Jori Johnson
Dr. Gasper
Internal Auditing
April 29, 2002
Auditing is a necessary and important endeavor that all companies are required to perform every year to ensure validity and an absence of fraudulent activity. In small businesses there are different techniques involved in auditing then there are in larger firms. Some of these differences can prove to be advantageous for the smaller firm while others only serve to complicate the process of starting and maintaining a small business even further. Differences in companies can range from such things as number of employees to structure and development. Most small organizations are not as formal in their operations, which makes auditing an easier and more relaxed venture. Fraud plays a large role in the importance of auditing and should be thoroughly examined and understood not only in order to detect, but to prevent as well.
I begin the paper with an introduction to auditing that gives not only a definition, but also a broad view of why many companies should choose to audit. I follow with a step-by-step examination of the auditing process for a small business, which explains certain measures that must be examined, and what the three important elements of internal control are and how they are related to auditing. I mentioned that small businesses and large businesses differ in their auditing approach and I take a few paragraphs to highlight not only what those differences are, but also how they affect the process as a whole. Fraud is an important issue related to auditing and dedicated to the prevention and detection are ways to ensure avoidance of fraudulent behavior within a company. Auditors and investigators have responsibilities pertaining to the organization itself, but also to those involved, including employees, managers, supervisors, shareholders, etc. An internal audit is best, but must be substantiated with audits performed by those that do not hold a vested interest in seeing the company prosper and do well. These external auditors work with the companys own auditors to seek a happy medium and to ensure that the audit performed is valid and follows all rules that apply.
In doing research for this paper, I spent a lot of time looking through journals, not only online, but in the library as well. I started with the basic approach of the audit and then worked inward from there focusing on small businesses and the differences they encounter. Once I had information pertaining to both I then assembled the information in what I thought was an easy to read manner that included an introduction of the basics of auditing as well as a definition. Information was not easy to come by because there was not a lot out there concerning the audit of a small business. However, I pulled what I could from the sources that I had and worked from there.
The major findings of the paper are basically the differences in the auditing process for a large and small business, which include control environments, risk assessment, monitoring, information and communication, and the level of formality between the two. In researching external auditing versus internal auditing I discovered that most small businesses used some form of both. This was called internal audit with external controls and basically ensured that neither the internal auditor nor the external auditor could lie or cheat to benefit themselves or the company in any way. It proved to be a system of checks and balances that worked well in a small organizational environment.
Executive Summary ...2
Introduction ..4
Auditing Process 4
Small Business Differences ...4
Risk assessment .5
Control activities .5
Transitions .5
Communication and information .6
Managers involvement .6
Fraud .6
Detection .7
Prevention 7
Responsibilities ..7
External v. Internal ...7
Conclusion 8
Glossary 9
References 11
About the author 12
Auditing is defined as a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users (Guy, p. 4-5). Companies use auditing to increase the credibility of their financial statements and to allow for a system of checks and balances where all parties are involved including employees, the auditor(s), managers, supervisors, etc. The emphasis of auditing has shifted from the detection of fraud to the needs of the various users of financial statements. However, in light of recent events, it would seem that the audit should focus on detecting and preventing the possibility of fraud. Small businesses have more to lose financially if fraud is detected. They usually dont have the means to make a comeback and therefore the audit should be specific in detecting fraud to prevent possible financial failure. Although there is quite a bit of information pertaining to auditing, there is not a lot of information regarding auditing in small businesses. Due to a lack of information it was difficult to obtain sources and therefore I have written solely on the difference in processes between large and small businesses as well as ways to detect and prevent fraud and the responsibility of the auditors and investigators.
In an audit for a small business there are many things to consider. First, a sufficient understanding of the three elements of internal control is necessary to plan the audit. These three elements are control environment, accounting system, and control procedures. The understanding of the internal control structure should be used to identify types of potential misstatements, to consider factors that affect the risk of material misstatements, and to design substantive tests. This knowledge is usually obtained through employees, information from previous audits, document inspection, and observation. Second make sure to document your understanding of the three elements of internal control for those that might use the information after you. This may be done through flowcharts, questionnaires, decision tables or memorandums. Then assess the control risk for statements in the account balance, transaction class, and disclosure components of the financial statements. After assessing the control risk then it must be documented by making a statement in the work papers of the audit. Finally, consider further reducing control risk if necessary. Upon obtaining an understanding of the internal control structure and assessing control risk, the auditor may want to further reduce control risk for certain claims (Murphy p. 5).
When a small business is under audit, allowances must be made for the number of people employed and the control attitude of important managers and owners. Generally, in large businesses there is a formal, written code of conduct; however, in a small business, instead of having a formal code of conduct, managers may develop an ideal corporate culture that emphasizes integrity and ethical behavior. Given this added flexibility, owners are thus capable of a more relaxed control environment. The control environment sets the tone of the organization and is the foundation for all other components of internal control because it provides discipline and structure. These control factors include the integrity, ethical values, and competence of the companys people. They may use oral communication and personal example to carry the message rather than a lengthy manual that spells things out for everyone. Small business may also not have outside members on the board of directors and its audit committee. In a company that conducts its affairs with integrity, outside members are not a necessary means of ensuring that practices are handled ethically.
Risk assessment
The risk assessment process may be informal and less structured in a small business. Recognition of financial reporting objectives may be generally understood by accounting personnel instead of written in a large manual. Managers can deal with financial reporting risks through direct personal involvement instead of through a chain of complicated reporting paths of communication involving numerous lower-level executives (Berry, p. 16). Financial reporting risks are those risks associated with financial statements and the inherent risk associated with business. If not dealt with carefully they may enable competition to gain an advantage that could send a small business spiraling into failure. In a small business, managers are directly involved with what is going on throughout their business, which allows them more control and a better understanding of what is going on within the company. This also allows the manager or owner a competitive advantage in the sense that they are more aware of what is necessary to ensure the success of their organization. Those in large corporations are more removed from basic operations that they leave to the discrepancy of lower-level supervisors and managers. They are not as involved in the daily procedures and therefore do not have the same amount of knowledge and control given to those in smaller businesses.
Control activities
Detail control activities help ensure that managements orders are carried out. They include performance reviews, information processing, physical controls, and segregation of duties and need not be highly formal because managers and owners can be personally involved. They may themselves approve routine transactions and check the accuracy of recording them in the accounts. When the company has too few people to segregate duties to a high degree, the owner may conduct personal reviews. In a small business, when the owner conducts reviews because of a lack of personnel or qualified people, it allows them to gain more knowledge and understanding of how their employees function. In creating a repertoire with their employees, they are creating a friendly atmosphere in which people are more likely to be cooperative and less likely to do something that might harm the company. By getting to know employees, the owner is given the opportunity to cater to their personal as well as professional needs.
Transitions
However, as a small business begins to grow, the transition to more formalized internal control tends to lag behind. The owner may become overburdened with control duties and may tacitly delegate these to others. The intermediate-size stage represents a turning point where both owner and auditor need to be very careful. At this point, such measures as limited specialization and surety bonding of employees may help to make the transition, and an auditor may offer many suggestions to the owner as an added service (Carey, p. 3). Specialization allows a company to focus their efforts on certain areas of interest and by limiting the amount of specialization within a company uncertainty is reduced. Many people are capable of doing numerous jobs, which makes the transition from small business entity to intermediate go more smoothly. With all the changes being made, an organization that limits specialization is able to focus more on operations and what it takes to move to the next level. Surety bonding is a three-party agreement in which the surety company guarantees the obligee that the principal will perform the contract (Carey, p. 22). Surety bonding of employees will assure that a project is completed, a qualified contractor is on the project, everyone will be paid, and that intermediaries will be provided. It is just one more assurance that the transition will be made smoothly by ensuring an understanding between what is expected from the employees and what they should expect in return. It is a guarantee that customers will understand and be grateful for.
Communication and information
When it comes to information and communication, again, small businesses have less formal systems. They may not have a written credit policy, extensive security over records and files, a competitive policy for purchases, or elaborate error-checking control activities. Basically what this means is that information is easily accessible and readable. The audit will therefore not take as long nor require as much effort because communication is freer and information is readily available. The availability of management for consultation and the ability of employees to reach a small number of colleagues and co-workers easily makes communication quick and effective.
Managers involvement
Managers and owners direct day-to-day involvement enables them to notice such problems as errors in journal entries, budget variances, unreconciled differences in accounts etc. Budget variances are merely differences in the budget created and the actual amount of money spent. Unreconciled differences in accounts are differences in the financial statements that could not be resolved through investigation. The managers themselves may conduct the monitoring part of their risk assessment, communication, and detail control duties.
When can fraud occur? The probability of fraud is the function of three factors- motive, opportunity, and lack of integrity (Louwers, p. 166). When one or more of these factors is involved, the likelihood of fraud occurring increases proportionately. In a small business, fraudulent activity could destroy a business and therefore it is important to not only recognize the occurrence or likelihood, but also understanding ways to prevent. Many frauds are investigated because someone noticed the signs and signals associated with fraud, and then followed the trail of missing, mutilated, or false documents that were part of the accounting records cover-up.
Detection
Observations of peoples habits and lifestyle and changes in habits and lifestyles may reveal some red flags. They may exhibit these characteristics: lose sleep, take drugs, cant relax, cant look people in the eye, drink too much, become irritable easily, get defensive, argumentative, work alone and work late (Louwers, p. 185). Catching people in the fraud act is difficult and unusual, but using these characteristics as a guide, you are one step further along in protecting yourself and your business.
Prevention
Besides being able to detect fraud, managers should also know how to prevent fraud. Managers and employees must have freedom to do business, which means giving them the freedom to commit fraud as well. Effective long-run prevention measures are complex and difficult, involving the elimination of the causes of fraud by mitigating the effect of motive, opportunity, and lack of integrity. Every once in a while, people will experience financial and other pressures. These pressures cannot be eliminated, but providing someone with whom employees and managers can discuss ethical dilemmas faced in the workplace may be appropriate as well as necessary. Also, a hot line can be set up for anonymous reporting of ethical problems. This may be applicable if a business plans to grow, however, if the company remains small, it is probably unlikely that a hotline will be necessary. Both of these allow for people within the business to rethink and review their decisions and hopefully make the right one.
The most effective long-run prevention, however, lies in the practice of management by caring for people. Managers and supervisors at all levels can exhibit a genuine concern for the personal and professional needs of those who work for them. Many companies facilitate this caring attitude with an organized Employee Assistance Program. They offer a range of counseling referral services dealing with substance abuse, mental health, family problems, etc.
Auditors and investigators have a responsibility to review the financial statements and determine if they are held in accordance with the Generally Accepted Accounting Procedures (GAAP). This requires them to understand fraud, assess fraud risks, and design audits to provide reasonable assurance of detecting material management fraud and employee fraud that could have a material effect on financial statements. They are then obligated to report on findings to management, directors, users of financial statements, and outside agencies. Not only do they have to understand what constitutes fraudulent behavior, but they also must be able to determine what impact fraud will have on a certain company. Obviously, small businesses will be more affected financially than a larger corporation. The auditors must have a strong grasp of how financial statement will be affected in order to gain a better understanding of what to deal with and what to focus on. Taking all of this into consideration they must then design an audit tailored to meet the needs of a specific company that will ensure if fraud does occur it will be discovered as quickly as possible to prevent further ruin. It is then their responsibility to convey all information to those who will be affected and those who have a stake in the company whether personal or financial in nature.
External auditors often find themselves working with internal auditors on an independent audit of a companys financial statements. They consider the internal audit in two contexts: the internal audit is part of a companys control system, and external auditors must understand how the control system operates in order to gain an understanding of the companys controls. Internal auditors may help the external auditors gather evidence about internal control and about balances in accounts. External auditors can make their audits more efficient by utilizing the work of a companys internal auditors and, thus, avoid duplication of effort. This is the concept of internal audits with external controls.
External auditors must obtain an understanding of a companys internal audit department and how it programs work. This task is part of the understanding of the entire control system. If a preliminary review of the internal audit function shows that the internal auditors have developed, monitored, and made recommendations about internal controls, the external auditors will probably decide the use of this information will reduce their own work on the audit. The external auditors cannot share responsibility for audit decisions with the internal auditors and must supervise, review, evaluate, and test the work performed by the internal auditors. External auditors are brought in as an independent entity to ensure the validity of the audit. Therefore, they must perform their own audit that in no way can be linked to the internal audit done by someone within the company. This requirement applies both to the work of obtaining an understanding of the internal control system and the work of using internal auditors evidence about financial statement balances.
In conclusion, auditing is a necessity for small businesses. It can be used to detect fraud and thus prevent the deterioration of a business. Small businesses differ from large businesses in more ways than just size and taking into consideration these differences allows one perform a correct audit with correct procedures. By examining differences in control environments, risk assessment, monitoring duties of management, how information and communication are designed to benefit the organization, and formality, one has laid the groundwork necessary for a smooth auditing process. Out of the responsibility of the auditors and investigators comes a compromise of internal audits with external controls.
ascertain An audit procedure to determine or to discover with certainty. For example, to ascertain the date on which an investment was purchased by examining source documents.
control A policy or procedure that is part of internal control.
control environment is the attitude, awareness, and actions of the board, management, owners, and others about the importance of control. This includes integrity and ethical rules, commitment to competence, board or audit committee participation, organizational structure, assignment of authority and responsibility, and human resource policies and practices
control risk The risk that material error in a balance or transaction class will not be prevented or detected on a timely basis by internal controls.
effective internal control Reasonable assurance that the entitys operational objectives are achieved, that published financial statements are reliably prepared, and applicable laws and regulations are complied with.
external auditor Independent CPAs who audit financial statements for the purpose of rendering an opinion.
fraud A deliberate deception to secure unfair or unlawful gain. False representation intended to deceive relied on by another to that person's injury. Fraud includes fraudulent financial reporting undertaken to render financial statements misleading, sometimes called management fraud, and misappropriation of assets; sometimes called defalcations.
GAAP Generally Accepted Accounting Principles. According to Rule 203 of the AICPA Code of Professional Conduct, GAAP for nongovernment entities include (in a conflict the source earlier in the list prevails): 1. FASB Statements and Interpretations, APB Opinions, ARBs. 2. FASB Technical Bulletins, AICPA Guides and AICPA Statements of Position. 3. Positions of the FASB Emerging Issues Task Force and AICPA Practice Bulletins. 4. AICPA accounting interpretations, FASB staff "Qs and As", and widely recognized industry practices. 5. Other accounting literature, such as FASB Concepts Statements, textbooks, articles.
independent In all matters relating to the assignment, an independence in mental attitude is to be maintained by the auditors. This means freedom from bias, which is possible even when auditing one's own business (independence in fact). However, it is important that the auditor be independent in appearance (that others believe the auditor is independent).
internal auditors are employees of the client. They are responsible for providing analyses, evaluations, assurances, recommendations, and other information to the entity's management and board. An important responsibility of internal auditors is to monitor performance of controls.
internal control Policies and procedures designed to provide reasonable assurance that specific entity objectives will be achieved. It consists of: the control environment, risk assessment, control activities, information and communications, and monitoring.
objectivity The internal auditors' objectivity depends on the organizational status of the internal audit function, whether the internal auditor has direct access and reports regularly to the board, the audit committee, or owner-manager, and who oversees internal auditor employment decisions.
qualified (qualify) An audit opinion that the financial statements as a whole are presented in conformity with U.S. GAAP, with the exceptions noted.
quality control systems provide a CPA firm with reasonable assurance that personnel comply with applicable professional standards and the firm's standards of quality, independence, integrity, and objectivity. It covers personnel management, acceptance and continuance of clients and engagements, engagement performance, and monitoring.
reasonable assurance (in internal control) An internal control, no matter how well designed and operated, can not guarantee that an entitys objectives will be met because of inherent limitations in all internal controls systems.
Berry, A.J., Gray, I. Some Things in Moderation: A Case Study of Internal Audit International Journal of Auditing, New York; March 2000; Vol. 4, No. 1, p. 9-11
Brody, B.G., Lowe, D.J. The New Role of the Internal Auditor: Implications for Internal Auditor Objectivity International Journal of Auditing, New York; July 2000; Vol. 4, No. 2, p. 17-21
Carey, P. Voluntary Demand for Internal and External Auditing by Family Businesses
Auditing: A Journal of Practice and Theory, Chicago; September 2001; Vol. 20, No. 2, p 23
Goodwin, J., Yeo, T.Y. Two Factors Affecting Internal Audit: Independence and Objectivity International Journal of Auditing, Burlington; July 2001; Vol. 5, No. 2, p. 3-4
Louwers, T.J., Robertson, J.C. Auditing: Ninth Edition McGraw-Hill, 1999
Murphy, L.S., SAS 55 and the small business engagement The CPA Journal Online, Jan. 1993; p. 5-6
Reed, S., Trombley, M. Internal versus External Auditing for Small Businesses Journal of Small Business Management, San Francisco; October 2000; Vol. 38, No. 4, p 45
http://www.ais-cpa.com/glosa.html
Jori Johnson is a senior at Creighton University. She will graduate in May of 2002 with a Bachelor of Science in Business Administration with special concentrations in Finance. Recently she accepted an internship position with Data Transmission Network, a full service information provider and communication network. The internship is a starting point for gaining some experience and knowledge of the finance industry in hopes of furthering her education and making herself more valuable to companies that are looking to hire her in the future. Eventually, Jori would like to get her M.B.A from a school well known for their reputation in that particular area of expertise.