Public organizations are required to evaluate and report on internal controls over financial reporting using a recognized control framework under rules set forth by the Securities and Exchange Commission (SEC). However, private organizations also need checks and balances to verify the accuracy of their financial statements and reduce the risk of fraud. In addition, transparent reporting about the control system can give lenders, investors, and other stakeholders greater confidence in an organization’s financial results.
Develop An Auditor’s Mindset
The American Institute of Certified Public Accountants (AICPA) defines control activities as “steps put in place by the entity to help ensure that the financial transactions are correctly recorded and reported.” AICPA auditing standards also require external auditors to evaluate their client’s internal controls as part of their audit risk assessment procedures. They routinely monitor the following three control features:
1. Physical Restrictions. Employees should have access to only those assets necessary to perform their jobs. Locks and alarms are examples of ways to protect valuable tangible assets, including petty cash, inventory, and equipment. But intangible assets such as customer lists, lease agreements, patents, and financial data also require protection using passwords, access logs, and appropriate legal paperwork.
2. Account Reconciliation. Management should regularly analyze and confirm account balances. For example, bank statements should be reconciled monthly, and inventory should be counted regularly.
Interim financial reports, such as weekly operating scorecards and quarterly financial statements, also keep management informed. However, reports are useful only if management finds time to review them and investigate anomalies. Supervisory oversight takes on many forms, including observation, test counts, inquiry, and task replication.
3. Job Descriptions. Another essential control is to have detailed job descriptions. Organizational policies should also call for job segregation, job duplication, and mandatory vacations. For example, the person who receives customer payments should not also approve write-offs (job segregation). And two signatures should be required for checks above a prescribed dollar amount (job duplication).
Private organization auditors tailor audit programs for potential risks of material misstatement. Still, they aren’t required to specifically perform procedures to identify control deficiencies unless they’re hired to perform a separate internal control study.
Disclosures About The Control System
Audited financial statements may include footnote disclosures that describe the control environment, including policies and procedures for risk management, compliance, and governance. These disclosures help build trust with stakeholders by providing insights into the organization’s control environment and its effectiveness in helping to ensure accurate financial reporting.
Reporting on internal controls is an ongoing process, not a one-time assessment. Even if you’re not required to follow the SEC’s rules on evaluating internal controls, a thorough system of checks and balances will help your organization achieve its goals.
We Can Help
Organization insiders sometimes need more experience or objectivity to assess internal controls. Our auditors can help evaluate whether your controls are effective. Contact us for more information.