By Kelly Wessel
I recently read an article, authored by a Certified Public Accountant, about what non-profits should do to get ready for their annual audit. It was about identifying risks and establishing internal control. This article jumped out at me because if you just read the title, and maybe if you read the article and you don’t have an audit background, you’re going to think that the whole objective of having great internal controls is to look like you’re managing your risk so you’ll “pass” your financial statement audit. Many small businesses and non-profits believe that getting a financial statement audit verifies that their business is free of fraud, has sufficient internal control, and that receiving an unqualified opinion means that they don’t need to be reviewing and tweaking the internal control system on a regular basis.
That’s just not true.
The purpose of a financial statement audit is for an independent objective party (the CPA) to certify that in his opinion, your business’ financial statements fairly present its financial position, i.e. the financial statements are somewhat correct. Have you ever closely read the whole audit report? Go read your last audit report after you read this post and call me.
To illustrate, the following paragraph is from a real audit report. I lifted it off an actual annual report for a local non-profit. (Oh shut-up it’s right there on their website.) Names are X’d out but I added italics.
“Management is responsible for maintaining X’s system of internal control that includes careful selection and development of staff, proper division of duties, and written policies and procedures. Although there are inherent limitations to the effectiveness of any system of accounting controls, management believes that X’s system provides reasonable assurance that assets are safeguarded from unauthorized use or disposition and that the accounting recordsare sufficiently reliable to permit the preparationof financial statements that conformin all materialrespects withgenerally accepted accounting principles.”
The above paragraph leads you to believe that this CPA firm didn’t perform a separate internal control review. Instead, they took management’s word that the system of internal accounting control is sufficient. I’m sure management really believes that their internal accounting control is sufficient. After all, they can trust their employees (don’t get me started). I happen to believe that in this situation the audit firm doing this audit should not be using management’s assurance of the control system’s reliability. Why? Because the CFO and the Controller of this non-profit don’t have a single accounting or audit background between them. They have lots of non-profit experience, but there’s nothing in either of their backgrounds that would suggest they know how to establish a strong system of internal control.
But there’s more to this report:
“The Board of Directors, composed exclusively of independent, outside directors, meets annually with the independent auditors and through the audit committee meets regularly with the independent auditors to review accounting and internal control matters. Part of these meetings are conducted with no staff present…”
I suppose once a year is regular enough. The Directors, who are probably volunteers, (not a single one of whom is an accountant --I looked them up -- much less a CPA), meet with the auditors to review internal control matters. My guess is that none of the Directors would know an internal control if it sat in his lap. (Oh, come on, I’ve been on plenty of volunteer, non-profit boards.)
Then there’s the explanation for what the audit firm is actually responsible:
Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with auditing standards generally accepted in
the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
“An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's
judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control…”
If the auditors see a material misstatement or recognize a fraud, they will alert management and probably won't issue an unqualified opinion. But what about the internal control weaknesses that management doesn’t know about? Those weaknesses, the ones that management isn’t aware of, are the most serious; they’re the ones that expose the business to errors and fraud. Did the auditors perform extra testing in those areas that no one knows are vulnerable? How could they have? Management is responsible for internal control and management said it was fine.
Also, pay attention to the word “materiality.” Financial statement items are material if they can influence the economic decisions of users. Maybe materiality was set low, like $10,000. More likely it was $100,000. What if there’s a bookkeeper or cashier who is skimming $5,000 every year? That’s not material relative to a financial statement audit. If you manage that small business or non-profit, you know that even immaterial theft is VERY. DAMN. IMPORTANT. It’s not just about the money. And again, the auditor didn't express an opinion on the effectiveness of internal control, nor are they claiming there is no fraud, because they relied on management to tell them that internal control was sufficient.
Now for the big reveal - The Opinion:
"In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of X, as of December 31, 2016, and the changes in its net
assets and its cash flows for the year then ended in conformity with accounting principles
generally accepted in the United States of America."
What does the opinion really mean? It means that the auditor thinks your financial statements are fine. That's all. How do you feel about it now? Next year, ask your auditor exactly what it means to receive an unqualified opinion - don't just take my word for it.
But no matter: hooray! You passed your annual audit. Go for drinks after work!
Because tomorrow, now that you’ve read this post, the real work begins.