What Are Audit Controls in a Financial Audit?
Learn how internal controls function as the backbone of financial reporting integrity and how auditors assess their design and effectiveness during an audit.
A financial audit is an independent examination of an entity’s financial statements to provide an opinion on their fairness and accuracy. This process involves the auditor’s evaluation of the company’s internal controls, which are the policies and procedures a company puts in place to manage risk, ensure the integrity of financial information, and maintain compliance with regulations.
An auditor’s understanding of these controls is a preliminary step in planning the audit itself. The strength of a company’s internal control system directly influences the nature, timing, and extent of the audit procedures performed. A company with well-designed and consistently operated controls may require less intensive testing. Conversely, if controls are found to be weak, the auditor must expand their testing to gain comfort over the financial figures.
A primary objective of internal controls is to ensure the reliability of financial reporting. These controls are designed to make certain that financial data is recorded accurately, transactions are complete, and the resulting financial statements are presented fairly. For instance, a procedure requiring a three-way match between a vendor invoice, purchase order, and receiving report before payment ensures the company only pays for goods and services it received. This supports the accuracy of reported expenses and liabilities.
Another objective is to promote operational effectiveness and efficiency. These controls help the business run smoothly and avoid waste through procedures like production quality checks, performance reviews, and budgetary controls that prevent unnecessary expenditures. By preventing the inefficient use of resources, these controls contribute to the company’s financial health.
Internal controls are also established to safeguard a company’s assets from theft, damage, or misuse. This objective covers both physical assets, like inventory and equipment, and intangible assets, such as intellectual property and sensitive data. Controls in this area include physical security measures like locked warehouses, password protections for computer systems, and firewalls.
A system of internal controls is also designed to ensure compliance with applicable laws and regulations. Companies operate under many legal and industry-specific requirements, and controls help ensure adherence. This can involve procedures to correctly calculate and remit payroll taxes, comply with environmental regulations, or handle customer data according to privacy laws, helping the company avoid fines and penalties.
Controls are often categorized by function, with preventative controls being a primary type. These are proactive measures designed to stop errors or fraudulent activities from occurring. Examples include the segregation of duties, where different individuals are responsible for related tasks to minimize opportunities for misappropriation. Other preventative controls include requiring pre-approval for expenditures and enforcing strong password policies.
Detective controls are designed to find errors or irregularities after they have occurred. An example is a monthly bank reconciliation, where a company’s cash records are compared to the bank’s records to identify discrepancies. Other detective controls include physical inventory counts and management reviews of budget-to-actual variance reports.
Corrective controls are actions taken to remedy problems identified by detective controls, fix the issue, and prevent its recurrence. If a bank reconciliation uncovers an error, the corrective control is the process of investigating the discrepancy and making the necessary adjusting journal entry. This might also involve updating training manuals or implementing new procedures to address the problem’s root cause.
Information Technology General Controls (ITGCs) relate to the overall IT environment and support the functioning of all business applications. These controls provide a reliable operating environment and include logical access controls to restrict user access to systems, system development life cycle controls, and program change management controls to ensure software changes are properly authorized and tested.
Application controls are automated or manual procedures that apply to processing individual transactions within a specific software application. They are designed to ensure the completeness and accuracy of transaction processing. For example, an application control might prevent payment of a duplicate invoice or automatically check a customer’s credit limit before accepting an order.
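As an added illustration (not code from the original article), the Python below shows how an accounts-payable application might enforce three of the controls described above as one automated gate before payment: the three-way match, the duplicate-invoice check, and segregation of duties. The record layout, field names, and sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Invoice:
    vendor: str
    number: str
    po_number: str
    quantity: int
    amount: Decimal
    entered_by: str

# Constructed sample records: purchase orders and receiving reports keyed by PO number.
PURCHASE_ORDERS = {"PO-1001": {"vendor": "Acme", "quantity": 10, "unit_price": Decimal("25.00")}}
RECEIVING_REPORTS = {"PO-1001": {"quantity_received": 10}}

def normalize(number: str) -> str:
    """Collapse case, spaces and dashes so 'inv 77' and 'INV-77' count as one invoice."""
    return "".join(ch for ch in number.upper() if ch.isalnum())

def check_payment(invoice: Invoice, approver: str, paid_keys: set) -> list:
    """Return the list of control failures; an empty list means payment may be released."""
    failures = []
    key = (invoice.vendor.upper(), normalize(invoice.number))
    if key in paid_keys:  # application control: block duplicate invoices
        failures.append("duplicate invoice")
    po = PURCHASE_ORDERS.get(invoice.po_number)
    receipt = RECEIVING_REPORTS.get(invoice.po_number)
    if po is None or receipt is None:  # three-way match needs all three documents
        failures.append("missing purchase order or receiving report")
    else:
        if po["vendor"] != invoice.vendor:
            failures.append("vendor does not match purchase order")
        if invoice.quantity > min(po["quantity"], receipt["quantity_received"]):
            failures.append("invoiced quantity exceeds goods ordered and received")
        if invoice.amount != invoice.quantity * po["unit_price"]:
            failures.append("invoice amount does not match purchase order price")
    if approver == invoice.entered_by:  # preventative control: segregation of duties
        failures.append("segregation of duties: approver also entered the invoice")
    if not failures:
        paid_keys.add(key)  # record the invoice only once it has been cleared for payment
    return failures
```

An auditor testing this control's operating effectiveness would feed it sampled transactions and confirm that each failure condition actually blocks payment.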
The auditor’s evaluation begins with understanding the design of controls for significant business processes. This is accomplished by inquiring of company personnel, observing controls in operation, and inspecting documents like process manuals and organizational charts.
A procedure in this phase is the “walkthrough,” where the auditor traces a single transaction from its initiation to its recording in the financial statements. For example, an auditor might follow a sales transaction from the customer order, through credit approval and shipment, to invoicing and cash collection. This confirms the auditor’s understanding of the process and its associated controls.
Once the auditor understands the design of the controls, they assess whether those controls can effectively prevent or detect and correct material misstatements. This involves a professional judgment about the control’s ability to meet its objective. An auditor might conclude that a designed control is ineffective if a required review is assigned to an individual who lacks the expertise to identify a problem.
If the auditor determines the control is well-designed and plans to rely on it, they must then test its operating effectiveness. This phase answers the question: “Is the control actually working as intended?” Auditors use several methods to test this, including inquiry of employees about how a control is performed and then observing them perform it.
For more robust evidence, auditors inspect relevant documentation, such as looking for a manager’s signature of approval on an expense report. Another method is re-performance, where the auditor independently executes the control procedure, such as re-performing a portion of the company’s bank reconciliation. Since it is impractical to test every instance of a control, auditors use sampling to select a representative number of transactions to test.
When an auditor identifies issues with internal controls, they assess the severity of the finding according to a hierarchy. The least severe finding is a control deficiency. This exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis.
A more serious issue is a significant deficiency. This is a control deficiency, or a combination of them, that is important enough to merit the attention of those charged with governance, such as the audit committee. An example is a lack of adequate segregation of duties in a financial reporting area.
The most severe classification is a material weakness. This is a deficiency, or combination of deficiencies, where there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.
The auditor must communicate these deficiencies to the appropriate parties. All control deficiencies are reported in writing to the company’s management, which allows them the opportunity to correct the issues.
The auditor must communicate all significant deficiencies and material weaknesses in writing to both management and the audit committee. This formal communication ensures that those responsible for overseeing the company’s financial reporting are made aware of control issues that could impact the financial statements. This reporting is a standard part of the audit process.