By Phil Cowperthwaite
Illustration: Blair Kelly
To prevent fraud, auditors should be aware of the risk factors that come with micro-entity audits
Auditors are entitled to accept records and documents examined as genuine unless there is evidence they are not. This leaves primary responsibility for detecting fraud with management and those in an oversight role.
Although auditors routinely communicate their responsibilities to clients, the demarcation of roles often goes out the window the minute a fraud of any size is uncovered. This expectation gap could be called the “expectation chasm.”
In the case of micro-entities, many auditors consider the risk of not detecting fraud as significant. This is often because classic internal controls such as segregation of duties are often absent and the possibility for management override is always present. The “expectation chasm” seems very wide.
While this may be true sometimes, it’s not always the case. In fact, a number of characteristics of micro-entities can significantly reduce the risk of fraud.
Auditors should be aware of the positive characteristics as well as the perceived fraud risk factors that come with micro-entity audits. This awareness will help ensure every micro-entity audit is conducted with a level of skepticism appropriate to the circumstances of the engagement and that the audit procedures designed are effective.
A defining characteristic of a micro-entity is the small size of the management team — and that team could just be one person. The possibility of management override is ever-present.
A capable manager with a strong moral compass operating a small entity can create an environment where fraud risk is low. A less ethical manager operating in an environment with little or no oversight greatly increases the risk of fraud. This characteristic exposes micro-entities to such frauds as:
Thankfully, there are a number of procedures that can reduce the heightened fraud risk posed by a very small management team. Specifically, fraud risk can be reduced in such situations:
Competence and capabilities of the board
The competence and capabilities of a micro-entity’s board of directors can vary greatly. A board with one or more financially skilled members who understand the importance of a good control environment can make for strong controls over financial reporting — and dramatically reduce the opportunity for fraud.
The opposite is also true. Frauds can be missed as a result of imprudent oversight, including such situations as:
A micro-entity can often reduce costs by outsourcing financial tasks such as payroll, fee collection and donation processing. This can work well, provided the third parties are properly bonded and don’t have direct access to the entity’s assets.
However, when a third party has direct access to funds, an entity is at risk. For example, third parties collecting fee revenue and processing payroll could be allowed to collect and deposit funds directly into their own accounts before sending fees on to the entity or payroll withholdings on to Revenue Canada.
Third-party fraud risk can be reduced by:
So how do you minimize the risk of undetected fraud?
Do the audit fieldwork on site
Auditors are charged with being skeptical throughout every audit, recognizing the possibility that fraud could exist. Having the engagement partner or a senior staff person perform the fieldwork on site is an excellent way to assess the quality of management and the state of the books and records.
Management’s response to questions can provide firsthand evidence of management’s concern or, more importantly, lack of concern for financial controls and quality of recordkeeping. In addition, the audit plan may even need revisiting if the books and records are a mess, or if management is defensive or evasive when asked questions.
Use micro-entity appropriate audit procedures
The relatively small volume of financial records in most micro-entities lends itself to a complete overview of the general ledger and bank statements by the auditor in a short period of time. This can provide an experienced auditor with an excellent opportunity to spot unusual transactions occurring during the year.
Every audit requires incorporation of an element of unpredictability into audit procedures (CAS 240.29(c)). The unexpected often provides insight into clients’ business and accounting procedures and can result in opportunities for suggesting improvements in internal control.
Being even a bit unpredictable sends a message to a client that nothing is beyond examination.
If you audit a number of micro-entities, you might select the same unpredictable procedure for the entire upcoming season. This could include testing a number of management expense reports, verifying salary levels for all staff or reviewing some minor accounts not usually questioned.
Communicate with a board member
Talk with the board member responsible for finances at least once during the audit and review the board minutes. This should give you an idea of the competence of the board member and the degree of scrutiny the internal financial information receives throughout the year. If the board member appears unfamiliar with finances or there is no evidence of meaningful review of financial information throughout the year, then the audit procedures should be adjusted accordingly.
Ask if funders inspect financial transactions of specific programs
Some government funders perform detailed annual inspections of program finances. Ask management if they were inspected in the year by any third parties and, if so, ask for a copy of the inspection report.
Ask if there are any dealings with immediate family
Dealings with family members are not uncommon in micro-entities. But the transactions may not be either approved or at market value. Be alert for transactions outside the normal course of business and ensure that transactions with family are disclosed appropriately in the financial statements.
Communication of potential fraud and a word of caution
Auditors must be careful not to overstep their professional role and attempt to make a legal determination that a fraud has occurred. However, it is very much the auditor’s role to bring circumstances that might indicate a fraud to the attention of the appropriate person in the organization.
Read and understand the audit standards
CAS 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, is a gem. It is full of useful ideas and lists the minimum requirements that must be followed on every audit. The suggestions in the lists in Appendices 1 to 3 are especially helpful. Read it. You will not be wasting your time. The requirements will guide you in designing appropriate audit procedures to help you remain alert for evidence of fraud — for example, by being a little bit unpredictable every year.
Phil Cowperthwaite, FCA, is a partner of Cowperthwaite Mehta and a member of the IFAC’s Small and Medium Practices committee.
Technical editor: Ron Salole, vice-president, standards, CICA