5 Components
A solid system of internal controls translates into more reliable financial reporting and can help companies prevent, detect and correct financial misstatements. In contrast, weak controls can result in costly errors — and even fraud.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal controls should be “designed to provide reasonable assurance [of] the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.”
COSO lists five components of internal controls:
- Control environment,
- Risk assessment,
- Control activities,
- Information and communication, and
- Monitoring.
Companies must continually review and improve internal control performance. AICPA auditing standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. Private auditors tailor audit programs for potential risks of material misstatement, but they aren’t required to specifically perform procedures to identify control deficiencies, unless they’re hired to perform a separate internal control study.
Management letters
Statement on Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters Identified in an Audit, requires auditors to consider whether controls are sufficient to prevent and detect misstatement, as well as whether they enable management to correct misstatements in a timely manner. Under SAS 115, management letters must identify the following types of internal control deficiencies that have been unearthed during audit procedures:
Material weaknesses. Such shortcomings refer to “a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.”
Significant deficiencies. This type of concern is “less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Note that a control deficiency is dependent on the potential for misstatement; misstatement need not actually have occurred.
SAS 115 permits significant leeway in how auditors classify internal control weaknesses, such as lack of segregation of duties, inadequately trained accounting personnel, restated prior period financial statements, and material audit adjustments.
When classifying deficiencies as material or significant, auditors evaluate the probability and magnitude of the potential misstatement. They also consider “compensating controls,” which are substitute procedures that limit the severity of a deficiency.
Public company SOX compliance
In addition to SAS 115, Section 404 of the Sarbanes-Oxley Act (SOX) requires a public company’s management to assess its internal control over financial reporting (ICFR). The provision also requires the company’s external auditor to attest to the effectiveness of management’s internal controls.
In addition to increased vulnerabilities caused by remote working arrangements during the pandemic, the following conditions have caused public companies to spend more time checking ICFR than they had in previous years:
- Accounting standard changes (in particular, the new guidance on credit losses and reporting leases),
- The use of technology (such as robotic process automation and artificial intelligence) that requires testing of new controls, and
- Rigorous inspections of controls by the Public Company Accounting Oversight Board (PCAOB).
Strong internal controls aren’t just important for public companies. Privately held companies are often less resilient to frauds caused by weak controls. Plus, they tend to have less sophisticated internal audit and accounting departments than public companies.
We Can Help
Our auditors have seen the best — and worst — in internal control practices. Contact us if you need help brainstorming cost-effective ways to improve your existing internal controls system.
© 2022