Internal controls: Think like an auditor

February 27, 2024

Contributors: Thomson Reuters

Assessing internal controls is part of today’s external audit requirements. Internal control testing helps identify risk factors, but the requirements can sometimes be unclear. By understanding your auditor’s responsibilities for assessing internal controls, you can prepare for audit inquiries and additional procedures performed during fieldwork.

COSO framework

Business and operating environments are rapidly changing. To reflect these changes, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control — Integrated Framework in 2013. The updated framework outlines five components of internal controls that are required under the Sarbanes-Oxley Act’s Section 404 provisions:

  1. Control environment. A set of standards, processes and structures is needed to provide the basis for carrying out internal controls across the organization.
  2. Risk assessment. This dynamic, iterative process identifies stumbling blocks to the achievement of the company’s strategic objectives and forms the basis for determining how risks will be managed.
  3. Control activities. Policies and procedures are necessary to help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
  4. Information and communication. Relevant and quality information supports the internal control process. Management needs to continually obtain and share this information with people inside and outside of the company.
  5. Monitoring. Management should routinely evaluate whether each of the five components of internal controls is present and functioning.

The updated COSO framework isn’t just for public companies that must comply with the Sarbanes-Oxley Act. It applies to all entities that follow U.S. Generally Accepted Accounting Principles.

Audit inquiries

During fieldwork, auditors will ask various questions about your company’s internal controls. Under the auditing standards set forth by the American Institute of Certified Public Accountants, auditors must understand a client’s information system, including the related business processes and communication relevant to financial reporting. Further, they need to distinguish between business processes and control activities.

Business processes are the activities 1) to develop, purchase, produce, sell and distribute products and services, 2) to ensure compliance with laws and regulations, and 3) to record information, including accounting and financial reporting information. In contrast, control activities are “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no “cookie cutter” approaches when it comes to understanding business processes and control activities. Rather, the requirements vary from audit to audit.

Many auditors use detailed internal control questionnaires to perform a comprehensive assessment of the internal control environment. The content of these questionnaires is usually customized for a particular industry or business. Most include general questions pertaining to the company’s mission, control environment and compliance situation. There also may be sections dedicated to mission-critical or fraud-prone elements of the company’s operations. Examples include accounts receivable, inventory, intellectual property, related-party transactions and payroll.

Additional audit procedures

Each year, auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures — such as observations, inspection or tracing transactions through the information system — to obtain an understanding of controls relevant to the audit. The appropriate procedures are a matter of the auditor’s professional judgment.

For existing clients, auditors may leverage information obtained from their previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, auditors evaluate whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.

Eye on risk factors

Auditors are specifically expected to understand controls that address “significant” risks. Significant risks are those identified and assessed risks of material misstatement that require special consideration. Examples include control activities that:

  • Are relevant to the risk of fraud, and
  • Relate to nonrecurring, unusual transactions or adjustments.

Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity and nature of operations. Auditors consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.

Team effort

Effective internal controls are critical to accurate financial reporting. It’s important to work closely with your external audit team to ensure your organization has a solid system of controls in place to help prevent, detect and correct financial misstatements due to errors and fraud.

Sidebar: Focus on 3 key areas to improve internal controls

Internal controls are a system of policies and procedures organizations put in place to protect assets and improve operating efficiency. However, internal and external risk factors change over time.

Upon completion of the year-end financial statements, you should brainstorm ways to update and strengthen your controls. Your review should cover the following three basic controls:

  1. Physical restrictions. Employees should have access only to those assets necessary to perform their jobs. Locks and alarms are examples of ways to protect valuable tangible assets, including petty cash, inventory and equipment. But intangible assets — such as customer lists, lease agreements, patents and financial data — also require protection with controls including passwords, access logs and appropriate legal paperwork.
  2. Account reconciliation. Management should confirm and analyze account balances on a regular basis. To illustrate, proactive organizations reconcile bank statements and count inventory on a regular basis. Waiting until year end to complete these basic procedures is a potential red flag of weak oversight.
  3. Job descriptions. Another basic control is maintaining detailed, up-to-date job descriptions. This exercise can help you better understand how financial job duties interact with one another. It can also highlight possible conflicts of interest that could lead to improper recordkeeping. Your policies should call for job segregation, job duplication and mandatory vacations.

© 2024