APPLICATION OF SAS NO. 82 TO AUDITS OF SMALL BUSINESSES

By Thomas A. Ratcliffe and Paul Munter

In February 1997, the Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 82, Consideration of Fraud in a Financial Statement Audit. SAS No. 82--

* describes fraud and its characteristics;

* requires the auditor specifically to assess the risk of material misstatement due to fraud and provides categories of fraud risk factors to be considered in the auditor's assessment;

* provides guidance on how the auditor responds to the results of the assessment;

* provides guidance on the evaluation of audit test results as they relate to the risk of material misstatement due to fraud;

* describes related documentation requirements; and

* provides guidance regarding the auditor's communication about fraud to management, the audit committee, and others.

To help practitioners in their attempts to implement SAS No. 82, the AICPA also has issued an implementation manual, Considering Fraud in a Financial Statement Audit: Practical Guidance for Applying SAS No. 82. The implementation guide discusses issues an auditor needs to consider when attempting to comply with the provisions of SAS No. 82.

Subsequent to the issuance of SAS No. 82 and the related implementation guide, questions have arisen regarding the application of this new guidance to audits of small businesses.

Domination by Single Owner/Manager

One of the problems with attempting to apply SAS No. 82 to audits of smaller businesses is the domination by a single owner/manager. That fact, in and of itself, does not indicate a failure by management to display and communicate an appropriate attitude regarding internal control and the financial reporting process. Thus, in audits of financial statements of smaller, privately-held entities, it may be necessary for auditors to tailor the risk factors indicated in SAS No. 82 so that the risk factors are particularly applicable to small business clients. Such tailoring will require greater partner/manager time to ensure that these risk factors are properly incorporated into the audit plan. The AICPA's implementation manual provides some suggestions as to how these risk factors may be tailored.

Internal Controls. Small business clients often are characterized by internal control conditions that might be considered fraud risk factors in larger business clients. For example, in larger entities, the domination of management by a single individual is unusual and probably would be considered as a risk factor in evaluating the likelihood of material misstatement due to fraud. In audits of smaller entities, however, this condition is normally encountered and is much less useful as an indicator of risk of fraud. For that reason, when assessing the risk related to fraudulent financial reporting, auditors of small businesses typically focus on the motivation of managements to fraudulently misstate their financial statements and their attitudes and characteristics that indicate the willingness to do so. In considering controls relative to the risk of material misstatement due to fraud, auditors should attempt to distinguish those control weaknesses that are understandable given the entity's size and nature from those that display an inappropriate attitude regarding internal control and the financial reporting process.

A lack of controls due to an owner/ manager's improper attitude may indicate a willingness to commit fraudulent financial reporting. However, a lack of controls due mainly to the nature of the client (e.g., too few employees to have a sufficient segregation of duties) does not necessarily affect the risk of fraudulent financial reporting. The lack of segregation of duties does, however, leave the company vulnerable to misappropriation of assets. And, in most cases, small business entities usually are more susceptible to material misstatements in the financial statements that were caused by a defalcation scheme than they are to fraudulent financial reporting.

Operating Characteristics. In small business entities, the financial performance of the entity has a direct impact on the owner/manager. For that reason, the risk factors described in SAS No. 82 relating to the operating characteristics and financial stability of the entity may be considered as factors that affect an owner/manager's motivation to engage in fraudulent financial reporting. Specific examples of operating characteristics indicating that an owner/manager may be motivated to fraudulently misstate the financial statements are--

* threat of imminent bankruptcy or foreclosure,

* poor or deteriorating financial position when management has personally guaranteed significant debts of the entity, and

* adverse consequences on significant matters if poor financial results are reported.

Motivation to Underreport Income or Assets. Auditors should be aware of situations where the owner/manager of a small business entity may be motivated to misstate (understate or overstate) income or assets. For example, the owner/manager may be motivated inappropriately to reduce income taxes. Or, an owner/manager may be motivated to underreport income or assets to defraud a divorced spouse or partner of his or her share of the profits or assets of the business or to convince a judge or arbitrator that the business has inadequate cash flow. Conversely, if the owner is attempting to sell the business, the motivation may be reversed--to overstate assets, income, and cash flows--in an effort to increase the selling price of the business. Auditors are not required to plan audits to discover personal information (e.g., marital status) of the owner/manager; however, if the auditor does become aware of such information, the information should be considered in the assessment of risk related to material misstatement of financial statements due to fraud.

It is very important that auditors be alert to the personal goals, objectives, and situations faced by the owner/manager when auditing a small business, since these factors may play a critical role in the auditor's ability to properly interpret the risk factors that are present.

Risk Factors that Clearly Do Not Apply

SAS No. 82 includes several risk factors that clearly are inapplicable to a privately-held entity. For example, risk factors relating to stock price or hostile takeovers need not be considered. Practitioners that decide to tailor a risk factor list related to small business engagements may want to--

* review and update the list regularly (i.e., do not let the list become "stale") and

* circulate the list among the staff within the firm and educate the staff on how to use this tailored list.

Risk Factors Related to Fraudulent Financial Reporting

When considering the risk of fraudulent reporting in small business engagements, auditors should consider the following risk factors related to management characteristics and the influence of management over the control environment:

* A motivation for the owner/manager to engage in fraudulent financial reporting due to--

* an interest in minimizing reported earnings for tax reasons,

* adverse consequences on significant matters if poor financial results are reported (e.g., a violation of debt covenants),

* poor or deteriorating financial position when the owner/manager has personally guaranteed significant debts of the entity,

* significant pressure to obtain additional capital necessary to stay competitive,

* threat of imminent bankruptcy or foreclosure, or

* a practice by the owner/manager to commit to creditors and other third parties to achieve what appear to be unduly aggressive or unrealistic forecasts;

* A known history of claims against the entity or its owners alleging fraud;

* A failure by the owner/manager to display and communicate an appropriate attitude regarding internal control and the financial reporting process; and

* A strained relationship between the owner/manager and the current or predecessor auditor.

When considering the risk of fraudulent financial reporting in small business engagements, auditors should consider the following risk factors related to industry conditions:

* New accounting, statutory, or regulatory requirements that could impair the financial stability or profitability of the entity;

* A declining industry with increasing business failures and significant decrease in customer demand; and

* Rapid changes in the industry (e.g., high vulnerability to rapidly changing technology or rapid product obsolescence).

When considering the risk of fraudulent financial reporting in small business engagements, auditors should consider the following risk factors related to operating characteristics and financial stability:

* Inability to generate cash flows from operations while reporting earnings and earnings growth;

* Assets, liabilities, revenues, or expenses based on significant estimates that involve unusually subjective judgments or uncertainties, or that are subject to potentially significant changes in the near term in a manner that may have a financially disruptive effect on the entity (e.g., timing of revenue recognition or significant deferral of costs). This can be a particular problem when auditing a construction company or a community bank because of the significance of estimates in the financial reporting process;

* Significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm;

* Significant, unusual, or highly complex transactions, especially those close to year-end, that pose difficult "substance over form" questions;

* Overly-complex organizational structure--particularly given its small business status;

* Unusually rapid growth or profitability compared with that of other similar companies;

* Especially high vulnerability to changes in interest rates; and

* Unusually high dependence on debt or marginal ability to meet debt repayment requirements.

Risk Factors Related to Misappropriation of Assets

When considering the risk of misappropriation of assets in small business engagements, auditors should consider the following risk factors related to susceptibility of assets to misappropriation:

* Large amounts of cash on hand or processed,

* Inventory characteristics (e.g., small size, high value, or high demand),

* Easily convertible assets, and

* Fixed asset characteristics (e.g., small size, marketability, or lack of ownership identification).

When considering the risk of misappropriation of assets in small business engagements, auditors should consider the following risk factors related to controls:

* Lack of appropriate oversight by the owner/manager;

* Lack of appropriate segregation of duties or independent checks (Inadequate segregation of duties quite often is understandable in a small business environment because of the entity's size. However, as noted earlier, auditors should consider this factor in conjunction with other risk factors and with mitigating controls.);

* Lack of job applicant screening procedures relating to employees with access to assets susceptible to misappropriation;

* Inadequate recordkeeping with respect to assets susceptible to misappropriation;

* Lack of appropriate system of authorization and approval of transactions, e.g., in purchasing (Here, for example, the owner/manager can strengthen the controls by remaining directly involved in the approval process.);

* Poor physical safeguards over cash, investments, inventory, or fixed assets;

* Lack of timely and appropriate documentation for transactions (e.g., credits for merchandise returns); and

* Lack of a mandatory vacation policy for employees performing key control functions. *

Thomas A. Ratcliffe, PhD, CPA, is dean, Sorrell College of Business, Troy State University, Troy, Ala. Paul Munter, PhD, CPA, is KPMG Professor and chairman, department of accounting, University of Miami, Coral Gables, Fla.

Editors:
Douglas R. Carmichael, PhD, CPA Baruch College