What are Internal Controls?
Internal controls are policies and procedures put in place by management to ensure that, among other things, the company’s financial statements are reliable. Some internal controls relevant to an audit include bank reconciliations, password control systems for accounting software, and inventory observations.
The objective of the auditor is to identify and assess the risk of material misstatement, whether due to fraud or error, at the financial statement and assertion levels. It includes understanding the entity and its environment and the entity’s internal controls in order to design the proper audit procedures to achieve the desired level of assurance.
Limitations of Internal Controls
Although management puts in place internal controls to ensure that the financial statements are more reliable and less prone to error, there are still limitations, such as the possibility of collusion. Even if certain transactions require supervisor approval, if a lower level staff member and his/her supervisor work together to authorize the transaction, the internal control is not very effective at preventing such a fraudulent act.
Similarly, another limitation is management override. No matter what internal control is in place, if management overrides it and decides to input something else, there is no way to stop the practice. Also, internal controls are designed to address normal transactions and not unusual transactions. Therefore, if numerous unusual transactions occur outside of the ordinary controls, that can threaten the validity of the company’s financial data. Finally, there is the risk of human error due to employees making ordinary mistakes, such as during busy periods when transaction volumes are significantly higher. Mistakes can also arise as a result of staff turnover.
Components of Internal Controls
A company’s internal controls framework generally consists of five different aspects, described below.
The control environment at the top refers to the attitudes, awareness, and actions of management and those charged with governance towards internal controls. A simpler way to describe this is to call it the “tone at the top.” It is highly important because it filters down to other employees and to all other components of control and can, therefore, have a huge impact on the company. For example, with a less committed and more relaxed tone, lower level employees are less likely to properly follow the internal controls in place.
Entity’s Risk Assessment
The entity’s risk assessment relates to how the client identifies and responds to business risks, such as new personnel and new accounting pronouncements. Is the proper training given to employees? Are the new pronouncements fully prepared for and implemented effectively?
Information Systems & Communication
The information systems component refers to how the company captures, processes, reports, and communicates transaction information. For example, does the company use distributed processing? How does it deal with system changeovers? Is it using well-recognized accounting software or just something that was cheap to obtain?
Control activities refer to the specific detailed policies and procedures, such as review of company performance through variance analysis, physical and logical controls, and segregation of duties. Segregation of duties is an important internal control that helps prevent a lot of problems, one of which is fraud. Having different employees count inventory and have access to the ledger records helps prevent employees from stealing inventory and writing it off on the sub-ledger.
Finally, monitoring controls deal with management’s ongoing and periodic assessment of the quality of the internal controls to determine which controls need modification. A common example of this in larger companies is the work done by internal auditors.
The Auditor’s Role in the Control Process
Once the auditor gains an understanding of the client’s system of internal controls, the auditor must assess control risk. Control risk is the risk that the client’s system will fail to prevent or detect and correct an error. Ratings range from low to high to maximum. Low means that the client’s internal controls are strong and maximum means that the controls are virtually useless. If a client’s system of internal controls is assessed below maximum, the auditor must test the internal controls to ensure that they are functioning in accordance with the auditor’s understanding.
Testing of internal controls includes making inquiries to management and employees, inspecting source documents, observing inventory counts, and actually re-performing client procedures. Finally, the auditor will perform more substantive procedures to assess the level of overall risk according to the audit strategy.
There are two types of audit strategy:
- Combined Audit Approach – Includes tests of controls and substantive testing (when control risk is assessed to be below maximum)
- Purely Substantive Audit Approach – No tests of controls are performed; only substantive tests are done (when control risk is assessed to be maximum)