As part of the year-end statutory audit of the financial statements for a company, the external auditors will often seek to adopt a controls-based approach to their audit, but only when it can be satisfactorily concluded that they are able to place reliance on the internal control environment. The benefit of an organisation having sound internal controls is that the transactional data which makes its way onto their accounts should be complete, accurate and valid, as per the underlying objectives of the associated controls.
If the external auditors can evidence that a company’s controls are designed effectively and meet their intended objectives, and that they are also operating as expected, then they already have a degree of comfort over the validity of the data. This means they are able to reduce the amount of financial audit work that otherwise would have been necessary to provide an opinion on the financial statements.
This approach has significant advantages for the auditee as it reduces the amount of required substantive testing, which includes effort intensive detailed procedures such as:
- Physically inspecting or observing assets (e.g. inventory, equipment etc.)
- Examining records to support balances and transactions
- Obtaining confirmation from 3rd parties (e.g. banks, customers, suppliers etc.)
- Checking calculations
This reduction in substantive testing means less work required by the auditors, as well as less time commitment for the auditee themselves. Overall this can have a positive impact on the overall time and cost associated with the year-end audit.
All too often however the auditors are not able to adopt a controls-based approach, as their testing of identifies significant control-related issues which means they can’t place the necessary reliance on them. As a result, the benefits associated with a controls-based approach are never realised. However, this can be easily rectified if companies implement a few simple measures:
- A periodic review of applicable business risks ensures that an organization has ongoing transparency and understanding of all those key risks which need to be mitigated, allowing them to identify necessary internal control requirements. This periodic review should be broken down into functional areas and include process owners and other key stakeholders;
- Perform regular control gap analyses to evaluate whether a company has controls in place to mitigate those risks identified as part of the periodic risk review, and the output of such reviews should be formally documented and maintained in a Risk and Control Matrix; and
- A periodic controls assurance program should be established whereby nominated control owners perform controls testing and/or assessments to conclude on the design and operating effectiveness of their controls. It’s much more desirable to be aware of, and remediate, control-related issues during the course of the year as they happen, rather than wait for problems to be identified by the auditors during year-end, which could ultimately affect their audit approach.