Audit of a company no internal controls

​Conducting a statutory audit on a company with no internal controls is indeed challenging but not impossible. The key distinction to understand is that while internal controls are a significant component of an entity’s financial reporting and governance framework, the absence of these controls does not preclude the possibility of conducting a statutory audit. Instead, it necessitates a different approach to the audit process. Here’s how it can be approached:

1. Understanding the Context: First, understand why the entity lacks internal controls. Is it due to its size, nature of operations, or a deliberate management decision? This understanding will guide the audit approach.

2. Risk Assessment: In the absence of internal controls, the risk of material misstatement due to error or fraud increases. The auditor needs to conduct a thorough risk assessment, considering the increased likelihood and potential impact of misstatements in the financial statements.

3. Focus on Substantive Procedures: Since reliance on controls is not an option, the auditor will primarily focus on substantive procedures. These include tests of details of transactions and balances, and substantive analytical procedures, to gather sufficient appropriate audit evidence.

4. Increased Sample Sizes: The auditor may need to increase the sample sizes for testing, given the heightened risk profile. This means a more detailed examination of the financial records.

5. Professional Skepticism: A heightened level of professional skepticism is necessary throughout the audit process. This involves being alert to any signs of misstatement or irregularities.

6. Direct Testing and Verification: The auditor will likely rely more on direct testing and verification of transactions and balances. This may include increased use of third-party confirmations, physical inspections, and detailed review of transaction documentation.

7. Evaluation of Audit Evidence: The auditor must carefully evaluate all audit evidence obtained to determine if it is sufficient and appropriate, given the lack of internal controls.

8. Audit Opinion: The auditor’s assessment of the financial statements and the impact of the absence of internal controls will be reflected in the audit opinion. In extreme cases, if the lack of controls prevents the auditor from obtaining sufficient appropriate audit evidence, this could affect the type of opinion issued (e.g., qualified, adverse, or disclaimer of opinion).

9. Communication with Management and Those Charged with Governance: It’s crucial to communicate the findings and implications of the lack of internal controls, including any limitations it places on the audit and the increased risk of material misstatement.

10. Recommendations for Improvement: The auditor should recommend that the entity establish at least a basic level of internal controls to manage and mitigate risks effectively.

In summary, while the absence of internal controls in a company presents significant challenges to the statutory audit process, it does not make the audit impossible. The auditor must adapt their approach, focusing more on substantive procedures to ensure that the audit objectives are met and that the audit provides a reasonable basis for forming an opinion on the financial statements.