The Role of Internal Controls in Statutory Audit/External Auditor Procedures
Objective
Internal controls are the specific accounting and financial control procedures that are established by organizations to provide reasonable assurance that the organizations’ stated objectives will be achieved. These objectives are (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with laws and regulations. These internal controls assist organizations in accomplishing the aforementioned objectives and support the preparation of reliable financial statements.
The internal controls that the organization has designed and implemented when preparing its financial statements have a direct impact on both the nature, timing, and extent of the work that the auditor is required to carry out when conducting their audit in order to form an opinion as to whether the statements are free from material misstatement, as well as having an impact on the auditors’ assessment of the risk that material misstatements may exist in the financial statements.
The theory of internal controls affecting audit procedures revolves around two categories of control: preventative controls and detective controls. Preventative controls are designed to avoid errors or irregularities that could lead to material misstatements in the financial statements occurring. If effective, an auditor will be able to place reliance upon the clients’ assertion that they have strong internal controls, as the key controls can be assessed and tested for effectiveness in reducing the risk of misstatement in a specific account balance or class of transactions. This is beneficial to an external auditor as an assessment that a control is effective will permit the use of a less substantive and more efficient audit procedure. This can lead to cost savings for the audit firm and can result in lower audit fees for the client.
A relevant example of this would be a control to ensure that a client does not make sales to customers who are poor credit risks. Such a control would reduce the risk that sales to the customer may result in account receivable balances that are bad debts. If the internal control can be assessed and tested as being effective, this would result in the auditor placing less reliance upon confirmation of sales transactions and directly confirming with the creditworthy customers that no sales have been made to them. This form of dual confirmation is a more costly and less efficient audit procedure.
2.1. Ensuring accuracy and reliability of financial statements
Internal controls are a series of activities designed to provide reasonable assurance about the achievement of an organization’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with relevant laws and regulations. With reference to ensuring accuracy and reliability of financial reporting, internal controls safeguard an organization’s financial information and ensure it is relevant and reliable for use in financial statement preparation. In order to achieve this objective, safeguarding assets against theft and unauthorized use, and maintaining records in sufficient detail to accurately prepare financial statements are necessary. This ultimately helps the external auditors, as they are required to review the internal controls of the organization in order to determine the reliability and validity of the information on which the financial statement is based. An understanding of internal control is necessary for the auditors to place reliance on the internal controls as part of their substantive audit procedures. This will allow the auditors to reduce detection risk by assessing control risk below maximum and therefore obtaining audit evidence from tests of controls to support their assessed level of control risk. Substantive procedures performed by the auditors contribute towards gaining assurance about the validity of account balances, transaction classes, and disclosures in the financial statements. If internal controls are effective, the auditors may be able to reduce the extent of substantive procedures, as they have greater confidence in the reliability of the financial information. This may take form in a reduction of sample sizes or a lower extent of error projection in an attribute or variable sampling application. Ultimately, an assessment of the internal controls and the types of tests of controls and substantive procedures performed are reflected in the auditors’ opinion on the financial statements. An adverse opinion states that the financial statements do not fairly represent the operations of the company, and the effectiveness of internal controls has a direct impact on the type of opinion issued by the auditors.
2.2. Detecting and preventing fraud and errors
Fraud is a deceptive act that is done by deliberating with a view to secure some unfair or unlawful gain. Fraud involving senior management of the firm might lead to material misstatement in the financial statement in order to cover up the fraud committed. The misstatement may be in forms of overstatement or understatement on the company’s income, assets, expenses, or liabilities. Therefore, sound internal control is very crucial to prevent fraud from happening. There are several internal control objectives that can help to prevent fraud. For example, management is to demonstrate and establish the integrity and ethical values and establish the tone at the top. Then, the risk assessment and the risk of material misstatement on the financial statement due to fraud is to be identified and assessed.
Next, to prevent fraud from happening, there must be full proof of the accountability of the management over their financial reporting. It is known that fraud always happens when no one is directly responsible for the action. Therefore, if the management knows that they are accountable for the financial statement prepared, there is a lesser chance of fraud happening because they know that it will be traced back to them. Then, to have proper segregation of duties. This will minimize the conflict of interest and the temptation to act dishonestly. This is because if one person is controlling both sides of a transaction, he may be able to record it incorrectly for the benefit of the party he represents on the other side. Finally, the internal control system must implement technical and physical controls that are difficult to override. This is because fraud will usually occur when there is weakness in the internal control. Therefore, the internal control must cover the weakness and be tough to override.
2.3. Assessing compliance with laws and regulations
Assessment of compliance with laws and regulations is another point to be remembered. It might be difficult to determine the extent to which a corporation’s operations are in accordance with laws and regulations. To evaluate its compliance, one helpful indicator would be whether each significant transaction and/or account balance has been authorized or whether there’s proper documentation to support it. If it is assumed that legislation and/or regulation provide a positive authentic basis for certain accounting practices, then any departures from the specific accounting practices would be in violation of this legislation and would be deemed as non-compliance. Communication of weaknesses in internal control pertaining to compliance is necessary to those charged with governance and management as they would be required to take remedial action. Because of the inherent limitations of internal control, there is, however, an undetectable rate of non-compliance. It would be unrealistic to expect auditors to provide absolute assurance that all acts of an entity are in accordance with laws and regulations. However, in the New Zealand private sector, there’s now an expectation gap that auditors should be able to detect all illegal acts. This is clarified in the auditing standards by differentiating between illegal acts that have a direct effect on material amounts in the financial statements and those that are inconsequential. Any illegal acts and/or non-compliance discovered by the auditor should be communicated to the appropriate level of management and where it is expected to have a direct or material indirect effect on the financial statements, it should be communicated to those charged with governance.
