UNDERSTANDING KEY CONTROLS
Professional standards recommend a “top-down” approach to obtaining and testing internal controls. Control activities consist of entity-level and activity-level controls. Certain controls, i.e., key controls, are highly effective in detecting and preventing misstatements due to error or fraud. For larger entities, key controls may be from either category of controls. For smaller entities, key controls are normally performed at the entity level by an owner, manager or other authoritative person.
Properly designed and operating key controls can detect and prevent most misstatements from affecting the financial statements of an entity. On the other hand, improperly designed key controls, or properly designed key controls that are not operating properly, will normally result in significant deficiencies or material weaknesses in internal control. Here are illustrative key and activity-level controls for a typical small entity:
(O/M = Owner or manager or other authoritative position)
1. O/M approves all credit sales.
2. O/M reviews copies of all sales invoices and shipping reports.
3. O/M reviews customers’ statements before mailing.
4. O/M reviews monthly aged trial balance, calls past due customers and resolves customer complaints.
1. Sales are recorded in the period made or shipped (considering shipping terms).
2. Pre-numbered sales invoices and shipping reports are prepared.
3. Copies of sales invoices or customer statements are mailed at least monthly.
4. All returns, allowances, discounts and account adjustments are approved by a supervisor.
Basic Test of Controls vs. Performing a Systems Walk-through Procedure
A formal test of controls, i.e., a test of all the attributes of a transaction, is required under GAO’s “Yellow Book” standards, for audits of publically-held companies and for certain entities in regulated industries. Tests of controls are not required for non-public companies and non-profit organizations, although they may be used as risk assessment procedures. Even for some small audits, limited tests of key controls and other risk assessment procedures may enable auditors to assess control risk at a level less than high for some financial statement classifications. Tests of controls should, of course, only be performed if other substantive tests can be reduced or eliminated.
A system’s walk-through procedure, when combined with other risk assessment procedures such as reading the general ledger, can also provide substantive evidence that may enable an auditor to evaluate control risk at a level less than high. The greater the number of transaction units selected for the walk-through, the greater the substantive evidence provided by the procedure.
My illustrative Flowcharting Guide and illustrative flowcharts for the major transactions cycles can be obtained free of charge by clicking on the "Contact Us" tab on my website, www.cpafirmsupport.com, and emailing your request. Live and on-demand presentations of my webcast, Designing Internal Control Systems for Small and Medium Size Entities, can be obtained by clicking on the applicable box on the left side of my home page.