SAS No. 109, COSO and SOX all suggest consideration of internal control systems from the top down, by management and by auditors. The concept of top-down is, of course, starting with key controls at both the entity level and the activity level.
Performing a top-down evaluation of internal control is not particularly easy, especially if we’ve not done it before. Here are some considerations that may help.
Key or Entity-Level Controls
Key controls are those elements of the five components of internal control that have a pervasive affect upon the accomplishment of management’s control objectives. For smaller entities, these controls may be informal and ordinarily carried out by one or a few persons such as an owner/manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected. Successful operation of key controls, subjected to auditors’ tests of controls, may reduce control risk to some level less than high, maybe even moderate. An assessed lower level of control risk can result in reductions of more expensive tests of balances evidence, even on small audits!
Components of key controls for both large and small entities are:
• Management’s integrity and ethical values
• Management’s commitment to doing things right.
• Management’s ways of doing things.
• The involvement of persons charged with governance.
• The delegation of authority and responsibility.
• Personnel policies and procedures.
The COSO Report states that control activities are the policies and procedures established to help ensure that management directives are carried out. The key controls described above are primary to accomplishing this objective. Absent the design of key controls, or when key controls are designed but not operating, key activity-level controls may be necessary to prevent misstatements from occurring and going undetected.
These controls may be applied through features in an accounting software system, by personnel while performing accounting procedures or by the design of documents or data. If key controls are not designed or operating, certain activity-level controls may prevent errors from occurring and going undetected. Knowledge of these controls should be part of the auditor’s risk assessment procedures. The degree to which these controls may be regarded as substantive evidence by an auditor depends on the extent to which formal or informal tests of controls may be performed.
How Do Key Controls Affect an Audit?
Here are some ways:
1. If key controls are designed and operating properly there should be limited risks of misstatements.
2. When risk assessment procedures reveal limited risks of material misstatements, less evidence is required from costly tests of balances. In such cases, significant time savings can be achieved, even on small audits!
3. If key controls are not designed, or designed controls are not operating effectively, risk of material misstatements may occur. These risks of material misstatements will ordinarily be significant deficiencies or material weaknesses reported in the internal control communication letter.
Why Aren’t More Auditors Evaluating Internal Control Top-Down?
First, there is a lingering perception that there are limited benefits that can be obtained from evaluating and testing internal control. Auditors’ evaluations, therefore, are often cursory and performed only to satisfy the requirements of the auditing standards.
Second, internal control questionnaires are not ordinarily constructed to identify key controls. In this situation, many auditors are not sure about how to identify the key controls. The result is that the auditor completes the entire questionnaire to comply with auditing standards and rarely achieves a level of risk assessment less than high, particularly on small audits.
On our website, www.cpafirmsupport.com, you can register for live and on-demand webcasts, or purchase small PDF books on various auditing topics including understanding internal control. Each of these internal control products is accompanied by a Small Audit Internal Control Questionnaire that identifies key controls. The bottom line is that identifying and testing key controls may enable the auditor to reduce risk of material misstatement to a level less than high. This reduction can reduce audit time charges and enable CPA firms to make more money on audits, even smaller ones!