by Diane M. Zimmerman, CPA, Director, Baden, Gage & Schroeder, LLC
In 2006, policy makers for auditors of non-public companies set new standards that introduced a comprehensive audit methodology that differs significantly from the way audits have been performed for the past three decades. One of the key elements in the new standards is the requirement that auditors evaluate the design effectiveness of an entity's internal control.
Internal Control Defined
Internal control is a process, an interconnected web of policies, procedures, attitudes and actions that work together to achieve reliable financial reports. Management is responsible for establishing internal controls. Auditors analyze an internal control system by breaking it down into its five component parts.
Risk assessment - identifying "what can go wrong":
Good internal control begins with management's assessment of the risks facing the entity. In order to prepare reliable financial reports, management must have a working knowledge of "what can go wrong" in the capture, processing and reporting of financial information.
Implementing controls to manage risk:
Control activities are designed to address the specific risks that management has identified. For example, if management is concerned about fraudulent cash disbursements, then control procedures should be designed specifically to address cash disbursements.
Monitoring control performance:
Management is responsible for supervising the performance of the control activities it puts in place. Additionally, business owners or those responsible for preparing reliable financial reports should monitor the performance of the system as a whole and be alert for signs that the system is functioning poorly. If anyone in the organization becomes aware of control weaknesses, management should take appropriate, corrective action.
Communicating information:
Information must be effectively communicated throughout the organization. All employees in the organization should have a clear understanding of their responsibilities and how their actions affect transactions and financial reports. Additionally, errors in the processing of financial information must be communicated to the person who can correct them.
Establishing an effective control environment:
Management must establish a proper "tone at the top," one that consistently reinforces the company's commitment to complete, transparent and accurate financial reporting. The control environment is comprised of a variety of attitudes, policies, procedures and the conduct of its employees, which range from the company's personnel policies to how management responds to reports of potential unethical business practices. The control environment is the foundation of an organization's internal control. Without a solid foundation, all other components are quickly rendered ineffective.
Internal control is a key element to accurately originating, processing and reporting transactions. An audit focus on the design effectiveness of internal control, as outlined in the new standards, simply makes sense.
