Question

Discuss what significant elements should a CPA firm’s methodology for assessing internal controls have? Why is each of these elements important? What risk does the CPA firm run if each of these elements were not included in the assessment of the internal controls process?

Answer 1

Assessment of internal controls is part of today’s auditing requirements and helps identify risk factors. But, it can sometimes be unclear why auditors ask so many questions about their clients’ internal controls.

A system of internal control has five components. An accountant must be aware of these components when designing an accounting system, as does anyone who audits the system. The components of an internal control system are as follows:

• Control environment. This is the attitude of management and their employees regarding the need for internal controls. If the controls are taken seriously, this greatly enhances the robustness of the system of internal control.

• Risk assessment. This is the process of reviewing the business to see where the most critical risks lie, and then designing controls to address those risks. This assessment must be conducted on a regular basis, to take into account any new risks introduced by changes in the business.

• Control activities. This is the use of accounting systems, information technology, and other resources to ensure that appropriate controls are put in place and operating properly. For example, there may be accounting systems in place to periodically conduct inventory audits and fixed asset audits. In addition, there may be off-site backups to minimize the risk of lost data.

• Information and communication. Information about controls should be communicated to management in a timely manner, so that shortfalls can be addressed promptly. The amount of information communicated should be appropriate to the needs of the recipient.

• Monitoring. This is the set of processes used by management to examine and assess whether its internal controls are functioning properly. Ideally, management should be able to spot control failures and make adjustments to improve the control environment. Otherwise, an improper or ineffective control may allow misstatements to pass through into the financial statement