You have 3 free guides left 😟
Unlock your guides
Unlock Cram Mode
You have 3 free guides left 😟
Unlock your guides

3.2 Evaluating Internal Control Effectiveness

5 min readaugust 13, 2024

Internal control effectiveness is crucial for reliable financial reporting. Auditors use methods like inquiry, observation, and re-performance to evaluate controls. They assess design and implementation, considering factors like control nature, personnel competency, and performance consistency.

Key controls in business processes are vital for preventing material misstatements. Auditors focus on these controls, which vary by process but often involve , , and . Control deficiencies can significantly impact audit risk and procedures.

Evaluating Internal Control Effectiveness

Methods for Evaluating Internal Control Effectiveness

Top images from around the web for Methods for Evaluating Internal Control Effectiveness

  • Effective Internal Controls by @EricPesik View original

    Is this image relevant?

  • Role of Internal Control Components in the Development of External Auditor Performance in ... View original

    Is this image relevant?

  • Effective Internal Controls by @EricPesik View original

    Is this image relevant?

1 of 3

Top images from around the web for Methods for Evaluating Internal Control Effectiveness

  • Effective Internal Controls by @EricPesik View original

    Is this image relevant?

  • Role of Internal Control Components in the Development of External Auditor Performance in ... View original

    Is this image relevant?

  • Effective Internal Controls by @EricPesik View original

    Is this image relevant?

1 of 3
  • Internal control effectiveness is evaluated through a combination of methods, including inquiry, observation, inspection of documents and records, and re-performance of control procedures
  • Inquiry involves asking management and employees about the design and operation of internal controls provides auditors with an understanding of how controls are supposed to work
  • Observation involves watching employees perform their duties and control activities allows auditors to see if controls are being performed as designed
  • Inspection of documents and records provides evidence that controls were performed and helps auditors assess the quality of documentation supporting the performance of controls
  • Re-performance involves the auditor independently executing control procedures to verify they are working as intended is the most reliable form of evidence for testing operating effectiveness of controls

Factors to Consider in Assessing Design and Implementation

  • Assessing the design of internal controls involves determining whether controls, individually or in combination, are capable of effectively preventing, detecting or correcting material misstatements
  • Assessing the implementation of internal controls verifies that the controls exist and are in use by the company auditors cannot rely on controls that are not implemented
  • Auditors consider factors such as the nature of the control, competency of personnel performing the control, frequency and consistency of control performance, and evidence of performance when assessing design and implementation
  • Controls can be preventive (stop errors from occurring), detective (identify errors after they occur), or corrective (remedy identified errors) effective systems have a mix of all three types
  • General IT controls and application controls in IT systems need to be assessed as part of internal control over financial reporting ensure integrity of data and reports used in the financial reporting process

Internal Control Design and Implementation

Preventive, Detective, and Corrective Controls

  • are designed to stop errors or irregularities from occurring in the first place (segregation of duties, authorization limits)
  • are designed to identify errors or irregularities after they have occurred but before financial statements are issued (reconciliations, exception reports)
  • remedy identified errors or irregularities to mitigate their impact (adjusting entries, backups and recovery procedures)
  • An effective internal control system will have a combination of preventive, detective, and corrective controls to address risks at various points in the process

IT General Controls and Application Controls

  • IT general controls apply to all systems, components, processes, and data for a given organization or systems environment (access controls, change management, backup and recovery)
  • Application controls are specific to individual applications and ensure completeness, accuracy, authorization and validity of data capture and processing (input validation, error checks, interface controls)
  • IT controls are critical to assess as most financial reporting processes are highly dependent on information systems
  • Weak IT general controls can undermine application controls and impact multiple financial statement accounts and disclosures
  • Auditors need to test both IT general controls and application controls relevant to financial reporting as part of their internal control assessment

Key Controls in Business Processes

Identifying Key Controls

  • Key controls are those that provide that material misstatements will be prevented or detected in a timely manner not all controls within a process are considered key controls
  • Auditors focus testing on key controls to obtain sufficient evidence over relevant financial statement assertions (existence, completeness, accuracy, cutoff)
  • Factors to consider in identifying key controls include materiality of the account balance or disclosure, volume of transactions, complexity and subjectivity, susceptibility to loss or fraud
  • Key controls often involve segregation of duties, authorization, reconciliation, and management review but can vary based on the specific risks of each business process
  • Automated controls and manual controls can both be key controls depending on their design and impact on relevant assertions

Key Controls by Business Process

  • Business processes relevant to financial reporting include the revenue cycle, purchasing cycle, payroll cycle, production cycle, and financial reporting cycle each process has unique risks that require specific controls
  • In the revenue cycle, key controls include customer acceptance policies, credit approvals, shipping documentation, invoice verification, and cash receipts reconciliations
  • In the purchasing cycle, key controls include purchase requisitions, purchase order approvals, receiving reports, invoice approvals, and cash disbursement reviews
  • In the payroll cycle, key controls include authorized pay rates, time tracking, payroll register reviews, and segregation of payroll duties
  • In the production cycle, key controls include production planning, inventory tracking, cost accounting, and inventory counts
  • In the financial reporting cycle, key controls include account reconciliations, journal entry approvals, and financial statement reviews

Impact of Control Deficiencies on Audit Risk

Evaluating Internal Control Deficiencies

  • An internal control deficiency exists when the design or operation of a control does not allow management or employees to prevent, detect or correct misstatements on a timely basis
  • Deficiencies are categorized as a deficiency, significant deficiency, or based on the likelihood and magnitude of the potential misstatement resulting from the deficiency
  • A deficiency is less severe, while a material weakness is the most severe category indicating a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis
  • Significant deficiencies are less severe than material weaknesses but important enough to merit attention by those charged with governance
  • Auditors evaluate the severity of deficiencies based on criteria such as the nature of the control, possible magnitude of the potential misstatement, and likelihood of occurrence

Impact on Audit Procedures and Reporting

  • The existence of deficiencies increases control risk, which is the risk that a misstatement could occur and not be prevented or detected by internal controls
  • Auditors must consider the impact of identified deficiencies on the nature, timing and extent of substantive audit procedures needed to reduce audit risk to an acceptably low level
  • More severe deficiencies require more extensive substantive testing to address the increased risk of misstatement and provide sufficient appropriate audit evidence
  • The existence of material weaknesses may preclude an unqualified audit opinion on internal control over financial reporting and require auditors to issue an adverse opinion
  • Auditors are required to communicate significant deficiencies and material weaknesses to management and those charged with governance in a timely manner
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
Fiveable
About Us
About FiveableBlogCareersTestimonialsCode of ConductTerms of UsePrivacy PolicyCCPA Privacy Policy
Resources
Cram ModeAP Score CalculatorsStudy GuidesPractice QuizzesGlossaryCrisis Text LineRequest a Feature
Stay Connected
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
About Us
About FiveableBlogCareersTestimonialsCode of ConductTerms of UsePrivacy PolicyCCPA Privacy Policy
Resources
Cram ModeAP Score CalculatorsStudy GuidesPractice QuizzesGlossaryCrisis Text LineRequest a Feature
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
Back
Glossary
Glossary
Next