Professional standards require an auditor to obtain an understanding of a client's business and industry, including its internal control. Because an auditor cannot simply default to high control risk and perform only analytical procedures and tests of balances, the auditor must obtain this understanding, identify and evaluate risks of material misstatement due to error and fraud, and link those risks to appropriate substantive procedures so that the financial statements are not materially misstated. Understanding and documenting internal control is integral to this process, which is the formulation of an audit strategy. For special purpose frameworks, an auditor's understanding of differences from US GAAP is essential to documenting and evaluating internal control.
AU-C 315 defines internal control this way:
"Internal control is a process—effected by those charged with governance, management, and other personnel—designed to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include control relating to financial reporting and operations objectives."
Internal Control and Audit Strategies
At the heart of each engagement's audit strategy is the entity's system of internal control. Assessing risks of material misstatement (RMM) for each financial statement classification requires an understanding of both entity-level controls and activity-level controls. The emphasis for assessing RMM is on the design and operation of key controls for both large and small audits, and for all reporting frameworks. For smaller audits, the most effective key controls are normally performed at the entity or management level.
If key controls are designed and operating, formally or informally, it is unlikely that material errors or fraud can occur and go undetected. If key controls are not designed, or are designed and not operating, control deficiencies are likely. Depending on the likelihood and magnitude of the deficiencies, they may be significant deficiencies or material weaknesses, that is, risks of material misstatement for which audit responses must be designed.
A Historical Perspective of Internal Controls
The Committee of Sponsoring Organizations (COSO) of the National Commission on Fraudulent Financial Reporting (Treadway Commission) issued its first report stressing the importance of internal control, the control environment, codes of conduct, audit committees and internal audit functions. In 1992, a task force of COSO issued a report titled Internal Control—Integrated Framework, called the COSO Report. This report was updated in 2013 to include 17 principles underpinning the components of internal control.
Among other things, the COSO report defines internal control and its components and provides criteria for evaluating internal control. The report presents these interrelated components of internal control:
- Control Environment: The core of any business is its people and the environment in which they operate.
- Risk Assessment: The entity must be aware of and deal with the risks it faces.
- Control Activities: Control policies and procedures must be established and applied to address risks to the achievement of the entity's objectives.
- Information and Communication: These systems enable the entity's people to obtain and use information necessary to conduct, manage and control operations.
- Monitoring: The internal control process must be monitored and changed as conditions necessitate.
In future articles, I'll discuss the benefits of understanding key controls, preparing flowcharts and performing systems walk-through procedures on smaller audits.