Why is it important for the auditor to obtain an understanding of the clients internal control?

Why do auditors ask so many questions about their clients’ internal controls? Assessing internal controls is part of today’s auditing requirements. It helps identify risk factors — but the requirements can sometimes be unclear. 

The American Institute of Certified Public Accountants (AICPA) uses Technical Questions and Answers (Q&A) to address inquiries from members seeking guidance on certain technical issues. Here’s a set of five common questions, along with answers that the AICPA issued on April 27 to help clarify an auditor’s responsibility for assessing a client’s internal controls.

Are auditors required to obtain an understanding of business processes relevant to financial reporting in every audit engagement?

Yes, the auditing standards require an auditor to understand a client’s information system, including the related business processes and communication relevant to financial reporting. The AICPA reminds auditors that it’s important to distinguish between business processes and control activities. Business processes are the activities designed to:

• Develop, purchase, produce, sell and distribute an entity’s products and services,
• Ensure compliance with laws and regulations, and
• Record information, including accounting and financial reporting information.

The AICPA defines control activities as “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no “cookie cutter” approaches when it comes to understanding business processes and control activities; rather, the requirements differ from audit to audit.

Does an auditor’s understanding of internal controls encompass more than control activities?

Yes, an auditor must understand each component of the client’s financial reporting controls. This includes the control environment, risk assessment process, information system, control activities that relate to the audit, and the client’s monitoring of the controls. (See “Close-up on internal controls.”)

Should the auditor evaluate the design of controls and determine whether they’ve been implemented every year?

Yes, each year auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures — such as observations, inspection or tracing transactions through the information system — to obtain an understanding of controls relevant to the audit. The appropriate procedures are a matter of the auditor’s professional judgment.

For existing clients, an auditor may leverage information obtained from his or her previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, the auditor should determine whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.

Which control activities are considered relevant in every audit?

Auditors are specifically expected to understand controls that address “significant” risks. These are identified and assessed for risks of material misstatement that, in the auditor’s professional judgment, require special audit consideration. Examples include control activities 1) relevant to the risk of fraud or 2) over journal entries (such as nonrecurring, unusual transactions or adjustments).

Which relevant control activities may vary from audit to audit?

Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity and nature of operations. The AICPA advises auditors to consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.  

© 2017

By Indeed Editorial Team

Updated March 17, 2021 | Published February 8, 2021

Updated March 17, 2021

Published February 8, 2021

The Indeed Editorial Team comprises a diverse and talented team of writers, researchers and subject matter experts equipped with Indeed's data and insights to deliver useful tips to help guide your career journey.

A company establishes internal controls as a measure against wrongdoing and as a tool to protect the company's interests. Internal controls ensure a company complies with federal and state laws and regulations in the management of financial data. Strong internal controls can improve operational efficiency and ensure accurate financial reporting during internal or external audits. In this article, we explain the benefits of internal controls and provide you with 12 reasons why they are important to your business.

What are internal controls?

Internal controls are procedures and processes put into place by a company to prevent fraud, promote accountability and ensure the integrity of financial data. Internal controls are unique to every company and designed according to the company's size and structure. Effective and efficient internal controls aim to meet company objectives and protect the company's interests. Internal controls not only address risks to the company but also reduce incurrences of unnecessary cost or effort.

The core purposes of internal controls are to:

• Explain the process in which internal controls are carried out

• Identify risks

• Mitigate risks

• Control the sharing of information

• Evaluate effectiveness of internal controls

What are the benefits of internal controls?

Internal controls provide cohesion and consistency to establish order and protocol within a business. Business owners establish protocols and set boundaries around how the procedure is followed and regularly review controls for efficacy and accuracy. An established internal control process outlines how the company handles financial transactions as well as the assignment of administrative and management tasks. When protocol and procedure are clear, employees understand what is expected of them and how to complete day-to-day tasks.

Related: Internal Controls: Definition, Advantages, Disadvantages and Examples

12 reasons internal controls are important

Here are 12 reasons internal controls are important to protect your business, clients and assets.

1. It establishes the processes

Internal controls outline employee protocol and procedures so employees aren't left guessing how to perform their job duties or which procedure to follow. Changes to internal controls are reported to employees so they are promptly informed of changes to improve efficiency and reduce errors. Internal controls are stringently documented to improve employee understanding and compliance of protocols which can increase productivity and boost morale.

Example: The Lighting Co. publishes an annual update of its employee handbook and documents who receives and reviews the handbook. The company schedules departmental meetings to answer questions about changes and review new procedures.

2. It improves process performance

As processes are implemented, the continuous monitoring of their effectiveness helps management make decisions about whether the process is working or if it needs additional attention. When processes are improved, so is the accuracy of financial reporting which management may rely on to make informed business decisions or judgments.

Example: In 2020, The Lighting Co.'s revenue was down by 30% because of a reduction of in-store traffic. Management decides to focus on the company's website to increase web traffic and boost online sales.

3. It improves operational efficiency

Internal controls can improve the efficiency of operations by removing unnecessary or duplicate steps in a procedure or process. This might include automation of manual controls or combining functions cost-effectively. Improved operational efficiency allows management to receive timely information to verify current operations are meeting the company's objectives.

Example: The Lighting Co. has maintained several email addresses monitored by different employees to communicate with customers, vendors and address social media requests. After reporting a reduction in email subscriptions, the company decides to combine customer emails and social media to the same inbox with one employee handling both.

4. It keeps duties separated

Internal controls ensure the separation of duties to avoid conflicts of interest and reduce the chances of financial mismanagement. Separating duties establishes a system of checks and balances so no one person has access to every piece of information.

Example: Janet works in accounts receivable and has access to the financial transactions of clients. Internal controls dictate that Janet cannot also handle accounts payable so that the sharing of information is controlled and the risk for fraud is reduced.

5. It mitigates business risk

One function of internal controls is to limit the company's losses due to misappropriated or mishandled funds by employees or management. Internal controls reduce loss by identifying fraud or financial loss through theft or other illegal means. This may include controlling the reconciliation of bank statements as well as conducting internal audits to safeguard inventory and assets. Some internal controls may require the approval of vendors or employees before work begins.

Example: The Lighting Co. contracts with the local government to provide light fixtures to city government buildings or structures. Internal controls require employees and vendors to pass background checks before they can work on government projects.

6. It organizes information

Organized data means the company is prepared in the event of litigation or external audit. Internal controls protect company and client interests by creating systems to file client data or documents, or by implementing restrictions such as requiring passwords to access data. Organizing information improves efficiency by ensuring financial data is secure yet accessible.

Related: 8 Common Internal Audit Interview Questions

7. It produces timely financial statements

Timely financial statements not only aid management in making decisions about the company's future, but also protect stakeholders and the company's reputation. Regular financial statements help identify and correct small errors before they become bigger problems while building trust in the company and proving its transparency.

8. It reduces errors

Internal controls help in the reduction of errors by defining protocols and procedures to reduce employee mistakes and make improvements as needed. The company reduces income losses and marks on its reputation by effectively training employees to reduce errors or misunderstandings. Internal controls such as employee training may begin with an orientation and continue with ongoing training programs such as learning a new computer system or work process.

9. It improves accountability

With internal controls that designate roles, key members are responsible for monitoring and reporting throughout the year so errors are identified and improvements implemented promptly. Accountability is achieved when clear protocols as to how data is transmitted, recorded, shared and reported are outlined. Improved accountability means the company stays in compliance with regulatory and statutory filing requirements.

Related: What Is a Financial Controller?

10. It stabilizes operations

When protocols for company operation are in place, the business is better able to meet company objectives. Management has better control of how the company is operating and whether or not it is following procedures. A stable operation defines employee roles, manages information effectively and has detailed processes in place to identify issues and make improvements.

Example: The Lighting Co.'s annual report shows that protocols are not being followed for employee time-off requests. The company analyzes the data to determine if the procedure is obsolete, whether steps can be removed or combined or how to implement a new process to ensure protocol is followed while remaining fair to the employees.

11. It reduces audit fees

Established internal controls may reduce external audit fees by providing a clear structure of how internal controls are implemented and their result. Clearly mandated internal controls reduce the need for revisions or an entire internal controls rebuild following an external audit and review.

12. It recognizes the Sarbanes-Oxley Act

The Sarbanes-Oxley Act was established for accountability purposes and to maintain internal controls for financial reporting. The act is a federal law that protects investors and ensures corporations provide accurate and reliable financial disclosures. Public companies large and small are required to include details of their internal controls and file an annual report. By following the Sarbanes-Oxley Act, companies raise confidence with investors and prove the company's integrity in its management of financial data.