(The news featured below is a selection from the news covered in Federal Securities Law Reporter,
which is distributed to subscribers of Federal Securities Law Reporter.)
PCAOB Issues Guidance for Auditors of Smaller Public Companies
The Public Company Accounting
Oversight Board has issued staff guidance to assist auditors of smaller public
companies in their audits of internal control over financial reporting. The
guidance was developed with the assistance of auditors that have experience in
working with smaller public companies with less complex audit environments. The
guidance may be relied upon immediately, but the PCAOB is also seeking comments
on its preliminary staff views until December 17, 2007.
When the PCAOB adopted Auditing
Standard No. 5, one of its objectives was to enable auditors to scale the audits
for smaller and less complex companies. Many smaller companies have fewer
business lines and less complex financial reporting systems. Senior management
is frequently more involved in the company's daily activities and typically
there are fewer levels of management.
The extensive involvement of
management may increase the risk of management override of internal controls.
Smaller companies also may be more reliant on outside professionals to meet
their financial reporting requirements. They may provide less formal
documentation with respect to their internal controls. The guidance notes that
smaller companies can be particularly affected by ineffective entity-level
controls.
In considering which controls to test,
the PCAOB suggests that auditors consider whether a given control is likely to
be effective and any evidence about the operation of the control. Entity-level
controls have a pervasive effect on a company's internal control, so auditors
must assess whether a control is designed and operating effectively enough to
prevent or detect material misstatements. The precision of the entity-level
controls will help determine the degree to which auditors may reduce their
testing.
In order to assess the risk of
management override, the PCAOB suggests that auditors discuss fraud risks with
the engagement team and obtain the views of management, the audit committee and
others. Among the actions a company can take to reduce the risk of management
override is to have a code of conduct or an ethics policy and make sure that
employees are informed of the company's policies.
An active and independent audit
committee can evaluate the risk of management override. The guidance suggests
that auditors interview audit committee members to determine their level of
involvement and their activities related to the risk of management override. A
whistleblower program may also be beneficial, especially if the audit committee
reviews any significant matters that are reported.
Since smaller public companies have
fewer employees, they may not segregate certain incompatible functions. Those
issues should be identified early in the audit process in order to design
procedures that are responsive to those risks. The information technology
controls may also pose a significant risk of misstatement.
Small company auditors need to assess
management's competency in identifying relevant financial reporting issues and
ensuring that events and transactions are accounted for properly. The financial
reporting personnel do not need to be experts in accounting and financial
reporting, but must be sufficiently competent to identify and address the risks
of a misstatement.
Smaller companies may be more likely
to have pervasive control deficiencies, which poses challenges for auditors. In
order to express an unqualified opinion on internal control, a company with
material weaknesses must remediate all of them early enough in the year for the
auditor to obtain sufficient evidence to support its opinion. The guidance notes
that some companies may have pervasive control deficiencies but still have
effective controls over some relevant assertions.
Pervasive deficiencies in internal
control do not necessarily prevent an auditor from obtaining sufficient audit
evidence to express an opinion, according to the guidance. However, in some
cases, an auditor may conclude that the lack of evidence constitutes a scope
limitation that would prevent him or her from expressing an opinion. The auditor
may issue a report disclaiming an opinion on internal control if he or she
concludes that a scope limitation will prevent him or her from obtaining the
reasonable assurance necessary to express an opinion. In that case, the
auditor's report should disclaim an opinion on internal control and disclose the
reasons for the disclaimer. The report should include the material weaknesses of
which the auditor is aware.