The risk ISAs were introduced in 2003 using the five-component classification of the US COSO framework. This framework has been widely used since 1992 and has stood the test of time. ISA 315 does not require auditors to use it, provided that all of the components are covered, but many, if not most, firms and the providers of proprietary software systems find it a convenient framework to use.
The five internal control components are:
- The control environment
- Risk assessment
- Information system
- Control activities
- Monitoring of controls
The control environment
Auditors are required to evaluate whether:
- management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour; and
- the strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are undermined by deficiencies in the control environment, such as the risk of management override.
What are the considerations for smaller, less complex entities?
- The control environment is all about setting the tone at the top of an organisation and influencing the control consciousness of its people. In many smaller entities, management and those charged with governance are likely to be the same, either the board of directors or the owner-manager, and may not include independent or outside members. With not-for-profit organisations the position is different because those charged with governance, such as trustees, are often not involved in the day-to-day management of the business. The tone at the top can sometimes involve mixed messages, and poor messages tend to have more impact than good ones.
- Formalised policies such as a written code of conduct may be present in some smaller not-for-profit organisations but are less likely in other smaller entities. Even so, a culture of ethical behaviour can be established through oral communication and leading by example.
- If the tone at the top is good, the owner-manager may exercise effective control over transactions which otherwise might be achieved through extensive segregation of duties in a larger entity. However, if the tone at the top is poor, management override can easily occur and even the very best transactional controls over processes, such as purchases and revenue, can be overridden.
Examples of the types of work on control design and implementation
- Auditors may obtain an understanding of the control environment in a smaller entity by inquiry of management or the owner-manager, by considering management’s attitudes and motives based on prior experience and by observing management’s actions during the audit.
- ISA 315 does not permit auditors to base their understanding of the design and implementation of controls on inquiries alone. Evidence from inspection, observation and walkthroughs is also required. Walk-through tests are particularly important in understanding implementation.
- Understanding the design and implementation of controls is not the same as tests of the operational effectiveness of controls, although such tests are sometimes performed at the same time as work on design and implementation. It is often not possible to perform tests on the operational effectiveness of the control environment, but obtaining an understanding of the design and implementation of the control environment (and of all of the other control components) is critical to the control risk assessment.
- The tone at the top of a small, simple owner-managed business may be reflected in the extent to which the owner-manager segregates personal assets and transactions from those of the business. Owner-managers who make a clear distinction demonstrate a good tone at the top.
Risk assessment
Auditors are required to obtain an understanding of the entity’s risk assessment process. This is designed to:
- identify business risks relevant to financial reporting objectives;
- estimate the significance of those risks;
- assess the likelihood of the risks occurring; and
- identify actions needed to address those risks.
What are the considerations for smaller, less complex entities?
- In a smaller, less complex entity, it is unlikely that such a formal risk assessment process will be in place. It is more likely that management will identify risks through their direct personal involvement in the business. If this is the case, or there is an ad hoc process, auditors may discuss with management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed.
- Owner-managers are generally very aware of the risks facing their business. They simply see no need to write them down – but this does not mean that they have not thought about the risks to their business and made changes if they consider them necessary.
Examples of the types of work on control design and implementation
- Auditors discuss business risks with management as part of the planning process and conclude on whether the risk assessment process in place is appropriate given the size and complexity of the entity. The risk assessment process need not be formal or documented.
- When auditors ask a smaller, less complex client about their risk assessment process, they are unlikely to get a positive response. Using more familiar terminology may produce a different answer. For example, instead of asking about business risks, auditors could ask:
- what are the current threats to profits?
- is the entity experiencing increasing costs?
- how is the business performing against its competitors?
- what impact has the current economic environment had on the business?
- Depending on the response, auditors will then need to ask how these issues have been addressed. Has the business cut costs, sought new suppliers, reduced their workforce, found new customers, or investigated new markets/territories, for example?
Information system
Auditors are required to obtain an understanding of the information system, including the related business processes, relevant to financial reporting. This includes the following areas:
- the classes of transactions in the entity’s operations that are significant to the financial statements;
- the procedures, within both IT and manual systems, by which transactions are initiated, recorded, processed, corrected, transferred to the general ledger and reported in the financial statements;
- the related accounting records, supporting information and specific accounts in the financial statements;
- how the information system captures events and conditions, other than transactions that are significant to the financial statements;
- the financial reporting process used in preparing the entity’s financial statements, including controls over significant accounting estimates and disclosures; and
- controls over journal entries, including non-standard journal entries used to record non-recurring and unusual transactions or adjustments.
ISA 315 also requires auditors to obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting, including communications between management and those charged with governance and external communications, such as those with regulatory authorities.
What are the considerations for smaller, less complex entities?
- Information systems and related business processes relevant to financial reporting in a smaller entity are likely to be much simpler and easier to understand than in larger entities, but are equally important.
- Typically, the bookkeeping procedures and accounting records will be simple, with no documented descriptions of accounting policies or procedures. Smaller entities generally use off-the-shelf accounting packages, without modification, to produce their accounts. A properly tailored, good quality off-the-shelf package operated by appropriately trained staff may well constitute a good control over information systems and accounting records.
- For a smaller, less complex entity, management and those charged with governance are likely to be the same body or person. Communication is likely to be informal and easily achieved due to fewer levels of responsibility and management’s greater direct involvement with the entity.
Examples of the types of work on control design and implementation
- Auditors can gain a good understanding of the information systems through inquiry of management and other relevant personnel and are less dependent on formal documentation such as client-prepared system notes. As before, though, understanding the design and implementation of systems should not be based on inquiry alone. It needs to be corroborated by inspection of documentation, observation of client staff operating the systems, and walk-throughs to confirm that the systems have been implemented, and operate as prescribed, in accordance with the auditors' understanding.
- Gaining an understanding of the accounting package, of the extent of staff competence and training, and of how well its security and other features are used also helps auditors assess risk.
- Understanding obtained in prior audits and other audits of entities that use the same package can help auditors identify areas of risk that arise from the information system.
- An understanding of the communication processes will be most easily obtained through discussion with management, supported by documentary evidence.
Control activities
Auditors are required to obtain an understanding of control activities relevant to the audit, i.e. those activities auditors judge it necessary to understand in order to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to the assessed risks.
What are the considerations for smaller, less complex entities?
- The concept of control activities is universal, irrespective of the size and complexity of an entity.
- Control activities are likely to be limited to the main transaction cycles such as revenue, purchases and payroll.
- Management’s greater direct involvement in the day-to-day operations of smaller entities means that control activities are likely to be less formal than in a larger entity and rely more on reviewing daily, weekly and monthly reports on revenue, purchases and payroll, for example.
- Automated controls within computer packages may provide some comfort on completeness and accuracy in the main transaction cycles but they must be tested like any other control.
- Management’s direct involvement in key decision-making is often an important feature of the management of any smaller entity.
Examples of the types of work on control design and implementation
- Understanding control activities can be obtained through discussion with management and other staff, observation of their activities and inspection of documented controls, such as authorisations.
- Audit work might focus on understanding how, for each of the main transaction cycles, a transaction is initiated, processed and recorded in the accounting system and reported in the financial statements.
- Any lack of control activities, inappropriate design or failure to implement control activities will have an effect on the assessed level of control risk.
- Tests of the operational effectiveness of controls are more likely to be performed in this area than other areas. If such tests show that control activities are not operationally effective, the control risk assessment needs to be revisited.
- Where management makes key decisions and has the ability to intervene at any time to ensure an appropriate response to changing circumstances, auditors may decide that this control is sufficient to prevent or detect and correct material misstatements. There would be no need to consider more detailed control activities as part of the risk assessment process in such cases. For example:
- if management has sole authority for granting credit to customers and approving significant purchases, it might constitute a strong control over important account balances; and
- for a company holding a single leased asset with no indicators of impairment, management might use the lease contract as evidence of the assertions underlying the disclosure of the asset in the financial statements. There may be no specific controls relating to the asset other than management’s knowledge and use of the lease contract. Auditor documentation of the use of the contract as the control over that asset may be sufficient for risk assessment purposes.
Monitoring of controls
Auditors are required to obtain an understanding of the major activities the entity uses to monitor internal control over financial reporting, including monitoring of relevant control activities. They are also required to understand how the entity initiates remedial actions to correct deficiencies in its controls.
What are the considerations for smaller, less complex entities?
- In a smaller entity, management’s monitoring of controls may be through management’s own close involvement with the operations of the entity. This may be through a review of:
- any management accounts and significant variances;
- key performance indicators set by management; and
- errors in financial data leading to remedial action.
- It is important to recognise that in very small entities, where control is achieved through management’s day-to-day involvement in the running of the business, it may not be possible for management to monitor controls because it would be effectively monitoring itself.
Examples of the types of work on control design and implementation
- Auditors can obtain their understanding of management’s monitoring of controls by inquiry of management and inspection of items monitored such as completed bank reconciliations. Evidence of changes made in prior years as a result of monitoring may also be relevant.
- The absence of effective monitoring controls is not necessarily fatal as other controls may be sufficient to reduce control risk to an acceptable level.