Growing up Strong: Assess Your Company’s Internal Controls
Never miss a thing.
Sign up to receive our insights newsletter.
A stable system of internal controls translates into more reliable financial reporting and can help companies prevent, detect and correct financial misstatements. In contrast, weak controls can result in costly errors — and even fraud.
Internal controls has become a hot button issue in recent years. If your company seems to be putting more hours into evaluating its internal controls, you’re not alone. Many companies have spent more time assessing and improving these systems.
Key elements
Internal controls should be “designed to provide reasonable assurance [of] the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations,” according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Five components of internal controls listed by COSO include:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Companies must regularly review and improve internal control performance. As part of their audit risk assessment procedures, AICPA auditing standards also require external auditors to evaluate their client’s internal controls. Private auditors tailor audit programs for potential material misstatement risks, but they aren’t required to perform control deficiencies identification procedures, unless they’re hired to complete a separate internal control study.
Identify the weaknesses
Auditors are required under Statement on Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters Identified in an Audit to consider whether controls are sufficient enough to prevent and detect misstatements, as well as whether they enable management to correct them in a timely manner. Management letters must identify two types of deficiencies in internal controls if found during audit procedures:
- Material weaknesses. Such shortcomings refer to “a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.”
- Significant deficiencies. This type of concern is “less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Note that a control deficiency is dependent on the potential for misstatement; a misstatement need not have occurred.
SAS 115 gives significant latitude to auditors when it comes classifying internal control weaknesses. Such classification may include lack of segregation of duties, inadequately trained accounting personnel, restated prior period financial statements and material audit adjustments.
Auditors evaluate the potential misstatement’s probability and magnitude when classifying deficiencies as material or significant. Substitute procedures that limit the deficiency’s severity, known as “compensating controls,” are also considered.
SOX compliance for public companies
In addition to SAS 115, Section 404 of the Sarbanes-Oxley Act (SOX) requires a public company’s management to assess its internal control over financial reporting (ICFR). The provision also requires the company’s external auditor to verify the effectiveness of management’s internal controls.
Consulting firm Protiviti conducted a survey and found that approximately half (51%) of the public companies surveyed spent more time checking ICFR last year than they had in the previous fiscal year. Why? The primary reasons are as follows:
- Accounting standard changes (in particular, the new guidance on revenue recognition and reporting leases)
- The use of technology (such as robotic process automation and artificial intelligence) that requires testing of new controls
- Rigorous inspections of controls by the Public Company Accounting Oversight Board (PCAOB)
Among the companies that reported an increase in their Section 404 compliance hours, 59% reported an increase of more than 10% over the prior year. Only 15% of the respondents reported a decrease in compliance hours. The increase in time devoted to complying with Section 404 was more evident among larger companies than small ones.
Need guidance?
Internal controls are equally as important for private companies as they are for public ones. Smaller private companies, in fact, are often less resilient to frauds due to these weak controls — and they often have less-sophisticated internal audit and accounting departments than their public counterparts.
If you need help understanding these recent accounting and tax rule changes, contact a Weaver professional and we can help you improve your existing internal controls system.
© 2019