Increasing Audit Profits Series No. 33—Identifying and Testing an Entity’s Key Controls
Key Controls at the Entity Level
Key controls are those elements of the five components of internal control that have a pervasive affect upon the accomplishment of management’s control objectives. While key controls may exist at both the entity level and the activity level, an auditor is primarily concerned with key controls at the entity level, a “top-down” approach as described in SAS No. 109. For smaller entities, these controls may be informal and ordinarily carried out by one or a few persons, such as an owner or manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected. Successful operation of key controls, subjected to auditors’ tests of controls, may reduce control risk to some level less than high, possibly moderate. A lower assessed level of control risk can result in reductions of more expensive tests of balances evidence, even on small audits!
Components of key controls for both large and small entities are:
• Management’s integrity and ethical values
• Management’s commitment to doing things right.
• Management’s ways of doing things.
• The involvement of persons charged with governance.
• The delegation of authority and responsibility.
• Personnel policies and procedures.
Activity-level controls are the policies and procedures established to help ensure that management directives are carried out. The entity-level key controls are primary to accomplishing this objective. Absent the design of key controls, or when key controls are designed but not operating, activity-level controls may be necessary to prevent misstatements from occurring and going undetected.
These controls may be applied through features in an accounting software system, by personnel while performing accounting procedures or by the design of documents or data. If key controls are not designed or operating, certain activity-level controls may prevent errors from occurring and going undetected. Knowledge of these controls should be part of the auditor’s risk assessment procedures. The degree to which these controls may be regarded as substantive evidence by an auditor depends on the extent to which tests of controls or systems walk-through procedures may be performed.
Can Key Controls at the Entity Level Be Audited?
Many auditors believe that key controls performed by an owner or manage are un-auditable because their performance is usually not documented. Interestingly, the risk assessment standards effective in 2007 identified inquiries and observations as acceptable procedures for testing internal control, both entity level and activity level controls. For example, obtaining a copy of a monthly bank statement and asking a business owner to explain how she approaches its preliminary review before reconciliation may provide substantive evidence, when combined with evidence from other risk assessment procedures, that the assessed level of risk of material misstatements for cash is less than high.
An auditor’s evaluation of management’s integrity as high has at least two significant affects on audits. First, a strong control environment reduces risk at the financial statement level. Lower risk mean less evidence is required to reach an audit opinion on the financial statements as whole. Second, high management integrity means higher reliance can be placed on responses to inquiries in tests of key entity-level controls, thereby reducing the amount of other substantive evidence necessary at the assertion level. Tests of activity-level controls can also be performed by inquiries, inspections and observations of other employee’s activities.
For live and on-demand webcasts discussing testing key entity-level controls as a part of an audit strategy, click on the applicable box on the left side of my home page, www.cpafirmsupport.com.