Understanding Internal Control
Professional standards require an auditor to obtain an understanding of a client’s business and industry, including its internal control. Unable to default to high control risk and perform only analytical and tests of balances procedures, an auditor is required to obtain the understanding, identify and evaluate risks of material misstatement due to error and fraud and link the risks to appropriate substantive procedures to prevent financial statements from being materially misstated. Understanding and documenting internal control is integral to this process, which is called the audit strategy.
Internal Control and Audit Strategies
Profitable audits require unique audit strategies. An audit strategy for audits that includes compliance with generally accepted auditing standards and that, at the same time, maximizes engagement profitability will normally include the following components:
• Making and responding to client acceptance and retention evaluations.
• Completing only core planning practice aids.
• Reading the client’s general ledger account activity to provide low-cost substantive evidence and risk-assessment procedures.
• Preparing internal control flowcharts and memos that can be carried forward.
• Performing systems walk-procedures to reduce the assessed risk of material misstatement.
• Performing maximum analytical procedures during planning, engagement performance and engagement review to reduce detailed tests of balances.
• Performing only necessary tests of control and tests of balances procedures.
• Determining tolerable misstatement by financial statement classification to minimize auditing procedures.
• Making decisions not to sample to save time.
• Completing a planning document to facilitate planning meetings and the audit team leader’s involvement.
At the heart of each engagement’s audit strategy is the entity’s system of internal control.
Assessing risks of material misstatement (RMM) for each financial statement classification requires an understanding of both key (at the entity-level and activity-level) controls and activity-level controls. The emphasis for assessing RMM is on the design and operation of key controls, for both large and small audits. If key controls are designed and operating, formally or informally, it is unlikely material errors or fraud can occur and go undetected. If key controls are not designed, or are designed and not operating, control deficiencies are likely. Depending on the likelihood and magnitude of the deficiencies, they may be significant deficiencies or material weaknesses, risks of material misstatements in other words.
An entity’s system of internal control represents an opportunity for maximizing audit profits, for both large and small audit engagements. An auditor’s understanding of an entity’s internal control system, and its recognition as a key component of an audit strategy for each material financial statement classification, is a key to gathering the right amount of substantive evidence in the least amount of time.
My live and on-demand webcasts offer more detailed information on internal control and audit strategies, as well as courses on all other auditing subjects. You can obtain syllabuses and register by clicking the applicable box on the left side of my home page, www.cpafirmsupport.com.