5 missteps to avoid when evaluating internal controls
Understanding a client’s internal control gives auditors insight into the testing needed to assess management’s assertions.
By Deana Thorps, CPA; Hiram Hasty, CPA, CGMA; and Bob Dohrer, CPA, CGMA
Are you an auditor engaged to audit an entity that is less complex? If so, you may wonder why you spend time on the audit evaluating internal control. This may seem like an exercise that is much more relevant in an audit of a more complex entity, and you may question its usefulness when auditing less complex entities.
So why is gaining an understanding of controls necessary? The understanding of internal controls assists the auditor in assessing the risks of material misstatement, which in turn assists in designing and implementing audit responses that are tailored to a client's assessed risks. This is true regardless of the size of the entity.
Without properly understanding controls, an auditor may not identify risks associated with the client's internal controls and therefore may not design and implement appropriate responses. Because the audit procedures should be linked to the assessed risks, failing to gain an understanding of controls leaves the auditor without an adequate basis for the assessment of the risks of material misstatement. This may result in failing to obtain sufficient appropriate audit evidence to support the audit opinion and at a minimum constitutes an omitted procedure in accordance with AU-C Section 585, Consideration of Omitted Procedures After the Report Release Date.
Auditors are expected to obtain an understanding of only those control activities considered relevant to the audit. And yet, a recent survey of peer reviewers participating in the AICPA Peer Review program indicated that nearly half of the 400 audits they reviewed last year didn't comply with AU-C Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, or AU-C Section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, because auditors did not properly obtain an understanding of relevant controls.
By analyzing the results of hundreds of peer reviews, we have detected trends that are leading to noncompliance with AU-C sections 315 and 330. Here are the most common missteps in practice detected through that analysis and ways to avoid them.
Misstep No. 1: Assuming the client has no controls
Auditors of less complex entities often assume that their client has no controls in place. While their controls may not be sophisticated or documented, virtually all clients have controls over financial reporting.
Some questions to consider might be:
Has management created a culture of honesty and ethical behavior?
Are login credentials required on computers or operating systems?
Does the company have policies (formal or less formal) related to the competency of the accountant or bookkeeper?
If the answer to any of these questions is "yes," the client has controls.
Some auditors believe that the only controls they need to consider are control activities, like performing bank reconciliations. AU-C Section 315 explains that internal control is composed of the following:
The control environment;
The entity's risk assessment procedures;
Information and communication; and
Monitoring of controls.
If a client had no controls in place, there would be no way to prevent or detect and correct a material misstatement. If that's true, it would not be possible to do sufficient audit work to reduce audit risk to an acceptable level.
Misstep No. 2: Not understanding which controls are relevant to the audit
Auditors are required by paragraph .13 of AU-C Section 315 to obtain an understanding of internal control relevant to the audit. This includes all controls assessed as relevant by the auditor and is not limited to those controls that the auditor plans to test for operating effectiveness. Further, control activities relevant to the audit include those control activities that the auditor judges necessary to understand in order to assess the risks of material misstatements at the assertion level.
Controls relevant to a given audit will vary, depending on the client's size, complexity, and nature of operations. Control activities that are always relevant to the audit are defined as those that:
Address significant risks (including fraud risks);
The auditor intends to rely upon and test for operating effectiveness;
Address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence; or
Support journal entries.
Misstep No. 3: Stopping after determining whether controls exist
Peer Review program data show that many auditors think determining whether controls exist is the extent of their responsibilities, but that's not true. Auditors have additional responsibilities concerning a client's system of internal control.
After identifying controls that are relevant to the audit, the auditor has to evaluate the design effectiveness of those controls and determine whether the controls are implemented.
For example, the design of controls over a client's bank reconciliation processes should be evaluated. The procedures involved in the bank reconciliation should be designed to prevent, or detect and correct, a material misstatement. Does the client's bookkeeper receive the bank statements unopened? Does the client limit who has access to the online banking account? If so, the auditor should evaluate these controls to ensure they are designed effectively to address the risks of misstatement.
The auditor can obtain audit evidence about the relevant controls' design and implementation by observing the client applying the controls, inspecting documents and reports, or tracing transactions through the client's financial reporting system. All of these procedures can provide evidence that controls were properly designed and implemented and are functioning as intended; however, it is important to understand that directing inquiries at client personnel alone for these purposes is not sufficient.
If the design of the client's controls is ineffective or if the controls have not been implemented properly, the auditor is obligated to evaluate the severity of the deficiency. If a significant deficiency or material weakness is assessed, the auditor is obligated to report these deficiencies under AU-C Section 265, Communicating Internal Control Related Matters Identified in an Audit.
Misstep No. 4: Improperly assessing control risk
Peer Review results indicate that some auditors believe they can default control risk assessments to "maximum" without any consideration of their client's controls. But is this the right approach? Many will be shocked to learn that the answer is "no."
Auditors should not default to any level of control risk. An auditor should have a reasonable basis for his or her assessment of control risk, regardless of the assessment level. Defaulting to a control risk assessment of "maximum" without evaluating the design and implementation of relevant controls could lead an auditor to failing to identify risks that are relevant to the audit. The evaluation of the design of controls and the determination of whether the controls are implemented provide the basis for designing an effective response to the risk of material misstatement. The auditor's strategy may or may not include testing the operating effectiveness of controls. In other words, a substantive audit approach may be implemented as long as your audit procedures are responsive (and linked) to the assessed risks of material misstatement.
Peer Review results also indicate that some auditors believe they can lower their control risk assessment without testing whether the controls are operating as designed, but that's not true. If the auditor's response (i.e., substantive procedures) to the assessed risk of material misstatement is based on an expectation that controls are operating effectively, then the auditor is required to perform tests of the controls upon which reliance is placed.
Evaluating control design and implementation is not the same thing as testing the operating effectiveness of those controls. Many auditors confuse the terms "implementation" and "operating effectiveness," but as paragraph .A77 of AU-CSection 315 states, "obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit."
Misstep No. 5: Failing to link further procedures to control-related risks
Once the auditor has assessed the risks of material misstatement including risk associated with the client's internal control, his or her next step will be to design and perform further audit procedures that are responsive to the client's risks. The auditor should not simply perform the same procedures that were required for another client in the same industry or even those audit procedures performed in the prior year.
To illustrate, consider two clients in the manufacturing industry. For both clients, the auditor has assessed the risks of material misstatement related to the rights and obligations assertion in the accounts payable balance as maximum.
Client A's bookkeeper records all invoices in the accounting system once the invoice is received. Because the invoices are not matched to a purchase order or otherwise reviewed to confirm their validity, the auditor determines that Client A's controls over the recording of accounts payable are ineffectively designed. A specific concern is the risk of recording fictitious invoices. Alternatively, Client B's bookkeeper records all invoices for authorized purchase orders in the accounting system when the invoice is paid. Because recording of invoices is delayed until payment occurs, the auditor determines that Client B's controls are ineffectively designed because a risk of unrecorded liabilities exists. While both clients are in the same industry and both have maximum risks of material misstatement related to the accounts payable rights and obligations assertion, they may require two very different audit responses.
Client A's auditor may determine that the best way to lower detection risk would be to compare invoices received from vendors with a listing of approved vendors and purchase orders. Conversely, Client B's auditor may lower the threshold amount in performing a search for unrecorded liabilities.
Tips to help comply with AU-C sections 315 and 330
When performing future audit engagements, auditors should be sure to:
Obtain a robust understanding of the client's system of internal control;
Identify controls relevant to the audit;Evaluate the design effectiveness of each relevant control and determine whether the controls have been implemented as designed;
Identify and assess the client's risks of material misstatement (including control risk) at the assertion level;
Design and perform audit procedures that are responsive to the assessed risks; and
Document the linkage between the assessed risk and the audit procedures.