Accounting and Finance Foundations

Unit 13

Accounting and Finance Foundations Unit 13: Auditing 995

Auditing Student Guide

Lesson 30.3

Chapter 30

The Audit Process—Testing Internal Controls

Internal Controls

The second stage of the audit process involves testing internal controls, but before we get into the details,

let’s back up a minute to discuss what happens before an audit even occurs. For an audit to take place, the

company must develop financial statements, right? And, who is ultimately responsible for preparing those

statements? Company management. To ensure that financial transactions are accounted for correctly and

that they are presented properly in the financial statements, managers are responsible for implementing

accounting processes and internal controls.

Internal controls are policies and procedures that guide daily business operations and help management to

achieve company objectives and goals. More specifically, good internal controls help to ensure:

n    Reliable financial reporting. Internal controls increase the likelihood that information in financial

statements is presented fairly—and in accordance with Generally Accepted Accounting Principles

(GAAP).

n    Efficient and effective operations. Internal controls assist the business to run more efficiently and

effectively.

n    Compliance with applicable laws and regulations. Internal controls help prevent the business or

its employees from doing anything improper or illegal.

Management’s goal in implementing internal controls is to provide reasonable assurance—but not neces-

sarily absolute assurance—that the company is reporting its financial data reliably and fairly, that business

operations are efficient and effective, and that the company is in legal compliance.

Internal controls can be divided into two categories: preventative controls and detective controls. Preventa-

tive controls, as the name implies, help to prevent errors from occurring, while detective controls detect or

find errors after they have occurred. No matter how effective a company’s internal controls are, however,

managers assume that these controls possess inherent limitations. In other words, they will not prevent

or detect every error.

Stage 2: Testing Internal Controls

The Sarbanes-Oxley Act of 2002 requires independent auditors to examine and assess the effectiveness

of public companies’ internal controls. To become knowledgeable about a particular company’s internal

controls, an auditor might study narratives describing the internal controls written by managers or other

employees, flowcharts indicating the roles of different internal controls within business operations, and

internal control questionnaires completed by finance and accounting department staff. Then, after learning

about the company’s internal controls, the auditor tracks a sampling of transactions through the entire

accounting cycle to determine if the different internal controls are effective.

Audit sampling is the process of choosing a representative group of transactions, accounts, or other data

to study. Auditors have a number of options when it comes to audit sampling, including some that are very

systematic and statistical and others that are based more on judgment. Regardless, auditors should use

the methods that they feel will best support their audit findings.