Why is it important for the auditor to obtain an understanding of the company and its environment, including the company's internal controls?

Assessment of internal controls is part of today’s auditing requirements and helps identify risk factors. But it can sometimes be unclear why auditors ask so many questions about their clients’ internal controls.

The American Institute of Certified Public Accountants (AICPA) issues technical Q&As to address member inquiries on certain issues, and they recently shed some light on this subject. Here’s a set of five common questions and answers that the AICPA issued in April to help clarify an auditor’s responsibility for assessing a client’s internal controls.

Are auditors required to obtain an understanding of business processes relevant to financial reporting in every audit engagement?
Yes, the auditing standards require an auditor to understand a client’s information system, including the related business processes and communication relevant to financial reporting. The AICPA reminds auditors that it’s important to distinguish between business processes and control activities. Business processes are the activities designed to:

  • Develop, purchase, produce, sell and distribute an entity’s products and services
  • Ensure compliance with laws and regulations
  • Record information, including accounting and financial reporting information

The AICPA defines control activities as “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no “cookie cutter” approaches when it comes to understanding business processes and control activities; rather, the requirements differ from audit to audit.

Does an auditor’s understanding of internal controls encompass more than control activities?
Yes, an auditor must understand each component of the client’s financial reporting controls. This includes the control environment, risk assessment process, information system, control activities that relate to the audit, and the client’s monitoring of the controls.

Should the auditor evaluate the design of controls and determine whether they’ve been implemented every year?
Yes, each year auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures—such as observations, inspection or tracing transactions through the information system—to obtain an understanding of controls relevant to the audit. The appropriate procedures are a matter of the auditor’s professional judgment.

For existing clients, an auditor may leverage information obtained from his or her previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, the auditor should determine whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.

Which control activities are considered relevant in every audit?
Auditors are specifically expected to understand controls that address “significant” risks. These are identified and assessed risks of material misstatement that, in the auditor’s professional judgment, require special audit consideration. Examples include control activities 1) relevant to the risk of fraud or 2) over journal entries (such as nonrecurring, unusual transactions or adjustments).

Which relevant control activities may vary from audit to audit?
Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity and nature of operations. The AICPA advises auditors to consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.

5 Components of Internal Controls
Modern business and operating environments are rapidly changing. To reflect these changes, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control — Integrated Framework in 2013. The updated framework outlines five components of internal controls that are required under the Sarbanes-Oxley Act’s Section 404 provisions:

  1. Control environment. A set of standards, processes and structures is needed to provide the basis for carrying out internal controls across the organization.
  2. Risk assessment. This dynamic, iterative process identifies stumbling blocks to the achievement of the company’s strategic objectives and forms the basis for determining how risks will be managed.
  3. Control activities. Policies and procedures are necessary to help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
  4. Information and communication. Relevant and quality information supports the internal control process. Management needs to continually obtain and share this information with people inside and outside of the company.
  5. Monitoring. Management should routinely evaluate whether each of the five components of internal controls is present and functioning.

The updated COSO framework isn’t just for public companies that must comply with Sarbanes-Oxley. The framework applies to all entities that follow U.S. Generally Accepted Accounting Principles (GAAP), including for-profits, not-for-profits and government bodies.

June 21, 2017

Internal controls are accounting and auditing processes used in a company's finance department that ensure the integrity of financial reporting and regulatory compliance. Besides complying with laws and regulations and preventing fraud, internal controls can help improve operational efficiency by ensuring budgets are adhered to, policies are followed, capital shortages are identified, and accurate reports are generated for leadership.

  • Internal controls are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud.
  • Besides complying with laws and regulations, and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.
  • Internal audits play a critical role in a company’s internal controls and corporate governance, now that the Sarbanes-Oxley Act of 2002 has made managers legally responsible for the accuracy of the company’s financial statements.

Internal controls have become a key business function for every U.S. company since the accounting scandals in the early 2000s. In their wake, the Sarbanes-Oxley Act of 2002 was enacted to protect investors from fraudulent accounting activities and improve the accuracy and reliability of corporate disclosures. This has had a profound effect on corporate governance, by making managers responsible for financial reporting and creating an audit trail. Managers found guilty of not properly establishing and managing internal controls face serious criminal penalties.

The auditor’s opinion that accompanies financial statements is based on an audit of the procedures and records used to produce them. As part of an audit, external auditors will test a company’s accounting processes and internal controls and provide an opinion as to their effectiveness.

Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. They ensure compliance with laws and regulations, as well as accurate and timely financial reporting and data collection. They also help maintain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit. Internal audits play a critical role in a company’s operations and corporate governance, now that the Sarbanes-Oxley Act of 2002 has made managers legally responsible for the accuracy of the company’s financial statements.

No two systems of internal controls are identical, but many core philosophies regarding financial integrity and accounting practices have become standard management practices. While internal controls can be expensive, properly implemented internal controls can help streamline operations and increase operational efficiency, in addition to preventing fraud.

Regardless of the policies and procedures established by an organization, only reasonable assurance may be provided that internal controls are effective and financial information is correct. The effectiveness of internal controls is limited by human judgment. A business will often give high-level personnel the ability to override internal controls for operational efficiency reasons, and internal controls can be circumvented through collusion.

The U.S. Congress passed the Sarbanes-Oxley Act of 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The act mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.

Internal controls typically comprise control activities such as authorization, documentation, reconciliation, security, and the separation of duties. They are broadly divided into preventive and detective activities.

Preventive control activities aim to deter errors or fraud from happening in the first place and include thorough documentation and authorization practices. Separation of duties, a key part of this process, ensures that no single individual is in a position to authorize, record, and have custody of a financial transaction and the resulting asset. Authorization of invoices and verification of expenses are internal controls.

In addition, preventative internal controls include limiting physical access to equipment, inventory, cash, and other assets.

Detective controls are backup procedures that are designed to catch items or events that have been missed by the first line of defense. Here, the most important activity is reconciliation, used to compare data sets, and corrective action is taken upon material differences. Other detective controls include external audits from accounting firms and internal audits of assets such as inventory.

Auditing techniques and control methods from England migrated to the United States during the Industrial Revolution. In the 20th century, auditors' reporting practices and testing methods were standardized.

The Sarbanes-Oxley Act of 2002, enacted in the wake of the accounting scandals in the early 2000s, seeks to protect investors from fraudulent accounting activities and improve the accuracy and reliability of corporate disclosures.

Internal controls are broadly divided into preventative and detective activities. Preventive control activities aim to deter errors or fraud from happening in the first place and include thorough documentation and authorization practices. Detective controls are backup procedures that are designed to catch items or events that have been missed by the first line of defense. 

Separation of duties, a key part of the preventive internal control process, ensures that no single individual is in a position to authorize, record, and have custody of a financial transaction and the resulting asset. Authorization of invoices, verification of expenses, and limiting physical access to equipment, inventory, cash, and other assets are examples of preventive internal controls.

Detective internal controls attempt to find problems within a company's processes once they have occurred. They may be employed in accordance with many different goals, such as quality control, fraud prevention, and legal compliance. Here, the most important activity is reconciliation, used to compare data sets, and corrective action is taken if there are material differences. Other detective controls include external audits from accounting firms and internal audits of assets such as inventory.