Taking Control
Public company auditors use internal controls to measure effectiveness.

Internal controls are a company’s system of checks and balances, a way to ensure that safeguards are in place to mitigate risk and promote a system of reliable, accurate financial reporting and efficient operations. Internal controls are designed to keep assets safe, practices compliant and guarantee that all policies and procedures are followed to the letter. Understanding the do’s and don’ts of internal controls is critical for public company auditors.

For smaller companies, entity-level controls (also called top-level controls or management review controls) can provide effectiveness for all controls.

“Entity-level controls are often related to the monitoring process and financial close and reporting cycle — although small companies may not refer to them in those words,” explains Wayne Kerr, senior consultant with Thomson Reuters. Kerr says that these top-level controls are items such as weekly or monthly top management reviews of financial information; approval of large transactions, such as disbursements or sales; and reviews of bank reconciliations.

“Smaller companies rely on these types of controls, in part, because they often lack the resources or capacity to incorporate separation of duties and other ‘prevent’ controls into their processes,” he adds.

With smaller public companies, auditors are charged with determining which controls to test and how to select controls that test multiple controls. This means that auditors should analyze all transactions to see if the related controls operate to the most effective degree, according to Kerr.

“If an auditor tests controls and determines that they are operating effectively, he or she can rely on those controls — which means he or she can reduce some of the other audit work that would otherwise be needed,” Kerr says.

According to the Public Company Accounting Oversight Board (PCAOB), a private, nonprofit entity formed to oversee public company auditors, the company’s complexity is a critical factor in an auditor’s assessment. The smaller the company, the less complex it may be due to fewer lines of business and management levels, explains the PCAOB.

It’s also more likely that with smaller companies, senior management is involved (or more involved) in the daily business activities and that these levels of management have a greater variety of control. As such, these smaller company variables could result “in material misstatement of the company’s financial statements and the controls that a company might establish to address those risks,” explains the PCAOB. To aid in risk mitigation, the PCAOB says there are certain key matters related to internal controls that are of particular interest to smaller company entities.

Smaller companies can use entity-level controls which then allow the auditor to provide evidence of internal control over financial reporting. Because smaller companies have fewer employees, these entities may use alternative approaches to the segregation of duties, and the auditor is charged with reviewing these duties to ensure the control objectives are met.

Also, the use of off-the-shelf software may be more plausible with smaller companies, but this prompts auditors to then review the application controls within the computer program to ensure they are effectively operating and meeting the appropriate objective, explains the PCAOB.

Auditing Standards, Revised
Auditors can learn about testing internal controls for their clients through a variety of means, first by looking at the methodologies used by their audit firm, Kerr says, which would provide guidance on how to test. “In addition, there is guidance within the audit standards themselves,” he says. Further, the PCAOB offers guidance.

“Although this guidance is meant for public companies that are required to have internal controls under Section 404 of the Sarbanes-Oxley Act, the guidance is very good and could also be applied to small, non-public companies as well,” Kerr adds.

In 2007, the Securities and Exchange Commission passed Auditing Standard No. 5 to help auditors of public companies construct audits based on that company’s size and structure. Auditing Standard No. 5 replaces Auditing Standard No. 2 and provides new professional standards and related performance guidance for tax and accounting practitioners.

“I believe that Auditing Standard No. 5 is superior to Auditing Standard No. 2 because it focuses the auditor’s testing of controls on those controls that matter the most (top-level or management review controls). This may or may not strengthen investor protection, but I believe it makes the internal controls audit process more efficient without weakening investor protection.”

Kerr also explains that although non-public company audits “do not incorporate the requirements of Auditing Standard No. 5,” and even though testing controls are not required, they are allowed and “similar concepts apply.”

“The biggest difference is that auditors of non-public companies are not required to give an opinion on the operating effectiveness of an entity’s internal controls,” Kerr says. “Rather, they would test controls as a matter of audit effectiveness or efficiency.”

In short, internal controls for public companies are designed to protect against risk. Kerr also recommends that auditors consult with the American Institute of Certified Public Accountants (AICPA), which outlines the required sample sizes for monthly and weekly controls. Says Kerr: “As most small companies rely on controls that operate on a monthly or weekly basis, auditors should become familiar with this guidance in determining whether or not to test controls.”

By Laurie Dent
The Webinar Learning Network:
Available This Week: December 10

Internal Control Communications: ASB and PCAOB Plus FREE Checkpoint Training. Once again, the definitions of internal control deficiencies have been revised in the interest of convergence between the ASB, PCAOB, and International Auditing and Assurance Standards. We’ll bring you up-to-date information on how and when to apply this standard in your practice, and then provide an hour of free Checkpoint training!

Click here for more information and to order.

 

PASS Online

Internal Control and Fraud Detection. The essential tools you need to perform internal-control related services! This course takes you through your clients’ responsibility to design and implement programs and controls to prevent, deter, and detect fraud. Click here for more information and to register.

Practice Issues—Compilation and Review Update. Learn of the various changes proposed by the Accounting and Review Services Committee of the AICPA and practice issues surrounding compilation and review engagements. This course discusses SSARS No. 8, management-use only financial statements, changes in SSARS Nos. 9 through 14, and responsibility for fraud, internal control and going concern, representation letters for reviews, personal financial statements, using staff, compiling pro forma financial information, OCBOA financial statements, legends on financial statements, and more. Click here for more information and to register.

 

Online Course from MicroMash

Internal Controls for Auditors and Managers: Evaluation

This comprehensive internal controls course provides a detailed examination of all aspects of the topic as it pertains to the evaluation of internal controls by auditors and managers. Among the topics you will cover are COSO's internal controls definition; the BSA system; scoping audits; the Woods, Mair, and Davis Method; and the Criticality Index Method. Also covers methodology to meet the requirements of the Sarbanes-Oxley Act for the corporation to evaluate and document internal controls.

Click here for more information and to register.