Unpacking Internal Controls


“Our audit will include obtaining an understanding of the entity’s environment, including internal control.”

Have you ever noticed this line in the audit engagement letter? It’s often overlooked, but encompasses one of the most challenging and misunderstood areas of an audit. The paragraph usually goes on to say that the audit is not designed to provide assurance on internal control or identify deficiencies in internal control, but the auditor will communicate deficiencies if identified. Does anyone really understand what that means?! Let’s unpack these overlooked lines to determine what internal controls really mean to your organization.

Having strong organizational internal controls is vital to any entity’s financial core. Unfortunately, too many companies and organizations are undervaluing the importance of good internal controls and as auditors, we’re seeing the effects: Uninformed governance groups, frustrated organization management, and an open invitation to fraud. Let’s take a closer look at what internal controls are and how they affect an organization:

  • Internal controls over Financial Reporting (Internal Controls): The methods and procedures an organization uses to ensure the accuracy, validity, and reliability of their financial statements. They are the processes and rules in place to ensure financial information is transacted, processed, and reported accurately and timely. 

One misconception about internal controls is that auditors somehow affect the internal controls of an organization. Auditors often identify, test, and report on internal controls, but management is ultimately responsible for the design, implementation, and maintenance of internal controls. Good internal controls means having more than one set of eyes on a transaction or process. It means someone other than the preparer is reviewing and signing off. It means understanding the financial statements. It means checks and balances. For auditors, good internal controls mean fraud prevention.

Another misconception auditors often face is the idea that an audit is meant to fix internal control problems. Unfortunately, that’s just not the case. Auditors will help to identify areas of improvement, but action on the part of management is ultimately what will improve the internal control environment. Management groups need to start asking questions: What’s stopping employees from stealing cash or inventory? What preventative or review measures are in place to stop employees from manipulating financial transactions?

Auditors also focus on access. An accounting clerk may have the responsibility of maintaining the blank checks in his or her desk, but who else could access them? A controller may be the only employee with the accounting software on his or her computer, but who else could access the software? In other words, good internal controls aren’t just the processes and assigned responsibilities in place. Good internal controls are the procedures that catch fraud or errors. For the examples previously mentioned, a good control would be if the accounting clerk locked the drawer with the blank checks and had the only key or if the controller used passwords to the computer and software that are only known to that user. To identify segregation of duties issues, organizations might categorize employee responsibilities related to certain transaction cycles into three categories to help determine weaknesses in internal controls. In the payroll cycle, for example, who has access to the payroll software, who records the payroll, and who reviews the payroll? Internal controls should be reviewed more closely if an employee has responsibilities in two or three categories within the same transaction cycle.

Many auditing textbooks classify control activities into specific activities which can be helpful to organizations analyzing their control environment. Arens, Elder, and Beasley’s Auditing and Assurance Services identifies five specific activities of a strong control environment:

  • Adequate separation of duties
  • Proper authorization of transaction and activities
  • Adequate documents and records
  • Physical control over assets and records
  • Independent checks on performance

Implementing a good internal control environment has numerous benefits to an organization; those with the greatest impact include:

  • More reliable and timely financial information will be provided to management and governance groups.
  • The risk of losses due to waste, abuse, mismanagement, errors and fraud will be reduced.
  • An auditor may be able to reduce the extent of his or her procedures, which leads to time and cost benefits for both the auditor and the organization.

Smaller organizations may struggle with the feasibility of good internal controls due to minimal number of staff available or costs. In these cases, we highly encourage governance – usually the board of directors or equivalent – take an active role in the review and oversight of financial activity and reporting. For governance groups, this means taking the time to frequently review financial information and inquire about unusual or unexpected data.

Unfortunately, good internal controls don’t always mean 100% prevention against fraud or error, which is why auditors must state their purpose related to the assessment of internal controls very clearly. Financial statement auditors, unless otherwise engaged, generally do not opine on internal control over financial reporting. Their assessment is limited to reviewing the design effectiveness of internal control, not the operating effectiveness.  In other words, financial statement auditors are reviewing internal controls to determine if they are suitably designed to prevent error or fraud, not if they actually are preventing error or fraud. This fact emphasizes the need for management and governance groups to continually review and monitor their internal controls to determine areas of improvement. Overall, good internal controls can be the best defense against fraud or errors and will ultimately lead to a stronger and more efficient organization.

At HBE, we understand the unique control environments of our clients. If your organization needs help analyzing your control environment or simply needs a few suggestions on how to strengthen controls already in place, please contact us at 402.423.4343. We’d be glad to help.






By Mikaela Davis, CPA


Submit a Comment

Your email address will not be published. Required fields are marked *