Understanding and applying SAS 55 to audits of small businesses is a challenge for many small practitioners. The concept of assessing control risk is not natural to them. Some CPAs are puzzled with the minimum documentation requirements. Others are perplexed about how they can most efficiently and effectively comply with and perhaps even benefit from SAS 55. Here is a summary of the requirements and some suggestions on how it can be implemented.

Since the issuance of SAS 55 Consideration of the Internal Control Structure in a Financial Statement Audit, concern has been expressed about its interpretation and application.

To address these needs, the AICPA has issued an Audit Guide, Consideration of the Internal Control Structure in a Financial Statement Audit, with numerous exhibits illustrating the work papers an auditor might prepare in complying with SAS 55. Some of the narratives and exhibits in the guide deal specifically with the audit of a typical small business called Ownco. It may be difficult to apply SAS 55 without knowledge of the guide.

While the guide appears as a formidable document (262 pages), the illustrations relating to the small business audit are readily identifiable and not difficult to understand or use.

The Auditing Standards Board issued SAS 55 to link financial statement assertions (SAS 31, Evidential Matter) with the assessment of control risk (SAS 47, Audit Risk and Materiality in Conducting an Audit). Prior standards were deemed deficient in terms of the guidance provided to auditors in assessing the types of material financial misstatements that could occur and the probability of such misstatements actually occurring. These issues were problems for audits of all sizes but were particularly troublesome for emerging or small business engagements. A summary of the requirements of SAS 55 is described in Exhibit 1.

Understanding the Internal Control Structure

SAS 55 requires an auditor to obtain an understanding of an entity's control structure sufficient enough to plan the audit no matter what its size. The audit plan, in accordance with SAS 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities, should be comprehensive enough to provide reasonable assurance of detecting material misstatements and/or irregularities.

Financial statement assertions are listed in Exhibit 2. The assessment of control risk must be linked to these assertions. After obtaining an understanding of the control structure, the auditor assesses control risk for the assertions embodied in the account balances, transaction classes, and disclosure components of the financial statements. The understanding of the control structure includes three elements: control environment, accounting system, and control procedures. The auditor's understanding of all three elements must be documented. However, in cases where control risk is assessed at the maximum, no additional work would be required to obtain an understanding of the control procedures. SAS 55 states:

. . . as the auditor obtains an understanding of the control environment and accounting system, he is also likely to obtain knowledge about some control procedures. The auditor should consider the knowledge about the presence or absence of control procedures obtained from the understanding of the control environment and accounting system in determining whether it is necessary to devote additional attention to obtaining an understanding of control procedures to plan the audit. Ordinarily audit planning does not require an understanding of the control procedures related to each account balance, transaction class, and disclosure component in the financial statements or to every assertion relevant to those components.

An auditor is therefore required to gain an understanding of both the control environment and accounting system and, to some extent, depending on the assessment of control risk, specific control procedures as well.

Emerging or small businesses have unique characteristics which affect the development of audit plans and how the auditor assesses control risks. For example, inadequate segregation of duties and the lack of proper supervision is present in many cases. For this reason, as well as audit efficiency, the audit strategy for emerging or small businesses has traditionally been primarily a substantive test approach.

Control Environment. SAS 55 describes an entity's control environment as the overall attitude of the board of directors (if any), and that of the management/owners about the importance and effectiveness of internal controls. Since the owner/manager's emphasis on internal control chiefly determines the characteristics of the control environment in a small business, the control environment is a key source of information regarding the type and extent of potential misstatements.

The Accounting System. SAS 55 requires the auditor to obtain a sufficient understanding of the accounting system, regardless of complexity, to identify all significant classes of transactions that affect the financial statements. The auditor should understand how these transactions are initiated, classified, and recorded in accordance with GAAP.

The Control Procedures. SAS 55 recognizes that when obtaining an understanding of the control environment and the accounting system, the auditor may obtain an understanding of certain control procedures sufficient to assess control risk at less than the maximum. For example, the auditor will have observed, if not inspected, the client's bank reconciliations, inventory system, accounts receivable aging analysis, cancellation of paid invoices, reconciliation of cash register tapes, and the use of prenumbered documents. If a primarily substantive approach is used, additional detail testing of control procedures for a small or emerging company is generally not performed because a further reduction in control risk, as discussed later, is neither warranted nor desired by the auditor.

Documentation of Understanding of Internal Control Structure

Memorandums, questionnaires, and flowcharts are commonly used methods to document the understanding of a client's internal control structure. However, for an emerging or small business with a simple internal control structure, memorandums may be sufficient. As the size and complexity of a business and the intricacies of the internal control structure increase, then flowcharts or questionnaires may be helpful.

Examples of documenting the auditor's understanding of an internal control structure for an emerging or small business are illustrated in the AICPA Guide. Although flowcharts are used in documentation, memorandums may be sufficient in many cases. For recurring engagements, the auditor may simply update the previous flowchart, questionnaire, or memorandum for any changes.

Keep in mind that the purpose of acquiring an understanding of the internal control structure is for the auditor to "obtain a sufficient understanding of each of the three elements of the entity's internal control structure to plan the audit of the entity's financial statements." Thus, audit planning does not require an understanding of the control procedures for every transaction cycle, account balance, or disclosure component. As noted earlier, the knowledge that the auditor obtains about control procedures while trying to understand the accounting system and the control environment of an emerging or small business may be sufficient to satisfy the requirements of SAS 55.

Assessing Control Risk

The assessment of control risk is usually made in qualitative terms: maximum, substantial, moderate, or low, but some auditors prefer expressing the assessment in percentages. When assessing control risk, the auditor should consider the combined aspects of the three components to the internal control structure (i.e., control environment, accounting system, and control procedures).

Risk Assessed at the Maximum. For an emerging or small business, the need to assess control risk for every account balance and the related assertions may be unnecessary. The AICPA Guide offers an alternative. For an emerging or small business audit, the auditor might make a statement such as the following: "Control risk is assessed at the maximum for all assertions for all account balances and transaction classes except as identified." After making such a statement in the workpapers, the auditor is not obligated to explain the control risk assessment for an assertion relating to an account balance or class of transactions where such risk assessment is at the maximum. Also, since in many small audits, the auditor prepares the financial statements including disclosures, there is no need to assess control risk for the assertion of presentation and disclosure.

The maximum level of control risk is defined in SAS 55 as "the greatest probability that a material misstatement that could occur in a financial statement assertion will not be prevented or detected on a timely basis by an entity's internal control structure." A maximum control risk assessment is warranted in at least two instances: 1) when the auditor cannot discern any meaningful policies and procedures for a respective management assertion and 2) when the auditor decides that it would be inefficient to determine the effectiveness of the control procedures. In these cases, the auditor is better off going directly to a substantive- test audit strategy to evaluate the reliability of the financial statements.

Risk Assessed at Less than Maximum. SAS 55 recognizes that each assertion for each account balance may have varying levels of risk and the auditor may consider this when planning and executing the various substantive tests. For example, if during the process of gaining an understanding of the control environment and the accounting system, the auditor observes that cash is deposited daily, bank reconciliations are prepared on a timely basis, reconciliations are reviewed by the owner/manager, cash disbursements are supported by proper documentation, and documentation is canceled to prevent re-use; the auditor may assess control risk at less than the maximum level for the existence assertion for the cash account.

If control risk can be set at less than maximum, the auditor may then reduce the extent of substantive tests, such as limiting the number of bank accounts to be confirmed or reducing the number of canceled checks to be examined with post-balance sheet bank statements. On the other hand, if control risk was assessed at a maximum for the cash "existence" assertion, then the nature, timing, and extent of substantive tests for cash would necessarily increase to provide more persuasive evidence.

While obtaining an understanding of a company's internal control structure, the auditor may see other areas for which control risk may be assessed at less than maximum. For example, the recording of inventories may present such an opportunity. In today's business environment where the use of PCs is common, some emerging businesses will have automated inventory packages that keep track of sales and purchases by units. Costs of goods sold is automatically debited when a sale is recorded. In an automated system, inventory items are keyed-in by product number, description, sales price, cost bar codes, and numerous other accounting and operating data. But some emerging businesses do not have the time, expertise, or the money to invest in such inventory systems. These companies instead may rely on a perpetual card system on which necessary information is maintained. Where perpetual inventory systems are verified and adjusted by physical counts during the year, the auditor may be able to assess control risk at less than the maximum. Less substantive tests would be required than when a year-end physical count is the sole basis for the existence and completion assertions relating to inventory.

Other companies may periodically take a physical inventory; book-to- physical adjustments would be reviewed by the auditor. This would be appropriate for most small retail establishments that sell to walk-in customers. In addition, when these companies order additional merchandise for re-sale, they usually do so through area product sales representatives. Some of these representatives make house calls; they visit a retail establishment and discuss the inventory needs of that company. To access the inventory needs, an inventory of that particular product may be taken. The auditor may be able to rely on one or all of the above, if appropriate, to assess control risk at less than the maximum for inventory.

In addition, because some small businesses are labor intensive, there may be considerable risk surrounding the payroll functions. As a result, the control risk for the completeness and valuation assertions may be set at the maximum. However, if payroll tax forms are filed on a timely basis and are reconciled to the client's record, observation of these procedures may be sufficient evidence to assess control risk at less than the maximum.

The descriptions given for cash, inventories, and payroll are examples of how risk may be assessed at less than the maximum. Further reductions in the assessed level of control risk may be possible if the auditor performs more extensive tests of controls. For example, to lower the assessed level of control risk for cash balances, the auditor could again perform bank reconciliations or observe that the reconciliations are prepared by someone having no other cash responsibilities and that reconciling items are adequately supported. The auditor may also identify controls in the sales and purchasing cycles, if these transactions are significant in number, to ensure the completeness and accuracy of cash receipts and cash disbursements.

Documentation of Assessment of Control Risk

In addition to documenting the understanding of the internal control structure, the auditor is also required to document the basis for conclusions about the assessed level of control risk. When control risk is assessed at the maximum, the auditor needs to document this finding in the workpapers, but there are no requirements for documenting the basis used or for explaining why the assessment was set at the maximum. However, if control risk is determined to be below the maximum level, the auditor is required to document the basis for such an assessment.

If control risk is assessed at below the maximum level, the auditor is required to 1) identify "specific internal control policies and procedures relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions" and 2) perform "tests of controls to evaluate the effectiveness of such policies and procedures." Of course, the auditors' conclusions are a matter of audit judgement which should be influenced by the type, source, and timeliness of the evidential matter.

In an audit of an emerging or small business, the auditor may decide to rely primarily on a substantive approach. Therefore, risk assessment will be set at the maximum level for most assertions. Again, the basis for assessment is not required when control risk is set at a maximum. The AICPA Guide illustrates the workpaper documentation required for the assessment of risk.

Not So Bad

At first glance, work associated with SAS 55 appears to be burdensome-- the three elements of the internal control structure (the control environment, the accounting system, and the control procedures) have to be understood and documented, and an assessment of risk needs to be made and documented for each account or group of transactions for each of five management assertions. However, the work required may not be as demanding as would first appear.

In the case of small or emerging businesses, the auditor frequently relies heavily on substantive tests of year-end balances and sets control risk at a maximum for all account balances, and thus will need only a statement documenting that risk was set at the maximum for all assertions for all accounts. However, the auditor may have actually confirmed the effectiveness of certain control procedures while obtaining the necessary understanding of the control environment and the accounting system. For example, the existence and completeness assertions for cash may be assessed at less than the maximum if the auditor has observed that the bank reconciliations are being prepared on a timely basis or that the owner/manager maintains close tabs on the cash balance by effectively monitoring the cash receipts and disbursements on a daily basis. The use of a perpetual inventory system (manual or automated) may allow the auditor to reduce control risk for the inventory's existence and completeness assertions. The day-to-day operational task of buying merchandise through sales representatives may also provide the auditor with some comfort that inventory control risk should not be assessed at a maximum level for some assertions.

SAS 55 allows the auditor to assess control risk at the maximum for assertions for some accounts but less than maximum for others. The auditor is not required to conduct tests for every assertion for every account balance or class of transactions. If, as in the previous examples, the auditor can assess control risk at less than maximum, he or she should take advantage of this opportunity to increase the audit's overall efficiency. The key point is that the purpose of assessing control risk below the maximum for an assertion is to reduce the overall audit effort in reaching the conclusion that the financial statements are not materially misstated.

James C. Flagg, PhD, CPA, Assistant Professor, Jeffrey R. Miller, PhD, CPA, Assistant Professor, and L. Murphy Smith, DBA, CPA, Associate Professor, are all professors of accounting at Texas A & M University. Professor Smith is Technical Editor of The CPA Journal, author of text books, and frequent contributor to professional journals.

EXHIBIT 1 SUMMARY OF THE MINIMUM REQUIREMENTS OF SAS 55

* Obtain a Sufficient Understanding. Obtain a sufficient understanding of each of the three elements of internal control to plan the audit. The understanding of the internal control structure should be used to identify types of potential misstatements, to consider factors that affect the risk of material misstatement, and to design substantive tests. This knowledge is ordinarily obtained through inquiries of appropriate personnel, from similar inquires made during previous audits of the entity, inspection of documents, and observation.

* Document the Understanding. Document the understanding of the entity's internal control structure elements. This documentation may include flowcharts, questionnaires, decision tables, and memorandums. However, for audits of small businesses, memorandums may be sufficient.

* Assess Control Risk. Assess control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements.

* Document Control Risk Assessment. When control risk is assessed at the maximum, the auditor needs only to make a statement in the workpapers that such is the case. In this case, the assurance level provided by substantive tests will be greater than when control risk is assessed at below maximum. When control risk is assessed below the maximum, the auditor should document the basis for assessing the control risk below the maximum. Some of this evidence will be gathered while obtaining an understanding of the internal control structure. Types of evidential matter in assessing control risk at less than maximum include inspection of documentation, observation, reperformance, and inquiries. Evidential matter obtained in prior audits may also be considered in assessing control risk in the current audit. However, inquiries alone generally will not provide sufficient evidential support. No specific test of controls is always necessary, applicable, or equally effective in every circumstance.

* Consider a Further Reduction in Control Risk. After obtaining an understanding of the internal control structure and assessing control risk, the auditor may want to further reduce control risk for certain assertions. If so, additional tests of controls are necessary to provide such evidence.

* Determine Extent of Substantive Tests. The auditor uses the knowledge provided by the understanding of the internal control structure and the assessed level of control risk to determine the nature, timing, and extent of substantive tests for financial statement assertions.

EXHIBIT 2 FINANCIAL STATEMENT ASSERTIONS

* Existence or Occurrence. Assets or liabilities of the entity exist at a given date and recorded transactions have occurred during a given period.

* Completeness. All transactions and accounts that should be presented in the financial statements are so included.

* Rights and Obligations. Assets are the rights of the entity and liabilities the obligations of the entity at a given date.

* Valuation or Allocation. Assets, liabilities, revenue, and expense components have been included in the financial statements at appropriate amounts.

* Presentation and Disclosure. Particular components of the financial statements are properly classified, described, and disclosed.