Internal controls are designed to protect an organization from fraud, loss of assets, compliance failures, and other obstacles to overall business objectives. After the time, money, and effort you spent implementing a system of internal controls, you certainly don’t want that system to fail.

The best way to assess the effectiveness of internal controls is through internal audit control testing.

What Is Internal Audit Control Testing?

Internal audit control testing aims to improve operations, financial reporting, and compliance by evaluating the effectiveness of the internal control system. An auditor uses a series of assessment techniques to gather a complete understanding of control procedures.

For example, using a risk-based approach to audit testing, an auditor can focus on areas where risk is more likely to occur, identify areas of concern or weakness, and make recommendations to improve the internal controls. This exercise ensures that the organization can reap the full benefits of internal controls.

Let’s look at the fundamentals necessary for a successful auditing process.

What Are the Advantages of an Internal Control System?

Some advantages of internal controls are:

  • Only a few trusted senior-level workers have the ability to modify internal controls. It’s easier to keep track of and guard against abnormalities when fewer people are involved.
  • Well-designed and executed internal controls increase efficiency by making transactions transparent to anyone who looks.
  • When internal controls balance transparency and promote efficiency, they protect employees from accusations of irregularities or misappropriation of funds.
  • Internal controls make the organization process-driven rather than people-driven, reducing the risk of too much dependence on specific key employees.
  • Internal controls can identify redundancies in operating and compliance procedures, giving you the opportunity to simplify operations.
  • Internal controls can be an early warning system, enabling early identification and correction of deficiencies (that is, before external, regulatory, or compliance audits).

What Are the Five Steps to an Audit?

Auditors can vary their overall audit approach, but the fundamental structure of the audit process remains the same. There are five stages necessary for a successful internal audit.

Stage 1: Selection

During the selection phase, the overall objective and scope of the audit are determined. After conducting a risk assessment, specific audit activities are outlined and approved by an audit committee.

Stage 2: Planning

The auditor meets with management, department heads, or supervisors to discuss the scope of audit procedures, relay audit timelines, and gather all necessary background information, including findings from prior audits.

Stage 3: Fieldwork

Also called the execution phase, fieldwork is the physical on-site audit work. The auditor may:

  • Investigate the overall control environment;
  • Interview random employees and managers;
  • Review financial information;
  • Inspect legal documents;
  • Review policies and procedures manuals;
  • Examine information technology systems;
  • Perform walkthroughs of certain business processes;
  • Distribute surveys regarding control activity requirements for specific job duties;
  • Perform tests of controls (we discuss the specific procedures used to perform tests of controls in the next section).

Throughout the entire phase, the auditor communicates with management to relay preliminary findings.

Stage 4: Reporting

The auditor compiles all observations and findings, including recommendations of methods to improve the operating effectiveness of controls. Management reviews the conclusions and is asked to respond to requests in an action plan. These responses are included in the final audit report.

Stage 5: Follow-Up

Within a year of issuing the final audit report, the auditor conducts a follow-up audit to determine progress made on the action plan. If necessary, additional internal audit control testing is completed.

How Is Internal Audit Control Testing Done?

Following generally accepted auditing standards (GAAS), an auditor evaluates an organization’s control procedures. As a result of the Sarbanes-Oxley Act (SOX) in the United States, internal controls over financial reporting receive significant attention during internal audit control testing.

The auditor collects sufficient audit evidence to conclude whether an organization’s financial statements are free of material misstatements. Then, to substantiate that assertion, the auditor conducts a test of controls.

The Four Categories for Test of Controls

To verify operational efficiency and effectiveness of internal control processes, an auditor uses a variety of testing methods:

  1. Inquiry. Ask staff to describe verbally how a control activity is performed.
  2. Observation. Observe a control procedure as it is physically performed.
  3. Inspection. Examine documents as physical evidence that a control procedure was performed.
  4. Re-performance. The auditor initiates a transaction and re-performs the specific steps of the control activity to judge the effectiveness of the control.

If audit evidence leads the auditor to believe there are possible risks of material misstatement in the organization’s financial statements, the auditor may increase the sample size and employ tests of details to verify the reliability of financial reporting. When errors are discovered in an audit, the auditor will issue findings that require corrective action.

What Are the Six Principles of Internal Control?

These principles are the basis that management uses to create and implement the internal controls it establishes. In other words, they are the critical components of an effective internal control system. Leadership must apply these concepts to their particular business.

Establishment of Responsibility

Assigning authority and responsibility is essential to driving accountability. A clearly defined organizational structure helps stakeholders understand who leads each team and illustrates an escalation path.

Segregation of Duties

Segregation of duties (“SoD”) sets out clearly defined responsibilities and limits of authority. It provides checks and balances to catch errors and ensures that no single person has too much power to perpetrate fraud. For instance, responsibility for maintaining an asset’s records in the accounting system should be separate from the physical custody of the asset.

Physical Control

Physical control refers to safeguarding assets and improving the accuracy of records. It is a preventive control that attempts to deter or prevent undesirable events such as theft or damage.

Documentation Procedures

Control systems should require that employees promptly submit source documents for accounting entries to the accounting department. This control measure helps to ensure the timely recording of transactions.

Independent Internal Verification

Companies should verify records on a regular or ad hoc basis. An employee who is not part of the team in charge of the data should double-check them. An outside eye provides objectivity and reduces bias. Exceptions and discrepancies should be reported to a level of management that can take corrective action.

Human Resource Control

Human resources policies and procedures inform the employees about expected integrity, ethical behavior, and competence. Human resource policies also drive other internal controls such as rotating employee duties, requiring employees to use vacation time, and conducting thorough background checks.

Integrate ZenGRC in Your Internal Controls Plan

Overall, internal audit control testing is a form of risk management. When internal auditors help find and correct weaknesses in an internal control system, an organization is better for it.

Of course, even a solid auditing process is subject to human error. ZenGRC software streamlines the internal audit control testing process by keeping tabs on issues and flagging potential control risks.

With all of your information housed in a single cloud-based space, you can manage and automate your controls effectively and efficiently, leaving your employees more time to move your company forward. ZenGRC also offers easy reporting, making external and internal audits less painful.

Schedule a demo today to learn more about how ZenGRC can help your business with internal controls.
