Assessing internal controls is just one step in the external audit process, but it’s a big step toward avoiding risks and setbacks down the road. By understanding an auditor’s approach to assessing internal controls, a business or organization can be better prepared for audit inquiries and additional procedures performed during fieldwork.
Guided by COSO framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control: Integrated Framework outlines the five components of internal control that Section 404 of the Sarbanes-Oxley Act requires:
Control environment. A set of standards, processes, and structures is needed to provide the basis for carrying out internal controls across the organization.
Risk assessment. This dynamic, iterative process identifies stumbling blocks to the achievement of the company’s strategic objectives and forms the basis for determining how risks will be managed.
Control activities. Policies and procedures are necessary to help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
Information and communication. Relevant, high-quality information supports the internal control process. Management should continually gather this information and share it with people inside and outside the company.
Monitoring. Management should routinely evaluate whether each of the five components of internal controls is present and functioning.
The COSO framework isn’t just for public companies that must comply with the Sarbanes-Oxley Act. It applies to all entities that follow U.S. Generally Accepted Accounting Principles (GAAP) standards.
The audit inquiry
During fieldwork, auditors will ask questions about your company’s internal controls. Under auditing standards set by the American Institute of Certified Public Accountants (AICPA), auditors must have a thorough understanding of a client’s information system, including the related business processes and communication relevant to financial reporting. They also need to distinguish between business processes and control activities.
Business processes are activities that accomplish three things:
- Develop, purchase, produce, sell and distribute products and services
- Ensure compliance with laws and regulations
- Record information, including accounting and financial reporting information
In contrast, control activities are “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no standard approaches when it comes to understanding business processes and control activities. The requirements vary from audit to audit.
Auditors often use detailed internal control questionnaires to perform a comprehensive assessment of the internal control environment. The content of these questionnaires is usually customized for a particular industry or business, although most include general questions about the company’s mission, control environment, and compliance situation. There also may be sections dedicated to mission-critical or fraud-prone elements of the company’s operations. Examples include accounts receivable, inventory, intellectual property, related-party transactions, and payroll.
Additional audit procedures
Each year, auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures — such as observations, inspection, or tracing transactions through the information system — to obtain an understanding of controls relevant to the audit. The appropriate procedures are based on the auditor’s professional judgment.
For existing clients, auditors may leverage information from their previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, auditors evaluate whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.
Eye on risk factors
Auditors are specifically expected to understand controls that address significant risks. Significant risks are identified and assessed risks of material misstatement that require special consideration. Examples include control activities that:
- Are relevant to the risk of fraud
- Relate to nonrecurring or unusual transactions, or to adjustments
Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity, and nature of operations. Auditors consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.
Changes are inevitable
Internal and external risk factors change over time. Upon completion of the year-end financial statements, you should brainstorm ways to update and strengthen your controls with an eye on the changing risk environment. Your review should cover the following three basic controls:
Physical restrictions. Employees should have access only to those assets necessary to perform their jobs. Locks and alarms are examples of ways to protect valuable tangible assets, including petty cash, inventory, and equipment. But intangible assets — such as customer lists, lease agreements, patents, and financial data — also require protection with controls including passwords, access logs, and appropriate legal paperwork.
Account reconciliation. Management should confirm and analyze account balances on a regular basis. To illustrate, proactive organizations reconcile bank statements and count inventory on a regular basis. Waiting until year end to complete these basic procedures can be a sign of weak oversight.
Job descriptions. Another basic control is maintaining detailed, up-to-date job descriptions. This exercise can help you better understand how financial job duties interact with one another. It can also highlight possible conflicts of interest that could lead to improper recordkeeping. Your policies should call for job segregation, job duplication, and mandatory vacations.
Team effort
Effective internal controls are critical to accurate financial reporting. It’s important to work closely with your external audit team to ensure your organization has a solid system of controls in place to help prevent, detect and correct financial misstatements due to errors and fraud.
© 2024 KraftCPAs PLLC