by Diane M. Zimmerman, CPA, Director, Baden, Gage & Schroeder, LLC

 
In 2006, policy makers for auditors of non-public companies set new standards that introduced a comprehensive audit methodology that differs significantly from the way audits have been performed for the past three decades.  One of the key elements in the new standards is the requirement that auditors evaluate the design effectiveness of an entity's system of internal control.

Internal controls can be further classified as "entity level" controls or "activity level" controls.

Entity Level Controls

Entity level controls normally have a permeating effect on the other control components. For example, if management demonstrates a poor attitude toward hiring, training and promotion, the chance of the accounting department having the ability to produce accurate financial statements is significantly reduced.  Entity level controls can influence the design and operating effectiveness of other controls and will likely influence how the auditor evaluates other controls.

Examples of entity level controls include:

  • Communication and enforcement of integrity and ethical values
  • Conservative attitude in managing business
  • Organizational structure conducive to efficiency and effective communication
  • Appropriate assignment of authority and responsibility
  • Hiring, training and promotion policies
  • Policies and procedures to prevent or detect fraud

Activity Level Controls

Activity level controls relate to a particular class of transactions, account balances or financial statement disclosures.  Generally, a business has three to six significant, distinct business activities, which may include:

  • Sales/accounts receivable/revenue recognition/cash collection
  • Purchases/accounts payable/expenses/cash disbursements
  • Inventory
  • Debt/interest expense
  • Hiring/payroll

Controls in each of these activities will affect a more limited portion of the financial statements and will directly affect the nature and timing of other auditing procedures for that activity.  Examples of activity level controls include:

  • Segregation of accounts payable transaction processing from bank reconciliations
  • Approval requirements for new vendors
  • Regular bank account reconciliation
  • Time card approval policies
  • Authorization for pay rate changes

Under the new standards, auditors are required to evaluate whether the design of internal control is such that the combination of controls is capable of effectively detecting or correcting material misstatements in the financial statements.  Understanding the nature of a control will enable an effective risk assessment, which will enable an effective and efficient audit strategy.
