Will Your Private Company’s Internal Controls Pass the Test During Your Next Audit?– October 11, 2019

A solid system of internal controls for any organization translates into more reliable financial reporting and can help companies prevent, detect and correct financial misstatements. In contrast, weak controls can result in costly errors — and even fraud.

And while internal controls are certainly important for publicly traded companies, they may be even more critical for smaller private companies — regardless if they have prepared financial statements or not. These companies are often more susceptible to fraud caused by weak controls, and tend to have less sophisticated internal audit and accounting departments than public companies. As a result, many companies, particularly those required to have an audit of their financial statements, are spending more time assessing and improving their internal controls.

5 Components of Internal Controls and 2 Common Weaknesses

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal controls should be “designed to provide reasonable assurance of the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.”

COSO lists five components of internal controls:

  1. Control environment,
  2. Risk assessment,
  3. Control activities, 
  4. Information and communication, and
  5. Monitoring. 

Companies must continually review and improve internal control performance. For companies with audited financial statements, AICPA standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. Private auditors tailor audit programs for potential risks of material misstatement, but they aren’t required to specifically perform procedures to identify control deficiencies — unless they’re hired to perform a separate internal control study. 

Statement on Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters Identified in an Audit, requires auditors to consider whether controls are sufficient to prevent and detect misstatement, as well as whether they enable management to correct misstatements in a timely manner. Under SAS 115, management letters must identify two types of deficiencies in internal controls unearthed during audit procedures:

1. Material weaknesses. Such shortcomings refer to “a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.”

2. Significant deficiencies. This type of concern is “less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Note that a control deficiency is dependent on the potential for misstatement; misstatement need not actually have occurred.

When classifying deficiencies as material or significant, auditors evaluate the probability and magnitude of the potential misstatement. They also consider “compensating controls,” which are substitute procedures that limit the severity of a deficiency. 

How to Improve Your Internal Controls

If your organization has significant control deficiencies or weaknesses, whether determined by a formal audit or by management review, you must act to reduce the severity. There are many types of controls you can implement to help:

  • Performance reviews — Budget vs. actual, comparing internal data from external sources, reviewing performance by business line
  • Automated controls — Editing checks of input data
  • Reconciliations — Reviewing account, bank and aging reconciliations
  • Management review - Checking the arithmetical accuracy of records, reviewing accounts and trial balances
  • Physical controls — Periodic counting and comparison with amounts shown on control records for cash, fixed assets or inventory
  • Segregation of duties — Assigning different people the responsibilities of authorizing transactions, recording transactions and maintaining custody of assets

To make these new controls effective, you must train employees not only on how to implement them but why it is so important. Subsequently, management must develop an action plan to enforce the new controls. Employees’ understanding and follow-through on these controls, which are embedded in critical daily processes, are key to reducing the likelihood of costly errors and fraud in the future.  

If your organization does not have the internal resources to identify where the organization is most at risk in its internal control structure, you may find it valuable to hire external consultants to provide management with an objective, third party perspective and meaningful recommendations for improvement. If email fraud is a concern for your organization, you may want to consider seeking assistance to implement a security awareness training program.

Contact Tina Dzik at tdzik@cohencpa.com or a member of your service team to discuss this topic further.

Like what you read? Sign up to receive our latest tax, accounting and business blogs and podcasts.

Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.