A solid system of internal controls translates into more reliable financial reporting and can help companies prevent, detect and correct financial misstatements. In contrast, weak controls can result in costly errors — and even fraud. Internal controls have become a key area of focus. If your company or organization seems to be putting more hours into evaluating its control systems, it is not alone. Many companies and organizations have spent more time assessing and improving internal controls in recent years.
According to the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), internal controls should be “designed to provide reasonable assurance [of] the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.”
COSO lists five components of internal controls:
Information and communication, and
Companies must continually review and improve internal control performance. The American Institute for Certified Public Accountants’ auditing standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. In response, auditors then tailor audit programs for potential risks of material misstatement, however, they are not required to specifically perform procedures to identify control deficiencies — unless they are hired to perform a separate internal control study.
Statement on Auditing Standards (“SAS”) No. 115, Communicating Internal Control Related Matters Identified in an Audit, requires auditors to consider whether controls are sufficient to prevent and detect misstatement, as well as whether they enable management to correct misstatements in a timely manner. Under SAS 115, management letters must identify two types of deficiencies in internal controls unearthed during audit procedures:
Material weaknesses. Such shortcomings refer to “a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.”
Significant deficiencies. This type of concern is “less severe than a material weakness, yet important enough to merit attention by those charged with governance.” Note that a control deficiency is dependent on the potential for misstatement; not on the fact that a misstatement has been identified or occurred.
SAS 115 permits significant leeway in how auditors classify internal control weaknesses, such as lack of segregation of duties, inadequately trained accounting personnel, restated prior period financial statements, and material audit adjustments.
When classifying deficiencies as material or significant, auditors evaluate the probability and magnitude of the potential misstatement. They also consider “compensating controls,” which are substitute procedures that limit the severity of a deficiency.
Internal controls are just as important for privately held companies as they are for publicly traded ones. In fact, smaller private companies are often less resilient to frauds caused by weak controls — and they also tend to have less-sophisticated internal audit and accounting departments than public companies.
Contact us if you need help identifying ways to improve your existing internal controls system.