Chapter 5
In This Chapter
Understanding the nature and components of internal controls
Deciding whether to audit internal controls
Figuring out whether controls are strong or weak
Designing audits around strong or weak controls
Timing internal control procedures
Your client's management is responsible for making sure checks and balances are in place to safeguard all its assets — both cash and noncash — and to avoid material (significant) misstatements of its financial information. In the accounting world, these checks and balances are called internal controls.
Think of the internal controls you use in your everyday life: Before you go to bed at night, do you check all the doors and windows to make sure they're locked? That's an internal control procedure that helps you ensure safety and protect your assets. Do you go around the house turning off lights and checking that your children are in bed? More internal controls (to help you conserve energy and to protect your most prized assets).
As part of an audit team, you evaluate your client's internal control structure in the audit planning stage. You use that evaluation to decide how best to audit the client to make sure that its financial statements are materially correct (meaning they don't contain any serious errors or fraudulent information).
This chapter defines business internal controls and walks you through the process of evaluating them. You start by questioning management and other employees about internal control procedures. You then review management's self-assessment of how well its internal controls are working, and you report to your firm whether you agree or disagree with that assessment. You also find out when to audit your client's control procedures — during or at the end of the year under audit.
Your evaluation gives you a baseline for determining how much you can rely on the client's accounting work. It also steers you in the right direction for picking out which audit techniques to use, identifying risky areas that demand more of your attention, and deciding how many of the client's records you need to review.
Internal controls are operating standards that a client uses to make sure the company runs well. The internal controls set in place for each type of financial account are structured differently. For example, an internal control for payroll would involve making sure that no fictitious (nonexistent) employees are getting paychecks. One good internal control to avoid mistakes in payroll is to have a clear segregation between the department supervisors and those staff members responsible for personnel records and payroll processing. This type of operating standard is usually created by group effort: The board of directors, management, and internal control employees are all involved. (The board of directors usually consists of the corporation's president, vice president, treasurer, and secretary.)
This chapter assumes you're auditing a company in which a group of people — such as the board, management, and employees — design operating procedures. They create these rules to ensure four things:
Regardless of the type of business you're auditing, you look for a few major hallmarks of internal control:
In large companies, members of the board of directors usually aren't company employees. On the flip side, in some small companies, one person may be the company's sole shareholder and its only employee. In this case, you'd never have an effective internal control situation, because segregation of duties is lacking. The best you can hope for is that some sort of independent oversight exists — maybe by the person who prepares the company's tax return.
To judge the reliability of a client's internal control procedures, you first have to be aware of the five components that make up internal controls. For each client, you need to understand each component in order to effectively plan your audit. Your understanding of these components lets you grasp the design of internal controls relevant to the preparation of financial statements. That understanding also enables you to verify whether each internal control is actually in operation.
Here are the five components of internal controls:
For example, to safeguard assets, does the client tag all computers with identifying stickers and periodically take a count to make sure all computers are present? Regarding the accounting system, is it computerized or manual? If it's computerized, are authorization levels set for employees so they can access only their piece of the accounting puzzle? For data, are backups done frequently and kept offsite in case of fire or theft?
Federal regulations dictate that internal controls that affect financial reporting for publicly traded companies must be audited, as explained in Chapter 1. But what about audits of privately owned companies? Do you always have to audit your client's internal controls? Not exactly.
In every audit, you must get at least a preliminary understanding of the client's internal controls that affect each business and financial process. But after gaining that preliminary understanding, you may decide not to conduct a full audit of internal controls. You may decide, instead, that you need to test every transaction that occurred during the year under audit.
When do you audit internal controls (use a control strategy), and when do you forgo that audit and test every transaction (use a substantive strategy)? This section shows you how to make that decision.
As explained in Chapter 3, control risk is the risk that weaknesses exist in both the design and operation of your client's internal controls. If control risk is high, you have to conduct your audit very carefully because you can't place a lot of trust in the information the client gives you.
If your preliminary research indicates that your client's internal controls for some business or financial processes are seriously lacking, you set the control risk for that part of the audit at the maximum (100 percent). By doing so, you effectively halt your audit of internal controls in these specific areas because you already know how to approach the audit. You're going to use an audit approach called substantive strategy, and you do a lot of substantive testing to support it. Substantive testing occurs when you test not only the balances of a client's financial statement accounts but their details as well. For example, to check the existence of an asset on the client's balance sheet (like a car), you ask the client to show you the asset (such as the actual car in the parking lot).
The other approach to an audit is called the control testing strategy (also known as the reliance strategy, referring to the fact that you attempt to limit your substantive testing by relying to some degree on the client's internal controls). When you use control testing, you do a thorough audit of the client's internal controls so you can limit the amount of substantive testing you have to do. If you find that internal controls are strong in some departments, for example, you know that you don't have to test quite as meticulously as you would if those controls were weak.
Before deciding on an audit strategy (or a combination of strategies), you have to interview the client to obtain a preliminary understanding of its internal control structure. You can't automatically set control risk at the maximum; you have to first assess your level of control risk.
Keep in mind that most audits combine substantive and control testing strategies. For example, the same company that has weak internal controls for cash disbursements may have very effective internal controls for cash receipts, such as segregation of duties. You could use the substantive strategy for cash disbursements and control testing strategy for cash receipts.
When would you decide to use the substantive strategy? Here are two situations:
Clients often think that goodwill refers to a company's reputation in the community. It doesn't. When someone purchases a business and the purchase price is greater than the fair market value (FMV) of the net assets acquired (FMV is what an unpressured person would pay for the same assets in the open marketplace), goodwill is the difference between the dollar amount of the purchase price and the FMV of the assets purchased. So if the purchase price is $1,000,000 and the FMV of the assets is $800,000, goodwill is $200,000.
If you decide to use only substantive testing, you skip your audit of the client's internal controls and proceed directly to your substantive procedures. If you determine that the control risk level is less than 100 percent (meaning that at least some internal controls are effective and can be effectively tested), you continue with the control testing strategy. The remainder of this chapter explains how to proceed with your audit of internal controls so you can figure out how (and how much) to limit your substantive testing.
Chapter 3 introduces the audit risk model, which consists of inherent risk, control risk, and detection risk. As explained in that chapter, when evaluating your control risk, you need to find out as much as you can about your client's internal control procedures. Auditing those procedures involves several steps, as this section explains.
Before you can look at your client's internal control procedures, you need to uncover as much as you can about environmental and external influences that may affect the company, such as the state of the economy, changes in technology, the potential effect of any laws and regulations, and changes in generally accepted accounting principles (GAAP) that relate to the client's type of business.
For example, does your client operate a type of business that's subject to outside regulation, such as a franchise or a company that accepts government contracts? If so, that company's internal controls are likely fairly reliable, because the company is subject to continual outside review.
Any types of external changes you identify (such as technological or GAAP changes) may decrease your reliance on the company's internal controls, unless the client can demonstrate that it has modified internal controls in response to the changes.
Your next step is to judge how well management's assessment of its own internal controls is working. The Sarbanes-Oxley Act of 2002 (see Chapter 1) requires that management of publicly traded companies create a written self-assessment document at this stage, which demonstrates how well it believes its internal controls are working.
However, many privately held companies complete a similar assessment in order to gauge effectiveness and efficiency during operational audits. Your evaluation of how well management thinks its internal controls work during the initiating, authorizing, recording, and reporting of significant accounts can help you identify areas in which material misstatements due to error or fraud could occur — thus increasing your efficiency during an audit of a private company.
This section explains what you should find in that assessment and how you evaluate its accuracy.
When reviewing the self-assessment, keep the following points in mind:
If, after implementing controls, the company finds that a necessary control is missing or an existing control isn't well-designed, management should include that fact in the self-assessment. A control is considered not well-designed if it fails to prevent or detect errors or misstatements when used properly. The self-assessment should include suggestions for improving the design.
Judging operating strength measures whether a well-designed control is very effective, moderately effective, or ineffective when preventing and detecting errors or misstatements. Any evaluation lower than very effective requires that management figure out why a well-designed control isn't working. Is more employee training required? Are controls being ignored because departmental management finds them unimportant? Whatever the reason, management includes suggestions for operational improvement in its self-assessment.
After management finishes its work, it's your turn! You have to review management's written assessment to come to your own conclusion about how well management is performing.
Look at how well management thinks its internal controls work during the initiating, authorizing, recording, and reporting of significant accounts. Through this transaction flow, you can identify areas where material misstatements due to error or fraud could occur. You should definitely be concerned if the internal control for authorization of transactions isn't consistently followed.
You must also see how well management thinks its controls are working to prevent fraud and to detect it if it were to occur. Doing so includes how well management believes it's using different people to perform different parts of the control process (segregation of duties) and how good a job the company is doing at safeguarding its assets.
When evaluating your client's internal controls, two questionnaires can help you gather important information for your assessment:
This questionnaire, which is different from the management's assessment documentation, is one of the first documents you give to the client after your firm accepts the engagement. Give the client a firm deadline early in the audit for its return. You'll refer to it during the entire audit as you question the client's management and staff and review books and records. Figure 5-1 shows you a partial example of what the questionnaire looks like.
This document is your checklist to make sure you've gone over all the tasks you need to perform to understand the client's control environment. Whether this is the first time you audit the client or the hundredth, you still need to review and answer all the questions on your firm's client internal control questionnaire.
Think about aircraft pilots — no matter how many hours they've logged in the cockpit, they still run through an exhaustive list of questions prior to taking that plane down the runway. Although your questionnaire isn't as critical to safety, its information is still significant to you.
The strength of an internal control questionnaire is that it provides you with a comprehensive way to evaluate the client's internal controls. A weakness of using an internal control questionnaire is that you look at and evaluate your piece of the internal control system without an overall view of the system. That's because you're part of a team, and other team members look at other internal controls. Your team leader or senior associate will review all the pieces and advise you if anything you're doing is affected by someone else's work.
After you review management's self-assessment and document your understanding, you design your tests of controls and decide which procedures to use while testing. Tests of controls over operating effectiveness should include the following five procedures, which are often interrelated:
Obviously, looking at every document or questioning every employee isn't practical; doing so would just take too much time. Instead, select records to sample, as discussed next.
Even a very small company produces voluminous records; no auditor could ever audit all the records available and still get the audit done in time for the data obtained to be relevant. Sampling enables you to choose a small but pertinent and representative group of records that will give you an accurate picture of the company.
Here, you find out how to use sampling to judge the effectiveness of your client's internal control design (how well the internal control prevents material misstatements) or test how well the internal control is working. Auditors refer to both situations as tests of controls.
For example, a potential creditor is probably very interested in the current ratio (Current assets ÷ Current liabilities) because it shows how capable the business is of paying back short-term debt. If the client mistakenly posted short-term debt as long-term debt on its financial statements, it would show an incorrect ratio — which may be misleading to the potential creditor.
This section walks you through the sampling steps to test internal controls. You start by determining the objective of the control and end with identifying the method you use to select your test sample. Of course, you also have to document in writing your professional opinion regarding the effectiveness of the control.
Eight steps are involved in audit sampling for tests of controls. The following steps use the example of the customer billing process:
The objective of tests of controls is to provide yourself with evidence about whether controls are operating effectively. For example, suppose the audit objective of a test (focusing on customer billing) is to find out whether client invoices are correct. Audit objectives vary between accounts and the purpose of your procedure. Your audit supervisor can provide you with more guidance about what the firm considers to be proper audit objectives in each particular circumstance. Workpapers of a continuing client provide guidance as well.
The control activity is the policy or procedure management uses to provide assurance that material misstatements will be prevented or detected in a timely fashion. For example, your control activity is that the price per unit on the client invoice agrees with the client's standard price list. Also, the control activity ensures that the expanded line item totals mathematically agree with the number of each unit ordered times the cost per unit. For example, if the customer orders 135 widgets and the cost per widget is $5, the expanded total is 135 × $5 = $675. If all facts reconcile without discrepancy to the records, note your assessment in your workpapers.
To do so,
What time frame you're testing is also a consideration in defining the population. Usually, you define the period as the entire year under audit. For a calendar year, this means January 1 through December 31.
The control is that client invoices are correct. An error or deviation in this control would be if the cost per unit on the client invoices doesn't agree with the standard price list without an explanation for the deviation (such as the fact that the client was given a discount). Even if an explanation exists, you still have a deviation if the proper authority didn't okay the discount.
Consider the number of errors you anticipate finding. If you're working on a continuing engagement, you can look at last year's audit results. Otherwise, your audit team leader gives you guidance on how to come to an appropriate number.
This step addresses whether the population is free from material misstatement. You rank the risk as low, moderate, or maximum. Normally, you want a moderate assurance from your test of controls. Moderate assurance means you obtain sufficient, appropriate evidence satisfying you that the charges on the client invoices are reasonable taking into consideration all circumstances surrounding the sale. Your audit supervisor can provide firm guidance on ranking criteria.
You know that looking at all your client's customer invoices isn't feasible. So how many customer invoices from the entire population of invoices are you going to test? Your sample size can be a factor of your firm's policy (the number of items your firm normally samples), or you can use sampling software to select the sample size.
This describes the method you plan to use to select your sample. A common sampling method for tests of controls is attribute sampling. Attribute sampling means that an item being sampled either does or doesn't have certain qualities, or attributes. An auditor selects a certain number of records to estimate how many times a specific feature will show up in a population. When using attribute sampling, the sampling unit is a single record or document — in this case, your single record is the customer invoice.
You need to evaluate your sample results, which can give you a conclusion to reflect on your work. Basically, you need to know what your bottom line analysis is and how strong or weak the controls are. In doing so, you can tell whether the control is weak and unreliable or is functioning and gives you reasonable assurance that the control objective is being achieved.
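The customer-billing test of controls described in the steps above can be expressed as an attribute test over a sample of invoices. The following Python sketch is an added example, not material from the book. The price list, approver names, invoice records, sample size of 25, and random seed are all constructed assumptions standing in for the client's records and the firm's sampling policy.

```python
import random
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed standard price list and discount approvers (assumptions).
PRICE_LIST = {"widget": Decimal("5.00")}
DISCOUNT_APPROVERS = {"mgr_lee", "mgr_ortiz"}


@dataclass(frozen=True)
class Invoice:
    """One sampling unit: a single customer invoice line."""
    number: int
    item: str
    quantity: int
    unit_price: Decimal
    line_total: Decimal
    discount_approved_by: Optional[str] = None


def deviations(inv):
    """Return the control deviations found on one invoice (empty list = none)."""
    found = []
    standard = PRICE_LIST.get(inv.item)
    if standard is None:
        found.append("item not on standard price list")
    elif inv.unit_price != standard:
        # A price difference is still a deviation unless the proper
        # authority approved the discount.
        if inv.discount_approved_by not in DISCOUNT_APPROVERS:
            found.append("unit price differs from price list without authorized approval")
    # Extended total must equal units ordered times price per unit.
    if inv.line_total != inv.quantity * inv.unit_price:
        found.append("extended total does not equal quantity x unit price")
    return found


def select_sample(population, sample_size, seed):
    """Random selection without replacement; the seed makes the selection
    reproducible so it can be documented in the workpapers."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, sample_size), key=lambda i: i.number)


def evaluate(sample):
    """Return ({invoice number: deviations}, sample deviation rate)."""
    exceptions = {}
    for inv in sample:
        found = deviations(inv)
        if found:
            exceptions[inv.number] = found
    return exceptions, len(exceptions) / len(sample)


def build_population():
    """Constructed invoice population for the year under audit (not real data)."""
    pop = [Invoice(n, "widget", 135, Decimal("5.00"), Decimal("675.00"))
           for n in range(1001, 1201)]
    # Discount approved by a manager: not a deviation.
    pop[10] = Invoice(1011, "widget", 135, Decimal("4.50"), Decimal("607.50"), "mgr_lee")
    # Discount "approved" by someone without authority: deviation.
    pop[20] = Invoice(1021, "widget", 135, Decimal("4.50"), Decimal("607.50"), "clerk_a")
    # Extended total does not foot: deviation.
    pop[30] = Invoice(1031, "widget", 135, Decimal("5.00"), Decimal("657.00"))
    return pop


if __name__ == "__main__":
    population = build_population()
    sample = select_sample(population, sample_size=25, seed=2024)
    exceptions, rate = evaluate(sample)
    print(f"Sampled {len(sample)} of {len(population)} invoices")
    print(f"Deviation rate in sample: {rate:.1%}")
    for number, found in exceptions.items():
        print(number, "; ".join(found))
```

The dictionary of exceptions and the deviation rate are what you would carry into the workpaper as the documented result of the test.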
In order to determine whether the internal controls are strong or weak, consider the difference between the two. Strong internal controls should prevent — or detect in a timely fashion — inadvertent errors and fraud that could result in material misstatements in the financial statements. Continuing the example from the previous section, a reliable internal control would be one that resulted in all customer invoices being correct.
After conducting your test, you find that the control is well designed. For instance, the control requires segregation of duties because the billing clerk prepares the invoice by using the shipping document, and another employee actually ships the goods to the customer. Additionally, the billing clerk reconciles the per-unit invoice charges with the standard price list, which is updated by yet another employee. And the appropriate managers approve any customer discounts — a fact clearly evident by looking at the customer record.
In addition to being well-designed, the control is implemented by employees who are properly educated in the correct way to do their jobs. Finally, you found no mistakes in your test sample of invoices. Based on these three facts, you can conclude the internal control over the objective is sound.
Internal controls are weak when the design or operation of the control doesn't allow management or staff, during the normal course of doing their jobs, to find or correct mistakes in a timely fashion. In auditing, you classify internal control weaknesses according to their level of severity:
The client is responsible for finding who is making off with the missing computers and for designing internal controls to prevent it from happening in the future. Your responsibility is to make sure the thefts are properly accounted for in the books.
Keep in mind that all significant deficiencies added together could constitute a material weakness. Also, significant deficiencies and material weaknesses must be communicated to the audit committee of the board of directors if one exists. In a smaller company, provide this information to an officer/owner or someone in similar authority of the business.
After you decide whether the internal controls are adequate or deficient, you document the audit procedures and results. This means putting in writing everything you've done to test the control. For example, identify which particular invoices you test, compare the price per unit to the standard price list, and trace the total amount of the sample invoices to the sales journal and then to the accounts receivable subsidiary ledger.
Next, you present the results of the tests and your conclusion via a workpaper (see Chapter 3). For example, the result may be that the tested invoices reconcile without discrepancy to the standard price list and sales journal. Your conclusion is that the test discloses no actual deviations in the sample; therefore, the internal control is working as designed.
The whole point of doing a test of internal controls is for you to rely on your results to reduce the extent of your substantive procedures. Substantive procedures involve checking the client's financial statement facts, such as confirming a customer's accounts receivable balance by directly contacting the customer. Face it: If internal controls are strong, you (and your firm) don't want to do unnecessary work.
A positive evaluation of internal controls influences the nature, extent, and timing of the audit procedures in these ways:
Analytical procedures compare what you expect to see versus what actually happens. For example, you review the ebbs and flows of financial statement results quarter by quarter. Sudden spikes or drop-offs should be explainable. Comparing budgeted figures to actual numbers is another analytical procedure.
For lower-risk accounts with good internal controls, you may need only to round out your tests of controls with analytical procedures that address the completeness, occurrence, and accuracy of transactions.
If you find internal control deficiencies during an audit of a publicly traded company, Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 requires that you consider the effect of each deficiency on the nature, extent, and timing of your substantive procedures. You can read the entire PCAOB standard at pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx. Most CPA firms make the same considerations for private company internal control weaknesses.
Here are some considerations for modifying your audit procedures in the face of weak internal controls:
You conduct all audit procedures at either an interim date or at year-end. Interim dates are any dates other than year-end. Year-end procedures take place at the end of the current year and into the next. For a client with a December 31 year-end, procedures start around the end of November and continue until you issue the audit report. The earlier you can issue the report in the subsequent year, the better. A report issued quickly after year-end provides the financial statement reader with more timely information.
This section explains how you establish the proper timing for your audit procedures, based on your firm's and your client's needs.
When conducting interim tests of controls, the average CPA firm waits until the client is past the halfway point in the year. So if the client is on a calendar year-end, interim control procedures are usually done from the end of July through the end of November.
You consider two components when evaluating the timing of audit procedures:
Fieldwork (also known as being in the field) means you work at the client's location. For a new client, during the client acceptance stage, you make the client aware of the fact that if you accept the engagement, you need adequate workspace in its office. Continuing clients anticipate your need to have the audit proceed as effectively and efficiently as possible and will automatically set aside workspace for your entire team. Normally, you'll all be housed in the same conference room.
For example, your client may decide to black out two weeks each quarter so its finance personnel can close the books and compile results. By blacking out, the client can't have you doing fieldwork during those two weeks each quarter. Based on this restriction, you develop an audit calendar that has interim and year-end procedures starting immediately after the blackout periods.
You have relevant information about the effective operation of an internal control only up to the date you test it. So if you're limiting your testing of financial statement account balances because you believe that internal controls are strong, you should continue your testing of internal controls at year-end.
You may be wondering why you shouldn't just wait until the end of the year and do your testing of internal controls all at the same time. The reason is that you'll have enough to do at year-end with testing account balances and writing reports. You don't want to throw an entire year's worth of testing internal controls into the mix.
Starting your testing of internal controls at an interim date can usually give you some benefits. An interim test
Say you wrap up your interim tests of controls on September 30. Your results lead you to limit testing for some income statement accounts because of strong controls. What testing should you conduct for October 1 through December 31?
Factors to consider include the length of the remaining period, your level of certainty about the evidence you gather at the interim date, any changes in the entity's business activities, turnover in company management, cooperation by management, significant changes in internal controls, and the susceptibility to fraud in the industry.
If a client experiences significant changes, or you believe that some evidence isn't sufficient, or your interim testing took place early in the year, you conduct additional testing of controls at year-end. Additional tests may include comparing the year-end account balance with the interim account balance, or reviewing related journals and ledgers for large or unusual transactions that take place during the remaining period.