5 missteps to avoid when evaluating internal controls

5 missteps to avoid when evaluating internal controls

Are you an auditor engaged to audit an entity that is less complex? If so, you may wonder why you spend time on the audit evaluating internal control. This may seem like an exercise that is much more relevant in an audit of a more complex entity, and you may question its usefulness when auditing less complex entities.

So why is gaining an understanding of controls necessary? The understanding of internal controls assists the auditor in assessing the risks of material misstatement, which in turn assists in designing and implementing audit responses that are tailored to a client’s assessed risks. This is true regardless of the size of the entity.

Without properly understanding controls, an auditor may not identify risks associated with the client’s internal controls and therefore may not design and implement appropriate responses. Because the audit procedures should be linked to the assessed risks, failing to gain an understanding of controls leaves the auditor without an adequate basis for the assessment of the risks of material misstatement. This may result in failing to obtain sufficient appropriate audit evidence to support the audit opinion and at a minimum constitutes an omitted procedure in accordance with AUC Section 585, Consideration of Omitted Procedures After the Report Release Date.

Auditors are expected to obtain an understanding of only those control activities considered relevant to the audit. And yet, a recent survey of peer reviewers participating in the AICPA Peer Review program indicated that nearly half of the 400 audits they reviewed last year didn’t comply with AUC Section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, or AUC Section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, because auditors did not properly obtain an understanding of relevant controls.

By analyzing the results of hundreds of peer reviews, we have detected trends that are leading to noncompliance with AUC sections 315 and 330. Here are the most common missteps in practice detected through that analysis and ways to avoid them.

Auditors of less complex entities often assume that their client has no controls in place. While their controls may not be sophisticated or documented, virtually all clients have controls over financial reporting.

Some questions to consider might be:

If the answer to any of these questions is “yes,” the client has controls.

Some auditors believe that the only controls they need to consider are control activities, like performing bank reconciliations. AUC Section 315 explains that internal control is composed of the following:

If a client had no controls in place, there would be no way to prevent or detect and correct a material misstatement. If that’s true, it would not be possible to do sufficient audit work to reduce audit risk to an acceptable level.

Auditors are required by paragraph .13 of AUC Section 315 to obtain an understanding of internal control relevant to the audit. This includes all controls assessed as relevant by the auditor and is not limited to those controls that the auditor plans to test for operating effectiveness. Further, control activities relevant to the audit include those control activities that the auditor judges necessary to understand in order to assess the risks of material misstatements at the assertion level.

Controls relevant to a given audit will vary, depending on the client’s size, complexity, and nature of operations. Control activities that are always relevant to the audit are defined as those that:

Peer Review program data show that many auditors think determining whether controls exist is the extent of their responsibilities, but that’s not true. Auditors have additional responsibilities concerning a client’s system of internal control.

After identifying controls that are relevant to the audit, the auditor has to evaluate the design effectiveness of those controls and determine whether the controls are implemented.

For example, the design of controls over a client’s bank reconciliation processes should be evaluated. The procedures involved in the bank reconciliation should be designed to prevent, or detect and correct, a material misstatement. Does the client’s bookkeeper receive the bank statements unopened? Does the client limit who has access to the online banking account? If so, the auditor should evaluate these controls to ensure they are designed effectively to address the risks of misstatement.

The auditor can obtain audit evidence about the relevant controls’ design and implementation by observing the client applying the controls, inspecting documents and reports, or tracing transactions through the client’s financial reporting system. All of these procedures can provide evidence that controls were properly designed and implemented and are functioning as intended; however, it is important to understand that directing inquiries at client personnel alone for these purposes is not sufficient.

If the design of the client’s controls is ineffective or if the controls have not been implemented properly, the auditor is obligated to evaluate the severity of the deficiency. If a significant deficiency or material weakness is assessed, the auditor is obligated to report these deficiencies under AUC Section 265, Communicating Internal Control Related Matters Identified in an Audit.

Peer Review results indicate that some auditors believe they can default control risk assessments to “maximum” without any consideration of their client’s controls. But is this the right approach? Many will be shocked to learn that the answer is “no.”

Auditors should not default to any level of control risk. An auditor should have a reasonable basis for his or her assessment of control risk, regardless of the assessment level. Defaulting to a control risk assessment of “maximum” without evaluating the design and implementation of relevant controls could lead an auditor to failing to identify risks that are relevant to the audit. The evaluation of the design of controls and the determination of whether the controls are implemented provide the basis for designing an effective response to the risk of material misstatement. The auditor’s strategy may or may not include testing the operating effectiveness of controls. In other words, a substantive audit approach may be implemented as long as your audit procedures are responsive (and linked) to the assessed risks of material misstatement.

Peer Review results also indicate that some auditors believe they can lower their control risk assessment without testing whether the controls are operating as designed, but that’s not true. If the auditor’s response (i.e., substantive procedures) to the assessed risk of material misstatement is based on an expectation that controls are operating effectively, then the auditor is required to perform tests of the controls upon which reliance is placed.

Evaluating control design and implementation is not the same thing as testing the operating effectiveness of those controls. Many auditors confuse the terms “implementation” and “operating effectiveness,” but as paragraph .A77 of AUC Section 315 states, “obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit.”

Once the auditor has assessed the risks of material misstatement including risk associated with the client’s internal control, his or her next step will be to design and perform further audit procedures that are responsive to the client’s risks. The auditor should not simply perform the same procedures that were required for another client in the same industry or even those audit procedures performed in the prior year.

To illustrate, consider two clients in the manufacturing industry. For both clients, the auditor has assessed the risks of material misstatement related to the rights and obligations assertion in the accounts payable balance as maximum.

Client A’s bookkeeper records all invoices in the accounting system once the invoice is received. Because the invoices are not matched to a purchase order or otherwise reviewed to confirm their validity, the auditor determines that Client A’s controls over the recording of accounts payable are ineffectively designed. A specific concern is the risk of recording fictitious invoices. Alternatively, Client B’s bookkeeper records all invoices for authorized purchase orders in the accounting system when the invoice is paid. Because recording of invoices is delayed until payment occurs, the auditor determines that Client B’s controls are ineffectively designed because a risk of unrecorded liabilities exists. While both clients are in the same industry and both have maximum risks of material misstatement related to the accounts payable rights and obligations assertion, they may require two very different audit responses.

Client A’s auditor may determine that the best way to lower detection risk would be to compare invoices received from vendors with a listing of approved vendors and purchase orders. Conversely, Client B’s auditor may lower the threshold amount in performing a search for unrecorded liabilities.

When performing future audit engagements, auditors should be sure to:

Following these tips will help drive highquality, efficient audits that conform to the standards. For more help, visit aicpa.org/internalcontrol for free tools and resources on internal controls.

About the authors

Deana Thorps, CPA, is a manager; Hiram Hasty, CPA, CGMA, is a senior technical manager; and Bob Dohrer, CPA, CGMA, is chief auditor, all for the Association of International Certified Professional Accountants.

To comment on this article or to suggest an idea for another article, contact Ken Tysiac, the JofA’s editorial director, at Kenneth.Tysiac@aicpa-cima.com or 919-402-2112.

AICPA resources



CPE self-study

For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.


Online resources

Research & References of 5 missteps to avoid when evaluating internal controls|A&C Accounting And Tax Services

98 thoughts on “5 missteps to avoid when evaluating internal controls

  1. Pingback: cialis 20mg
  2. Pingback: erection pills
  3. Pingback: online pharmacy
  4. Pingback: cialis generic
  5. Pingback: vardenafil 20 mg
  6. Pingback: herbal viagra
  7. Pingback: casinos
  8. Pingback: tadalafil 20
  9. Pingback: loans online
  10. Pingback: cash payday
  11. Pingback: loans online
  12. Pingback: viagra 100mg
  13. Pingback: online casino
  14. Pingback: cialis to buy
  15. Pingback: shanon
  16. Pingback: generic cialis
  17. Pingback: cialis 5 mg
  18. Pingback: cialis 5 mg
  19. Pingback: online casino usa
  20. Pingback: online gambling
  21. Pingback: casino games
  22. Pingback: viagra online usa
  23. Pingback: free viagra
  24. Pingback: buy viagra on line
  25. Pingback: buy cialis generic
  26. Pingback: free slots online
  27. Pingback: buy cialis
  28. Pingback: site shopgenericed
  29. Pingback: slot machine
  30. Pingback: casino gambling
  31. Pingback: real casino
  32. Pingback: car insurances
  33. Pingback: payday loans
  34. Pingback: cbd oil sale
  35. Pingback: essay help
  36. Pingback: write essay online
  37. Pingback: clozaril otc
  38. Pingback: colchicine tablet
  39. Pingback: cheap combivent
  40. Pingback: coreg tablet
  41. Pingback: coumadin cost
  42. Pingback: cozaar uk
  43. Pingback: dapsone caps cheap
  44. Pingback: buy ddavp

Leave a Reply