FRC Practice Note 28 Key Summary

Practice Note 28 gives auditors guidance on how to apply the ISAs (UK) to audits of small and medium-sized entities (SMEs) in a way that is scalable, proportionate and effective. It is aimed at statutory audits, but can also be relevant to voluntary audits.

Important Notes:

It is not a standalone audit framework and does not replace the ISAs (UK). The FRC is clear that auditors still need to read and apply the underlying standards; PN 28 only highlights areas where proportionality and scalability matter most.

It is intended for SMEs that show signs of being less complex, such as concentrated owner-management, simple operations, straightforward accounting systems, and relatively few or informal controls. The FRC also says size alone is not enough—a small entity can still be complex in certain areas.

The standards apply to all audits, but the way they are applied should reflect the entity’s complexity. Auditors are expected to use professional judgement to scale the work appropriately rather than defaulting to a large-entity approach.

Summary of Practice Note 28

PN 28 is organised into six sections: Introduction, Planning, Risk Identification and Assessment, Responses to Assessed Risks, Group Audit Considerations, and Concluding.  

Key summary of Practice Note 28 are as follows:

Planning and materiality: In planning, the note highlights that materiality should be based on the needs of the likely users of the SME’s financial statements. In some SME situations, users may be less sensitive to small misstatements, so a higher materiality may sometimes be appropriate, depending on the facts.

Risk assessment is central: The FRC says risk identification and assessment is a fundamental aspect of any audit. For SMEs, the risk assessment process should still be robust, but it can be less elaborate where the business is simpler and the risks are fewer.

Focus on key problem areas: The note gives particular attention to areas where SME audits often need more judgement, especially:

• understanding the entity and internal controls

• going concern

• accounting estimates

• fraud

Internal controls in SMEs: PN 28 recognises that smaller entities often have limited segregation of duties, informal controls, and simple bookkeeping systems. In these cases, the auditor still has to understand the system of internal control, but the documentation and testing can be more proportionate.

Documentation should be proportionate: One of the clearest points in the note is that SME audit documentation will usually be simpler and less extensive than for larger, more complex entities. Auditors do not need to document irrelevant requirements, and they do not need to record every matter considered—documentation should focus on significant matters and key judgements.

Substantive work may do more of the heavy lifting: PN 28 acknowledges that in many SME audits, much of the evidence may come from substantive procedures, especially where formal controls are limited. Even where no specific risk has been identified for a material balance or class of transactions, the extent of substantive work is still a matter of judgement and can be less extensive if that is appropriate.

Fraud: The note recognises that SMEs may have less formal controls, but also that direct owner-manager oversight can sometimes reduce certain fraud opportunities. That said, management override remains a key risk, and the auditor should design journal testing and other procedures accordingly. PN 28 also notes that simple automated tools can help identify unusual journals.

Going concern: The FRC expects auditors to assess going concern in a practical SME context. That can include reviewing cash flow forecasts, budgets, business plans, external developments, licences, key customers or suppliers, and the realism of management’s assumptions. Where management has not prepared enough analysis, the auditor may need to prompt a more robust assessment.

Takeaway:

Practice Note 28 is the FRC’s attempt to make SME audits better scaled, not weaker. It encourages auditors to keep standards high while avoiding unnecessary work, excessive documentation and large-company habits that do not fit smaller, less complex entities.