Confusion over Internal Control?
By – Steven Firer
ISA 315 P 12 states that “The auditor shall obtain an understanding
of internal control relevant to the audit”. P A42 explains “An understanding of internal control
assists the auditor in identifying types of potential misstatements and factors
that affect the risks of material misstatement, and in designing the nature,
timing, and extent of further audit procedures”.
The above quotes from ISA 315 raise two questions:
1. To what extent do the controls relevant to the audit have to be understood; and
2. To what extent do the controls relevant to the audit have to be tested?
Understanding (Reviewing) Internal Control
In the larger company audit
environment the auditor very often knows that the controls relevant to the
audit will have to be relied upon for the major transaction cycles as the
amount of substantive testing required without the confidence from internal
controls is likely to be prohibitive. In this situation most auditors would
agree that an understanding of those internal controls relevant to the audit
and the basis for concluding that the controls are suitably designed should be
documented. In fact ISA 315 P 32 (b) states that “The auditor shall include in the audit documentation: Key elements of
the understanding obtained regarding each of the internal control components”.
This documentation would normally
take the form of answers to an internal control questionnaire, flowcharts, or
system narratives. The problem of the extent of the understanding and its
documentation in the audit file normally arises in the smaller company
environment. In this case the auditor often knows that either controls are
inadequate or it will not be cost effective to obtain audit comfort from
testing and evaluating the internal controls relevant to the audit. To what
extent must the internal controls be understood in this situation to satisfy
auditing standards?
ISA 315 P 13 states: “When obtaining an understanding of controls
that are relevant to the audit, the auditor shall evaluate the design of those
controls and determine whether they have been implemented”. ISA 330 P 8
states: “The auditor shall design and
perform tests of controls to obtain sufficient appropriate audit evidence as to
the operating effectiveness of relevant controls”.
From the above quotes it is clear
that auditing standards split the auditor’s responsibilities with respect to
internal controls relevant to the audit into two phases – the “review” of the
controls and “tests” of controls. The purpose of the “review” is to enable the
auditor to make a preliminary evaluation to decide on the extent to which
he/she proposes relying on the controls for the purposes of the audit. Auditing
standards do not state directly the purpose for which internal controls must be
understood. Auditing standards state “An
understanding of internal control assists …. in designing the nature, timing,
and extent of further audit procedures”. ISA 330 P A4 explains that further
audit procedures consist of tests of controls, substantive tests or a
combination of both. One could thus argue that if the auditor does not propose
to rely on internal controls there is no need to perform or document the “review”.
However, the counter-arguments are:
1. In most cases if the auditor is to issue an unqualified opinion some reliance must be placed on internal controls, particularly as far as the assertion of completeness is concerned; and
2. The auditor needs a basic understanding of the company and its method of operation to prepare an effective substantive detailed audit plan.
There can be no doubt that
auditing standards require some review of the internal
controls on every audit, and consequently such a review is needed to demonstrate compliance with
auditing standards (ISA 315 P 12).
The question arises as to what
constitutes “internal control relevant to
the audit”? ISA 315 P 12 states: “Although
most controls relevant to the audit are likely to relate to financial reporting,
not all controls that relate to financial reporting are relevant to the audit.
It is a matter of the auditor’s professional judgment whether a control,
individually or in combination with others, is relevant to the audit”.
A control is always designed to
respond to (mitigate) a possible risk. A control that does not address a risk
is obviously redundant. The first step in evaluating control design is to
identify the risks that require mitigation by control. The second step is then
to identify what controls are in place to address those risks. Internal control
is management’s response intended to mitigate an identified risk factor or
achieve a control objective. There is a direct relationship between an entity’s
objectives and the internal control it implements to ensure their achievement.
Once objectives are set, it is possible to identify and assess potential events
(risks) that would prevent the achievement of the objectives. Based on this
information, management can develop appropriate responses, which will include
the design of internal control.
A suggested approach in identifying internal controls relevant to the audit:
Step 1 - Identify which risks require mitigation. It is important
that the auditor takes the time to understand, identify, and assess the
significant and other risk factors present before evaluating internal control
design. Otherwise the internal control evaluation will take place without any
entity-specific context or knowledge of what risks the entity faces that need
to be mitigated. If this step is skipped, audit time may well be spent
assessing internal controls that may be irrelevant, unnecessary or that, even
if well designed, would not mitigate the entity’s specific risks that do exist.
Step 2 — Document Relevant Internal Control. The completed
documentation should provide information on the following:
· The design of internal control over all relevant assertions related to significant accounts and disclosures in the financial statements;
· How significant transactions are initiated, authorized, recorded, processed, and reported;
· The flow of transactions in sufficient detail to identify the points at which material misstatements due to error or fraud could occur; and
· Internal control over the period-end financial reporting process, including significant accounting estimates and disclosures.
Step 3 — Assess Control Implementation.
The first part to step 3 would be to evaluate the control design. Are
the controls capable of effectively preventing, detecting and correcting
material misstatements? If the answer is no then there is no need to evaluate
control implementation and the auditor must report the deficiency in control to
management and those charged with governance.
The second part to step 3 would
apply if the answer to the first part is yes. The second part would entail
evaluating control implementation. This simply means – does the control exist
and is the entity using it?
The recommended approach is to
conduct a walkthrough. In a walk-through, the auditor traces a transaction from
each major class of transactions from origination, through the entity’s
accounting and information systems and financial report preparation processes,
to it being reported in the financial statements.
The writer is of the opinion that
if the auditor decides not to rely on the internal controls they are not
relevant to the audit and the auditor’s documentation is limited to a record of
his/her reasons for not testing the controls i.e. reasons for not moving from
phase one to phase two.
An example of such a conclusion is:
“While the control environment is favourable, and there are reasonable
control activities and monitoring by management of risk assessment and the
information system, we do not feel that there are controls strong enough to
warrant testing and that leave a trail that is conducive to testing.
Accordingly, we anticipate relying primarily on substantive testing”.[1]
This view must not be interpreted
to mean that the only record of the “review” phase that is required is this
statement. The auditor should always have evidence on file of the reasons for
making such a statement and that would entail a more rigorous approach to
documentation. Thus the minimum documentation for the “review” phase of
internal control on an audit should comprise:
1. The organizational structure;
2. Delegated authority such as signatories on bank accounts and buyers’ authority limits;
3. The extent of management involvement in the accounting system for authorisation, execution or approvals;
4. A listing of transaction types together with a brief description of the major cycles and the documentation involved;
5. The accounting entries that record the transactions in the accounting records; and
6. Conclusions on control design and implementation.
Testing Internal Control
The writer’s own experience and
discussions with audit practitioners in South Africa indicate that many
auditors would perform tests of controls on internal controls even if a
preliminary evaluation indicated that they could not rely on them. The writer’s
experience also indicates that system narratives are the most accepted manner
in which internal controls are documented. System narratives are not the most
suitable form of documenting internal controls relevant to the audit. For the
most part system narratives comprise a documentation of the entire system which
is not limited to those controls relevant to the audit. System narratives do not
facilitate the three-step approach as recommended above as a narrative
encourages an auditor to test what is described without giving due
consideration to whether the controls as described are capable of effectively preventing,
detecting and correcting material misstatements. The auditor in most cases
would skip this vital step and conduct audit tests that are a complete waste of
time.
Auditing standards make it quite
clear that the auditor does not have to test internal controls unless he/she
wishes to rely on the controls to reduce the level of substantive testing. Even
if the client has installed an excellent system of internal controls the
auditor is under no obligation to test them. This is supported by ISA 330 P 8
which states: “The auditor shall design
and perform tests of controls to obtain sufficient appropriate audit evidence
as to the operating effectiveness of relevant controls if: a. The auditor’s
assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively (that is, the auditor
intends to rely on the operating effectiveness of controls in determining the nature,
timing and extent of substantive procedures); or b. Substantive procedures
alone cannot provide sufficient appropriate audit evidence at the assertion
level”. This might apply where sales are made over the Internet and no
documentation of transactions is produced or maintained, other than through the
IT system.
The decision to test controls
would be made by the auditor after considering the costs of the various ways of
auditing those accounts to obtain the necessary audit confidence. In those
situations where there are high value/low volume of transactions it is often
more efficient to obtain all the required audit confidence from substantive
tests alone.
It would thus appear there is a
certain amount of wasted effort on many audits as tests on the system will not
lead to a reduction in substantive tests under circumstances where the internal
controls cannot be relied upon. The problem may well be one of the auditor
thinking that some tests on the transactions must be performed so he/she tests
20 items through the system. Unless the auditor is absolutely clear on what
objectives are being achieved by this type of test, it might as well not be
performed for all the use or comfort it gives. It may well be that the auditor
decides that some substantive tests of transactions are required to achieve
specific audit objectives – but these tests will invariably be less
comprehensive than the tests through the whole of the system. So to save audit
time the tests on transactions should be designed to cover only the essential
elements and not to test the transactions through the system.
Conclusion
To comply with auditing standards the auditor:
1. Should perform a preliminary review of the control environment and transactions which comprise the business. The scope and extent of documentation of this review is discussed above; and
2. Does not have to perform tests of transactions to determine if the internal controls are operating effectively.