To judge the reliability of a client's internal control procedures, you first have to be aware of the five components that make up internal controls. For each client, you need to understand each component in order to effectively plan your audit. Your understanding of these components lets you grasp the design of internal controls relevant to the preparation of financial statements.
That understanding also enables you to verify whether each internal control is actually in operation.
Many models have been established to help your clients identify and offset control risk. The Sarbanes-Oxley Act of 2002 recommends the Committee of Sponsoring Organizations (COSO) model as a means for companies to identify and mitigate risk that can lead to financial misstatement.
The COSO model is just one representation that can be used, and at its heart it guides management through the implementation of a control framework that's measurable and targeted at reducing risk.
Here are the five components of internal controls:
Control environment: This term refers to the attitude of the company, management, and staff regarding internal controls. Do they take internal controls seriously, or do they ignore them? Your client's environment isn't very good if, during your interviews with management and staff, you see a lack of effective controls or notice that previous audits show many errors.
Risk assessment: In a nutshell, you should evaluate whether management has identified its riskiest areas and implemented controls to prevent or detect errors or fraud that could result in material misstatements (errors that cause net income to change significantly). For example, has management considered the risk of unrecorded revenue or expense transactions?
Control activities: These are the policies and procedures that help ensure management's directives are carried out. One example is a policy that all company checks for amounts more than $5,000 require two signatures.
Information and communication: You have to understand management's information technology, accounting, and communication systems and processes. This includes internal controls to safeguard assets, maintain accounting records, and back up data.
For example, to safeguard assets, does the client tag all computers with identifying stickers and periodically take a count to make sure all computers are present? Regarding the accounting system, is it computerized or manual? If it's computerized, are authorization levels set for employees so they can access only their piece of the accounting puzzle? For data, are backups done frequently and kept offsite in case of fire or theft?
Monitoring: This component involves understanding how management monitors its controls and how effectively. The best internal controls are worthless if the company doesn't monitor them and make changes when they aren't working. For example, if management discovers that tagged computers are missing, it has to put better controls in place. The client may need to establish a policy that no computer gear leaves the facility without managerial approval.