Every business — large or small — needs internal controls for operational efficiency. Internal controls are:
There are five components of internal controls as defined in The Committee of Sponsoring Organizations of the Treadway’s (COSO) Internal Control – Integrated Framework:
This framework guides entities in the design, implementation, and evaluation of their system of internal controls. It demonstrates that the system of internal controls is not just the individual activities that are performed on a regular basis but the overall environment in which those control activities take place, including management’s attitude, the risks applicable to the business, and the flow of information throughout the organization. All of these factors inform the appropriate design of internal control activities, mitigate the greatest risks, and ensure the proper reporting of financial information for the entity.
The most important controls for an entity are key controls because they are steps within the process that address the risks of what could go wrong during transaction processing and financial statement preparation. It is very important that these controls are designed effectively and are properly implemented; failure to do so could materially affect the relevant assertions, as errors could go undetected. For small businesses, there may only be one key control that can fully address the control objective, such as management’s oversight of the financial reporting system. However, for larger companies, some key controls must be combined with an indirect or complementary control to meet its objective. Complementary controls are controls over the accuracy and completeness of information used in the performance of key controls, IT general controls, segregation of duties and the control environment.
Depending on its objective and design, key controls could be performed routinely on a periodic basis and are primarily performed by supervisory personnel. Examples include requiring two signatures when issuing a check over a certain amount, bank reconciliations and the review of the monthly reporting package. Moreover, there are some key controls that are not performed by an individual but instead by an IT program. Examples include programmed restriction access for users, programmed detection of edit routines or unusual inputs and/or generation of unusual activity or error reports.
As previously noted, key controls should be well designed and properly implemented to be effective. The best way to test this is with a top-down approach, which starts with determining how well the entity-level controls are designed and whether or not they are properly implemented. If they are not, then the activity-level key controls will not be able to meet their objectives, no matter how well designed and properly implemented they may be. From the auditor’s perspective, this approach is very cost effective and is the most efficient way to determine if testing these controls is productive. Although many auditors would rather test transactions substantively, testing controls provides more assurance than performing substantive testing alone.
There are many ways to test key controls: an inquiry with the client or appropriate individual performing the key controls, observation during fieldwork or virtually, or obtaining and inspecting reports or documents. For key controls combined with complementary controls, the auditor should determine whether to test those along with key controls.
There can be confusion when differentiating key and complementary controls from processes. Processes are necessary steps to execute the transaction; they do not prevent or correct a material misstatement relevant to the assertions. Examples include preparing batch deposit slips and depositing checks, coding an invoice, mailing out checks and preparing reports. These routine processes ensure that the transaction is executed; however, the review and monitoring activities surrounding these processes.
Understanding the design and implementation of internal controls is important for auditors and their clients’ management. Distinguishing between entity- and activity-level controls, and key, complementary and process controls, helps to ensure the system properly captures financial information and guides the auditor in efficiently assessing and testing audit assertions.
Not All Risks Come With Reward - Why Every Business Needs Timely Internal Reporting: Check out our whitepaper on why every business needs timely internal reporting