Every business should take the steps necessary to ensure that its internal controls are functioning effectively and efficiently. It is important to have accountability at every level of a business. Creating a checklist to evaluate internal controls will support the business in this effort. According to Louwers, Ramsay, Sinason and Stawser (2007), an internal control questionnaire aide an auditor in gathering evidence about the control environment and accounting and control procedures checking the system for errors. It will reveal if the business is following established controls. It will also identify weaknesses in the controls allowing the business to bring them into compliance before any material misstatements or audit findings are noted.
There are five components of an internal control system, and there are three phases of evaluation. “Thus, auditors must consider the five components in terms of (1) understanding a client’s financial reporting controls and documenting that understanding, (2) preliminarily assessing the control risk, and (3) testing the controls, re-assessing control risk, and using that assessment to plan the remainder of the audit work” (Louwers, Ramsay, Sinason, & Stawser, 2007, pg. 161). This paper will provide a detailed discussion on the phases of internal control evaluation and a checklist for evaluating controls will follow the discussion. Phase One – Understanding Controls
When evaluating internal controls the first step is to gain and understanding of the controls that the business has in place and how the controls are documented. During this phase the culture of the environment is evaluated. Once the auditor understands the environment and controls, a checklist can be created to evaluate the controls which will simplify the testing that will be performed in Phase Three. The auditor must perform a thorough review of controls in Phase One so that the control environment and risk can be assessed properly. The information gathered by the auditor during Phase One is used in Phase Two and Three to continue the developing of a checklist that is complete, accurate, and thorough. Phase Two – Control Risk Assessment
During Phase Two the auditor is prepared to assess control risk by analyzing the strengths and weaknesses of the controls. “Strengths are specific features of good general and application controls. Weaknesses are the lack of controls in particular areas.” (Louwers, Ramsay, Sinason & Stawser, 2007, pg. 168). In this phase it is imperative that any audit findings be documented properly and placed into the audit files. Substantive tests are performed to address weaknesses to determine if financial information reported is indeed correct regardless to the weakness in the control. If a control fails to be compliant the audit plan must be revised to take the weakness into consideration before audit work can continue. Phase Three – Testing Controls
At Phase Three the auditor is clear on the controls that need to be tested and to what degree. This phase requires observation, inquiry, and documenting. The auditor communicates to the business the risk that has been identified. Suggestions are made to help the business address and correct the identified risk. When this phase has been completed, the controls are reassessed to ensure risk has been reduced or removed. Conclusion
By developing an internal control questionnaire, auditors can evaluate thoroughly the internal control system. The auditor gains an understanding of the controls early, collecting valuable information on how the system is being implemented, and it is being monitored regularly. Strengths and weaknesses of controls are assessed and communicated to the business to reduce the risk of material misstatements in financial reporting. The result of the evaluation is to ensure that the business has an internal control system compliant both internally and externally and does not leave the business vulnerable and exposed to substantial risk.