Internal controls are the safeguards that protect both the finances and the operations of a company. The owners of the business are charged with developing these controls. The effectiveness of the controls can be determined through external or internal evaluation. The process of evaluating internal controls is called auditing. A company usually hires a professional or an accounting firm which follows a particular set of steps to evaluate the internal controls (Goetsch and Davis, 2014). This paper seeks to present a plan to evaluate the internal controls for a client’s organization with an aim of presenting an evaluation report to the Board of Directors.
Evaluating Internal Controls
Planning is an important part in auditing. This is because a good plan means better and more accurate results. An auditor, therefore, needs to have plans underway on how the entire evaluations will be carried out even before commencing the work. Evaluation of internal controls is divided onto four key phases. These are acceptance of the audit assignment, planning, the actual auditing, and reporting on the finding of the audit. Under planning, there are various stages that have to be contained in an internal control evaluation plan in order to have a comprehensive evaluation. These include oversight, control environment, compliance testing, substantive testing, risk assessment procedures, and test of the control activities (COSO, 2013).
Delegate your assignment to our experts and they will do the rest.
Oversight for the evaluations will be provided by those charged with governance in the organization. Evaluation of the control environment will involve looking at the commitment of the organization’s management to competence, there techniques of scrutinizing risks, and there attitude towards reporting of internal control findings. Understanding the control environment will make it possible for the auditor to assess the efficiency of the control procedures. The control environment could provide important information such potential misstatements in financial statements by the organization. Compliance testing and substantive testing are techniques utilized in understanding the internal controls structure of the organization. They also help determine elements that made it possible to effectively meet the objectives of the internal controls as designed by the organization. In the risk assessment stage, the auditor would examine the industry factors, external relationships held by the company, the culture in place, and the financial characteristics of the organizations. Understanding of these factors will help in the identification of any areas that are susceptible to fraudulence. Test of control involves testing of transactional data to determine whether if complies with the procedures and policies of the organization (COSO, 2013).
The evaluation of the organization’s internal controls will begin with an evaluation of the processes and procedures adopted by the organization. The operations will then be reviewed from a different perspective to obtain knowledge on the current responsibilities. Knowledge on responsibility includes who is in charge of making a particular decision such as a transaction. The decisions will also be assessed for their validity, completeness, and value to the organization. Validity is checking whether the transactions were recorded, completeness is checking for any omissions, while valuation is checking that the transactions were correctly valued in the records.
Criteria to Identify and Report Identified Control Deficiencies
A control deficiency is a flaw in the operation of design of a control that affects the procedures and policies negatively. Identification and reporting of the evaluation findings is the ultimate goal of an auditor. To achieve this, the auditor must provide a description of evidence acquired regarding the controls, the testing and sampling techniques used, and a description of the importance of the presented report. The report is only meant to reflect the opinion of the auditor regarding the evidence obtained. Identity of the control deficiencies would involve assessing the preliminary level of control risk, getting evidence to support assess level of control risk, evaluating results of the evidential matter, and lastly establishing the wanted level of detection risk (Hoitash & Johnstone, 2012).
Identifying Control Deficiencies
Assessing Preliminary Level of Risk Control
A preliminary assessment of control risk or deficiencies should be made after getting an understanding of the organizations systems as described in the first part of the plan. In this stage, auditing involves evaluating the effectiveness of the organization’s internal control procedures and control policies in detecting and preventing misstatements. Control risk can be assessed in quantitative terms on non-quantitative terms. Quantitative means in terms of numbers and percentages while non-quantitative term examples can be ranges such as good to bad. Preliminary assessment of level of risk control should be high. Some of the factors that can be evaluated for level of risk control are transaction levels, nature of the organization, completion of complex or unusual transactions, integrity of the management, transactions that do not undergo the normal processing, and unusual pressure on the management.
Evaluating Results of the Evidential Matter
Evidential matter helps in the determination of the correct level of control deficiencies. This information is obtained by doing compliance and control test on some of the procedures and policies in the organization. The tests include inquiring about the appropriate entity personnel, direct observation of application of the controls, and inspection of previous reports and documents. Evidential matter should be obtained for any assessment risk that was below maximum. While obtaining evidence concerning the deficiencies, I would consider the application of internal controls, how they were applied, and who was responsible for their application. Computer assistant evaluation techniques would be used to factor deviations that may have resulted from human error.
Establishing the Wanted Level of Risk Detection
Acceptable level of detection risk is utilized in the determinations of timing, extent, and nature of the audit procedures that will be used to identify deficiencies. These procedures are what were referred as substantive tests in the previous section. For the organization there are a number of factors to consider. These are nature of the substantive procedures, the scope of the substantive procedures, and the timing of the substantive procedures. Changing the extent or order of the above three factors can help in making the substantive tests more effective.
Reporting Control Deficiencies
The above listed procedures will help in the detection of internal control deficiencies. As the deficiencies come to light, they should be examined further to determine their magnitude and extent so as to develop appropriate corrective measures. Reporting of control deficiencies involves capturing, recording, processing, and summarizing the evaluation data. A consensus should be reached on the where the deficiencies lie in the spectrum. Some deficiencies are categorized as inconsequential while others are significant. A deficiency that is very significant is referred to as a material weakness (COSO, 2013).
The report would outline the significance of the deficiencies identified and the chances that a particular deficiency will lead to failures in the detecting faults in the system. This means significance and likelihood are the dimensions that can be used in the reporting of the deficiencies. If a deficiency has even the slightest chance of causing a material error, it is referred to as a material weakness (Hoitash & Johnstone, 2012). Material weaknesses have to be indicated in the report.
Reporting Requirements for Public and Private Organizations
There are regulations that stipulate what needs to be disclosed to the public after the evaluation of internal control. Some of the rules apply to both public and private organizations while others only apply to a particular type of organization. In the event that a material weakness is identified from the evaluation of internal controls, it has to be disclosed in the report to the Board of Directors and to the public in case it is a public company. The disclosed report will include the fact that a material weakness has been identified, a definition of the term “material weakness,” and the action that will be taken or that have been taken by the company to mitigate the deficiency (Goetsch and Davis, 2014).
Reports concerning the internal controls are expected to be reported as of a particular point in time not a span of time. A well thought-out conclusion of the internal control audit has to be made since several changes might have occurred along the way such as correction of material weaknesses identified earlier. Determination of whether an enough period of time has passed includes examining the nature of the control objective, the nature of the correction, and the frequency of performing the control procedures. All this information should be included in the disclosed report.
Conclusion
In conclusion, evaluation of internal control is an essential part in any modern audit. This is because it helps one obtain data that would help in the creation of an opinion concerning the controls. It involves digging into an organization’s internal control to obtain the necessary information rather than seeking it directly from the management. All the information from the evaluations should then be prepared in the form of a report. There are guidelines that stipulate what needs to be disclosed as discussed in the paper above. The procedures and techniques discussed in the paper will be used as the plan for the evaluation of internal controls for the organization. The generated report will be shared with the board of directors and will contain all the necessary information regarding the internal controls.
References
COSO. (2013). Internal control-Integrated framework . Committee of Sponsoring Organizations of the Treadway Commission, American Institute of Certified Public Accountants.
Goetsch, D. L., & Davis, S. B. (2014). Quality management for organizational excellence . Pearson Publishers.
Hoitash, R., Hoitash, U., & Johnstone, K. M. (2012). Internal control material weaknesses and CFO compensation. Contemporary Accounting Research, 29(3), 768-803.