Why do auditors ask so many questions about their clients’ internal controls? Assessing internal controls is part of today’s auditing requirements. It helps identify risk factors — but the requirements can sometimes be unclear.

The American Institute of Certified Public Accountants (AICPA) uses Technical Questions and Answers (Q&A) to address inquiries from members seeking guidance on certain technical issues. Here’s a set of five common questions, along with answers that the AICPA issued on April 27 to help clarify an auditor’s responsibility for assessing a client’s internal controls.

Are auditors required to obtain an understanding of business processes relevant to financial reporting in every audit engagement?

Yes, the auditing standards require an auditor to understand a client’s information system, including the related business processes and communication relevant to financial reporting. The AICPA reminds auditors that it’s important to distinguish between business processes and control activities. Business processes are the activities designed to:
The AICPA defines control activities as “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no “cookie cutter” approaches when it comes to understanding business processes and control activities; rather, the requirements differ from audit to audit.

Does an auditor’s understanding of internal controls encompass more than control activities?

Yes, an auditor must understand each component of the client’s financial reporting controls. This includes the control environment, risk assessment process, information system, control activities that relate to the audit, and the client’s monitoring of the controls. (See “Close-up on internal controls.”)

Should the auditor evaluate the design of controls and determine whether they’ve been implemented every year?

Yes, each year auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures — such as observations, inspection or tracing transactions through the information system — to obtain an understanding of controls relevant to the audit. The appropriate procedures are a matter of the auditor’s professional judgment.

For existing clients, an auditor may leverage information obtained from his or her previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, the auditor should determine whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.

Which control activities are considered relevant in every audit?
Auditors are specifically expected to understand controls that address “significant” risks. These are identified and assessed for risks of material misstatement that, in the auditor’s professional judgment, require special audit consideration. Examples include control activities 1) relevant to the risk of fraud or 2) over journal entries (such as nonrecurring, unusual transactions or adjustments).

Which relevant control activities may vary from audit to audit?

Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity and nature of operations. The AICPA advises auditors to consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.

© 2017
Internal controls can be:
Mandatory or voluntary:
Discretionary or non-discretionary:
Manual or automated:
General controls or application controls:

Common control procedures
Physical controls:
Authorisation and approval limits:
Segregation of duties:
Management controls:
Arithmetic and accounting controls:
Human resources controls:

Internal check
Internal check is a system through which the accounting procedures of an organisation are so laid out that the accounts procedures are not under the absolute and independent control of any person. The work of one employee is complementary to that of another, enabling a continuous audit of the business to be made. The essential elements of an internal check are:
Internal audit
Definition and purposes of internal audit: Internal audit supports management in the effective discharge of their responsibilities. To this end, internal audit furnishes management with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.

Objectives of internal audit
The formal objectives of internal audit may include some or all of the following:
Why is internal audit necessary?
The importance of internal audit was highlighted by the Turnbull Report. It states that listed public companies that do not have an internal audit function should review the need to have such a function at least annually. Turnbull goes on to state that listed public companies that do have an internal audit function should review the scope, authority and resources of this function at least annually. Turnbull suggests that the need for the internal audit function will depend on several factors. These include:
Internal audit and internal control
Internal audit is an internal but independent assurance function. While internal auditors are usually employees of the organisation, they should operate independently of management so that their analyses, judgements and reports are free from bias or undue influence. The head of internal audit should report to the board of directors, or to the audit committee. Some organisations reinforce independence by outsourcing the internal audit function to professional external firms. Internal audit testing is the internal assessment of internal controls and as such is a management control to ensure compliance and conformity of internal controls to pre-determined standards.

Key risks:
Financial and operating information:
Compliance:

Types of audit
In the course of their duties, internal auditors may carry out various types of audit. These include the following:

Operational audits may be concerned with the efficiency of the organisation’s activities. They consider performance relative to pre-determined criteria.

Systems audits are used to test and evaluate controls as described in the last section. They test whether the controls can be relied upon to ensure that resources are allocated and managed effectively. They also test whether the information provided by the organisation’s systems is accurate. Compliance tests verify whether internal controls are being applied in a proper manner. Substantive tests verify the accuracy of figures, and can be used to identify errors and omissions.

A transactions or probity audit is concerned with detecting fraud and other types of criminal or unlawful behaviour. However, it can also be extended to matters relating to fairness of dealings, impartiality, accountability and transparency, sometimes considered to be within the scope of social audit. Generally, social audit may be concerned with any matters relating to governance.