The Public Company Accounting Oversight Board has issued staff guidance on auditing internal controls in smaller public companies, allowing less complex companies to adjust more easily to a recently issued auditing standard for Sarbanes-Oxley compliance.
Auditing Standard No. 5 offers more of a risk-based approach to conducting audits of internal controls than its predecessor, Auditing Standard No. 2. "AS5 provides a single framework for all companies that have to audit internal controls in a way that's scalable to all sizes of companies," said Tom Ray, chief auditor and director of professional standards at the PCAOB. "This document feeds off of those areas in AS5 and provides further direction tailored to the unique circumstances of the smaller public companies."
Several auditing firms volunteered to help the PCAOB draw up the guidance. Among the topics discussed are entity-level controls, the risk of management override, segregation of duties and alternative controls, information technology controls, financial reporting competencies, and testing controls with less formal documentation.
Management override is an issue for all sizes of entities, noted Keith Wilson, associate chief auditor with the PCAOB. "What is unique with smaller size entities is they typically depend on a few individuals who help manage the business, and that often gives them additional opportunities just because they are involved in so many activities on a day-to-day basis," he said.
The
