Key controls are those elements of the five components of internal control that have a pervasive affect upon the accomplishment of management's control objectives. These key controls will be similar for all financial reporting frameworks, including special purpose frameworks. At the entity level for smaller entities, these controls may be informal and ordinarily carried out by one or a few persons, such as an owner or manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected.
Successful operation of key controls, subjected to auditors' tests of controls or systems walk-through procedures, may reduce control risk to a level that is slightly less than high or even moderate. An assessed lower level of control risk can reduce the need for more expensive tests of balances evidence.
Components of key controls at the entity level for both large and small entities are:
- Management's integrity and ethical values.
- Management's commitment to doing things right.
- Management's ways of doing things.
- The involvement of persons charged with governance.
- The delegation of authority and responsibility.
- Personnel policies and procedures.
The COSO report, Internal Control—An Integrated Framework, states that control activities are the policies and procedures established to help ensure that management directives are carried out. The key controls at the entity level are primary to accomplishing this objective. Absent the proper design of key controls at the entity level, or when key controls are designed but not operating, activity-level controls may be necessary to prevent misstatements from occurring and going undetected.
Activity-level controls may be applied through features in an accounting software system, either by personnel while performing accounting procedures, or by the design of documents or data. If key controls are not designed or operating at the entity level, certain activity-level controls may prevent errors from occurring and going undetected. Obtaining knowledge of these controls should be part of the auditor's risk assessment procedures. The degree to which these controls may be regarded as substantive evidence by an auditor depends on the extent to which tests of controls or systems walk-through procedures may be performed and documented.
Can a Small Entity Have Good Internal Controls?
For audits of smaller entities using any reporting framework, the process of understanding internal controls is primarily based on key controls at the entity level. The owner or manager (CEO, director, superintendent, CFO or other top financial authority) has primary responsibility for the design and operation of internal controls. Most of the key controls will be informal and performed by the owner or manager. It is the commitment to accurate financial reporting and the diligence of the responsible person that significantly affects the auditor's evaluation of the risk of material misstatements (the combination of control risk and inherent risk) on smaller audits.
COSO has recognized that smaller entities can have good internal controls, although they will likely be informal and carried out by one or a few persons. The design and operation of key controls can prevent material misstatements due to error or fraud from occurring and going undetected. Effectively designed and operated informal key controls may result in a less-than-high assessment of control risk for small entities. It is the auditor's evaluation of both the character and diligence of an owner or manager, and the evidence obtained by inquiries, observations and other risk assessment procedures, that form the basis for a conclusion about control risk on small audits.
For smaller audits, the auditor's primary objective should be to focus on key controls at the entity level. If risk assessment procedures determine such controls are designed and operating properly, control risk could be less than high, even moderate. If key controls are not designed at least informally, or if they are designed but not operating effectively, significant deficiencies or material weaknesses may occur and go undetected, resulting in high control risk. In cases where key controls are not operating, it is possible for documented activity-level controls to reduce control risk to slightly less than high.
Can Owner/Manager Controls Be Audited?
Some auditors believe that owner or manager controls cannot be audited because their performance is often not documented by the persons performing them. However, audit risk assessment standards identify inquiries and observations as acceptable procedures for testing controls—both key entity-level and activity-level controls. For example, obtaining a copy of a bank statement and asking a business owner how she approaches its preliminary review before reconciliation may provide evidence, along with other risk assessment procedures, that the assessed level of risk of material misstatements for cash is at some level less than high. This procedure will produce reliable evidence when the integrity of management is high and when no or limited contrary evidence is obtained from other risk assessment procedures.
An auditor's evaluation of management's integrity as high has at least two significant effects on small audits. Since an owner's or manager's actions define the control environment for a small entity, a strong control environment reduces the risk of material misstatement at the financial statement level. Lower risk mean less evidence is required to reach a conclusion on the financial statements as whole. Second, high management integrity means an auditor can place higher reliance on responses to inquiries in tests of informal key entity-level controls on smaller audits. The auditor, after considering the results of other risk assessment procedures, may be able to reduce the amount of other necessary substantive evidence from detailed tests of balances at the assertion level. Tests of activity-level controls can also be performed by inquiries and observations of other employees' activities if the auditor has assessed their competence and integrity.
So yes, owner/manager controls can be audited. Also, by selecting and serving clients employing management and other personnel with good character and high integrity, performing key controls at the entity level can increase both engagement and firm profits!
For webcasts and self-study courses containing more information on internal controls on smaller audits, click the applicable box on the left side of my home page, www.cpafirmsupport.com.