In AICPA audits of small and mid-sized businesses, auditors must respond to the risk of management override and the presumed risk of fraud in revenue. Many of these clients lack the IT infrastructure, change management processes, or audit trail sophistication that large enterprises have. When companies use systems such as QuickBooks, which do not require system-generated journal entry IDs, auditors are often left scratching their heads about what to do next.
Testing Information Technology General Controls (ITGCs) is often impractical or irrelevant in these environments. Yet the auditor’s obligation to design procedures that identify potential fraud remains unchanged. When the majority of companies use small business accounting systems, the traditional approaches to journal entry testing quickly fall apart.
As a result, many audit teams fall back on outdated techniques, reviewing weekend postings, entries by specific users, or transactions created and posted on the same date. Since not all systems produce this metadata, auditors are once again left wondering how to proceed. Even when the data is available, these approaches often fail to detect real fraud because they rely on unvalidated fields in untested systems. How do you know passwords aren’t shared? How do you know someone can’t change the posted-on date? You see the issue. This approach to testing is full of holes and might not hold up in a peer review.
This white paper provides a modern, practical evaluation of how to identify fraud through a holistic audit approach that combines substantive testing and the Computer Assisted Auditing Techniques performed by Audit Sight. It introduces Audit Sight’s fraud detection framework, allowing auditors to confidently address fraud risk without relying on complex IT control testing or enterprise-grade systems.
Auditors performing AICPA financial statement audits are required to design procedures that address the risk of management override of controls and the presumed risk of fraud in revenue recognition under AU-C Section 240. For audits of small and mid-sized businesses, this requirement creates a unique challenge. These clients rarely maintain the IT documentation, access control logs, or process integrity needed to support traditional ITGC testing.
The absence of tested ITGCs does not remove the auditor’s responsibility to identify fraud. Audit Sight provides a structured, data-driven framework that gives auditors a logical and defensible way to find fraud even when formal ITGC testing is not feasible. Our methodology narrows risk from broad to precise, ensuring that auditors can demonstrate full coverage of fraud risk through a series of clear, evidence-based steps.
This framework is designed for AICPA audits of small and mid-sized businesses, helping auditors meet professional standards with a practical, scalable approach that does not depend on complex IT systems or heavy manual work.
Journal entry testing remains one of the most inconsistently executed audit procedures in small business audits. Traditional filters such as entries by user, weekend postings, or created versus posted dates originated in an era of manual accounting systems and often fail to provide meaningful assurance today.
In 2025, how many of your clients can you really say don’t work on the weekend? With work-life balance initiatives and the ability to access accounting records via the cloud, a new approach is needed.
In many small businesses, accounting data is maintained in basic systems like QuickBooks, Xero, or FreshBooks that lack strong access controls. The auditor cannot reasonably test ITGCs or prove the reliability of system metadata. Exports are often incomplete or poorly formatted, making population validation difficult.
When auditors rely on untested data for journal entry testing, the results are unreliable. Worse, the procedures may appear compliant on paper but fail to detect actual manipulation.
Audit Sight’s framework aligns with how fraud logically moves through a company’s records. It allows auditors to progressively clear legitimate activity and isolate what remains—the true residual risk of fraud.
A strong audit begins with balance-sheet assurance. By substantively testing accounts such as cash, accounts receivable, inventory, and accrued liabilities, the auditor eliminates many of the typical concealment paths for fraud. If the balance sheet is accurate, fraud cannot easily be buried within it. Once assets and liabilities are validated, remaining fraud risk must flow through revenue or expense accounts.
Principle: A verified balance sheet limits where fraud can hide.
Audit Sight’s Proof of Cash reconciles revenue and expenses to cash inflows per the bank, reconciling transactions across both banking and accounting data. This process effectively clears all routine, cash-backed activity in revenue and expense. Once those transactions are verified, any remaining entries that impact the income statement but are not supported by cash become the focus area for fraud testing.
Result: Routine entries are validated, and the residual risk is narrowed to non-cash or unusual activity.
Completeness is the cornerstone of all reliable analytics. Audit Sight performs a Journal Entry Completeness Test that ties the total ledger activity to the trial balance and ensures every entry is internally balanced. Without completeness, journal entry testing becomes sampling from an unknown population, which undermines the entire analysis.
Principle: Only complete populations yield complete conclusions.
After clearing the balance sheet and routine activity, the only logical place for fraud to be concealed is in unusual journal entries affecting revenue or expense. Audit Sight’s Journal Entry Module automatically isolates and quantifies these entries by detecting offsets to unexpected accounts, highlighting manual or end-period postings, and identifying reversal or round-trip patterns.
This analysis focuses the auditor’s attention precisely where management override could occur.
Result: Attention is directed to the few entries where fraud could truly exist.
Audit Sight’s framework does not depend on filtering by user, date, or weekend postings. However, if auditors choose to use these traditional methods, they should recognize that these filters are only valid if related ITGCs are effective and have been tested. This means you need to do additional testing outside of looking at these entries.
The key control domains that must be tested to rely on such filters include access management, change management, logging and monitoring, and time or period controls.
Result: If ITGCs have not been tested, these filters provide limited or misleading assurance and could lead to a comment in your peer review.
High-value postings to revenue require professional skepticism, but within Audit Sight’s framework, they are already covered through other procedures. If a high-dollar journal entry is routine, the Proof of Cash process will tie it to real cash inflows. If it is fraudulent, it will either appear as a reconciling item in Proof of Cash because the cash never hit the bank or it will be detected during balance-sheet testing since receivables or cash will not reconcile.
Every significant entry is either supported by evidence or detected through inconsistencies elsewhere.
Principle: Every major revenue entry is verified through cash or disproved through reconciliation.
Most tools fail because general ledger data is messy, incomplete, or inconsistent. Audit Sight overcomes this barrier with data-healing technology that reconstructs and normalizes ledgers, enabling reliable testing even for clients using simple accounting systems.
Our data-healing process matches debits and credits without unique IDs, creates balancing entries where data is incomplete, identifies and removes reversing entries, and splits batch postings into individual transactions.
This capability makes sophisticated testing possible in unsophisticated environments.
Audit Sight’s approach allows auditors to demonstrate with evidence that they have fully addressed the risk of fraud, even when ITGC testing is not practical.
Result: Audit Sight transforms journal entry testing from a compliance exercise into a clear, defensible fraud detection process.
Fraud hides in the gaps between systems, assumptions, and untested data. Audit Sight closes those gaps. By integrating completeness, Proof of Cash, and targeted anomaly analysis, auditors can focus their time where it matters most—the few transactions that truly carry fraud risk. Even in the absence of formal ITGC reliance, small-firm auditors can deliver large-firm confidence.
Audit Sight: Bringing clarity, coverage, and confidence to the modern audit.
