- Title: `Cash Controls in AUD: Why One Person Should Not Move, Record, and Reconcile the Money`
- Slug: `cpa-cash-controls-segregation-duties-audit-evidence`
- Certification: CPA
- Level: Core
- Section: AUD
- Topics: `["Internal Control","Audit Evidence","Risk Assessment","Cash"]`
- Tags: `["segregation-of-duties","cash-controls","bank-reconciliations","audit-evidence","fraud-risk"]`
Cash Controls in AUD: Why One Person Should Not Move, Record, and Reconcile the Money
Cash is the account where internal control theory becomes very practical. If one employee can initiate a payment, approve the payment, record the journal entry, and reconcile the bank account, that person can make an error or unauthorized payment and then use the accounting records to hide it. On the CPA Exam, the answer is rarely "cash is wrong." The sharper answer is usually: the control design gives one person incompatible duties, so the auditor should assess higher risk and adjust procedures.
The Cash Cycle Is a Control Map, Not a Job Title List
Segregation of duties separates the powers that let someone both create a problem and conceal it. A compact way to remember the logic is:
- Custody: physical or electronic access to cash, such as initiating wires or controlling bank credentials.
- Authorization: approval power, such as releasing an electronic payment or approving a vendor setup.
- Recording: ability to post cash receipts, disbursements, or manual journal entries.
- Reconciliation and review: comparing the bank statement to the general ledger and investigating differences.
In a strong design, those powers are split. In a weak design, they collapse into one person or one login path.
The dotted relationships show where AUD questions often hide the issue. It is not always wrong for a staff accountant to record bank activity. It becomes risky when the same person also has custody of cash or performs the final reconciliation without independent review.
Worked Example: Harbor Kite Supply
Harbor Kite Supply has a three-person finance team:
- Lina, the controller, approves vendor payments over $5,000.
- Marco, the staff accountant, prepares weekly wire templates and posts cash disbursement entries.
- Priya, the accounting manager, reviews bank reconciliations and receives read-only bank statements directly from the bank portal.
During April, Marco prepares an $18,600 wire to North Pier Plastics. Lina approves the payment in the bank portal. Marco records the entry:
| Account | Debit | Credit |
|---|---|---|
| Accounts payable | $18,600 | |
| Cash | | $18,600 |
Priya later compares the April bank statement to the general ledger, agrees the wire to the approved invoice package, and signs the reconciliation review.
This is not perfect, but it has separation at the key points: Marco records and prepares, Lina releases, and Priya reconciles and reviews. Now change one fact. Suppose Marco can also release wires and complete the bank reconciliation. The same transaction would create a control deficiency because Marco could direct a payment to an unauthorized bank account, code it to a real vendor, and clear the reconciling item himself.
How the Auditor Thinks About the Weakness
The auditor does not stop at "bad control." The auditor asks four exam-relevant questions:
What assertion is exposed?
Cash disbursement weaknesses usually affect occurrence, completeness, accuracy, cutoff, and classification. The specific assertion depends on the transaction. An unauthorized payment is an occurrence and authorization issue. A hidden bank fee or unrecorded transfer may raise completeness and cutoff concerns.
Is this a design problem or an operating problem?
If the policy allows one person to initiate, record, and reconcile cash, the design is weak. If the policy is strong but review signatures were missing for two months, the design may be acceptable but the control did not operate effectively.
Can a compensating control reduce the risk?
Small teams cannot always split every task. A compensating control must be precise enough to address the missing separation. Helpful controls include:
- Dual approval in the bank portal before any wire is released.
- Read-only bank statement access for the reviewer.
- Automated bank feeds that cannot be edited by the preparer.
- Monthly bank reconciliation review by someone without cash movement rights.
- Exception reports for new vendors, changed bank accounts, and manual journal entries to cash.
A vague "management watches cash" control is usually not enough on an exam question.
What audit evidence is persuasive?
For cash, external or directly obtained evidence is often stronger than client-prepared evidence. Bank confirmations, bank statements obtained through a controlled portal, and auditor-observed system permissions may be more persuasive than a spreadsheet prepared by the same person who posts cash entries. Client-produced reports can still be used, but the auditor needs to evaluate whether they are complete and accurate for the audit purpose.
Exam Framing
AUD questions about cash-cycle duties usually test judgment, not memorized phrasing. Look for the person who can:
- Move money.
- Approve money movement.
- Change vendor payment details.
- Record cash entries.
- Reconcile or review the bank account.
When two or more of those powers sit with the same person, ask whether an independent review, system restriction, or dual approval control actually interrupts the fraud path. If it does, the weakness may be mitigated. If it does not, expect higher control risk, expanded substantive procedures, or a deficiency communication depending on the fact pattern.
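The check described above, applied to the Harbor Kite Supply fact pattern, as an added example that is not part of the original article: it flags anyone holding two or more of the listed powers and reports whether an independent release or reconciliation interrupts the path. The duty labels, the `assess` function and the entitlement data are constructed for illustration, and the mitigation rule is a simplifying assumption.

```python
# Duty labels follow the page's exam-framing list; the names are this example's own.
MOVE, APPROVE, VENDOR, RECORD, RECONCILE = (
    "move_money", "approve_payment", "change_vendor_details",
    "record_cash", "reconcile_bank",
)

def independent_holder(duties_by_user, user, duty):
    """True if someone other than `user` holds `duty`."""
    return any(duty in d for u, d in duties_by_user.items() if u != user)

def assess(duties_by_user, dual_approval=False):
    """Return {user: finding} for every user holding two or more duties.

    Simplifying assumption: a conflict counts as mitigated when either the
    release of a payment or the bank reconciliation is performed by someone
    else, which interrupts the create-and-conceal path.
    """
    findings = {}
    for user, duties in duties_by_user.items():
        if len(duties) < 2:
            continue
        # Release is independent if the user cannot release a wire alone.
        needs_other_approver = APPROVE not in duties or dual_approval
        release_ok = needs_other_approver and independent_holder(
            duties_by_user, user, APPROVE)
        # Reconciliation is independent if the user does not perform it.
        recon_ok = RECONCILE not in duties and independent_holder(
            duties_by_user, user, RECONCILE)
        controls = [name for name, ok in
                    (("independent release", release_ok),
                     ("independent reconciliation", recon_ok)) if ok]
        findings[user] = {
            "duties": sorted(duties),
            "mitigated_by": controls,
            "status": "mitigated" if controls else "unmitigated",
        }
    return findings

# Constructed entitlements modelled on the Harbor Kite Supply example.
BASELINE = {"Lina": {APPROVE}, "Marco": {MOVE, RECORD}, "Priya": {RECONCILE}}
# The page's changed fact: Marco can also release wires and reconcile.
CHANGED = {**BASELINE, "Marco": {MOVE, APPROVE, RECORD, RECONCILE}}

if __name__ == "__main__":
    for label, matrix, dual in (("baseline", BASELINE, False),
                                ("changed", CHANGED, False),
                                ("changed + dual approval", CHANGED, True)):
        print(label, assess(matrix, dual_approval=dual))
```

Run against a real entitlement export, the input that matters is what each login can do in the bank portal and the ledger, not the job titles.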