Auditors often fail to capture and communicate internal control weaknesses, but doing so is sometimes required by audit standards. Additionally, your client’s awareness of control weaknesses allows them to improve their accounting system. The result: prevention of future fraud and errors. In this article, I’ll show you how to capture and communicate internal control deficiencies. By doing so, you’ll add value to your audit services and you’ll help your client protect their business.
You are concluding another audit, and it’s time to consider whether you will issue a letter communicating internal control deficiencies. A month ago you noticed some control issues in accounts payable, but presently you’re not sure how to describe them. You hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks you’re done. But you know that boiler-plate language will not clearly communicate the weakness nor tell the client how to fix the problem. Now you’re kicking yourself for not taking more time to document the control weakness (back when you did the initial walkthrough).
Here’s a post to help you capture and document internal control issues as you audit.
Today, we’ll take a look at the following control weakness objectives:
As we begin, let’s define three types of weaknesses:
As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:
Now let’s take a look at discovering, capturing, and communicating control weaknesses.
Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:
You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).
Are accounting duties appropriately segregated with regard to:
Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).
Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”
I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:
The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.
Such a statement tells the client what the problem is, where it is, and the potential damage.
While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.
Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.
If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.
If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:
My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.
While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:
While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.
When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.
When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management.
Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.
Now let’s discuss how to capture control weaknesses.
So, how do you capture the control deficiencies?
First, and most importantly, document internal control deficiencies as you see them.
Why should you document control weaknesses when you initially see them?
Second, create a standard form (if you don’t already have one) to capture control weaknesses.
What should be in the internal control form? At a minimum include the following:
After capturing the weaknesses, it’s time to communicate them.
Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.
Provide a draft of any written communications to management before issuing your final letter. That way if something is incorrect you can make it right (before it’s too late). And you’ll want to have verbal communications earlier (e.g., when you discover the control weakness); you don’t want the client to see a deficiency for the first time in the internal control letter.
The main points in capturing and communicating internal control deficiencies are:
These communications can be somewhat challenging since you’re telling management they need to make improvements. So make sure all information is correct and let your senior personnel do the communicating.
Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.