Control Activities
Control activities are the policies and procedures that guide employees’ actions to address risks and achieve management’s objectives. Control activities include segregation of duties and controls on information processing.
Segregation of duties should create conditions where no one person is in a position to both perpetrate and conceal errors or irregularities in the normal course of processing information or data. This means procedures for separate custody, authorization, and recordkeeping.
In information processing, the auditor looks for general controls, application controls to check accuracy, completeness, authorization controls over transactions, and document controls.
Internal controls do have limits. Management can override them. If several employees collude, they can evade the controls. There are cost constraints as well. Finally, mistakes, including mistakes in judgment, can make a hash of controls.
In the fieldwork phase, auditors conduct interviews with people responsible for maintaining and preparing financial statements and operational reports. The auditors use various audit techniques to sample, test, and analyze the company’s internal controls. Depending on company procedures, this could involve a paper chase using statistical methods to examine a number of transactions or a computer program that puts several test inputs through the system. The audit team gives frequent progress reports to management, keeping them abreast of preliminary findings.
When fieldwork is done, the audit team goes back to analyze its data and prepare its findings. After they are finished, the auditors make a formal presentation of their conclusions. What you hope for is a letter that says something along the lines of “We looked at these folks using all our good auditing tricks and we conclude that they are pretty good GAAPers.” If there are deviations from GAAP that you agree to change, the audit may mention that they found deviations, but that management is taking corrective action.
What you don’t want is to get into a situation where the auditor sees a discrepancy and brings it to your attention and you disagree that it’s a problem and refuse to do anything about it. Then the auditor will give you a letter finding “material breach” and your stock will tank and the bank will call the loan.
Work with the auditors. They’re really trying to help you. If the auditors find a few things, they may come back in a year or so to see how you’re doing at making the recommended changes
|
Back: Risk Assessment |