Why must the auditor obtain an understanding of internal control?

Why do auditors ask so many questions about their clients’ internal controls? Assessing internal controls is part of today’s auditing requirements. It helps identify risk factors — but the requirements can sometimes be unclear. 

The American Institute of Certified Public Accountants (AICPA) uses Technical Questions and Answers (Q&A) to address inquiries from members seeking guidance on certain technical issues. Here’s a set of five common questions, along with answers that the AICPA issued on April 27 to help clarify an auditor’s responsibility for assessing a client’s internal controls.

Are auditors required to obtain an understanding of business processes relevant to financial reporting in every audit engagement?

Yes, the auditing standards require an auditor to understand a client’s information system, including the related business processes and communication relevant to financial reporting. The AICPA reminds auditors that it’s important to distinguish between business processes and control activities. Business processes are the activities designed to:

• Develop, purchase, produce, sell and distribute an entity’s products and services,
• Ensure compliance with laws and regulations, and
• Record information, including accounting and financial reporting information.

The AICPA defines control activities as “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no “cookie cutter” approaches when it comes to understanding business processes and control activities; rather, the requirements differ from audit to audit.

Does an auditor’s understanding of internal controls encompass more than control activities?

Yes, an auditor must understand each component of the client’s financial reporting controls. This includes the control environment, risk assessment process, information system, control activities that relate to the audit, and the client’s monitoring of the controls. (See “Close-up on internal controls.”)

Should the auditor evaluate the design of controls and determine whether they’ve been implemented every year?

Yes, each year auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures — such as observations, inspection or tracing transactions through the information system — to obtain an understanding of controls relevant to the audit. The appropriate procedures are a matter of the auditor’s professional judgment.

For existing clients, an auditor may leverage information obtained from his or her previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, the auditor should determine whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.

Which control activities are considered relevant in every audit?

Auditors are specifically expected to understand controls that address “significant” risks. These are identified and assessed for risks of material misstatement that, in the auditor’s professional judgment, require special audit consideration. Examples include control activities 1) relevant to the risk of fraud or 2) over journal entries (such as nonrecurring, unusual transactions or adjustments).

Which relevant control activities may vary from audit to audit?

Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity and nature of operations. The AICPA advises auditors to consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.  

© 2017

Are you an auditor engaged to audit an entity that is less complex? If so, you may wonder why you spend time on the audit evaluating internal control. This may seem like an exercise that is much more relevant in an audit of a more complex entity, and you may question its usefulness when auditing less complex entities.

So why is gaining an understanding of controls necessary? The understanding of internal controls assists the auditor in assessing the risks of material misstatement, which in turn assists in designing and implementing audit responses that are tailored to a client's assessed risks. This is true regardless of the size of the entity.

Without properly understanding controls, an auditor may not identify risks associated with the client's internal controls and therefore may not design and implement appropriate responses. Because the audit procedures should be linked to the assessed risks, failing to gain an understanding of controls leaves the auditor without an adequate basis for the assessment of the risks of material misstatement. This may result in failing to obtain sufficient appropriate audit evidence to support the audit opinion and at a minimum constitutes an omitted procedure in accordance with AU-C Section 585, Consideration of Omitted Procedures After the Report Release Date.

Auditors are expected to obtain an understanding of only those control activities considered relevant to the audit. And yet, a recent survey of peer reviewers participating in the AICPA Peer Review program indicated that nearly half of the 400 audits they reviewed last year didn't comply with AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, or AU-C Section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, because auditors did not properly obtain an understanding of relevant controls.

By analyzing the results of hundreds of peer reviews, we have detected trends that are leading to noncompliance with AU-C sections 315 and 330. Here are the most common missteps in practice detected through that analysis and ways to avoid them.

Misstep No. 1: Assuming the client has no controls

Auditors of less complex entities often assume that their client has no controls in place. While their controls may not be sophisticated or documented, virtually all clients have controls over financial reporting.

Some questions to consider might be:

• Has management created a culture of honesty and ethical behavior?
• Are login credentials required on computers or operating systems?
• Does the company have policies (formal or less formal) related to the competency of the accountant or bookkeeper?

If the answer to any of these questions is "yes," the client has controls.

Some auditors believe that the only controls they need to consider are control activities, like performing bank reconciliations. AU-C Section 315 explains that internal control is composed of the following:

• The control environment;
• The entity's risk assessment procedures;
• Control activities;
• Information and communication; and
• Monitoring of controls.

If a client had no controls in place, there would be no way to prevent or detect and correct a material misstatement. If that's true, it would not be possible to do sufficient audit work to reduce audit risk to an acceptable level.

Misstep No. 2: Not understanding which controls are relevant to the audit

Auditors are required by paragraph .13 of AU-C Section 315 to obtain an understanding of internal control relevant to the audit. This includes all controls assessed as relevant by the auditor and is not limited to those controls that the auditor plans to test for operating effectiveness. Further, control activities relevant to the audit include those control activities that the auditor judges necessary to understand in order to assess the risks of material misstatements at the assertion level.

Controls relevant to a given audit will vary, depending on the client's size, complexity, and nature of operations. Control activities that are always relevant to the audit are defined as those that:

• Address significant risks (including fraud risks);
• The auditor intends to rely upon and test for operating effectiveness;
• Address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence; or
• Support journal entries.

Misstep No. 3: Stopping after determining whether controls exist

Peer Review program data show that many auditors think determining whether controls exist is the extent of their responsibilities, but that's not true. Auditors have additional responsibilities concerning a client's system of internal control.

After identifying controls that are relevant to the audit, the auditor has to evaluate the design effectiveness of those controls and determine whether the controls are implemented.

For example, the design of controls over a client's bank reconciliation processes should be evaluated. The procedures involved in the bank reconciliation should be designed to prevent, or detect and correct, a material misstatement. Does the client's bookkeeper receive the bank statements unopened? Does the client limit who has access to the online banking account? If so, the auditor should evaluate these controls to ensure they are designed effectively to address the risks of misstatement.

The auditor can obtain audit evidence about the relevant controls' design and implementation by observing the client applying the controls, inspecting documents and reports, or tracing transactions through the client's financial reporting system. All of these procedures can provide evidence that controls were properly designed and implemented and are functioning as intended; however, it is important to understand that directing inquiries at client personnel alone for these purposes is not sufficient.

If the design of the client's controls is ineffective or if the controls have not been implemented properly, the auditor is obligated to evaluate the severity of the deficiency. If a significant deficiency or material weakness is assessed, the auditor is obligated to report these deficiencies under AU-C Section 265, Communicating Internal Control Related Matters Identified in an Audit.

Misstep No. 4: Improperly assessing control risk

Peer Review results indicate that some auditors believe they can default control risk assessments to "maximum" without any consideration of their client's controls. But is this the right approach? Many will be shocked to learn that the answer is "no."

Auditors should not default to any level of control risk. An auditor should have a reasonable basis for his or her assessment of control risk, regardless of the assessment level. Defaulting to a control risk assessment of "maximum" without evaluating the design and implementation of relevant controls could lead an auditor to failing to identify risks that are relevant to the audit. The evaluation of the design of controls and the determination of whether the controls are implemented provide the basis for designing an effective response to the risk of material misstatement. The auditor's strategy may or may not include testing the operating effectiveness of controls. In other words, a substantive audit approach may be implemented as long as your audit procedures are responsive (and linked) to the assessed risks of material misstatement.

Peer Review results also indicate that some auditors believe they can lower their control risk assessment without testing whether the controls are operating as designed, but that's not true. If the auditor's response (i.e., substantive procedures) to the assessed risk of material misstatement is based on an expectation that controls are operating effectively, then the auditor is required to perform tests of the controls upon which reliance is placed.

Evaluating control design and implementation is not the same thing as testing the operating effectiveness of those controls. Many auditors confuse the terms "implementation" and "operating effectiveness," but as paragraph .A77 of AU-C Section 315 states, "obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit."

Misstep No. 5: Failing to link further procedures to control-related risks

Once the auditor has assessed the risks of material misstatement including risk associated with the client's internal control, his or her next step will be to design and perform further audit procedures that are responsive to the client's risks. The auditor should not simply perform the same procedures that were required for another client in the same industry or even those audit procedures performed in the prior year.

To illustrate, consider two clients in the manufacturing industry. For both clients, the auditor has assessed the risks of material misstatement related to the rights and obligations assertion in the accounts payable balance as maximum.

Client A's bookkeeper records all invoices in the accounting system once the invoice is received. Because the invoices are not matched to a purchase order or otherwise reviewed to confirm their validity, the auditor determines that Client A's controls over the recording of accounts payable are ineffectively designed. A specific concern is the risk of recording fictitious invoices. Alternatively, Client B's bookkeeper records all invoices for authorized purchase orders in the accounting system when the invoice is paid. Because recording of invoices is delayed until payment occurs, the auditor determines that Client B's controls are ineffectively designed because a risk of unrecorded liabilities exists. While both clients are in the same industry and both have maximum risks of material misstatement related to the accounts payable rights and obligations assertion, they may require two very different audit responses.

Client A's auditor may determine that the best way to lower detection risk would be to compare invoices received from vendors with a listing of approved vendors and purchase orders. Conversely, Client B's auditor may lower the threshold amount in performing a search for unrecorded liabilities.

Tips to help comply with AU-C sections 315 and 330

When performing future audit engagements, auditors should be sure to:

• Obtain a robust understanding of the client's system of internal control;
• Identify controls relevant to the audit;
• Evaluate the design effectiveness of each relevant control and determine whether the controls have been implemented as designed;
• Identify and assess the client's risks of material misstatement (including control risk) at the assertion level;
• Design and perform audit procedures that are responsive to the assessed risks; and
• Document the linkage between the assessed risk and the audit procedures.

Following these tips will help drive high-quality, efficient audits that conform to the standards. For more help, visit aicpa.org/internalcontrol for free tools and resources on internal controls.