(The article featured
below is a selection from PCAOB
Reporter, which is available to subscribers of that publication.)
PCAOB Issues Guidance on Audits of Internal Control at Smaller Companies
The PCAOB staff has issued guidance on the audits of
internal controls for small companies based on the core principle of scaling the
audit for smaller and less complex companies. The staff guidance is a key
component of the PCAOB's overall effort to support the successful implementation
of Auditing Standard No. 5, according to PCAOB Chairman Mark Olson, by assisting
auditors of smaller companies in implementing the standard. However, while the
size and complexity of a company are important factors in the auditor's risk
assessment and determination of the necessary audit procedures, the PCAOB staff
emphasized that Auditing Standard No. 5 establishes requirements that apply to
audits of internal controls of all companies, regardless of their size.
In smaller, less complex companies, senior management
often is involved in many daily activities and performs duties that are
important to effective internal control. The auditor's evaluation of
entity-level controls can provide a substantial amount of evidence about the
effectiveness of internal control over financial reporting.
The extensive involvement of senior management in
daily activities can also provide additional opportunities for management to
override controls or intentionally misstate the financial statements in smaller
companies. In the integrated internal control and financial statement audit, the
auditor should consider the risk of management override and company actions to
address that risk in connection with assessing the risk of material misstatement
due to fraud and evaluating entity-level controls.
The staff noted that the company's audit committee
should also be evaluating the risk of management override, including identifying
areas in which management override of internal control could occur and assessing
whether those risks are being appropriately addressed. Since the consideration
of the effectiveness of the audit committee's oversight is part of the
evaluation of the control environment, the staff suggested that auditors
determine the level of audit committee involvement and its activities regarding
the risk of management override. For example, the auditor might read minutes of
audit committee discussions on matters related to the committee's oversight. In
addition, the auditor can examine evidence of the audit committee's activities
that address the risk of management override, such as the monitoring of certain
transactions.
Smaller companies also have fewer employees, which
limits the opportunity to segregate incompatible internal control duties. They
might use alternative approaches to achieve the objectives of segregation of
duties. Auditors are cautioned to evaluate whether those alternative controls
achieve the control objectives.
Smaller companies with less complex business processes
and centralized accounting operations will generally have less complex
information systems that make greater use of off-the-shelf packaged software.
When off-the-shelf software is used, the auditor's testing of information
technology controls should focus on the application controls built into the
prepackaged software that management relies on to achieve its control objectives,
and the testing of IT general controls should focus on those controls that are
important to the effective operation of the selected application controls.
Smaller companies are also more likely to address
their need for financial reporting competencies by hiring outside professionals
rather than using internal staff. The staff advises auditors to consider the
firm's use of those third parties when assessing competencies of the company.
For example, auditors should consider how management determines that the outside
professionals possess the necessary qualifications. Auditors must also evaluate
the controls the company has established over the work of the outside third
parties.
Smaller companies typically need less formal
documentation to run the business, including maintaining effective internal
control over financial reporting. Auditors should take that factor into account
when selecting controls to test and planning the tests of controls.
The staff recognizes the challenge of obtaining
sufficient evidence about the effectiveness of controls when there is limited
documentation of their operation. In those situations, the staff recommends that
auditors use inquiry combined with other procedures, such as observation of
activities, inspection of the documentation that was produced or used by the
controls, and the retesting of certain controls, in order to obtain sufficient
evidence about whether a control is effective. The staff warned that a pervasive
lack of documentation and other audit evidence could prevent the auditor from
being able to obtain sufficient evidence to support an opinion on internal
control.