5035.6 Scalability
Sep-2022

In This Section

Scalability

Scalability

CAS Guidance

Controls in the control activities component for less complex entities are likely to be similar to those in larger entities, but the formality with which they operate may vary. Further, in less complex entities, more controls may be directly applied by management (CAS 315.A156).

Example:

Management’s sole authority for granting credit to customers and approving significant purchases can provide strong control over important account balances and transactions, lessening or removing the need for more detailed control activities.

It may be less practicable to establish segregation of duties in less complex entities that have fewer employees. However, in an owner-managed entity, the owner‑manager may be able to exercise more effective oversight through direct involvement than in a larger entity, which may compensate for the generally more limited opportunities for segregation of duties. Although, as also explained in CAS 240, domination of management by a single individual can be a potential control deficiency since there is an opportunity for management override of controls (CAS 315.A157).

OAG Guidance

Implementation of Controls

For general considerations related to obtaining evidence about the implementation of controls in less complex entities see OAG Audit 5031.

Segregation of Duties

Size and economic considerations in less complex entities mean that sophisticated internal controls are often unnecessary. The fact that there are sometimes fewer employees limits the extent to which segregation of duties is practicable for a less complex entity. For example, accounting procedures may be performed by a small number of individuals who may have both operating and custodial responsibilities. Although initially appropriate segregation of duties may appear challenging in less complex entities, even entities that have only a few employees may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives. When this is the case, we consider the impact of this lack of segregation of duties when planning our audit procedures to address the presumed significant risk of fraud related to management override of controls and we take this risk into account when determining whether we plan to test the impacted controls as a source of audit evidence.

For example, in cases where there is limited segregation of duties in the area of purchasing and payables, internal control is improved when an owner or senior level of management authorizes all purchase orders and approves all the payments (e.g., signs all checks, authorizes all electronic fund transfers). Other controls that may help to mitigate the risk arising from an inability to segregate incompatible duties in the purchasing business could include the owner:

  • Opening and reading all incoming invoices received by mail

  • Is the signatory for the bank accounts and authorizes all transactions out of the bank account

  • Performs his/her own manual checks on liquidity/cash flow and monitors closely areas such as accounts payable

  • Has a close relationship with major suppliers and other vendors and follows‑up on incoming invoices that are incorrect

  • Selects certain transactions for review of supporting documents

  • Periodically conduct counts of physical inventory, equipment, and other assets and compares balances with accounting records.