* Adapted from the AICPA Audit Guide, Assessing and Responding to Audit Risk in a Financial Statement Audit.

The audit strategies used on larger companies may not be practical for audits of a small business. Big businesses can rely on their own personnel, including their own internal auditors, to provide assistance. But auditors of a small business might need to adjust their audit strategy.

Auditors of a small business may encounter certain challenges that affect their audit strategy, such as:

• Accounting records that require significant adjustments prior to the start of significant auditing procedures.
• Significant transactions with unaudited related parties.
• The need to adapt standardized audit practice aids developed for larger entities to the conditions that exist on a small business audit.

The unique demands of a small business audit typically require significant involvement of the most experienced auditors during the audit planning process. More experienced auditors will be able to make important judgments about audit strategy, including:

• The nature, timing and extent of risk assessment procedures designed to gather information about the client and its environment.
• The assessment of risks of material misstatement.
• The nature and extent of the auditor’s documentation of assessed risks.
• The nature and extent of the documentation of the client’s internal control.
• The choice of further audit procedures that are clearly linked to assessed risks.
• The allocation of audit resources to those areas of the audit that present the most risk.

Small businesses face certain challenges in implementing effective internal control, particularly if management of the business views internal control as something to be “added on” rather than integrated with core processes. These challenges to implementing effective internal control include:

• Management’s ability to dominate activities. This increases opportunities for improper management override of processes to appear that financial reporting objectives have been met.
• Obtaining qualified accounting personnel to prepare and report financial information.
• Management’s view that the primary value of internal control is in preventing the misappropriation of assets while underestimating the importance of con­trol objectives related to financial reporting.
• Obtaining sufficient resources to achieve adequate segregation of duties.
• Informal, largely undocumented decision-making processes, including risk assessment and the monitoring of internal control.
• Attracting independent, outside parties with financial and operational expertise to serve on the board of directors and on the audit committee.
• Controlling information technology. Controls over information systems, particu­larly application and general IT controls, present challenges for smaller businesses.
• Ad hoc, undocumented entity-level control policies and procedures.

Companies should implement a control structure to reduce risk to an acceptable level. Sometimes, smaller companies do not perceive that they have sufficient resources to fully implement segregation of duties or other controls that are more preventive in nature. Thus, smaller businesses may rely more on detective rather than preven­tive monitoring and personal involvement by top management in setting a control environment that brings in sufficient competence and trust to assist in reducing risk. All companies, regardless of size, need to have all components present and functioning, but the relative reliance on each component may be different in smaller companies than it is in larger companies.

Adapted from the AICPA Audit Guide, Assessing and Responding to Audit Risk in a Financial Statement Audit. This paperback, published by the AICPA, is available at cpa2biz.com, order product # 012459.