For publicly traded companies, the Sarbanes-Oxley Act of 2002 requires an audit of internal controls. The purpose of an internal control evaluation is to evaluate risk, which offers auditors a basis for audit planning and provides useful information to management (“Sox Law”, 2006). Auditors typically use the five basic components of internal control to approve the entire system. According to Louwers, Ramsay, Sinason, and Strawser (2007) the five components to internal controls include control environment, risk assessment, control activities, monitoring, and information and communication. Control environment involves the tone of the organization and includes “the integrity, ethical values, and competence of the company’s people” (Louwers, Ramsay, Sinason, & Strawser, 2007). Risk assessment involves a thorough assessment which “identify(s) risks, estimate their significance and likelihood, and consider how to manage the risks” (Louwers, Ramsay, Sinason, & Strawser, 2007).
Control activities involve specific actions which help ensure that management’s goals and projections are met. Monitoring involves the continuous assessment of internal controls. Information and communication relates to the efficiency and reliability of information and communication regarding how the information is presented and communicated to users. Internal controls protect the financial information and operations of a business. The development and implementation of these controls are typically the responsibility of the business owners. Internal or external audits may be used to gauge the efficiency of internal controls. This audit generally takes place following a standard process of risk measurement regarding the business operations and financial information. The measurement data is most effectively determined by using an internal control checklist.
Phase One: Understand and Document the Client’s Internal Control Obtaining an Understanding
Control Environment Evaluation
Risk Assessment Evaluation
Information and Communication Assessment
Phase Two: Assess the Control Risk
Phase Three: Test Controls and Review Control Risk
Direction of the Test of Controls
Reassess the Control Risk