Risk management is an essential part of any company’s operations. The need for this process has increased due to the changes in the business world. Most companies now have many complex systems, which also increases their risks. Therefore, companies must have a robust risk management process to mitigate any risks.

One area associated with risk management is internal controls. Many companies have increased their reliance on internal controls to detect and prevent risks. These controls can be highly effective in doing so. However, they may also fail sometimes due to deficiencies. For auditors, it is crucial to evaluate the control deficiencies of a company. First, however, it is necessary to understand what internal control deficiencies are.

What are Internal Control Deficiencies?

Internal controls represent the policies and procedures that companies employ to mitigate risks. These controls also exist to improve a company’s operating efficiency. However, deficiencies may exist in these procedures. A control deficiency exists when the design or operation of a control fails to prevent or detect a material misstatement on a timely basis.

Internal control deficiencies occur for two reasons. Firstly, they may arise when a company does not have internal controls to prevent or detect material misstatements. In this case, the absence of internal controls causes the deficiency. Secondly, they may arise when existing controls fail to detect or prevent material misstatements. In this case, internal controls exist but are flawed.

How to evaluate the Control Deficiencies of a company?

Control deficiencies relate closely to proper internal controls. Internal control deficiencies exist when internal controls fail. Therefore, auditors must evaluate a company’s internal controls to identify control deficiencies. In this regard, the COSO framework for assessing internal control deficiencies provides guidance to auditors.

The COSO framework provides five fundamental areas for internal controls. Therefore, auditors need to examine these areas to evaluate the control deficiencies of a company. Auditors must follow the steps below to use the framework to identify control deficiencies.

Assess the Control Environment

The first requirement for a system of internal controls is a control environment. A control environment sets the tone for a company’s overall internal control procedures. Auditors must assess a company’s control environment to get a general overview of its operations. This environment can provide insight into the company’s overall internal control structure.

If auditors deem the control environment satisfactory, it will have a positive impact on further assessments. However, if this environment does not meet the required standards, auditors will be more sceptical in further investigations.

Evaluate Risk Assessment

Risk assessment is the process in which companies evaluate their risks. This process also acts as a base for the internal control systems that companies apply, because companies choose their internal controls based on the risk assessment. If this process is unsatisfactory, it is likely that the company will employ inappropriate internal controls.

Auditors need to understand the process behind the internal controls used. For that, they need to evaluate the company’s risk assessment process. Any deficiencies in this process can cause problems in the internal controls employed by the company.

Investigate Control Activities

The risk assessment process applies to the company as a whole. Control activities, on the other hand, are more specific. These are internal controls that companies have employed in specific areas. As mentioned, these controls will depend on the risk assessment process. On top of that, the effectiveness of such activities also relates to the control environment.

Investigating the control activities is a detailed process. Auditors will need to use a hands-on approach in this step to assess a company’s internal controls and identify deficiencies. Auditors must evaluate primary internal control activities such as segregation of duties, performance reviews, authorization, etc.

Examine Information and Communication Systems

Information and communication systems play a supporting role in a company’s internal controls. Among these are the financial information systems that relate to a company’s financial statements. For auditors, this is an area of interest as it binds internal controls and financial systems together, so it is crucial to examine the information and communication systems.

Any deficiencies in the information and communication systems can have an impact on the company’s financial systems. Therefore, auditors need to evaluate these systems to identify any control deficiencies.

Analyze Monitoring Activities

Once companies employ internal control systems, they need to monitor them. This process helps identify any deficiencies within any of the above processes. On top of that, it also allows companies to evaluate risks and adapt to any changes. Auditors also need to focus on monitoring activities to identify control deficiencies.

Any deficiencies within the monitoring activities imply that the company failed to identify deficiencies on its own. Auditors need to consider both the frequency of any monitoring activities and their quality.


Internal control deficiencies exist when internal controls fail to prevent or detect material misstatements. Auditors need to evaluate control deficiencies as a part of their work. There are five factors that they can consider based on the COSO framework. Based on these five areas, auditors can evaluate the control deficiencies of a company.

