SAS 55 has introduced new requirements for audits, particularly of small businesses. In this comprehensive survey of small business audits, the authors show how a required evaluation of internal controls can be of great help both to auditors and clients in this environment. A description of inadequate controls found in practice, and the corrective action taken, clearly illustrates the benefits of a better understanding of controls.

Audits of small business have traditionally presented unique challenges for the CPA. The auditor must thoroughly understand the complexities involved in these engagements, and design the audit approach accordingly.

The AICPA's Auditing Research Monograph No. 5, "Audit Problems Encountered in Small Business Engagements," describes a small business-- for purposes of its study--as possessing some or all of the following characteristics:

1. Owner/manager dominance created by the concentration of ownership or operational control in one or a few individuals.

2. Management and employees have only limited accounting skills.

3. Management does not perceive the need for qualified accounting personnel or believes their employment would be cost prohibitive.

4. Potential for management override of the internal control structure is high.

5. Significant internal control deficiencies exist relating to insufficient segregation of functions, relatively easy access to physical assets by company personnel, and informal or nonexistent procedures for planning, budgeting, accounting and reporting functions.

6. Presence of an inactive or ineffective policy-making body.

CHALLENGE FOR THE AUDITOR

Smaller audit clients face a number of problems. These dilemmas basically entail determining the professional services needed, and then locating the right professional to provide them. A number of these needed services are readily apparent such as legal and tax advice, "comfort letters" for a banker, compliance reporting for an employee program, and evaluation of emerging business opportunities. A small business clearly needs a business adviser who knows its business well enough to offer objective commentary. The CPA, who knows the business through annual audit and other services, represents the most viable business adviser for a small business.

However, CPAs face a dilemma. Many small businesses represent a dream of the enterpreneur and not necessarily a well-run business. This dream focuses on the delivery of a product or service with concomitant growth and profits for the enterprise. Very few of these small businesses have managers who understand a control environment, basic accounting systems, and control procedures. Additionally, they typically employ family members in key positions, thereby presenting unique challenges for the auditor.

Numerous problems may arise in this type of engagement due to management inexperience. A first-year client may not know what to expect, fees may appear too large, the time spent on site may appear too long, and the management letter may appear more intimidating than helpful. The CPA's comments may even be perceived as being critical of the client's dream.

Interpersonal problems create even more headaches for the auditor. Some people fear an audit. On one engagement, a bookkeeper shredded every ledger and supporting document before the auditor arrived. When questioned, the bookkeeper said he didn't want the auditors to find anything wrong and think that errors were intentional!

ASSESSING AUDIT AND BUSINESS RISKS

A small business necessarily has a high inherent auditing risk factor due to staffing and other resource constraints. Small enterprises also suffer from a number of environmentally-related problems that heighten their vulnerability. These include marketing factors such as the presence of better capitalized and innovative competitors entering their market, technology obsolescence, and adverse governmental actions.

For example, franchised convenience and video stores have replaced numerous "mom and pop" groceries and independent video rental stores. Innovative marketing of mobile dog grooming services has seriously threatened the profitability of smaller pet stores. Technological changes of personal computers that replace manual typewriters has significantly eroded the business base for small typewriter repair service shops. Governmental fiats, such as changing a two-way street with free parking to a one-way street with meters, may significantly impair a small firm's ability to survive.

Other risks inherent in a small business audit relate to potentials for management override of accounting controls, an ineffective or nonexistent policy-making body, and informal recordkeeping systems. Other accounting-related issues are set forth in Figure 2.

DEVELOPING AN AUDIT STRATEGY

In an audit of a larger entity, the accounting staff often assists the CPA in preparing various schedules and summaries. This request can be quite disruptive to a small business's operations. The limited accounting experience of many small business employees inhibits their abilities to prepare these schedules without instruction and review by the CPA. So, while it may not often be feasible for a client's staff to do some data gathering for the auditor, the risk of inaccuracy mandates additional auditor review, negating some of the time savings envisioned.

An audit strategy for a small business engagement must recognize the inherent risks previously outlined. For the small entity, a temptation always exists to develop an audit approach that parallels one used with larger clients. Because of internal control structure differences and other divergent characteristics between these types of engagements, using an audit program designed for the larger entity is inefficient and often generates unreliable audit evidence. A more appropriate strategy for the small business audit requires a substantive approach with more extensive verification, confirmation, and reperformance. This is necessitated by the lack of management and personnel expertise, and the inherent deficiencies normally found in a small entity's internal structure.

THE INTERNAL CONTROL STRUCTURE

In developing an appropriate audit strategy for a small business client, the auditor must consider the expanded responsibilities mandated by recently issued SAS 55, "Consideration of the Internal Control Structure in a Financial Statement Audit."

Under previous standards for internal control evaluation, (SASs 1 and 43) auditors normally would not rely on internal control to any great extent. The primary reason was efficiency. Professional standards did not mandate it so that if it was quicker to do more substantive testing rather than testing effectiveness of internal controls, the auditor would do an "all substantive" audit. Generally, the CPA would simply adopt a policy of non-reliance on a small client's internal controls and document the rationale in the working papers. There were other practical reasons. Often, for the smaller business, internal control was less structured and limited due to the very nature of small business structure. The following case illustrates the kind of control conditions, or lack thereof, that an auditor encounters in the small business.

War Story One

A family-run convenience store chain had a "we've always done it that way" philosophy when it came to their accounting system. The basic system had changed very little from the one established many years ago when the company had owned only a few small grocery stores. By the time the grocery stores had become supermarkets and the enterprise had branched out into the convenience store market as well (140 stores), the management philosophy and operating style had changed very little. Management had never adjusted control methods to monitor and follow up performance.

To keep pace with competition, the stores added gasoline, wine and beer sales. The sale of gasoline marked their first encounter with the problems of accepting credit cards and dealing with clearing-houses. What had once been essentially a cash enterprise now had to track receivables. Understandably, because the turn-around time on the credit card reimbursement was longer than cash payment terms for gasoline, this created a cash squeeze. State laws concerning alcoholic beverages required payment to vendors upon delivery of beer and wine, which, of course, heightened cash flow problems.

The company entered documentation for accounts payable into a computer to create both an accounts payable detail ledger and postings to general ledger accounts. However, the computer created two files at that point-- one detail and one summary. Certain journal entries affected the summary file without posting to the detail file, thereby allowing the accounts payable detail and the accounts payable ledger account to be out of balance. The company religiously used the detail file to prepare historical trend reports and forecasts for management, but failed to address completeness and file integrity control objectives within the system.

The owners believed they had quite cleverly solved the beer and wine purchase cash drain dilemma. Because the stores sold money orders for customer convenience, they prepared a money order payable to wine and beer distributors for each delivery. However, the store did not accrue a payable or expense charges for these money orders, and therefore understated both expenses and liabilities. To further compound problems, nobody reconciled the money orders issued to vendors' monthly statements, thus ignoring basic controls addressing completeness, asset protection, and proper supervision.

The auditor recommended a simple, numeric control log for the money order stock, with a reconciliation to monthly statements and beer and wine purchases, along with standard journal entries to record sales and liability transactions. Recommended periodic analyses of beer and wine purchases against sales and ending inventory would provide further control. In this instance management expressed frustration over the simplicity of controls proposed; controls that were logical and straightforward, but never realized as essential. It was irritating for management to realize that the effective controls needed were so simple. This scenario further emphasizes the importance of an effective management philosophy with regard to internal control structure.

Another internal control-related characteristic common to small businesses relates to the physical size of the entity. A smaller business naturally enhances development of close personal relationships. With fewer employees, smaller organizations normally create an environment of closer working relationships and longer job tenure. These characteristics foster stronger personal relationships within the company that can sometimes compromise any established internal controls. This development also results in an over-dependence on selected key individuals with reciprocal pressure to perform per expectations. The following experience from public practice illustrates this aspect.

War Story Two

A real estate development and management company had hired a bookkeeper to maintain a complete set of records for approximately 20 projects and business ventures that the partners had established. The transaction volume was low on each individual entity, but the number of projects and the overlap of parties dealing with multiple projects created a complex cost allocation environment. Because preparation of individual statements and tracking of individual statutory filings for each project became obviously too time consuming, the bookkeeper simply decided not to perform a large portion of required functions. A number of bank accounts were never reconciled monthly, financial statements were not prepared for every project, and notices from taxing authorities (for example, worker's compensation and the State Department of Revenue) were dumped into desk drawers. These errors and inefficiencies related to control failures could have been detected, and corrected, by proper organization, supervision, and management operating style.

These failures surfaced when the CPA attempted to audit. Incomplete records, unpaid bills, and delinquent reporting could no longer be hidden or justified. The inadequacy of records, and potential legal jeopardy from failure to file regulatory returns negated any attempt to perform the audit due to significant scope limitations caused by lack of competent evidence. Management had to settle for a professional service narrower in scope than the anticipated audit engagement. Had management's philosophy been different concerning the hiring of competent accounting personnel or had their oversight function been more effective, the engagement could have been completed expeditiously.

NEW STANDARDS

It is no surprise to realize that auditors have historically utilized a substantive testing approach to auditing small businesses. Past standards only required the auditor to understand the internal control environment and flow of transactions. Once minimum standards were met, auditors typically planned and executed the engagement with no reliance on any controls.

However, the new standards for internal control significantly broaden the auditor's minimum responsibilities. The new SAS expands the concept of internal control, comprised of three elements: the control environment, the accounting system, and control procedures. The minimum work to be done and working paper documentation for the assessment of internal control have been expanded.

The new standards mandate that the auditor "obtain an understanding of the three elements of the internal control structure sufficient to plan the audit." An understanding of each element is now required before an auditor can plan the substantive audit procedures.

As noted in Figure 3, the control environment of a client is comprised of a number of important elements. This environment represents the collective effect of factors that can dramatically impact the establishment, enhancement, and effectiveness of an entity's control procedures. Especially for a small business engagement, it is essential that the auditor assesses the potential impact of these factors on the audit scope.

For a small business the control environment is primarily a direct function of the owner/manager. The owner's basic operating philosophy essentially determines the viability of any control procedures established and, in effect, either supports or nullifies controls that may be in place.

Understandably, management's concern for the integrity and accuracy of accounting information has a direct impact on the auditor's substantive testing. The views of the owner/manager relating to hiring of qualified accounting personnel and sufficient staffing of accounting functions are other examples of how management's philosophy and operating style directly impact the CPA's audit approach.

Professional standards also indicate that the entity's organizational structure and the methods management uses to assign responsibility and monitor performance are key factors in assessment of the control environment. While most small businesses lack the employees to adequately segregate accounting functions, the manager's involvement in the process and monitoring of accounting functions significantly impacts the effectiveness of that control structure.

The following scenarios illustrate the importance of this function.

War Story Three

The owner of a meat packing company believed that accounts receivable turned over so frequently that there was really no need for an allowance for bad debts. Indeed, a preliminary aging analysis indicated that 80% of the receivables were current and that 90% were normally collected within 60 days. The remaining 10%, though, stretched out over 180 days. The company shipped their product in truckload quantities, valued at approximately $20,000 per load.

Industry practice was quite forgiving in granting credit for what was termed "out of spec" meat (too high a lean-to-fat ratio). If one part of a shipment was considered "out of spec," the customer normally refused the entire truckload. Competition in a buyers' market had significantly cut profit margins, while forcing extension of liberal terms to key customers.

Creating even more problems, authorization and documentation controls over credit memos were nonexistent. These credit memos could be initiated by the plant manager, the controller, or even someone in the sales department. Also, total authorized write-off credits were never tracked or reconciled. Slow-moving receivables were never analyzed, and no departments performed any follow-ups.

The auditor expressed concerns over satisfying the basic engagement objectives of completeness, accuracy, authorization, and file integrity because customers had either not replied to confirmation requests, or had replied with disputed amounts. After an analysis of bad debts a proposal was made to write off some receivables immediately, and create a significant allowance for bad debts. Management fought both adjustments because the charges to income pushed the company further from expected performance goals. Management had failed to consider the importance of accurate information for internal as well as external reporting purposes. After addressing control weaknesses that had and would continue to have an even more serious impact on future operations, revised policies for issuing credits and follow-ups of aged receivables were finally established.

War Story Four

A second example of the importance of monitoring involved a fabricator of consumer shelving products that had considerable success in a consumer goods niche with little competition. Management rapidly expanded product lines through overpriced acquisitions, over-stocked materials, and even purchased perks often reserved for executives of Fortune 500 companies--a company plane, for example.

In the face of such prosperity, basic controls pertinent to any manufacturing industry were ignored. Management failed to match sales forecasts with purchasing activities. Subsequent aging of inventory by the external auditor indicated large quantities on hand of two items that could only be used as parts of certain assemblies. At the organization's current rate of consumption which, incidently, was inconsistent with their sales forecasts, the company had stockpiled a five-year supply of one part and a nine-year supply of another, both of which had significantly shorter shelf lives. Obviously, basic controls relating to asset management and purchasing procedures were ignored in enthusiastic and overly optimistic projections by management.

Once an auditor has performed enough procedures to understand the entity's internal control structure, professional standards mandate a documentation of this understanding. While the form and extent of this documentation varies with the size and complexity of the organization, for a small business it may be sufficient to substantiate this understanding with a simple memorandum. Other methods could include simple flowcharts or questionnaires. Regardless of the documentation methods, it must provide evidence that a sufficient knowledge of the control structure has been obtained. On a more practical vein, the procedures should also be relatively easy to complete and be cost efficient.

THE PROFESSIONAL AUDITOR'S IMPACT: MAKING THE DREAM COME TRUE

The CPA knows all the dreams of the small business because an effective relationship between the auditor and the client will allow the owner/manager to speak openly about business concerns and attitudes. This rapport allows the CPA to profer suggestions that a client needs to hear. The small business relationship retains professional objectivity and independence while enjoying a close working relationship.

A the same time, professional standards require the CPA to consider the client's control structure when engaged to audit financial statements. While more work is now obviously required under the new SAS, the auditor may still find it advantageous to perform these extended procedures. In the CPA's role as business advisor, the auditor is in a much better position to make recommendations concerning the system to help improve effectiveness and efficiency of operations. As illustrated by the war stories, having to evaluate the three elements of the internal control structure allows the CPA as "business adviser" to make more constructive comments. And it is the generation of these incisive recommendations that may very well help small business owners and managers achieve their dreams.

FIGURE 1 TYPICAL SMALL BUSINESS CHARACTERISTICS

CPAs serving emerging and small businesses normally face the following problems when planning their audit:

1. Cost or family concerns preclude hiring qualified staff, resulting in poor record keeping or inadequate presentation of information.

2. Entrepreneurs primarily focus their energy on the creative aspects of their businesses rather than on idenfying key problem areas or appropriately planning for future business needs.

3. Managers of small businesses exhibit reluctance to change ritualized practices even to the detriment of effective controls and productivity, especially in a resource constrained environment.

4. Undercapitalization, weak cash flows, and restrictive debt covenants are also common characteristics that create performance pressures, and oftentimes result in creative accounting practices.

FIGURE 2 INHERENT RISKS IN SMALL BUSINESS AUDITS

1. Related party transactions may exist among family members or family affiliated companies in leases, loans, purchases, and sales.

2. Lenders, suppliers, and investors normally place higher reliance on auditor's report for credit and financing decisions.

3. Accounting policies may have been selected on the basis of a more favorable financial or tax-related presentation, rather than GAAP.

4. Business relationships may lack a sufficient diversity to buffer the impact of loss of a major customer or supplier.

5. Unsophisticated employees preparing financial information may misclassify or fail to record essential transactions, particularly those related to accruals and deferrals.

6. The basis for recognizing sales income may not record income in the correct period.

7. Tax avoidance may unduly influence year-end business decisions or representations.

FIGURE 3 CONTROL ENVIRONMENT FACTORS

1. Management's personal philosophy and operating style. 2. Entity's organizational structure. 3. Functioning of the Board of

Directors. 4. Methods used to assign

responsibiliy and authority. 5. Methods used to monitor

performance. 6. Personnel policies and practices. 7. Other external influences affecting operations.

John E. McEldowney, DBA, is an Associate Professor of Accounting at the University of North Florida. Thomas L. Barton, PhD, CPA, is an Associate Professor of Accounting at the University of North Florida. Edward J. Todd, CIFA, is Director of Information Technology Audit Services with Coopers & Lybrand.