As originally described in SAS No. 55, the internal control structure was comprised of an organization's accounting system, control environment and control procedures. While SAS No. 78 expanded the definition of these three components, it also added internal risk assessment and internal monitoring of internal control performance. Since we are primarily concerned about the original three components of the internal control structure for most of our clients, this will be the focus of this discussion.
To properly evaluate risk of material misstatement, we must first distinguish between the accounting system (information and its communication) and the control procedures or activities. Simply put, the accounting system is comprised of the accounting records and the record keeping procedures necessary to prepare reliable financial information. Internal control activities consist of procedures and activities that check the operation of the accounting system. Our evaluation of a client's internal controls will be relative to nature, size and complexity of an entity. In a recent COSO report on internal control for smaller entities, the authors indicated that smaller entities may have more informal internal controls and that key controls would ordinarily be carried out by one or a few individuals.
As SAS No. 107 indicates, we are concerned primarily about an entity's key controls. Key controls are those performed at the entity level which can prevent deficiencies in other related control activities from causing material misstatements. A small entity, for example, could have both a good accounting system and good internal controls because an owner or manager with high integrity diligently performs key controls such as signing checks and reviewing vendor invoices, reviews bank statements before and after reconciliation, reviewing mail opening prelists and bank deposit details, reviews customer statements and/or aged trial balances of accounts receivable and so forth.
Because we thought we couldn't audit these controls in the past, we didn't regard them as evidence. Risk assessment standards make it clear we can test these and other controls by making inquiries, observations and inspections. Testing controls in this way may enable the auditor to assess control risk at less than maximum, even on small audits!