What is an internal control Why is an auditor interested in a clients internal control?

Internal controls are measures and tools to protect the interest of the company against wrongdoings. It ensures that a company complies with state and federal laws and regulations in managing the financial data of the organization. 

Having strong internal controls can improve efficiency and ensure accuracy in financial reporting during external and internal audits. 

The internal controls prepared by an organization also help in preventing fraud, ensuring the integrity of the financial data, and promoting accountability. The internal controls of each company are different from the other and are designed by keeping in mind the size of the company and its structure. Efficient and effective internal controls help in meeting the objectives of the company. 

Given below are some of the reasons why internal controls are important for business:

• Helps decrease audit fees- Properly established internal controls reduce the need for having external audits reducing the fees of audits. When an organization provides a clear structure of the implementation of internal controls and their results, this reduces the need for revisions or the need for the rebuilding of the entire internal control after an external review and audit.
• Recognizes SOX Act- The main purpose of establishing SOX was to maintain accountability in an organization and maintain internal controls for financial reporting. The SOX Act is a federal law that was enacted to protect investors and ensure that the organization provides reliable and accurate disclosure of finances. By following the SOX Act, companies gain confidence in the investors and gain trust in the company’s management of financial data.
• Produces financial statements on time- Timely preparations of financial statements help management in making future decisions for the company and also protect stakeholders and the reputation of the company. Regular financial statements help in identifying and correcting small errors which help in building trust and proving the company’s transparency.
• Helps reduce errors- Internal controls help in reducing errors by defining procedures and protocols which reduce mistakes of the employees and make improvements when needed.
• Improves Accountability- Internal controls that are created with designated roles for key members help in reducing errors and improving the functioning of the procedures. This leads to improvement in accountability when clear protocols are maintained on the transmission of data, recording of data, and data sharing. Improvement in accountability means the company stays in compliance with statutory and regulatory filing requirements.
• Helps keep tasks separated- Internal controls ensure the duties are separated for different persons as this avoids conflicts of interest and reduces the chances of mismanagement in finances. Separating duties also ensures that a system of balances and checks is established so every person does not have access to all data.
• Organized information- Properly organized data of any organization helps in preparing for events such as litigation and external audits. Internal controls protect the interest of the clients by creating systems that would file client data or documents, or by putting restrictions such as the requirement of passwords to access data. Information organization also helps in improving efficiency by ensuring the security of financial data yet accessible.
• Stabilizes operations- When the protocols of company operations are in place, the organization meets the objectives in a better way. Management controls the operations in a better way and checks whether the procedures are being followed in the right manner or not. A stable operation or an organization defines the roles of the employee, effectively manages the information, and has detailed processes in place to identify problems and make improvements.
• Improves process performance-  Once the processes are implemented in the right manner, the continuous monitoring of the processes helps in making apt decisions by the management and checking their effectiveness if it needs additional attention.
• Improves operational efficiency- The efficiency of the operations can be improved by applying internal controls as it helps in removing duplicate and unnecessary steps in a process or procedure. Improvement in operational efficiency allows management to get timely information about the organization which helps in verifying the current operations and checking whether the company's objectives are met or not.

So, it is very much important for organizations to have internal controls and it improves the overall performance of the organization.

NSKT Global understands the importance of internal controls for small businesses.   We help small businesses reach their full operational potential by helping them to implement correct internal controls that will save them from staggering losses and fraudulent activities. 

We are delighted to provide a free 20-minute business consultation. (The session will center on providing you with specific suggestions to help your business thrive.)

Good afternoon. It is a pleasure to be here – I want to thank Steve Harris for inviting me to speak with you. I think we as a group share the same interests – protecting the investor by improving audit quality – and I am looking forward to today's discussion. Before I begin, I must say that the views I express are my own and should not be attributed to the PCAOB as a whole or any Board members or staff.

Internal control over financial reporting ("ICFR") attracts much attention. And it should. When ICFR is effective, it helps companies make sure that they produce reliable financial statements that investors can use to make investment decisions. When it is not, it can damage the integrity of financial reporting that is the very foundation of the capital markets.

Deficiencies in audits of internal control also can affect the audit of the financial statements. In integrated audits, auditors often rely on controls to reduce their substantive testing of financial statement accounts and disclosures. Thus, deficiencies in testing and evaluating internal control can lead to inadequate testing of accounts and disclosures in the financial statement audit.[1] This means that investors may not have the same level of assurance that an audit should provide about the financial statements upon which they are relying.

At the PCAOB, our focus remains clear. We are here to protect the interests of investors. Our inspectors – who are very seasoned and experienced professionals with an average of 17 years of audit experience — perform risk-based inspections of audit firms.

Our collective goal is to ensure that the audits of public companies are performed in accordance with PCAOB auditing standards and that firms have designed and implemented systems of quality control that would result in the performance of high quality audits. Our inspections are designed to identify and address weaknesses and deficiencies related to how a firm conducts audits. To achieve that goal, our inspections evaluate a firm's performance in selected audit engagements, as well as the design and operating effectiveness of a firm's own quality control policies and procedures.[2]

Today, I would like to provide a perspective on the state of the audit work we see through inspections.

The Big Picture

Over the last few years, the audit of internal control has topped the list of deficiencies in the audit work we have reviewed. In 2013, approximately 36 percent of the integrated audits inspected had some deficiency related to internal control. While not all of the 2014 reports are out yet, we saw some improvement at certain firms, but deficiencies were still high.

Of course, I am disappointed to see this. Auditing Standard No. 5,An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements ("AS No. 5") has been out since 2007. It has not changed. Nor have our expectations about the audit work changed. But there continue to be challenges.

No doubt firms have taken significant actions in an effort to perform an effective ICFR audit. Many engagement teams, in fact, do perform an effective ICFR audit. We have, however, observed some engagements teams that do not. There could be many reasons that firms and engagement teams are struggling with ICFR audits and they range from not fully understanding the requirements of AS No. 5, the firm's methodology, and/or the audit client's business, to not having the necessary experience to perform the work or appropriate supervision by more senior members of the team.

A deeper and more holistic understanding of what causes some to get it right and others to miss the mark is necessary.

The Challenges

Where are the challenges? As we have looked at audit work, we have seen that some auditors do not properly apply the top-down risk-based approach that is required by the auditing standard. In some cases, we have seen some apply a mechanical approach that is not appropriately tailored to the risks and that of course can lead to an ineffective audit.

There are three areas where we most commonly see problems.

The first area is in understanding a company's flow of transactions.[3] This is a critical first step in planning an effective audit. Without this understanding, engagement teams may not identify all of the risks that exist and select the appropriate controls to test. Further, the controls that are selected for testing may not be responsive to the risk of material misstatement (including fraud risk) that the engagement team has identified. We've observed this scenario commonly when auditors were testing revenue.

The second area is the testing of management review controls. Management review controls serve as a form of detective control – meaning it is intended to help management identify errors, inaccuracies, or fraud. In order to rely on management review controls, the auditor needs to understand the control and test it to see if it is operating or operating at a precise enough level to detect material misstatements.[4]

So what does this mean? Let's say that the auditor selects management's monthly review of budget-to-actual financial results to test. If the auditor only looks to see that management performed the review and does not understand what management looked for in the review, what matters were investigated, and how they were resolved, the auditor has failed to obtain evidence that the review could in fact prevent or detect a material misstatement. We have seen this sort of ineffective testing by some engagement teams that placed significant reliance on certain management review controls.

One explanation some auditors provided for the deficiencies we observed in this area is the lack of documentation to support the operation of the controls at the audit client. This is not to say that management is not maintaining sufficient documentation for their purposes, but the documentation may not support the testing that the engagement teams are required to perform. As a result, engagement teams may not be able to place the level of reliance that they would like on these controls, and may have to identify and test other controls to support their audit approach.

The third area is the testing of system-generated data or reports. If a control selected for testing uses system-generated data or reports, the effectiveness of the control depends in part on the controls over the accuracy and completeness of the system-generated data or reports.[5] For example, if the control relies on sales prices coming from a price list, the auditor needs to understand where the price list is coming from and identify and test the controls over the accuracy and completeness of the price list.

What could be the cause of such deficiencies? In some instances, firms' methodology and guidance needed to be revised in this area. When that happened, Inspections staff saw that this contributed to fewer related audit deficiencies.

In other instances, decreases in audit staffing and turnover, particularly in the periods from 2007 - 2010, have contributed to the audit deficiencies seen at firms.[6] This can create a situation where less experienced audit staff, who may not have a good understanding of the auditing standard, are performing the work without proper supervision by more experienced staff.

We have also heard from auditors that the quality of an issuer's processes and controls also can affect the audit. When an issuer has well documented processes and controls, audit quality tends to be higher. This is particularly true when auditing internal control.

The Actions

Firms have taken varying actions to address the problems. We have seen firms issue new templates and tools to guide their staff through the audit of internal control. We have seen some require enhanced documentation; others have added additional layers of review and most have enhanced their training. Of course, some staff may follow the steps prescribed by their firms through these tools and training and still not tailor the work to the audit being performed.

The Way Forward

The answer to everything is not more work – it is "smart work" and by this I mean a balance of efficiency and effectiveness. Sure, when procedures were not performed in the first place, more work will be entailed. But auditors that are thoughtful in applying the top-down, risk-based approach may find that they don't necessarily need to do more work.

Smart work involves taking the time and effort for careful planning in advance. This involves having a good understanding of the audit client's business and flow of transactions to identify the risks, making a thoughtful selection of controls that address those risks, and calibrating the testing of controls along with obtaining sufficient audit evidence based on the associated risks.

Applying a mechanical approach to the audit, for example, just checking that management performed a review, without proper planning can lead to ineffective testing of controls and other problems.

If the auditor does not understand the risks in the company's processes, he or she might not select the right controls to test, which can lead to ineffective auditing. As the audit gets closer to completion date, there are fewer options – no one wants to pivot back.

If the auditor does not properly design the control testing, it can lead to unsupported opinions on internal control and on the financial statements. It is just like planning a trip. It is important to be smart about the plan and the procedures before hitting the road. And, of course, be ready to respond to bumps encountered along the way. Sometimes, the plan doesn't go as expected and the auditors need to be ready to respond or make appropriate changes to the plan as necessary throughout the audit.

We have a significant root cause initiative underway to better understand these challenges. We are looking at what makes one engagement team do a great job when other engagement teams at the same firm are not necessarily doing a great job. We have seen that some things – as simple as good project management skills – contribute to a better quality audit. That has real implications for the amount of effort that is necessary in an audit, especially around the testing of internal control.

The Continued Dialogue

We have seen a lot of ups and downs in the inspected work. I am encouraged by what we saw in 2014 and the early signs of 2015 are that the gains made by some firms have been retained, but others still have challenges. Not all firms are equal in their progress.

Our inspectors engage in a lot of dialogue with audit firms – not only as issues in audit work are identified but, most importantly, as they take steps to understand the underlying cause and implement remedial action.

So again, just like planning a trip, thoughtful, planned work is a key step in any audit to help protect the integrity of financial reporting and the capital markets.

I look forward to hearing your thoughts and input as we all continue to work to protect the interests of investors.