What are Internal Controls?
Internal controls are policies and procedures put in place by management to ensure that, among other things, the company’s financial statements are reliable. Some internal controls relevant to an audit include bank reconciliations, password control systems for accounting software, and inventory observations.
The objective of the auditor is to identify and assess the risk of material misstatement, whether due to fraud or error, at the financial statement and assertion levels. It includes understanding the entity and its environment and the entity’s internal controls in order to design the proper audit procedures to achieve the desired level of assurance.
Limitations of Internal Controls
Although management puts in place internal controls to ensure that the financial statements are more reliable and less prone to error, there are still limitations, such as the possibility of collusion. Even if certain transactions require supervisor approval, if a lower-level staff member and their supervisor work together to authorize the transaction, the internal control is not very effective at preventing such a fraudulent act.
Similarly, another limitation is management override. No matter what internal control is in place, if management overrides it and decides to input something else, there is no way to stop the practice. Also, internal controls are designed to address normal transactions and not unusual transactions. And finally, there is the risk of human error due to employees making mistakes during busy periods when transaction volumes are significantly higher. Mistakes also arise as a result of staff turnover.
Components of Internal Controls
A company’s internal controls framework generally consists of five components: the control environment, the entity’s risk assessment, information systems and communication, control activities, and monitoring.
Control Environment
The control environment at the top refers to the attitudes, awareness, and actions of management and those charged with governance towards internal controls. A simpler way to describe this is to call it the “tone at the top.” Such tone is highly important because it filters down to all the other components and has a huge impact on the company. For example, with a less committed and relaxed tone, lower-level employees are less likely to properly follow the internal controls in place.
Entity Risk Assessment
The entity’s risk assessment relates to how the client identifies and responds to business risks, such as new personnel and new accounting pronouncements. Is the proper training given to employees? Are the new pronouncements fully prepared for and implemented effectively?
Information Systems & Communication
The information systems component refers to how the company captures, processes, reports, and communicates transaction information. For example, does the company use distributed processing? How does it deal with system changeovers? Is it using highly recognized software or just something off the shelf?
Control Activities
Control activities refer to the specific, detailed policies and procedures such as review of company performance through variance analysis, physical and logical controls, and segregation of duties. Segregation of duties is an important internal control that prevents a lot of problems, one of which is fraud. Having different employees count inventory and have access to the ledger records prevents employees from stealing inventory and writing it off on the sub-ledger.
Monitoring
Finally, monitoring controls deal with management’s ongoing and periodic assessment of the quality of the internal controls to determine which controls need modification. A common example of this in larger companies is the work done by internal auditors.
The Auditor’s Role in the Internal Control Process
Once the auditor gains an understanding of the client’s system of internal controls, the auditor must assess control risk. Control risk is the risk that the client’s system of internal controls will fail to prevent or detect and correct an error. Ratings range from low to high to maximum. Low means that the client’s internal controls are strong and maximum means that the internal controls are useless. If a client’s system of internal controls is assessed below maximum, the auditor must test the internal controls to ensure that they are functioning in accordance with the auditor’s understanding.
Testing of internal controls includes making inquiries to management and employees, inspecting source documents, observing inventory counts, and actually re-performing client procedures. Finally, the auditor will perform more substantive procedures to reach its desired level of overall risk according to the audit strategy.
There are two types of audit strategy:
- Combined Audit Approach – Includes tests of controls and substantive testing (this means that control risk is assessed to be below maximum)
- Purely Substantive Audit Approach – No tests of controls are performed and only substantive tests are done (this means that control risk is assessed to be maximum)