Last month, this column discussed identifying and addressing risks of material revenue understatements in general, and those specific risks presented by outsiders who control and have an incentive to intentionally—or sometimes unintentionally—underreport the transactions or activities that generate revenues that are based on contractual requirements with others, such as customers, lessees, or licensees. This column continues by discussing 1) special risks associated with the use of managing agents who are entrusted with, among other functions, the collection of and accountability for revenues, and 2) risks associated with fraudulent behavior by management (such as that motivated to minimize income taxes) or against the company (such as employee theft, commonly motivated by economic stress).
Special Risks Associated with Managing Agents
Whenever an entity operates, in fact or substance, as a central management company or managing agent of properties owned by others that are or include properties or other operations both within and outside the entity or group of entities currently under audit, a principal risk, especially when properties are being sold, is that the operating results might be overstated or understated. This generally occurs through intentional or inadvertent misdirection of revenues or expenses from or to properties outside the group of controlled properties, such as by misallocations of general and administrative or other common costs and expenses. It is also necessary to ascertain and consider whether a significant risk of misstatement is posed by incentive compensation arrangements with various principals of the managing agent that might cause it to want to shift revenues or profits from one property or entity to another.
Accordingly, auditors must be concerned with, and probably test, controls over the maintenance and protection from alteration of signed leases and the receipt, recording, and transmission of rent and other revenues by the managing agent, particularly when cash might be involved. Based on the perceived strength or weakness of relevant controls, auditors ordinarily should, at a minimum, perform substantive analytical procedures comparing key operating ratios of the controlled properties to those of others outside the group, cautiously considering that what look like relatively small percentage variances could, in fact, translate into large dollar amounts requiring further investigation.
As noted last month, however, auditors must be mindful that analytical procedures may not be sufficiently precise to stand alone regarding any assertion with a perceived significant risk of material misstatement, unless adequately supported by relevant control testing at the managing agent level (as noted in last month’s column). Such testing should be designed to assure, among other things, that revenue is being credited to the appropriate property. Substantive tests of revenue completeness, particularly when reported occupancy is low or merely below expectations, ordinarily should include onsite property inspections that focus on whether the apparent occupancy is consistent with the reported or expected revenue level. Such inspections also may contribute to other audit objectives unrelated to revenue, such as asset impairment tests.
Completeness of Revenue Risk in Periods of Economic Stress
Fraud often occurs as a result of some combination of incentive (motivation), opportunity, and rationalization. In a troubled economic environment, the risk of fraud in the form of asset misappropriations by management or other employees, including revenue diversion (i.e., conversion or skimming), can be expected to increase substantially from those who are or fear suffering from the effects of an economic recession (e.g., job losses, pay cuts, mortgage foreclosures). In addition, those employed in a financially troubled company may feel financially motivated and compelled to engage in asset misappropriations. Finally, such individuals may feel a sense of entitlement to such enrichment compensation for having made considerable personal sacrifices during their employment.
Whenever such economic conditions prevail, auditors should concern themselves with possible misstatements as a result of employee misappropriations, particularly with respect to revenue understatement for cash businesses and inventory items for entities such as manufacturers and distributors. A company’s only likely defense against such illicit activity is to maintain effective controls that reduce or eliminate the opportunity for theft. In addition, auditors should be aware that the managements of troubled companies in danger of violating loan covenants might likely be motivated to misstate financial statements in order to hide events of default.
In circumstances where the risk of such unrecorded revenue is significant, auditors must rely on identifying and testing relevant controls to reduce these risks. They must also employ analytical tests in combination with control tests that will afford them reasonable assurance that all shipments, billings, and related cash receipts are recorded timely.
The Consequences of Failure
Companies, their managements, and their auditors may suffer serious consequences as a result of a failure to adequately address these understatement risks when the potential for under-statement is significant. Other risks especially apply for SEC issuers, who are required under several federal securities laws to safeguard their resources for the benefit of their public shareholders and report material control weaknesses under section 404(a) of the Sarbanes-Oxley Act of 2002 (SOX). Failure to do so can expose management to allegations of violations of the securities law, as well as liability to investors. The failure of auditors to report related control weaknesses to those in charge of governance or to investors under SOX section 404(b), if applicable, or to address such risks appropriately in the audit scope, can, likewise, expose them to risks of liability from stakeholders and to disciplinary action by regulators.
Because it is difficult, if not impossible, to audit what is not there, auditing for completeness risks is always a challenge. Accordingly, a careful consideration of such risks, particularly relative to revenue understatement, and the selection of appropriate audit procedures to address them effectively, should be made in the early stages of designing an audit strategy.