A solid system of internal controls for any organization translates into more reliable financial reporting and can help companies prevent, detect and correct financial misstatements. In contrast, weak controls can result in costly errors — and even fraud.
And while internal controls are certainly important for publicly traded companies, they may be even more critical for smaller private companies — regardless if they have prepared financial statements or not. These companies are often more susceptible to fraud caused by weak controls, and tend to have less sophisticated internal audit and accounting departments than public companies. As a result, many companies, particularly those required to have an audit of their financial statements, are spending more time assessing and improving their internal controls.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal controls should be “designed to provide reasonable assurance of the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.”
COSO lists five components of internal controls:
Control environment,
Risk assessment,
Control activities,
Information and communication, and
Monitoring.
Companies must continually review and improve internal control performance. For companies with audited financial statements, AICPA standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. Private auditors tailor audit programs for potential risks of material misstatement, but they aren’t required to specifically perform procedures to identify control deficiencies — unless they’re hired to perform a separate internal control study.
Although under AU-265, Communicating Internal Control Related Matters Identified in an Audit, the auditor is required to communicate to those charged with governance and management any deficiencies in internal control the auditor has identified during the audit and that, in the auditor's professional judgment, are of sufficient importance to merit attention. If the auditor has identified one or more deficiencies in internal control, the auditor should evaluate each deficiency to determine, on the basis of the audit work performed, whether, individually or in combination, the deficiencies constitute a material weakness or a significant deficiency. Each type of deficiency is defined below:
1. Material Weaknesses. Such shortcomings refer to “a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.”
2. Significant Deficiencies. This type of concern is “less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Note that a control deficiency is dependent on the potential for misstatement; misstatement need not actually have occurred.
When classifying deficiencies as material weaknesses or significant deficiencies, auditors evaluate the probability and magnitude of the potential misstatement. They also consider “compensating controls,” which are substitute procedures that limit the severity of a deficiency.
If your organization has control deficiencies, whether determined by a formal audit or by management review, you must act to reduce the severity. There are many types of controls you can implement to help:
Performance Reviews — Budget vs. actual, comparing internal data from external sources, reviewing performance by business line
Automated Controls — Editing checks of input data
Reconciliations — Reviewing account, bank and aging reconciliations
Management Review - Checking the arithmetical accuracy of records, reviewing accounts, journal entries and trial balances
Physical Controls — Periodic counting and comparison with amounts shown on control records for cash, fixed assets or inventory
Segregation of Duties — Assigning different people the responsibilities of authorizing transactions, recording transactions and maintaining custody of assets
To implement any new controls effectively, you must train employees not only on how to implement them but also why they are important. Subsequently, management must develop an action plan to enforce the new controls and formally sign off on any documents or accounts they review to ensure they are setting the appropriate tone at the top. Employees’ understanding and follow-through on these controls, which are embedded in critical daily processes, are key to reducing the likelihood of costly errors and fraud in the future.
If your organization does not have the internal resources to identify where the organization is most at risk in its internal control structure, working with third-party advisers to provide management with an objective perspective and meaningful recommendations for improvement may help.
Contact Tina Dzik at tdzik@cohencpa.com or a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.