How to Assess Internal Control Procedures
During an audit, you have to assess your client’s control risk, which means you need to find out as much as you can about your client’s internal control procedures. Auditing those procedures involves several steps:
Consider external factors: Uncover as much as you can about environmental and external influences that may affect the company, such as the state of the economy, changes in technology, the potential effect of any laws and regulations, and changes in generally accepted accounting principles (GAAP) that relate to the client’s type of business.
External changes (such as technological or GAAP changes) may decrease your reliance on the company’s internal controls, unless the client can demonstrate that it has modified internal controls in response to the changes.
Evaluate how management assesses its controls: The Sarbanes-Oxley Act of 2002 requires that management of publicly traded companies create a written self-assessment document at this stage, which demonstrates how well it believes its internal controls are working.
Your evaluation of how well management thinks its internal controls work during the initiating, authorizing, recording, and reporting of significant accounts can help you identify areas where material misstatements due to error (mistake) or fraud (intentional) could occur — thus increasing your efficiency during an audit of a private company.
When reviewing the self-assessment, keep the following points in mind:
Management should take a close look at the controls for significant accounts.
If the company has many business units or locations, management should come up with a logical game plan as to which units and locations it looks at.
Management should assess the design and operating effectiveness of its controls.
Review management’s self-assessment: After management finishes its work, it’s your turn! You have to review management’s written assessment to come to your own conclusion about how well management is performing.
Use questionnaires to evaluate internal controls: When evaluating your client’s internal controls, two questionnaires can help you gather important information for your assessment:
The first, created by your CPA firm and given to the client, consists of yes and no questions about the company’s operating structure. It also asks who performs each of the operating tasks so that you know which employee to pursue with your auditing questions.
The second questionnaire, which you fill out, documents your understanding of the client’s control environment. It covers topics such as the client’s commitment to competence, the assignment of authority and responsibilities, and human resources policies and procedures.
Design your tests of controls: After you review management’s self-assessment and document your understanding, you design your tests of controls and decide which procedures to use while testing. Tests of controls over operating effectiveness should include the following five procedures:
Talk with the client: Ask questions on topics ranging from how often performance reviews are carried out to segregation of duties, to discover whether policies and procedures allow management objectives to be carried out.
Look at client documents: These source documents, such as invoices and loan paperwork, back up information on the financial statements.
Observe the client: You check out for yourself how the company operates. For example, you observe the procedures for opening mail and processing cash receipts to test the operating effectiveness of controls over cash receipts.
Conduct walkthroughs: A walkthrough refers to tracing a transaction from the original document to where the client includes it in the financial statements. You do this by questioning the client about the transaction, having staff members show you how they entered the transaction into the books, and inspecting the documents involved in the transaction.
Do reperformance: Reperformance means that you use the client’s source documents to check the client’s work by redoing it — such as totaling a line of numbers to see if you get the same grand total as the client.