Management is ultimately responsible for establishing and implementing internal controls. Both the COSO literature and the GAO’s Green Book make that very clear.
But because auditors use internal control concepts extensively in their work, the line can get blurred regarding management and auditor responsibilities for internal control. You see, the COSO model and the Green Book are embedded in auditing standards, so auditors are usually required to consider controls on their audits. And maybe because auditors then end up talking about internal controls more than anyone else in the organization, management may get the mistaken idea that they can rely on the auditor to take care of internal controls.
So in an effort to clarify management and auditor responsibilities for internal control, in this article, I will address the auditor’s perspective on internal controls.
Here are the points I want to make regarding an auditor’s approach to internal controls:
- How strong controls give the auditor confidence in their conclusions
- Which steps of the audit involve internal controls
- What a control test looks like, and how a control test supports the audit report
- How auditors are required to react to weak controls
Strong controls give the auditor confidence in their conclusion
GAO and AICPA audit standards require auditors, who provide a high level of assurance that a subject matter meets given criteria, to consider controls throughout their audits. Why? Because strong internal controls let auditors know if they can believe what they see as they gather evidence to support their conclusions. Weak internal controls make auditors doubt their conclusions. Consider this quote from the Yellow Book about evidence:
Yellow Book 8.104 a. Evidence obtained when internal control is effective is generally more reliable than evidence obtained when internal control is weak or nonexistent.
For instance, let’s say an auditor chooses to sample 30 credit card charges out of 1500 credit card charges to determine whether the coach’s purchases were business related or personal in nature. And let’s say that all 30 tests show that the coach’s purchases are business related.
If the auditors know that the school district has strong controls over credit card purchases, the auditor can confidently conclude that yes, everything is on the up and up, and the auditor can move on to tackle another audit objective because the auditor has put this objective to rest.
If, however, the controls are weak, the auditor has to wonder if maybe the sample didn’t scoop up the coach’s bad behavior, and the auditor feels less confident in the testing results. The auditor may have to do some additional testing or a different kind of testing to comfortably conclude that the coach is not making personal purchases.
In other words, if the auditee has weak controls, the auditor’s test results are less convincing to the auditor. And auditors are not going to put their professional name behind a conclusion (a conclusion that assures the reader that the subject matter meets given criteria) they don’t believe in.
Auditors do not always have to work at a high assurance level. Some audit standards allow auditors to get less assurance that the subject matter meets the criteria. These are sometimes called reviews or agreed-upon procedures. And when an auditor is seeking limited assurance, they follow simpler standards, and these standards sometimes allow them not to worry about controls.
Which steps of the audit involve internal controls?
In an audit where the auditor is providing a high level of assurance that the subject matter meets the criteria, the auditor must consider controls in every phase of the audit: in the planning phase, the fieldwork phase, and the reporting phase.
Consider this step-by-step process for conducting an audit and note how many times internal controls are mentioned:
Planning phase:
1. Receive vague audit assignment
2. Gain a general understanding of the audit subject and general control structure
3. Choose relevant criteria to evaluate the subject matter against
4. Break the audit subject into pieces
5. Evaluate inherent risk for each of the pieces
6. Refine objective and define sub-objectives
7. Evaluate controls for each objective and sub-objective and determine key controls
8. Design relevant tests – including substantive/compliance and control tests
9. Allocate resources to the testing
Fieldwork phase:
10. Formalize the audit program
11. Perform substantive/compliance tests and control tests
Reporting phase:
12. Write findings regarding fraud, waste, abuse, non-compliance, misstatements, control weaknesses
13. Conclude against objectives
14. Finalize report
Look how many times in that process I mentioned controls: Step #2, Step #7, Step #8, Step #11 and Step #12! An auditor’s evaluation of the strength of the auditee’s controls shapes their audit and impacts their eventual audit conclusion that the subject matter meets the given criteria.
What kind of test is the auditor performing?
Let’s focus on step #11 – perform substantive/compliance tests and control tests – for a few minutes. Every time the auditor performs a test, they need to be conscious of how the results support their audit conclusion. Ultimately, the auditor is interested in whether the coach used his card for personal purchases. The question of how he got away with it is usually of lesser importance to an auditor.
Let’s say our internal control objective is: Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?
An auditor might also use that as their audit objective. But they are more likely to write an audit objective that sounds like this: Is the coach using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?
Did you catch the difference? The auditor’s objective is asking whether the coach used his card for personal purchases. The control objective we have been using throughout the book is asking whether the entity had any controls in place to deter him from using his card for personal purchases. The auditor’s objective is missing the words ‘controls in place.’
The auditor may or may not be concerned about controls, as we discussed above. The auditor has to be very clear what question he is asking because the question dictates the type of test the auditor must perform. Phrasing the audit objective without the term ‘controls’ allows the auditor to focus on whether the coach actually broke the rules instead of only looking at whether controls were in place to keep him from breaking the rules. Auditors find this demarcation so important that they label their audit tests in two categories.
What is a control test?
In general, auditors talk about audit tests as either control tests or substantive/compliance tests.
The term ‘substantive’ usually applies when the auditor is testing quantities, and the term ‘compliance’ is used when the auditor is testing another quality of the subject matter that does not involve dollars, such as eligibility. A substantive/compliance test asks whether the subject matter meets the criteria.
A control test asks why the subject matter did not meet the criteria. Auditors need to tell the user of the audit report if the coach used his card for personal purchases (the substantive/compliance test), but the auditor might also tell the users why he was able to do this without being caught (the control test).
Is it possible that the coach did not use his card for personal purchases even though there were no controls in place? Sure, maybe he is an honest man. Is it possible that the school has controls in place, but the coach still managed to buy some personal items with his card? Yes, that is possible, too. Here is a quote from the Green Book about that:
OV1.07 An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, an internal control system cannot provide absolute assurance that all of an organization’s objectives will be met. Factors outside the control or influence of management can affect the entity’s ability to achieve all of its objectives. For example, a natural disaster can affect an organization’s ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives.
So if the auditor wants to answer the question “Did the coach use his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?,” then the auditor could choose a sample of transactions from the credit card statement, match the transactions to the receipts and then compare the transactions to Grace School District Policy #C7.459 to determine if any of the purchases were personal. The auditor would likely call this a compliance test although some auditors may call it a substantive test.
To find out why or how the coach was able to use his card for personal purchases, the auditor could also look at the documents that evidence that the accounting department matched purchases on the credit card statement to receipts and compared them to policy each month. That would constitute a control test.
If the control test turns out well and the compliance test turns out well, the auditor can confidently conclude that the coach is not making personal purchases.
How auditors react to weak controls
If either one or both of the tests do not turn out well, then the auditor will probably write a finding and report the problems to management. The finding could look like this:
CONDITION: The coach is making personal purchases with his purchasing card.
EFFECT: 7 out of 30 transactions tested from a population of 1500 transactions were for personal items such as family meals, alcoholic beverages, and a gas grill.
CAUSE: Accounting did not reconcile credit card purchases from the credit card statement to actual receipts for 9 months out of the year.
CRITERIA: Grace School District Policy #C7.459 prohibits the use of the credit card for personal purchases and defines business purchases as bla bla bla. Accounting department policy #18a requires the accounting department to perform monthly reconciliations of the credit card statement to receipts and to verify the business purpose of all purchases.
RECOMMENDATION: We recommend that the coach reimburse the district for personal charges. The district should confiscate the coach’s card. The accounting department should perform reconciliations of the credit card statement to receipts monthly to verify that purchases are business related.
Notice that the condition statement is supported by a compliance or substantive test and the cause is supported by a control test.
How will an auditor react if the client refuses to improve?
What happens next is where the line can get blurred regarding management and auditor responsibilities for internal control. Let’s assume that the auditor includes the above finding in the audit report and recommends the auditee act to correct the problems.
What if the auditee does not accept the auditor’s recommendation? What if the auditee doesn’t want to discipline the coach because he has taken the team to the state championship for the past three years? What is the auditor going to do now?
If the audit report makes it into the hands of the oversight body and grantors, the auditor – technically – does not have to do anything further because they have fulfilled their responsibility. They sought assurance that the credit cards were being used for business purposes, and they reported that they were not being used for business purposes. The auditor suggested improvements and shared the results with all stakeholders. Now the matter is in management’s hands.
The auditor is not responsible for internal controls, only for evaluating internal controls relevant to their audit objective and reporting any weaknesses. The auditor has zero power or responsibility to change internal controls so that the coach ceases his bad behavior.
But that doesn’t mean the auditor is going to let the issue drop. Depending on the audit standards they are following, they might have a professional responsibility to follow up on the finding and report management’s progress.
Even without the prompting of a standard, the auditor might be more tenacious and decide not to let the issue drop. An auditor has a variety of techniques at their disposal to prompt the client to make the change.
The auditor may hold a formal meeting with the oversight body to impress upon them the significance of the issue. Depending on the culture of the organization, an informal chat on the bleachers at the state championship game with the chairman of the school board would be more apt to elicit change than a detailed audit report and formal meeting.
If the same auditor performs the audit next year, the auditor may expand the audit to include purchasing cards in other areas of the school and more findings may ensue.
The client’s refusal to do anything about the issue may prompt the auditor to elevate the category of finding from a ‘significant deficiency’ to a ‘material weakness’ in next year’s report. In other words, a minor finding (a significant deficiency) can become major (a material weakness) if the auditee refuses to take the auditor’s advice to strengthen controls.
The auditor can intensify the tone of the audit findings in the next year’s report by describing the situation in harsher terms and quantifying results in dramatic, eye-catching ways. The auditor can qualify their audit conclusion in future reports.
If the auditee still won’t respond, auditors can remind the auditee of who else will be reviewing the report. A friend of mine, an internal audit director of a large state agency, could not get one of the divisions of the agency to improve controls after several meetings. Eventually, she reminded the division director that her report would be shared with the state auditor’s office, and the state auditor may have questions for the division director about why he refused to implement the control. So the next day, the division director sent her a fully developed plan of action for implementing every one of her recommendations!
If none of these techniques elicits change, the auditor may choose not to perform the audit the following year. As you know, auditors are often criticized once a negative behavior comes to light that the auditor didn’t uncover. In order to avoid criticism and a possible lawsuit, auditors will sometimes write a damning report, and then walk away from the client before the next risk hits the fan.
A client that refuses to acknowledge the auditor’s recommendations is likely engaging in other negative behaviors. An uncooperative client, obviously, does not exhibit a strong ‘tone at the top,’ which is the very first principle necessary for a strong control structure mentioned in the Green Book and the COSO literature!
What if the recommendations are not practical?
Now what if the reason the recommendations are not being followed is that the client is small and can’t implement the auditor’s recommendations because they are costly and impractical? Here the auditor gets in a bit of a bind. The auditor knows that their small clients are never going to implement all 17 principles of the COSO model, but they also know that their client is at risk of something bad happening if they don’t implement more controls.
Auditors have a professional responsibility to let all stakeholders know about the risks their auditee is taking by not investing in controls. And at the same time they know their clients can’t afford to invest any more money in controls.
In a case like this, the auditor might just mention the issue in a report once and let it go. Or the auditor could bring the issue up year after year in the audit report, but not escalate the matter if the auditee does nothing about it. Each auditor will approach their responsibility differently depending on the auditor’s tenacity, their relationship with their client and their judgment about what is best for everyone involved.
How tenacious is your auditor?
Final thoughts on management and auditor responsibilities for internal controls
In the 1980s, when I started my career in auditing, everyone in auditing gave lip service to internal controls and understood internal controls in a vague sort of way. We knew that the same person that received the checks should not also deposit the checks and perform the cash reconciliations.
But the ideas of right and wrong procedures were not well documented and instead were passed down orally from one generation of auditors to another. If you had a good boss, they would teach you the ropes and point you to a few tools to help you out. If not, you were left hanging because there was no comprehensive literature to turn to.
Organizations that tried to do the right thing hired people who knew the ropes. Managers of organizations who didn’t care about doing the right thing – or who didn’t know how to get their act together – struggled along.
Now, with the advent of the COSO model and the internet, we all (auditors and organization managers alike) have a standard that tells us how to get our act together. Great minds who work with complex entities have spent time thinking about what ideal controls should look like. And because the internet lets these great minds share their ideas easily, we have a document that we can access easily that collects their wisdom and advice in one place!
And these great minds didn’t stop with one draft; the more they think about and use the standard, the more they learn and the more they share.
I expect even more clarity and wisdom to evolve from these efforts, and maybe, one day, all of us can get our acts together because we know both what is right and how to make it right.
Truth! Justice! Order! And the American Way! Wait… isn’t that Superman’s line?