Executive Summary
Auditing and internal controls verify that financial information is accurate, complete, and safeguarded. This article covers internal control frameworks, audit types, control objectives, and how to implement effective controls without creating operational burden.
Companies with strong internal controls suffer 70% fewer accounting errors, detect fraud 50% faster, and avoid restated financial statements. Weak controls expose businesses to fraud, error, and regulatory penalties.
By the end, you’ll understand how to design internal controls, work with auditors, and maintain an effective control environment.
Part 1: Internal Control Framework
COSO Framework (Most Common)
COSO = Committee of Sponsoring Organizations
Five components:
1. Control environment:
– Tone at the top (management emphasizes control importance)
– Code of conduct
– Ethical expectations
– Consequence for violations
Why it matters: Without strong tone, controls are compliance theater (ignored)
2. Risk assessment:
– Identify risks to financial accuracy
– Evaluate likelihood and impact
– Design controls to mitigate high-risk areas
Example risks:
– Unauthorized transactions (fraud risk)
– Incomplete recording (accuracy risk)
– Asset theft (safeguarding risk)
3. Control activities:
– Segregation of duties
– Authorization approvals
– Reconciliation procedures
– Physical safeguards
4. Information and communication:
– System records and reports accurately
– Information flows to relevant users
– External communication (financial reporting)
5. Monitoring:
– Ongoing evaluation (monthly reviews)
– Audits (internal or external)
– Feedback mechanism to fix issues
Small Business Practicality
Challenge: Small companies lack resources for full separation of duties
Mitigating controls when segregation not possible:
– Owner review (review all transactions)
– Monthly reconciliation (compare records to reality)
– Surprise audits (CPA spot-checks)
– Vendor confirmation (ask vendors to confirm invoices and balances)
Example: One person writes checks and records payments
– Mitigating control: Owner reviews all checks before payment
– Owner reconciles payments to invoices monthly
– Owner requests vendor confirmation of balances
Part 2: Control Objectives and Design
Existence/Occurrence
Objective: All recorded transactions actually occurred; only real transactions recorded
Risks:
– Fictitious sales
– Duplicate entries
– Reversals not recorded
Controls:
– Invoice required for all revenue (customer evidence)
– Vendor verification (confirm invoice is legitimate)
– Numbering sequence checks (identify gaps/duplicates)
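The numbering sequence check above, as an added example that is not part of the article: it scans a document series (here sales invoice numbers) for unexplained gaps and for numbers recorded more than once. The invoice numbers and the void register are constructed sample data; a gap that appears in the void register is treated as explained, everything else is an exception for the reviewer to follow up.

```python
# Added example (not from the article): numbering sequence check for a document
# series such as sales invoices. Gaps and duplicates are exceptions to follow up,
# not proof of a problem; numbers in the void register are accepted as gaps.
from collections import Counter

# Constructed sample: invoice numbers as they appear in the sales journal.
SALES_JOURNAL = [1001, 1002, 1003, 1003, 1005, 1006, 1008, 1008, 1009]
# Constructed sample: invoices formally voided, so their absence is explained.
VOID_REGISTER = {1007}


def sequence_exceptions(numbers, voided=frozenset()):
    """Return (gaps, duplicates) for a numeric document sequence.

    gaps:       numbers between the lowest and highest seen that never appear
                and are not in the void register (possible unrecorded documents)
    duplicates: {number: count} for numbers recorded more than once
                (possible double recording or re-use of a number)
    """
    if not numbers:
        return [], {}
    counts = Counter(numbers)
    lo, hi = min(numbers), max(numbers)
    gaps = [n for n in range(lo, hi + 1) if n not in counts and n not in voided]
    duplicates = {n: c for n, c in counts.items() if c > 1}
    return gaps, duplicates


def sequence_report(numbers, voided=frozenset()):
    """Human-readable exception list for the reviewer's working papers."""
    if not numbers:
        return ["No entries in sequence"]
    gaps, dups = sequence_exceptions(numbers, voided)
    lines = [f"Sequence {min(numbers)}..{max(numbers)}: {len(numbers)} entries, "
             f"{len(gaps)} unexplained gap(s), {len(dups)} duplicate number(s)"]
    lines += [f"  GAP       {n}" for n in gaps]
    lines += [f"  DUPLICATE {n} (recorded {c} times)" for n, c in sorted(dups.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(sequence_report(SALES_JOURNAL, VOID_REGISTER)))
```

Run against the sample, 1004 is reported as a gap, 1007 is not (it is voided), and 1003 and 1008 are reported as duplicates. The same function works for check numbers, purchase orders or receipt numbers.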
Completeness
Objective: All transactions that occurred are recorded
Risks:
– Unrecorded sales (revenue missing)
– Unrecorded expenses (overstated profit)
– Unrecorded assets (balance sheet incomplete)
Controls:
– Monthly bank reconciliation (catch deposits not recorded)
– Accrual procedures (expenses incurred but not paid still recorded)
– Inventory counts (record items in warehouse)
– Receivables aging (confirm sales recorded)
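The monthly bank reconciliation listed above, as an added example that is not part of the article: ledger cash entries are matched to bank statement lines on amount and date, items the bank shows but the ledger lacks are surfaced as completeness exceptions (for example an unrecorded deposit or bank fee), and items the ledger shows but the bank has not yet cleared are listed as outstanding. The ledger, statement and opening balances are constructed sample data; the seven-day matching window is an assumption.

```python
# Added example (not from the article): a simple bank reconciliation. Entries
# match on exact amount within a date window; whatever is left on either side
# is an exception for the preparer to explain or book.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entry:
    ref: str
    when: date
    amount: float  # positive = money in, negative = money out
    memo: str


# Constructed sample: the cash ledger for March.
LEDGER = [
    Entry("L1", date(2024, 3, 2), 1200.00, "Customer A payment"),
    Entry("L2", date(2024, 3, 5), -450.00, "Check 2041 rent"),
    Entry("L3", date(2024, 3, 9), -80.00, "Check 2042 supplies"),
    Entry("L4", date(2024, 3, 28), -300.00, "Check 2043 utilities"),  # not yet cleared
]
# Constructed sample: the bank statement for March.
STATEMENT = [
    Entry("S1", date(2024, 3, 3), 1200.00, "DEPOSIT"),
    Entry("S2", date(2024, 3, 6), -450.00, "CHECK 2041"),
    Entry("S3", date(2024, 3, 10), -80.00, "CHECK 2042"),
    Entry("S4", date(2024, 3, 15), 975.00, "DEPOSIT"),       # never recorded in the ledger
    Entry("S5", date(2024, 3, 31), -12.00, "SERVICE FEE"),   # bank charge not yet booked
]


def reconcile(ledger, statement, window_days=7):
    """Return (matched pairs, statement items missing from ledger, ledger items not cleared)."""
    unmatched_stmt = list(statement)
    matched, outstanding = [], []
    for entry in ledger:
        hit = next((s for s in unmatched_stmt
                    if abs(s.amount - entry.amount) < 0.005
                    and abs((s.when - entry.when).days) <= window_days), None)
        if hit is None:
            outstanding.append(entry)
        else:
            unmatched_stmt.remove(hit)
            matched.append((entry.ref, hit.ref))
    return matched, unmatched_stmt, outstanding


def reconciled_balances(ledger, statement, opening_book, opening_bank):
    """Adjusted bank balance (bank + uncleared ledger items) should equal
    adjusted book balance (book + unrecorded bank items)."""
    _, unrecorded, outstanding = reconcile(ledger, statement)
    book = opening_book + sum(e.amount for e in ledger)
    bank = opening_bank + sum(e.amount for e in statement)
    adjusted_bank = bank + sum(e.amount for e in outstanding)
    adjusted_book = book + sum(e.amount for e in unrecorded)
    return round(adjusted_bank, 2), round(adjusted_book, 2)


if __name__ == "__main__":
    matched, unrecorded, outstanding = reconcile(LEDGER, STATEMENT)
    print("matched:", matched)
    print("on statement, not in ledger (book these):", [e.ref for e in unrecorded])
    print("in ledger, not yet cleared:", [e.ref for e in outstanding])
    print("adjusted bank / adjusted book:", reconciled_balances(LEDGER, STATEMENT, 5000.0, 5000.0))
```

With both opening balances at 5,000 the two adjusted figures agree at 6,333, which is the reconciliation closing; the 975 deposit and 12 fee are the completeness findings to record.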
Accuracy
Objective: Amounts are recorded correctly
Risks:
– Wrong amount recorded
– Wrong account recorded
– Decimal point errors
Controls:
– Automated calculation (system computes amounts)
– Source document match (recorded amount matches the source invoice)
– Reconciliation to supporting detail (general ledger ties to subsidiary records)
Valuation/Allocation
Objective: Assets recorded at correct value
Risks:
– Inventory obsolescence (recorded at cost but worthless)
– Receivable uncollectibility (recorded at full value, won’t collect)
– Asset impairment (intangibles losing value)
Controls:
– Allowance for doubtful accounts (estimate uncollectible portion)
– Inventory obsolescence review (write down slow-moving items)
– Impairment analysis (test if asset value impaired)
Cut-off
Objective: Transactions recorded in correct period
Risks:
– Sale recorded in wrong year (revenue in current vs. prior)
– Expense in wrong period (next period’s expense recorded in the current period)
Controls:
– Sales cut-off procedures (goods shipped determines timing, not invoice)
– Expense accruals (record at period incurred, not when paid)
– Manual journal entry review (identify unusual period transactions)
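The sales cut-off procedure above, as an added example that is not part of the article: each sale's recorded period is compared with the period its ship date belongs to, since shipment, not the invoice date, determines timing. The sales and the 31 December year end are constructed sample data, and the period function assumes the sample straddles a single year end.

```python
# Added example (not from the article): a sales cut-off test. Revenue belongs to
# the period in which goods shipped, so each sale's recorded period is compared
# with the period of its ship date rather than its invoice date.
from datetime import date

# Constructed sample: fiscal year ends 31 December; "recorded" is the year the
# revenue was booked in the general ledger.
PERIOD_END = date(2024, 12, 31)
SALES = [
    {"inv": "INV-501", "shipped": date(2024, 12, 29), "invoiced": date(2025, 1, 2),   "recorded": 2025},
    {"inv": "INV-502", "shipped": date(2025, 1, 3),   "invoiced": date(2024, 12, 30), "recorded": 2024},
    {"inv": "INV-503", "shipped": date(2024, 12, 20), "invoiced": date(2024, 12, 20), "recorded": 2024},
    {"inv": "INV-504", "shipped": date(2025, 1, 8),   "invoiced": date(2025, 1, 8),   "recorded": 2025},
]


def period_of(d, period_end):
    """Fiscal year a date falls in, for a sample window around one year end."""
    return period_end.year if d <= period_end else period_end.year + 1


def cutoff_exceptions(sales, period_end):
    """Return [(invoice, proper_period, recorded_period, effect)] for sales
    booked in a period other than the one their ship date belongs to."""
    findings = []
    for s in sales:
        proper = period_of(s["shipped"], period_end)
        if proper != s["recorded"]:
            effect = ("revenue pulled forward" if s["recorded"] < proper
                      else "revenue deferred")
            findings.append((s["inv"], proper, s["recorded"], effect))
    return findings


if __name__ == "__main__":
    for inv, proper, recorded, effect in cutoff_exceptions(SALES, PERIOD_END):
        print(f"{inv}: shipped in {proper}, recorded in {recorded} -> {effect}")
```

INV-501 shipped in December but was invoiced and booked in January (revenue deferred out of 2024); INV-502 was invoiced in December but did not ship until January (revenue pulled into 2024). Both are the kind of entry a manual journal entry review around period end should surface.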
Part 3: Types of Audits
External Audits
Financial statement audit:
– Independent CPA audits financial statements
– Opines whether statements fairly present financial position/results
– Scope: Test transactions for accuracy, completeness, authorization
– Required: Public companies; lenders often require
Audit process:
1. Plan (understand business, identify risks)
2. Test controls (verify controls operating effectively)
3. Substantive procedures (sample transactions, test for errors)
4. Review (summarize findings, assess financial statement accuracy)
5. Audit opinion (unqualified = clean; qualified = exception noted)
Audit report output:
– Opinion on financial statements
– Description of audit scope/procedures
– Any material exceptions (misstatements not corrected)
– Management letters (control recommendations)
Internal Audits
Purpose: Continuous oversight (not one-time)
Scope:
– Test controls monthly/quarterly
– Review transactions for compliance
– Assess fraud risk
– Recommend improvements
Advantage vs. external audit:
– Continuous (vs. one-time annual)
– Current (vs. 2-3 months after period end)
– Earlier detection (problems caught sooner)
Implementation:
– Larger companies: Dedicated internal audit department
– Small companies: Outsource to CPA or use management review
Compliance Audits
Purpose: Verify compliance with regulations
Examples:
– SOX compliance (large public companies)
– Industry-specific compliance (financial services, healthcare, etc.)
– Grant compliance (nonprofits receiving government grants)
Part 4: Financial Statement Audit Process
Planning
Understand the business:
– Industry (regulatory environment, typical risks)
– Products/services (how revenue generated)
– Customers (concentration, creditworthiness)
– Operations (facilities, supply chain)
Risk assessment:
– Where are misstatement risks highest?
– Revenue (higher fraud risk)
– Cash (theft risk)
– Estimates (valuation risk)
Materiality determination:
– Materiality: How large a misstatement would affect decisions?
– Typical: 5% of profit; 1% of revenue
– Determines extent of testing needed
Testing Controls
Walkthrough: Trace a single transaction from start to finish
– Sales order → Shipment → Invoice → Cash receipt
– Identify controls at each step
Control testing:
– Is control actually happening? (or just documented?)
– Is control effective? (does it catch errors?)
– Is control timely? (before financial statement preparation?)
Example: Authorization control
– Policy requires manager approval for orders >$5K
– Auditor checks sample of large orders
– Verify approval documented before shipment
– If controls effective: Rely on control; less substantive testing
Substantive Procedures
Revenue testing:
– Sample sales transactions
– Confirm customer existence (send confirmation letter)
– Verify shipment (trace to shipping documents)
– Verify customer paid (trace to cash receipt)
Asset testing:
– Inventory count (observe physical count)
– Receivables confirmation (customer confirms balance)
– Fixed asset existence (observe assets exist)
Liability testing:
– Vendor confirmation (vendor confirms balance owed)
– Accruals cutoff (verify expenses recorded in correct period)
Audit Findings and Communication
Material misstatements: Errors large enough to affect financial statements
– Adjusted before audit opinion
– If not adjusted: Auditor notes in report
Deficiencies in controls: Weaknesses that should be corrected
– Communicated in management letter
– Not in audit opinion but management responsibility to address
Going concern assessment: Is company able to continue operations?
– If substantial doubt: Auditor notes in opinion
– Prompts disclosure and potentially restructuring
Part 5: Fraud Detection and Prevention
Fraud Risk Factors
Opportunity:
– Weak controls (easy to commit fraud without detection)
– Limited monitoring (supervisor doesn’t watch closely)
– Segregation of duties failures (one person can commit and hide)
Incentive:
– Financial pressure (need money urgently)
– Bonus structure (incentive to misstate performance)
– Debt stress (pressure to show ability to repay)
Attitude:
– Justification (I deserve it; company won’t miss it)
– Lack of integrity (willing to bend rules)
– Recklessness (willing to risk consequences)
Common Fraud Schemes
Lapping: Conceal theft of receivables by using later receipts to cover earlier ones
– Steal $5K customer A payment
– Apply customer B payment to customer A account
– Apply customer C payment to customer B account
– Eventually caught when later customer complains
Control: Monthly receivable confirmation with customers
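The lapping scheme and its control, as an added example that is not part of the article: receipts as they actually arrived (bank deposit detail) are joined to the clerk's postings in the receivables ledger, and any receipt that was never posted or was credited to an account other than the payer's is flagged. A second function reproduces the confirmation control by comparing each customer's ledger balance with the balance the customer would confirm. Invoices, remittances and postings are constructed sample data mirroring the three-step sequence above.

```python
# Added example (not from the article): detecting lapping by reconciling what
# arrived against what was posted, and by simulating customer confirmations.
from dataclasses import dataclass


@dataclass(frozen=True)
class Remittance:      # what actually arrived (bank deposit detail / lockbox)
    receipt_id: str
    payer: str
    amount: float


@dataclass(frozen=True)
class Posting:         # what the AR clerk credited in the subsidiary ledger
    receipt_id: str
    account: str
    amount: float


# Constructed sample reproducing the article's sequence: A's $5K is taken,
# B's payment is posted to A, C's payment is posted to B.
OPEN_INVOICES = {"A": 5000.0, "B": 5000.0, "C": 5000.0}
REMITTANCES = [Remittance("R1", "A", 5000.0),
               Remittance("R2", "B", 5000.0),
               Remittance("R3", "C", 5000.0)]
POSTINGS = [Posting("R2", "A", 5000.0),
            Posting("R3", "B", 5000.0)]


def lapping_indicators(remittances, postings):
    """Return (receipt_id, finding, payer, account_credited) for receipts that
    were never posted or were applied to someone other than the payer."""
    posted = {p.receipt_id: p for p in postings}
    findings = []
    for r in remittances:
        p = posted.get(r.receipt_id)
        if p is None:
            findings.append((r.receipt_id, "UNPOSTED", r.payer, None))
        elif p.account != r.payer or abs(p.amount - r.amount) > 0.005:
            findings.append((r.receipt_id, "MISAPPLIED", r.payer, p.account))
    return findings


def confirmation_exceptions(open_invoices, remittances, postings):
    """Ledger balance vs. the balance the customer would confirm; a difference
    is a confirmation exception that needs explaining."""
    ledger = dict(open_invoices)
    for p in postings:
        ledger[p.account] = ledger.get(p.account, 0.0) - p.amount
    customer_view = dict(open_invoices)
    for r in remittances:
        customer_view[r.payer] = customer_view.get(r.payer, 0.0) - r.amount
    return {c: (ledger[c], customer_view[c]) for c in open_invoices
            if abs(ledger[c] - customer_view[c]) > 0.005}


if __name__ == "__main__":
    for f in lapping_indicators(REMITTANCES, POSTINGS):
        print("indicator:", f)
    print("confirmation exceptions (ledger, customer):",
          confirmation_exceptions(OPEN_INVOICES, REMITTANCES, POSTINGS))
```

The receipt-to-posting join catches the scheme at the first misapplied receipt; the confirmation comparison alone only shows customer C with a $5K balance the customer says is paid, which is the "later customer complains" stage the article describes, so the join is the earlier control.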
Ghost employees: Create fictitious employee, issue paychecks
– Employee exists only in payroll system
– Perpetrator cashes checks
Control: Segregate duties (different person approves hires, different person processes payroll, different person authorizes payments)
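The segregation-of-duties control above, and the small-business case in Part 1 where one person writes checks and records payments, as an added example that is not part of the article: duty assignments are checked against a list of conflicting duty pairs, and any conflict is reported together with whether a documented mitigating control covers it. The duty names, assignments, conflict pairs and mitigation register are constructed sample data.

```python
# Added example (not from the article): a segregation-of-duties conflict check
# over user -> duty assignments, with a register of accepted mitigations for
# conflicts a small company cannot avoid.

# Constructed conflict pairs from the payroll cycle described in the article
# plus the check-writing example from Part 1.
CONFLICTS = {
    frozenset({"approve_hire", "process_payroll"}),
    frozenset({"process_payroll", "authorize_payment"}),
    frozenset({"approve_hire", "authorize_payment"}),
    frozenset({"write_checks", "record_payments"}),
}

# Constructed assignments (who currently performs which duty).
ASSIGNMENTS = {
    "alice": {"approve_hire"},
    "bob": {"process_payroll", "authorize_payment"},
    "carol": {"write_checks", "record_payments"},
    "dave": {"record_payments"},
}

# Constructed mitigation register: conflicts management has accepted because a
# compensating control exists, keyed by (user, conflicting pair).
MITIGATIONS = {
    ("carol", frozenset({"write_checks", "record_payments"})):
        "owner reviews all checks before payment; monthly reconciliation to invoices",
}


def sod_violations(assignments, conflicts):
    """Return sorted [(user, (duty_a, duty_b))] for every user holding both
    duties of a conflicting pair."""
    found = []
    for user, duties in assignments.items():
        for pair in conflicts:
            if pair <= duties:
                found.append((user, tuple(sorted(pair))))
    return sorted(found)


def unmitigated_violations(assignments, conflicts, mitigations):
    """Violations with no compensating control on record: these need a
    reassignment or a new control before the next review."""
    return [(user, pair) for user, pair in sod_violations(assignments, conflicts)
            if (user, frozenset(pair)) not in mitigations]


def sod_report(assignments, conflicts, mitigations):
    lines = []
    for user, pair in sod_violations(assignments, conflicts):
        control = mitigations.get((user, frozenset(pair)))
        status = f"mitigated: {control}" if control else "UNMITIGATED"
        lines.append(f"{user}: {pair[0]} + {pair[1]} -> {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(sod_report(ASSIGNMENTS, CONFLICTS, MITIGATIONS)))
```

Bob, who both processes payroll and authorizes payments, is the unmitigated finding; Carol's conflict is reported but shown as covered by the owner-review control, which is the Part 1 pattern for companies too small to separate the duties fully.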
Expense falsification: Submit fake expense reports or invoices
– Claim mileage not driven
– Invoice for goods/services not received
Control: Receipt requirement; supervisor review; vendor confirmation
Part 6: Internal Control Assessment
Control Self-Assessment
Step 1: Document existing controls (list what controls are in place)
Step 2: Test operating effectiveness (is control actually working?)
Step 3: Identify gaps (what risks don’t have controls?)
Step 4: Implement improvements (add controls for high-risk gaps)
Step 5: Monitor (ongoing review to ensure controls maintained)
Control Documentation
What to document:
– Control objective (what risk does it mitigate?)
– Control procedure (what specifically happens?)
– Responsible party (who performs it?)
– Frequency (daily, monthly, etc.?)
– Evidence (how do we verify it happened?)
Example:
| Control | Objective | Procedure | Frequency | Evidence |
|---|---|---|---|---|
| Bank reconciliation | Completeness/accuracy | Match ledger to statement monthly | Monthly | Reconciliation document |
Part 7: Audit Preparation
Before the Audit
Organize documents:
– Banking records (statements, reconciliations)
– General ledger (trial balance, posting)
– Subledgers (AP, AR, payroll)
– Supporting detail (invoices, receipts)
Reconcile accounts:
– Balance sheet accounts to supporting detail
– Fix discrepancies before audit starts
Prepare schedules:
– Depreciation schedule (additions, disposals)
– Loan detail (payment schedule, covenants)
– Investment detail
– Debt schedule
Complete accruals:
– Month-end adjusting entries processed
– Payroll accrued
– Expenses accrued
During the Audit
Designate contact person (one point of contact for auditor questions)
Provide access:
– Bank records
– Subsidiary ledgers
– Supporting documents
– System access (to trace transactions)
Respond promptly (auditor requests need timely responses to keep the audit on schedule)
After the Audit
Review findings:
– Understand any exceptions noted
– Plan corrections
Management letter:
– Control recommendations
– Strengthen weaker areas
– Implement within reasonable timeframe
Conclusion
Auditing and internal controls protect assets, ensure accuracy, and build stakeholder confidence. The COSO framework provides structure (control environment, risk assessment, control activities, information/communication, monitoring). Controls should be designed around specific objectives (existence, completeness, accuracy, valuation, cut-off). External audits provide independent assurance; internal audits provide ongoing oversight.
Effective internal controls:
1. Establish tone at top (management emphasizes control)
2. Segregate duties (no single person controls transaction)
3. Require authorization (approvals before action)
4. Reconcile accounts (monthly verification to reality)
5. Document procedures (clear who does what)
6. Monitor continuously (reviews catch issues early)
7. Work with auditors (external validation of controls)
Companies with strong control environments detect problems faster, prevent fraud more effectively, and maintain stakeholder confidence.