Question

evaluate the internal control structure of an organization

discuss the required documentation and audit work based on the evaluation of internal controls

Answer 1

An evaluation of internal control involves an examination of the effectiveness of an organization's system of internal controls. By engaging in this evaluation, an auditor can determine the extent of other tests that must be performed in order to arrive at an opinion regarding the fairness of the entity's financial statements. A robust system of internal controls reduces the risk of fraudulent activity, which moderates the need for additional audit procedures. The examination concentrates on such issues as:

• The separation of duties
• Checks and balances
• Safeguarding of records
• The training level and competence of employees
• The effectiveness of the entity's internal audit function

The steps involved in this evaluation process include the following:

1. Determine the extent and types of controls being used by the client.
2. Determine which of these controls the auditor intends to rely upon.
3. Based on the first two steps, determine which audit procedures should be expanded or reduced.
4. Make recommendations to the client regarding how to improve its system of internal controls.

Control Objectives

In addition to detailing risks and controls, control documentation needs to identify control objectives clearly. To better understand the control objectives related to an activity, process, or system, internal auditors can reference regulatory compliance documentation from relevant authorities, including capital market regulators and central banks. Auditors can also leverage freely available Internet resources such as those found on AuditNet.org and The IIA's Web site.

Control objectives may be articulated in a variety of documents, including the organization's mission statement, strategic plan, business plans, and budgets. Internal auditors can use a risk and control matrix that incorporates COSO concepts to document the objectives and the relevant risks identified. Control objectives should be established mainly for the operating and compliance elements of coso and should address information processing objectives:

• Completeness — what prevents duplicate postings by the system?
• Accuracy — what ensures accurate data input?
• Validity — what prevents unauthorized transactions?
• Restricted access — what ensures data confidentiality?

Control objectives should address specific organizational risks, such as those related to strategy, operations, reporting, and compliance.

Understanding Controls

To document internal controls effectively, internal auditors must understand the flow of transactions, including how transactions are initiated, recorded, authorized, processed, and reported. Auditors must also identify and document the risks within the process, including fraud risk, and identify and document the controls that should be implemented to manage those risks.

Internal auditors must be able to determine which controls are necessary to the process, activity, or system under review in light of the risk profile and desired level of control. Management is responsible for establishing adequate business processes and measuring performance, as well as determining how best to monitor the operating effectiveness of enterprise processes and controls. Internal auditors should consider these responsibilities when documenting either formal (written) or informal (undocumented) controls.

Types of Documentation

Internal control documentation can take various forms, including flowcharts, policy and procedure manuals, and narrative descriptions. No one particular form of documentation is required by The IIA's Standards, and the extent of documentation may vary depending on the complexity of the area. Depending on the nature of the organization, control documentation may range from generic guidelines to detailed written policies and procedures.

In most instances, internal auditors use flowcharts supplemented by narrative descriptions as a starting point for documentation work. Once these items are completed, auditors often use risk and control matrices for more specific analysis. These methods, as well as internal control questionnaires (ICQs) and policy and procedure manuals, constitute the most well-known and commonly used forms of control identification and documentation.