What is the main purpose of an auditor in his evaluation of the client's internal control system?

Why do auditors ask so many questions about their clients’ internal controls? Assessing internal controls is part of today’s auditing requirements. It helps identify risk factors — but the requirements can sometimes be unclear.

The American Institute of Certified Public Accountants (AICPA) uses Technical Questions and Answers (Q&A) to address inquiries from members seeking guidance on certain technical issues. Here’s a set of five common questions, along with answers that the AICPA issued on April 27 to help clarify an auditor’s responsibility for assessing a client’s internal controls.

Are auditors required to obtain an understanding of business processes relevant to financial reporting in every audit engagement?

Yes, the auditing standards require an auditor to understand a client’s information system, including the related business processes and communication relevant to financial reporting. The AICPA reminds auditors that it’s important to distinguish between business processes and control activities. Business processes are the activities designed to:

  • Develop, purchase, produce, sell and distribute an entity’s products and services,
  • Ensure compliance with laws and regulations, and
  • Record information, including accounting and financial reporting information.

The AICPA defines control activities as “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no “cookie cutter” approaches when it comes to understanding business processes and control activities; rather, the requirements differ from audit to audit.

Does an auditor’s understanding of internal controls encompass more than control activities?

Yes, an auditor must understand each component of the client’s financial reporting controls. This includes the control environment, risk assessment process, information system, control activities that relate to the audit, and the client’s monitoring of the controls. (See “Close-up on internal controls.”)

Should the auditor evaluate the design of controls and determine whether they’ve been implemented every year?

Yes, each year auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures — such as observations, inspection or tracing transactions through the information system — to obtain an understanding of controls relevant to the audit. The appropriate procedures are a matter of the auditor’s professional judgment.

For existing clients, an auditor may leverage information obtained from his or her previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, the auditor should determine whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.

Which control activities are considered relevant in every audit?

Auditors are specifically expected to understand controls that address “significant” risks. These are identified and assessed for risks of material misstatement that, in the auditor’s professional judgment, require special audit consideration. Examples include control activities 1) relevant to the risk of fraud or 2) over journal entries (such as nonrecurring, unusual transactions or adjustments).

Which relevant control activities may vary from audit to audit?

Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity and nature of operations. The AICPA advises auditors to consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.

© 2017

Internal controls can be:

Mandatory or voluntary:
Mandatory controls are those which must be applied, irrespective of circumstances. These are widely used to prevent breaches of laws or policy, as well as to minimise risks relating to health and safety. Voluntary controls are applied according to the judgement of the organisation and its managers.

Discretionary or non-discretionary:
Managers may be permitted discretion according to their interpretation or judgement of risks in given circumstances. Non-discretionary controls must be applied.

Manual or automated:
Manual controls are applied by the individual employee, whereas automated controls are programmed into the systems of the organisation. Some systems combine the two: for example, when deciding whether a customer should be permitted days on hand for payment, there could be an automated ‘accept’ above a specified credit rating, an automated ‘decline’ below a specified credit rating, and an intermediate range in which a manager may be able to override the automated system.

General controls or application controls:
This classification of controls applies specifically to information systems. General controls help to ensure the reliability of data generated by systems, helping to ascertain whether systems operate as intended and output is reliable. Application controls are automated and designed to ensure the complete and accurate recording of data from input to output.

Common control procedures

Physical controls:
These controls include restrictions on access to buildings, specified office or factory areas or equipment, such as turnstiles at the entrance to the premises, swipe cards and passwords. They also include physical restraints, such as fixing non-current assets to prevent removal.

Authorisation and approval limits:
Many employees must adhere to authorisation limits, and these will usually be specified in the terms of employment. For example, a junior manager may be permitted to book business flights up to the value of $500, but for tickets costing more than this, the purchase may have to be approved by someone more senior.

Segregation of duties:
To minimise the risk of errors and fraud, duties associated with cash handling are often segregated. For example, in the post room of a company that receives cash by post, the employee recording the cash will be a different person from the one who opens the post. Segregation is also relevant to other functions. At executive level, it is now best practice to segregate the roles of chairman and chief executive officer, and as an independent assurance function, internal audit should be totally segregated from the finance department, with a reporting line direct to the board of directors or the audit committee.
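Three of the control procedures described above (the combined automated/manual credit decision with a manager-override band, authorisation and approval limits, and segregation of duties) can be expressed as checks a system enforces and records. The following is an added example and not code from the original text or any named body; the roles, dollar limits, credit-rating thresholds and names are constructed for illustration. Every decision, including a manual override, is written to an audit trail so that the evidence an auditor later inspects is produced by the control itself.

```python
"""Added example: authorisation limits, segregation of duties and an
automated decision with a manual override band, each logged for audit.
All roles, limits, thresholds and names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed authorisation limits per role, in dollars. The text's own
# example is a junior manager who may book flights only up to $500.
AUTH_LIMITS = {
    "junior_manager": 500.0,
    "senior_manager": 5_000.0,
}

# Constructed thresholds for the automated credit decision: accept at or
# above the upper rating, decline below the lower rating, refer in between.
AUTO_ACCEPT_RATING = 700
AUTO_DECLINE_RATING = 500

AUDIT_TRAIL: list[dict] = []   # evidence an auditor can later inspect


def _log(control: str, outcome: str, **detail) -> None:
    AUDIT_TRAIL.append({"control": control, "outcome": outcome, **detail})


@dataclass
class Purchase:
    request_id: str
    requester: str
    requester_role: str
    amount: float
    approver: Optional[str] = None
    approver_role: Optional[str] = None


def check_authorisation_limit(p: Purchase) -> str:
    """Authorisation and approval limits: a purchase above the requester's
    own limit needs an approver who is a different person and whose own
    limit covers the amount."""
    own_limit = AUTH_LIMITS.get(p.requester_role, 0.0)
    if p.amount <= own_limit:
        _log("authorisation_limit", "self_authorised", request=p.request_id)
        return "self_authorised"
    if p.approver is None:
        _log("authorisation_limit", "approval_required", request=p.request_id)
        return "approval_required"
    # Segregation of duties: nobody approves their own purchase.
    if p.approver == p.requester:
        _log("segregation_of_duties", "rejected", request=p.request_id,
             reason="requester approved own purchase")
        return "rejected_self_approval"
    if p.amount > AUTH_LIMITS.get(p.approver_role, 0.0):
        _log("authorisation_limit", "rejected", request=p.request_id,
             reason="approver limit exceeded")
        return "rejected_approver_limit"
    _log("authorisation_limit", "approved", request=p.request_id,
         approver=p.approver)
    return "approved"


def credit_decision(rating: int, override_by: Optional[str] = None) -> str:
    """Combined automated/manual control: automatic accept or decline outside
    the intermediate band; inside it a manager may override, and the override
    itself is logged with the manager's name so it can be reviewed."""
    if rating >= AUTO_ACCEPT_RATING:
        _log("credit_check", "auto_accept", rating=rating)
        return "accept"
    if rating < AUTO_DECLINE_RATING:
        _log("credit_check", "auto_decline", rating=rating)
        return "decline"
    if override_by:
        _log("credit_check", "manual_override", rating=rating,
             manager=override_by)
        return "accept_by_override"
    _log("credit_check", "referred", rating=rating)
    return "refer"


def check_cash_handling(opened_by: str, recorded_by: str) -> bool:
    """Segregation of duties in the post room: the person who opens the post
    must not be the person who records the cash."""
    ok = opened_by != recorded_by
    _log("segregation_of_duties", "ok" if ok else "violation",
         opened_by=opened_by, recorded_by=recorded_by)
    return ok


if __name__ == "__main__":
    print(check_authorisation_limit(Purchase("R1", "alice", "junior_manager", 450.0)))
    print(check_authorisation_limit(Purchase("R2", "alice", "junior_manager", 1200.0,
                                             approver="bob",
                                             approver_role="senior_manager")))
    print(credit_decision(620, override_by="carol"))
    print(check_cash_handling("dave", "dave"))
    for entry in AUDIT_TRAIL:
        print(entry)
```

The point of writing the override as a logged code path rather than a bypass is that a manager's discretion (a discretionary control in the classification above) stays visible to a later systems audit: the audit trail shows who overrode the automated decision and at what rating, which is exactly the evidence a compliance test would ask for.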

Management controls:
These controls are operated by managers themselves. An example is variance analysis, through which a manager may be required as part of their job to consider differences between planned outcomes and actual performance. Performance management of subordinates is also an integral part of many managerial positions. Further down the chain of command, supervision controls are exercised in respect of day-to-day transactions. Organisation controls operate according to the configuration of the organisation chart and line/staff responsibilities.

Arithmetic and accounting controls:
These controls are in place to ensure accurate recording and processing of transactions. Procedures here include reconciliations and trial balances.

Human resources controls:
Controls are implemented for all aspects of human resources management. Examples include verification of qualifications, references and criminal record checks on recruits, checks on staff whose competence has to be attested, and checks on the effectiveness of training.

Internal check

Internal check is a system through which the accounting procedures of an organisation are so laid out that the accounts procedures are not under the absolute and independent control of any one person. The work of one employee is complementary to that of another, enabling a continuous audit of the business to be made.

The essential elements of an internal check are:

  • checks are implemented on day-to-day transactions
  • checks operate continuously as a part of the system
  • the work of each person is complementary to the work of another.


By allocating duties in this way, no one person has exclusive control over any transaction.

Internal audit

Definition and purposes of internal audit:
Internal audit may be defined as an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation.

Internal audit supports management in the effective discharge of their responsibilities. To this end, internal audit furnishes management with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed.

Objectives of internal audit

The formal objectives of internal audit may include some or all of the following:

  • review of accounting and internal control systems
  • examination of financial and operating information
  • review of the ‘three Es’ (economy, efficiency and effectiveness)
  • review of compliance with laws and regulations
  • review of arrangements for the safeguarding of assets
  • review of implementation of corporate goals and objectives
  • identification of significant risks to the organisation, and monitoring risk management policy and risk management strategies
  • special investigations as required.

Why is internal audit necessary?

The importance of internal audit was highlighted by the Turnbull Report. It states that listed public companies that do not have an internal audit function should review the need to have such a function at least annually. Turnbull goes on to state that listed public companies that do have an internal audit function should review the scope, authority and resources of this function at least annually.

Turnbull suggests that the need for the internal audit function will depend on several factors. These include:

  • the scale, diversity and complexity of the organisation’s activities
  • the number of employees – the need for an internal audit function increases as the number of employees increases, or if employee interrelationships become more complex
  • where the benefits of such a function will outweigh the costs of implementation and operation
  • when changes occur over time in the organisation’s structures, reporting processes or underlying information systems
  • the nature of risks, changes to risks and emerging risks
  • problems and issues arising with internal control systems, both actual and perceived
  • the occurrence of an increasing number of unexplained or unacceptable events.

Internal audit and internal control

Internal audit is an internal but independent assurance function. While internal auditors are usually employees of the organisation, they should operate independently of management so that their analyses, judgements and reports are free from bias or undue influence. The head of internal audit should report to the board of directors, or to the audit committee. Some organisations reinforce independence by outsourcing the internal audit function to professional external firms.

Internal audit testing is the internal assessment of internal controls and as such is a management control to ensure compliance and conformity of internal controls to pre-determined standards.

Key risks:
Internal audit reviews and reports on internal controls in relation to key risks affecting the organisation. The objective here should be to test the extent to which the controls will control the risk if it crystallises. The conclusions of these reports should enable management to reconsider the controls and modify or redesign them if appropriate.

Financial and operating information:
Internal audit may examine this information in order to ensure it is accurate, fit for purpose and timely. Tests may be applied to determine whether information is correctly measured and therefore suitable as a basis for informing management and external stakeholders.

Compliance:
Increasingly, organisations have to implement performance standards in relation to compliance. This may be to satisfy the demands of external regulators, or to operate to pre-determined internal standards. Internal audit should review operations for compliance with such standards. In this respect, the work of internal auditors is broadening, as organisations increasingly pursue compliance not only with industry standards for products and service provision, but also with criteria relevant to environmental standards.

Types of audit

In the course of their duties, internal auditors may carry out various types of audit. These include the following:

Operational audits may be concerned with the efficiency of the organisation’s activities. They consider performance relative to pre-determined criteria.

Systems audits are used to test and evaluate controls as described in the last section. They test whether the controls can be relied upon to ensure that resources are allocated and managed effectively. They also test whether the information provided by the organisation’s systems is accurate. Compliance tests verify whether internal controls are being applied in a proper manner. Substantive tests verify the accuracy of figures, and can be used to identify errors and omissions.

A transactions or probity audit is concerned with detecting fraud and other types of criminal or unlawful behaviour. However, it can also be extended to matters relating to fairness of dealings, impartiality, accountability and transparency, sometimes considered to be within the scope of social audit. Generally, social audit may be concerned with any matters relating to governance.