When Do You Need to Audit Internal Controls?

By Maire Loughran from Auditing For Dummies

When you audit publicly traded companies, federal regulations dictate that you must audit internal controls that affect financial reporting. But what about audits of privately owned companies? Do you always have to audit your client’s internal controls? Not exactly.

In every audit, you must get at least a preliminary understanding of the client’s internal controls that affect each business and financial process. But after gaining that preliminary understanding, you may decide not to conduct a full audit of internal controls. You may decide, instead, that you need to test every transaction that occurred during the year under audit.

When do you audit internal controls (use a control strategy), and when do you forego that audit and test every transaction (use a substantive strategy)?

If control risk is high, you have to conduct your audit very carefully because you can’t place a lot of trust in the information the client gives you.

If your preliminary research indicates that your client’s internal controls for some business or financial processes are seriously lacking, you set the control risk for that part of the audit at the maximum (100 percent). By doing so, you effectively halt your audit of internal controls in these specific areas because you already know how to approach the audit. You’re going to use an audit approach called substantive strategy, and you do a lot of substantive testing to support it. Substantive testing occurs when you test not only the balances of a client’s financial statement accounts but their details as well.

The other approach to an audit is called the control testing strategy. When you use control testing, you do a thorough audit of the client’s internal controls so you can limit the amount of substantive testing you have to do. If you find that internal controls are strong in some departments, for example, you know that you don’t have to test quite as much as you would if those controls were weak.

Before deciding on an audit strategy (or a combination of strategies), you have to interview the client to obtain a preliminary understanding of its internal control structure. You can’t automatically set control risk at the maximum; you have to first assess your level of control risk.

Keep in mind that most audits combine substantive and control testing strategies. For example, the same company that has weak internal controls for cash disbursements may have very effective internal controls for cash receipts, such as separation of duties. You could use the substantive strategy for cash disbursements and control testing strategy for cash receipts.

When would you decide to use the substantive strategy? Here are two situations:

After your preliminary analysis of an internal control, you determine that the control itself is ineffective. For example, regarding cash disbursements, maybe the client’s check-signing policy isn’t stringent enough. (In many companies, two or more signatures are required on checks over a certain amount.) Or perhaps blank company checks aren’t kept under lock and key.
After your preliminary analysis of an internal control, you determine that testing the control would be ineffective. Testing an internal control is ineffective if the financial statement account has a limited number of transactions affecting it. For example, many companies don’t have a lot of transactions affecting their goodwill account, so internal controls over goodwill aren’t that important. It’s more important to examine the events surrounding the goodwill and confirm any relevant information.