During your risk-assessment procedures before you begin an audit, you interview members of the company and observe how they do their jobs to make your assessment of control risk. Company management is ultimately responsible for the financial statements. The internal controls set in place by the company have the goal of producing accurate and effective reporting.
Here are some examples of control activities and the specific procedures that should be in place in an adequate control environment:
Segregation of duties: In particular, this applies to authorization, custody, and recordkeeping. For example, the person who requests an order of computer components shouldn’t be the person who authorizes the request. The physical custody of the computer components after receipt should be the task of a third employee. The business should also have yet another employee keeping files of the related purchase orders and paid invoices.
Adequate documents and records: The company must maintain source documents like purchase orders, paid invoices, and customer invoices in a proper filing system. A classic documentation control is using prenumbered documents and saving voided documents. If you spot a missing invoice number with no void information, you know right off the bat that the company may have sales that haven’t hit its financial records.
Physical control of assets and records: This includes providing safe and secure locations for the assets, tagging furniture and equipment, and having backup procedures for records should they be misplaced or lost in a fire or flood.
Not quite sure what it means to tag a piece of furniture? Businesses with good internal controls have a unique label on each piece of furniture and equipment they own and a record of where each label is placed. Every year, someone goes around to see if any tagged assets are missing.