Continuing our last posting, Internal Control Deficiencies Examples, we would like to share how to assess the adequacy (existence) of internal control.
In the next posting we will discuss how to assess the effectiveness (functioning) of internal control. Just keep visiting our blog.
Aspects of Internal Control Assessment
Basically, the assessment of internal control consists of two aspects:
a. The adequacy of the design of internal control.
b. The operating effectiveness of controls.
Approaches to Assessing Internal Control
There are several approaches to assessing internal control, each used in a different situation:
- Overall assessment of internal control, concluded from a single engagement. See COSO: Illustrative Tools for Assessing Effectiveness of a System of Internal Controls, September 2012.
- Overall assessment of internal control, concluded from multiple individual engagements. See IIA Practice Advisories 2130-1: Assessing the Adequacy of Control Processes.
- Assessment of control-related objectives/activities/financial statements, concluded from individual engagements or a financial audit. See the related standards, e.g. International Standard on Auditing (ISA) 530: Audit Sampling and Other Means of Testing, published by IFAC.
- Assessment of internal control over financial reporting, concluded from an engagement as required by SOX 404. See IIA Professional Guidance: Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners, The Institute of Internal Auditors, 2nd Edition, January 2008.
Which approach is used depends largely on the objective of the assessment engagement, and that objective determines how the assessor develops procedures to assess the adequacy and the effectiveness of internal control. For example:
- If the objective is to assess the adequacy and effectiveness of controls over operational activities, the procedures start from the identified significant risks and then assess the controls related to those risks.
- If the objective is to provide an opinion on the financial statements or on ICoFR, the procedures start from management's assertions and then assess the controls related to those assertions.
To stay focused, this posting shares how to assess the adequacy of controls over operational activities.
For those who want to learn about assessing internal control over financial reporting, please review other references such as Arens's Auditing and Assurance Services: An Integrated Approach.
The Process of an Adequate and Effective Internal Control
|IC Assess Process|
In order to have an adequate and effective internal control, a company needs to:
- identify its business objectives;
- identify and assess the risks which threaten the achievement of those objectives;
- design internal controls to manage those risks;
- operate the internal controls in accordance with their design specification; and
- monitor the controls to ensure they are operating correctly.
The Process of Assessing the Adequacy of Internal Control
A five-step approach can be used to identify deficiencies, significant deficiencies, and material weaknesses in the design of internal control:
1. Understand the identified significant risks.
One basic principle to understand is that controls are developed to mitigate the organization's significant risks. So one thing the auditor must understand is the organization's risk register. Which controls are important (key controls) depends heavily on the significance of the risks they mitigate. So, in assessing the adequacy and the effectiveness of IC, never try to weight (score) the components of internal control.
In practice, the first thing I usually do to assess the adequacy of internal control over operational activities is simply to review the risk management process and the risk register or risk map developed by management. This assumes, of course, that the organization's risk management is at a mature level. Here is an example of a risk register.
|Risk Register Example|
Assessment When There Is No Risk Management Process
A question that often arises is how to assess the adequacy of internal control when the organization has no risk management process. My response is that every ordinary person practices risk management in daily life, and so does a business person; it is simply informal and undocumented.
In that situation, I simply ask management to fill in the following table:

| Identify Division's / Your Objectives | Controls to Mitigate the Risks |
| --- | --- |

The purpose of this procedure is to test whether management and personnel know:
- their objectives, KPIs, and their achievement;
- their significant risks (even though there is no formal risk management);
- their controls to mitigate those risks; and
- the effectiveness of their risk management and controls.
2. Identify existing controls
Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. One way to do this is to identify the controls that mitigate each risk; for example, the auditor can use knowledge of the client's system to identify controls that are likely to prevent errors or fraud.
- Use the five control activities (separation of duties, proper authorization, adequate documents and records, physical control over assets and records, and independent checks on performance) as reminders of controls. For example:
  - Is there adequate separation of duties, and how is it achieved?
  - Are transactions properly authorized?
  - Are prenumbered documents properly accounted for?
  - Are key master files properly restricted from unauthorized access?
The auditor should identify and include only those controls that are expected to have the greatest effect on meeting the activity's objectives. These are often called key controls. Examples of identifying key controls:
|Flowchart - Control Example|
NOTE: Which controls are important (key controls) depends heavily on the significance of the risks they mitigate. So, in assessing the adequacy and the effectiveness of IC, never try to give a weight or score to the components of internal control. I have seen an institution use IC questionnaires in which each IC component or element is weighted and scored, and then use the questionnaire score to rate the level of IC effectiveness. Remember: the IC questionnaire is used for understanding the IC and for assessing the adequacy of its design; it is never used for assessing the effectiveness of IC.
3. Identify the absence of key controls
Internal control questionnaires, flowcharts, and walkthroughs are useful tools to identify where controls are lacking and where the likelihood of not meeting operational objectives / KPIs is therefore increased. Never use IC questionnaires or flowcharts as tools to assess the effectiveness of internal control. I have seen an institution use IC questionnaires to score the effectiveness of IC. Remember, the IC questionnaire is used for understanding the IC and for assessing the adequacy of its design.
It is also useful to examine the control risk matrix and look for objectives with no or only a few controls, which adversely affects the likelihood that the entity will achieve those objectives.
- Observe entity activities and operations
When auditors observe client personnel carrying out their control activities, including their preparation of documents and records, it further improves the auditors' understanding and their evidence that controls have been implemented. Example: the auditor observes the quality control check performed at the production site to understand how the quality control procedure is implemented there.
- Perform walkthrough tests
In a walkthrough, the auditor selects one or a few documents of an operation and traces them from initiation through the entire operation process. At each stage of processing, the auditor makes inquiries, observes activities, and examines completed documents and records.
Walkthroughs conveniently combine observation, documentation, and inquiry to confirm that the controls designed by management have been implemented.
Example of risk control matrix:
|Control Risk Matrix Example|
4. Consider the possibility of compensating controls.
A compensating control is one elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner. Remember: under COSO, all 17 principles must be present and functioning, but it is the principles that must be present, not every specific control that would normally support them. So it is acceptable for a particular control to be absent, as long as there is a compensating control that offsets its absence, so that the principle is still satisfied even though the usual control is not there.
When a compensating control exists that fully offsets the missing key control, there is no longer a significant deficiency or material weakness.
- Example: there is no segregation of duties at the bank teller. The teller receives the cash deposit, authorizes the deposit slip, records it in the bank system, and keeps the cash in the teller box.
- The lack of segregation of duties (or of any other internal control principle) does not automatically mean there is a significant weakness. We must assess whether there is a compensating control that offsets the absence of the key control.
- In the bank teller case, the compensating controls are: two CCTV cameras monitor the teller's activities; cash is counted at the end of the day; and a supervisor performs a daily reconciliation between the bank system, the cash, and the approved deposit slips. The cash count and reconciliation are themselves recorded by CCTV.
Example of a COSO illustrative component evaluation of control activities, taking compensating controls into account:
|COSO Illustrative IC Evaluation|
5. Decide whether there is a significant deficiency or material weakness.
Our conclusion about the adequacy of the internal control design results from:
- understanding risk management and identifying significant risks (studying the risk register);
- understanding and reviewing the internal control design (using a combination of tools: IC questionnaire, flowchart, narrative, process mapping, observation, walkthrough tests, risk control matrix);
- identifying key controls, compensating controls, and the absence of required controls (the result of reviewing the IC with the tools above); and
- deciding whether there is a deficiency in the internal control design (using a likelihood and impact matrix, see below).
As stated in our previous posting, a control deficiency is a shortcoming in some aspect (principle, attribute, component) of the system of internal control for which there is no compensating control. Control deficiencies are classified along two dimensions: likelihood and impact.
- Severity of a weakness = likelihood × impact. Use a risk analysis approach to determine the level of likelihood and impact.
- There are several methods for determining likelihood and impact; which one is used depends on the complexity of the business and the risks affected. One widely used method is the focus group discussion (FGD), because of its simplicity.
- Likelihood = the probability that the impact will occur. Example: if there is no quality control, there is a high probability that products will not meet customer expectations.
- Impact = the magnitude of the effect on the achievement of the organization's objectives. Example: if there is no quality control, the impact is that products will not meet quality requirements and customer expectations; this impact is considered major.
|Table Weaknesses Type|
1. Minor/ Deficiency (No. 4).
2. Major/ Significant deficiency (No. 2 or 3).
3. Major/ Material weakness (No. 1).
Based on our assessment, we then summarize all material weaknesses and significant deficiencies found. An example summary is as follows:
|Deficiency Summary Example|
For assessing ICoFR, see our previous posting for a guideline on distinguishing material weaknesses from significant deficiencies.
This was so informative and assisted me to further understand and dissect the difference between what can be performed under adequacy testing and under effectiveness testing of controls. Thanks.
Thanks for posting, it's really useful and practical.