Let's just get down to the skinny of it, audits in any form are painful. We get that.
Google SAS 104-115 and you will find mostly articles by us (Vibato) discussing the need for auditors to pay special attention to internal controls as part of their audit. Why? Because the AICPA & the PCAOB dictates standards that the auditors must adhere to in order to perform their audits. Parts of these requirements include reviewing your internal controls and this applies to ANY COMPANY THAT IS AUDITED – public, private, non-profit; it doesn’t matter. If you are audited, your auditors must look at your internal controls as part of your audit. If you do not have any documented internal controls then be prepared for a higher audit bill because your auditors will have to go looking for internal controls at your company on your dime year-over-year. Moreover, due to independence issues, they are not allowed to share their work with you to use going forward so they will do this work each year and all you will see for it is a higher bill. Period.
Yesterday, the PCAOB issued Staff Audit Practice Alert No. 8: Audit Risks in Certain Emerging Markets, which the PCAOB says "focuses on the risks of misstatement due to fraud that auditors might encounter in audits of companies with operations in emerging markets, auditors' responsibilities for addressing those risks, and certain other auditor responsibilities under PCAOB auditing standards."