Controls protect an entity’s assets against fraud or severe loss, preserve the integrity of financial data and transactions and assure financial, accounting, and regulatory compliance when properly designed and implemented.
Having adequate controls in place is just half the fight; after these controls are in place, an entity must have policies and processes in place to reduce risks to acceptable levels. A healthy control environment will include control procedures that decrease the risk of misstatements and fraud.
Besides, regular and continuous reviews of internal controls will eventually reduce risks to an acceptable level for an entity. The more often an entity analysis assesses and corrects control deficiencies, the more effective it will be at controlling the risks and threats it faces.
While it is primarily the duty of an entity’s management to set suitable control procedures and seek regular assurance that the system is working properly, external auditors also play an important role in assessing control deficiencies.
High levels of inadequacies in the audits of controls continue to be a source of worry. It could be caused by auditors either not being able to completely comprehend the relevant auditing standards or simply not having a thorough understanding of an audit client’s operations.
For the audit client, the implications of such mistakes may be devastating. Depending on the severity of the audit deficiencies and the prominence of the audit client, a client may face a significant loss of resources, assets, or even investor trust.
One of the most famous cases is the Enron scandal where the investors have lost a huge sum of money as its share price dropped from $90 to $1 in just a year’s time.
We can avoid this by properly evaluating control deficiencies.
How to Evaluate Control Deficiencies?
Because the entities’ processes are becoming increasingly complicated, detecting and analyzing control deficiencies may be difficult for both the entities and the external auditors. Here are steps the auditors can take to perform the evaluation:
1) Assess Risks
The underlying risks must be properly assessed before good internal controls can be designed and implemented. An entity must identify and assess risks based on whether its objectives have been attained to decide how these risks may be effectively handled.
One of the common risk areas is fraud. The auditors may use a company’s overall risk assessment strategy to see if sufficient controls are in place and structured appropriately to help deter fraud.
2) Assess the Control Environment
In order to evaluate control deficiencies, the auditor also needs to assess the control environment. This is because the control environment is the basis of the controls as it establishes the tone of an entity and determines how its staff members act or react.
An entity that has a strong control environment will function better as it believes in integrity and ethical principles. This will, in turn, help the entity to attract and retain competent staff who have no problem being held accountable for their control obligations.
3) Identify Existing Controls
Once the risks and control environment is determined, it is time to identify the existing controls. Internal controls will almost certainly exist, regardless of how large or small the organization you are auditing is, even if they are not as sophisticated as they could be.
Nearly every entity has certain controls, such as review and approval processes, password protection to access certain programs, segregation of duties, etc. While it is a good idea to look at how well these controls are working, it would be hard to conduct a thorough audit without first knowing the controls that are in place.
4) Perform the Audit
Now that the controls have been identified, the auditors will perform the audit by gathering audit evidence regarding an identified control. There are many methods to gather audit evidence, they include:
- ● Observing the process as the employees perform them
- ● Assess the monitoring activities in accordance with their frequencies and qualities
- ● Reviewing reports and documents such as invoices, delivery orders, etc.
- ● Testing a sample of transactions
5) Analyse the Information and Communication Systems
Internal communications must be of high quality for controls to work properly. The auditor will also analyze the entity’s information and communication systems as part of an audit, particularly the accounting system, which may have a big influence on report efficiency and accuracy.
One of the ways to look at it is by determining whether the entity is able to create accounting reports that are free of misstatements using the control it has in place. If not, the entity’s accounting system may need to be reassessed or perhaps replaced with an improved version.
6) Determine the Nature of the Deficiency
With all the analyses performed, the auditor will determine the reasons these deficiencies arose. Control deficiencies are mostly caused by design or operational flaws.
A design flaw exists when control fails to reliably deter or identify material misstatements. while there is an operational flaw if control is properly designed yet still causes a misstatement. It could be the person operating the control did not follow all of the procedures required to run the control successfully or simply was not properly trained to perform them.
7) Review the Significance of the Deficiency
Once a deficiency has been discovered, an auditor must determine the severity of the deficiency based on two factors: probability and magnitude. For instance, how probable is it that the faulty control will fail to deter or identify a material misstatement, and what is the extent of the misstatement that might arise due to the faulty control?
A thorough assessment can be performed to determine the magnitude of misstatements caused by a faulty control and its significance once the auditors identify the whole population of transactions that control is meant to address.
8) Identify Additional Audit Procedures to Address the Risks
Lastly, the auditor will perform additional audit procedures to address the risks caused by the faulty controls. This may necessitate more effective implementation or the creation of new control procedures, depending on the risks.