(The article featured below is a selection from PCAOB Reporter, which is available to subscribers of that publication.)

PCAOB Issues Guidance on Audits of Internal Control at Smaller Companies

The PCAOB staff has issued guidance on the audits of internal controls for small companies based on the core principle of scaling the audit for smaller and less complex companies. The staff guidance is a key component of the PCAOB's overall effort to support the successful implementation of Auditing Standard No. 5, according to PCAOB Chairman Mark Olson, by assisting auditors of smaller companies in implementing the standard. However, while the size and complexity of a company are important factors in the auditor's risk assessment and determination of the necessary audit procedures, the PCAOB staff emphasized that Auditing Standard No. 5 establishes requirements that apply to audits of internal controls of all companies, regardless of their size.

In smaller, less complex companies, senior management often is involved in many daily activities and performs duties that are important to effective internal control. The auditor's evaluation of entity-level controls can provide a substantial amount of evidence about the effectiveness of internal control over financial reporting.

The extensive involvement of senior management in daily activities can also provide additional opportunities for management to override controls or intentionally misstate the financial statements in smaller companies. In the integrated internal control and financial statement audit, the auditor should consider the risk of management override and company actions to address that risk in connection with assessing the risk of material misstatement due to fraud and evaluating entity-level controls.

The staff noted that the company's audit committee should also be evaluating the risk of management override, including identifying areas in which management override of internal control could occur and assessing whether those risks are being appropriately addressed. Since the consideration of the effectiveness of the audit committee's oversight is part of the evaluation of the control environment, the staff suggested that auditors determine the level of audit committee involvement and its activities regarding the risk of management override. For example, the auditor might read minutes of audit committee discussions on matters related to the committee's oversight. In addition, the auditor can examine evidence of the audit committee's activities that address the risk of management override, such as the monitoring of certain transactions.

Smaller companies also have fewer employees, which limits the opportunity to segregate incompatible internal control duties. They might use alternative approaches to achieve the objectives of segregation of duties. Auditors are cautioned to evaluate whether those alternative controls achieve the control objectives.

Smaller companies with less complex business processes and centralized accounting operations will generally have less complex information systems that make greater use of off-the-shelf packaged software. When off-the-shelf software is used, the auditor's testing of information technology controls should focus on the application controls built into the prepackaged software that management relies on to achieve its control objectives and the testing of IT general controls should focus on those controls that are important to the effective operation of the selected application controls.

Smaller companies are also more likely to address their need for financial reporting competencies by hiring outside professionals rather than using internal staff. The staff advises auditors to consider the firm's use of those third parties when assessing competencies of the company. For example, auditors should consider how management determines that the outside professionals possess the necessary qualifications. Auditors must also evaluate the controls the company has established over the work of the outside third parties.

Smaller companies typically need less formal documentation to run the business, including maintaining effective internal control over financial reporting. Auditors should take that factor into account when selecting controls to test and planning the tests of controls.

The staff recognizes the challenge of obtaining sufficient evidence about the effectiveness of controls when there is limited documentation of their operation. In those situations, the staff recommends that auditors use inquiry combined with other procedures, such as observation of activities, inspection of the documentation that was produced or used by the controls and the retesting of certain controls in order to obtain sufficient evidence about whether a control is effective. The staff warned that a pervasive lack of documentation and other audit evidence could prevent the auditor from being able to obtain sufficient evidence to support an opinion on internal control.