A recent article in Audit and Beyond, the magazine for the Institute of Chartered Accountants of England and Wales (ICAEW)’s Audit and Assurance Faculty members, discussed the need for auditors of smaller and less-complex entities to understand the design and implementation of internal controls—even when they take a fully substantive approach to the audit. The article was authored by two practitioners with extensive experience of small- and medium-sized entity (SME) audits—Hugh Morgan of Baker Tilly and Michele Rose of BDO, both in London—and me. We consulted with a wide range of practitioners who serve on ICAEW’s International Standards on Auditing (ISAs) Implementation group.
Arriving at a consensus was unexpectedly, and exceptionally, difficult. It seems that many firms in different jurisdictions have very different approaches to the requirements of the risk ISAs regarding internal controls—ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 330, The Auditor’s Response to Assessed Risks, in particular.
The ISAs seem to make it clear that work must be performed on the design and implementation of controls relevant to the audit—on all audits regardless of whether the controls are subsequently tested and regardless of the audit approach. There is scope for significant auditor judgement here and some firms do considerably more work in this area than others. Some take the view that for audits of smaller or less complex entities, there is little point in spending a great deal of time, if any, considering controls because they are not that relevant to the risk-assessment process or the wider audit, particularly if the controls are not going to be tested as part of the response to the risk assessment.
In the article in Audit and Beyond, my co-authors and I take the position that work on the design and implementation of controls is necessary on all audits, not the least because the ISAs require it. Examples of the types of controls typically found in SMEs are also provided.
But there is clearly a range of views on this subject. How do you approach internal controls in the audit of SMEs? And which controls do you think are relevant to the audit of SMEs?