A solid system of internal controls translates into more reliable financial reporting and can help companies prevent, detect and correct financial misstatements. In contrast, weak controls can result in costly errors — and even fraud.
Internal controls have become a hot button in the 21st century. If your company seems to be putting more hours into evaluating its control systems, it’s not alone. Many companies have spent more time assessing and improving internal controls in recent years.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal controls should be “designed to provide reasonable assurance [of] the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.”
COSO lists five components of internal controls:
- Control environment,
- Risk assessment,
- Control activities,
- Information and communication, and
Companies must continually review and improve internal control performance. AICPA auditing standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. Private auditors tailor audit programs for potential risks of material misstatement, but they aren’t required to specifically perform procedures to identify control deficiencies — unless they’re hired to perform a separate internal control study.
Statement on Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters Identified in an Audit, requires auditors to consider whether controls are sufficient to prevent and detect misstatement, as well as whether they enable management to correct misstatements in a timely manner. Under SAS 115, management letters must identify two types of deficiencies in internal controls unearthed during audit procedures:
- Material weaknesses. Such shortcomings refer to “a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.”
- Significant deficiencies. This type of concern is “less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Note that a control deficiency is dependent on the potential for misstatement; misstatement need not actually have occurred.
SAS 115 permits significant leeway in how auditors classify internal control weaknesses, such as lack of segregation of duties, inadequately trained accounting personnel, restated prior period financial statements, and material audit adjustments.
When classifying deficiencies as material or significant, auditors evaluate the probability and magnitude of the potential misstatement. They also consider “compensating controls,” which are substitute procedures that limit the severity of a deficiency.
Public company SOX compliance
In addition to SAS 115, Section 404 of the Sarbanes-Oxley Act (SOX) requires a public company’s management to assess its internal control over financial reporting (ICFR). The provision also requires the company’s external auditor to attest to the effectiveness of management’s internal controls.
Last year, roughly half (51%) of the public companies in a survey by consulting firm Protiviti reported spending more time checking ICFR than they had in the previous fiscal year. Why? The main reasons are:
- Accounting standard changes (in particular, the new guidance on revenue recognition and reporting leases),
- The use of technology (such as robotic process automation and artificial intelligence) that requires testing of new controls, and
- Rigorous inspections of controls by the Public Company Accounting Oversight Board (PCAOB).
Among the companies that reported an increase in their Section 404 compliance hours, 59% reported an increase of more than 10% over the prior year. Only 15% of the respondents reported a decrease in compliance hours. The increase in the time devoted to complying with Section 404 was more evident among larger companies than small ones.
Internal controls are just as important for privately held companies as they are for publicly traded ones. In fact, smaller private companies are often less resilient to frauds caused by weak controls — and they also tend to have less-sophisticated internal audit and accounting departments than public companies.
Contact us at firstname.lastname@example.org if you need help understanding the recent changes to the accounting and tax rules. We can also help brainstorm cost-effective ways to improve your existing internal controls system.