology
b. To better address controls surrounding internal controls over financial
reporting
c. To enhance the reporting process for service organizations
d. To eliminate the possibility of cybersecurity risks
13. A SOC 2 Type I report addresses:
a. The design of control over financial reporting services
b. Both the design and operating effectiveness of controls over financial reporting
services
c. The design of controls surrounding the security, viability, processing integrity,
d. The design and operating effectiveness of controls around the security, availa-
bility, processing, integrity, confidentiality, and privacy of services
14. When conducting a SOC 2 engagement, one of the issues the auditor would focus
on is information security. What does security refer to in this context?
a. Security for systems that use electronic information to process, transmit or
transfer, and store information to enable the entity to meet its objectives
b. The physical security of documents
c. The security for individuals who managed IT resources
d. The alarm system for the facility’s entrance and exit doors
15. What is the primary difference between a SOC 2 Type I report and a SOC 2 Type II
report?
a. A Type II report only evaluates the design of the controls.
b. A Type I report only evaluates the design of the controls.
c. A Type II report only evaluates the operating effectiveness of controls.
d. A Type I report only evaluates the operating effectiveness of controls.
16. What is the main difference between a SOC 3 report and a SOC 2 report?
a. A SOC 3 report is intended for reporting of internal controls over financial
reporting.
b. A SOC 3 report only reports on the operating effectiveness of controls.
c. A SOC 3 report is intended for a general audience.
d. A SOC 3 report evaluates internal control over financial reporting design and
operating effectiveness.
¶ 10,302
17. What is the primary purpose for performing a readiness assessment?
a. To ensure management has the processes, policies, and structures in place
that will be evaluated within a SOC engagement
b. To inform management of what will happen in a SOC engagement
c. To obtain assurance that the organization will be able to get a clean SOC
opinion
d. To eliminate the need for a SOC engagement
18. What changes did SSAE 18 make in regard to subservice organizations?
a. Management of the user company must take responsibility for controls in place
at the subservice organization.
b. Management of the service organization must ensure that the controls utilized
by the subservice organization that impact their service to the user organiza-
tion are adequate.
c. Subservice organizations are scoped out of SSAE 18.
d. Subservice organizations must obtain their own SOC report separate from
service organizations.
19. What should most appropriately be included in a detailed risk assessment of a
service organization?
a. Facilitation of appropriate risk identification and risk management
b. Identification of all fraud risk within the service organization
c. Identification of all risk that falls outside the responsibility of the service
organization
d. Evaluation of specific information technology controls
20. Which of the following statements is correct with respect to the impacts of SSAE
18 on complimentary controls?
a. Complimentary controls are considered controls implemented by the subser-
vice organization as a secondary control for those at the service organization.
b. Complimentary controls are not a requirement of the subservice organization;
they are only required by the service organization.
c. The user organization must identify what complimentary controls it expects to
be in place.
d. Management and the service auditor must consider the subservice organiza-
tion controls in the design of the service organization’s own system and how
the service organization ensures that control objectives were met.
21. Which of the following identifies a data structure that creates a digital ledger of
data that can be shared in a network of independent third-party participants?
a. Cryptobase
b. Ripple
c. Blockchain
d. Node
22. Which of the following identifies the two ingredients to prevent network
corruption?
a. Decentralization and utilization of cryptocurrency
b. Centralization and utilization of cryptocurrency
c. Decentralization and utilization of nodes
d. Centralization and utilization of nodes
¶ 10,302
23. Blockchain is widely regarded as being born in ______ amid the global financial
crisis.
a. 2005
b. 2008
c. 2010
d. 2014
24. The Ethereum network is considered to be the _______ evolution of blockchain.
a. First
b. Second
c. Third
d. Fourth
25. Which of the following identifies a list of transactions recorded onto a ledger over a
period of time?
a. Blocks
b. Bits
c. Nodes
d. Hashes
26. Which of the following identifies a characteristic of private blockchains?
a. Has large distributed networks that run through a native token.
b. Is open to anyone at any level.
c. Has open-source code maintained by its community.
d. Has closely controlled membership.
27. A public blockchain is used to trade value between _______ things and to derive
more value between _______ parties.
a. Similar, Mistrusting
b. Similar, Trusted
c. Dissimilar, Mistrusting
d. Dissimilar, Trusted
28. Which of the following types of blockchain software specializes in smart contracts?
a. Ripple
b. Factom
c. Ethereum
d. Hyperledger
29. Which of the following identifies an open-source private blockchain platform used
by many businesses for multiple purposes?
a. Hyperledger
b. Multichain
c. Factom
d. Ripple
¶ 10,302
30. Each of the following identifies a blockchain best practice, except:
a. Simplify your contracts.
b. Use trusted Wi-Fi networks.
c. Hire a reputable blockchain developer.
d. Back up your digital nodes.
31. While there is no formal definition of audit quality, the focus is on __________ of
the audited financial statements.
a. Credibility
b. Materiality
c. Consistency
d. Delivery
32. One of the key elements of audit quality is exercising professional __________ in
all aspects of the audit.
a. Judgment
b. Skepticism
c. Testing
d. Cynicism
33. Auditing versus consulting, client acceptance decisions, and assignment of person-
nel are examples of which of the following as it relates to audit quality impacts?
a. Processes and procedures
b. Materiality
c. Root causes of poor audit quality
d. Critical matters
34. Which of the following identifies a quality control element challenge as it relates to
relevant ethical requirements?
a. Leadership emphasizes meeting time budgets.
b. Repeat matters and findings are present.
c. Firm allows engagement partners to deviate from its own policies and
procedures.
d. Impairment of independence is not identified.
35. When a firm is asked to complete an audit engagement in an unreasonable
timeframe, this represents a quality control element challenge related to:
a. Acceptance and continuance of clients
b. Human resources
c. Leadership
d. Relevant ethical requirements
¶ 10,302
36. In order to strengthen the ____________, firm leadership should align appropriate
culture and mindset and ensure that all staff have sufficient time and resources to solve
engagement issues.
a. Public interest
b. Tone at the top
c. Diversity
d. Monitoring process
37. One strategy to increase audit quality is to offer quality continuing education and
training. In doing this, professionals should most appropriately focus on each of the
following topics, except:
a. Independence and ethics
b. Applying professional judgment and skepticism
c. Time management
d. Firm policies and procedures
38. Which of the following identifies a common audit deficiency related to financial
statement recognition and measurement, presentation, and disclosure?
a. Misclassifications of activities between investing and financing activities
b. Failure to disclose the omission of the statement of cash flows
c. Lack of a written audit program
d. Failure to assess the level of materiality and control risk
39. Which of the following identifies a common audit deficiency related to audit
procedures and documentation?
a. Lack of applicable disclosures related to variable interest entities
b. Missing significant accounting policies
c. Failure to perform or document significant audit areas
d. Cash overdrafts shown as negative assets
40. Which of the following identifies a common deficiency related to SSARS proce-
dures and documentation related to a review engagement?
a. Failure to include a separate report for departures from GAAP
b. Failure to document significant unusual matters and their disposition
c. Failure to read compiled financial statements for obvious or material errors
d. Failure to obtain an engagement letter
¶ 10,302
1. Which of the following types of cyber fraud is used to hide the origin of an email?
a. Phishing
b. Pharming
c. Whaling
d. Spoofing
2. Which of the following identifies the most common way to pay for stolen credit card
numbers purchased over the Internet?
a. Cash
b. BitCoin
c. Credit card
d. Check
3. Bid rigging normally falls under which type of corruption?
a. Conflicts of interest
b. Bribery
c. Illegal gratuities
d. Economic extortion
4. Which of the following types of corruption primarily involves the misuse of political
office?
a. Nepotism
b. Graft
c. Bribery
d. Illegal gratuities
5. Which of the following types of corruption payment is most likely to be associated
with economic extortion?
a. Gifts
b. Hospitality
c. Access to decision makers
d. Keeping a secret
6. Counterfeit detection pens are used to detect:
a. Wood-based paper
b. Rag-based paper
c. Hemp-based paper
d. Inferior ink
7. Possession of counterfeit currency is punishable by up to ____ years in jail.
a. 5
b. 10
c. 15
d. 20
¶ 10,303
8. Which of the following components is not part of the fraud triangle?

a. Rationalization
b. Concealment
c. Opportunity
d. Pressure
9. Which of the following is the most common concealment method used by
fraudsters?
a. Creating fraudulent physical documents
b. Altering physical documents
c. Altering electronic files
d. Creating fake journal entries
10. Which of the following individuals developed the fraud triangle theory?
a. Gabriel Tarde
b. Edwin Sutherland
c. Ronald Akers
d. Donald Cressey
11. Which of the following fraud schemes involves stealing payments from one cus-
tomer and covering the theft with payments stolen from other customers?
a. Skimming
b. Lapping
c. Billing fraud
d. Graft
12. CryptoLocker is an example of:
a. Phishing
b. Ransomware
c. Spoofing
d. Money Laundering
13. Which of the following is not a type of corruption?
a. Conflict of interest
b. Bribery
c. Economic extortion
d. Asset misappropriation
14. Which of the following identifies the most common way that fraud is detected?
a. External audits
b. Accidental discovery
c. Tips
d. Confession
15. Each of the following is an example of expense reimbursement fraud, except:
a. Altering receipts
b. Split expenses
c. Laundered expenses
d. Deposit refunds
¶ 10,303
16. Which of the following types of cyber-attack is used to try to take down a
government website?
a. Denial of service
b. Phishing
c. Ransomware
d. Data breach
17. Banks are required to file a Suspicious Activity Report (SAR) for cash transactions
over:
a. $1,000
b. $5,000
c. $7,500
d. $10,000
18. Identity theft is a:
a. Civil, not criminal, matter
b. Criminal misdemeanor
c. Criminal felony
d. Misdemeanor
19. The Identity Theft Task Force was established in what year?
a. 1996
b. 2001
c. 2006
d. 2008
20. The Federal Trade Commission passed the Red Flags Rules in what year?
a. 1996
b. 2001
c. 2006
d. 2008
21. Which type of asset misappropriation involves stealing cash before it is recorded in
the accounting system?
a. Theft of cash
b. Lapping
c. Skimming
d. Billing schemes
22. Which of the following is not a common way to steal data from a computer?
a. Malware on charging stations
b. Social networking
c. Vishing
d. Hacking
¶ 10,303
23. Which of the following statements is correct?

a. Fraudsters cannot duplicate gift cards.
b. Fraudsters cannot duplicate the new chip cards.
c. Fraudsters cannot purchase blank credit cards.
d. Any card can be easily duplicated.
24. Which of the following identifies the most common way that occupational fraud is
discovered?
a. By accident
b. Tips
c. External auditors
d. Internal auditors
25. Shoplifting or employee theft would be considered to be a type of:
a. Corruption
b. Skimming
c. Asset misappropriation
d. Lapping
26. Sandbagging is related to:
a. Bill and hold frauds
b. Channel stuffing
c. Fake sales
d. Improper sales cut-off
27. Which type of payroll fraud uses fictitious employees?
a. Slow work for OT
b. Vacation abuse
c. Ghost employees
d. Falsification of hours worked
28. Which of the following accounts receivable frauds involves management misstating
the accounts receivable balance to lenders?
a. Factoring fraud
b. Payment diversions
c. Skimming
d. Check swaps
29. Which of the following would not normally be involved in a skimming scheme?
a. Business owners
b. Employees
c. Managers
d. Customers
30. A person’s _______ is not considered to be personally identifying.
a. Name
b. Occupation
c. Address
d. Social Security number
¶ 10,303
213
¶ 10,400 Answer Sheets

¶ 10,401 Top Accounting and Auditing Issues for 2020
CPE Course: MODULE 1
(10047722-0003)
Go to cchcpelink.com/printcpe to complete your Final Exam online for instant
results.
A $90.00 processing fee will be charged for each user submitting Module 1 to cchcpe-
link.com/printcpe online for grading.
Module 1: Answer Sheet

Please answer the questions by indicating the appropriate letter next to the correspond-
ing number.
1. 10. 19. 28.
2. 11. 20. 29.
3. 12. 21. 30.
4. 13. 22.
5. 14. 23.
6. 15. 24.
7. 16. 25.
8. 17. 26.
9. 18. 27.
Please complete the Evaluation Form (located after the Module 3 Answer Sheet).
Thank you.
MODULE 2 - ANSWER SHEET 215

(10047723-0003)
results.
A $112.50 processing fee will be charged for each user submitting Module 2 to
cchcpelink.com/printcpe for online grading.

ing number.
1. 11. 21. 31.
2. 12. 22. 32.
3. 13. 23. 33.
4. 14. 24. 34.
5. 15. 25. 35.
6. 16. 26. 36.
7. 17. 27. 37.
8. 18. 28. 38.
9. 19. 29. 39.
10. 20. 30. 40.
Thank you.
MODULE 3 - ANSWER SHEET 217

(10078842-0001)
results.
A $90.00 processing fee will be charged for each user submitting Module 3 to cchcpe-
link.com/printcpe for online grading.

ing number.
1. 11. 21.
2. 12. 22.
3. 13. 23.
4. 14. 24.
5. 15. 25.
6. 16. 26.
7. 17. 27.
8. 18. 28.
9. 19. 29.
10. 20. 30.
Thank you.
219
¶ 10,500 Top Accounting and Auditing

Issues for 2020 CPE Course: Evaluation Form
(10024493-0007)
Please take a few moments to fill out and submit this evaluation to Wolters Kluwer so
that we can better provide you with the type of self-study programs you want and need.
Thank you.
About This Program
1. Please circle the number that best reflects the extent of your agreement with the
following statements:
Strongly Strongly
Agree Disagree
a. The Course objectives were met. 5 4 3 2 1
b. This Course was comprehensive and 5 4 3 2 1

organized.
c. The content was current and technically 5 4 3 2 1

accurate.
d. This Course content was relevant and 5 4 3 2 1

contributed to achievement of the learning
objectives.
e. The prerequisite requirements were 5 4 3 2 1

appropriate.
f. This Course was a valuable learning 5 4 3 2 1

experience.
g. The Course completion time was 5 4 3 2 1

appropriate.
2. What do you consider to be the strong points of this Course?
3. What improvements can we make to this Course?
THANK YOU FOR TAKING THE TIME TO COMPLETE THIS SURVEY!

221
222

TAIBK - 2020 - Top Accounting and Auditing Issues

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TAIBK - 2020 - Top Accounting and Auditing Issues

Uploaded by

Copyright:

Available Formats

1

Top Accounting and

Melisa Galasso, CPA

This publication is designed to provide accurate and authoritative information in

© 2019 CCH Incorporated and its affiliates. All rights reserved.

No claim is made to original government works; however, within this Product or

Printed in the United States of America

Additional copies of this course may be downloaded from cchcpelink.com/printcpe.

MODULE 1: TOP ACCOUNTING ISSUES—

¶ 102 LEARNING OBJECTIVES

Upon completion of this chapter, you will be able to:

¶ 104 ASU 2018-01

¶ 105 ASU 2018-02

¶ 106 ASU 2018-03

¶ 107 ASU 2018-04

¶ 108 ASU 2018-05

¶ 109 ASU 2018-06

¶ 110 ASU 2018-07

¶ 111 ASU 2018-08

¶ 112 ASU 2018-09

¶ 113 ASU 2018-10

¶ 114 ASU 2018-11

¶ 115 ASU 2018-12

¶ 116 ASU 2018-13

¶ 117 ASU 2018-14

¶ 118 ASU 2018-15

¶ 119 ASU 2018-16

¶ 120 ASU 2018-17

¶ 121 ASU 2018-18

¶ 122 ASU 2018-19

¶ 123 ASU 2018-20

4. The amendments in ASU 2018-12 include targeted improvements to the accounting

MODULE 1: TOP ACCOUNTING ISSUES—

¶ 202 LEARNING OBJECTIVES

Upon completion of this chapter, you will be able to:

¶ 204 MAIN PROVISIONS OF THE ASU

incurred loss impairment methodology with an updated methodology that reflects

¶ 205 ASSETS MEASURED AT AMORTIZED COST

¶ 206 INITIAL MEASUREMENT OF EXPECTED LOSSES

Considering Available Information

Estimating Credit Losses

• Financial asset type

¶ 207 SUBSEQUENT MEASUREMENT OF EXPECTED

¶ 209 FINANCIAL STATEMENT DISCLOSURES

• Industry sector, such as either of the following:

Credit Quality Information

Allowance for Credit Losses

Additionally, there are incremental disclosure requirements regarding the signifi-

Purchased Financial Assets with Credit Deterioration

Collateral-Dependent Financial Assets

Off-Balance-Sheet Credit Exposures

4. An entity is permitted to estimate, as a practical expedient, credit losses as the

¶ 210 AVAILABLE-FOR-SALE DEBT SECURITIES

¶ 211 SUBSEQUENT MEASUREMENT

¶ 212 FINANCIAL STATEMENT DISCLOSURES

Available-for-Sale Debt Securities in Unrealized Loss Positions

Allowance for Credit Losses

Purchased Financial Assets with Credit Deterioration

¶ 214 RECENT DEVELOPMENTS

7. Which of the following identifies one of the categories of financial statement

MODULE 1: TOP ACCOUNTING ISSUES—

¶ 302 LEARNING OBJECTIVES

Upon completion of this chapter, you will be able to: