Internal Controls the Generalized Lack

¶ … Internal Controls

The generalized lack of literary interest in the field of internal controls can be attributed to the perception that internal controls do not represent core organizational processes. Core organizational processes are product manufacturing or service delivery activities, those which directly serve the customers and retrieve income. But it is also true that the core operations could not be completed without the continuous completion of internal controls which ensure the correctness of the organizational processes and that of organizational budgeting, reporting and so on.

In order to ensure that a process of internal control is able to adequately answer the control need of the entity, it should be conducted onto three gradual stages. At the first stage, it is of the utmost importance for the audit party to ensure that they understand the control system and needs of the client; additionally, it is required that they conduct an analysis to document the understanding of the internal control. At the second stage, the audit team would conduct a preliminary assessment of the control risk. Finally, at the third stage, it would test and reassess; this virtually means that it would "perform tests of controls audit procedures [and] re-assess control risk" (Phases of a Control Evaluation PowerPoint).

At a more specific level, control audit elements at each of these three phases would include:

Phase 1: Understanding

In order to understand the control processes within an organization, it is necessary to conduct sustained interviews with several organizational players. Traditionally, it could be accepted that these interviews only target the control managers, but it is also true that organizational leaders might feel a necessity to present an improved version of the organization and its control functions and processes. In this order of ideas, it would also be necessary to conduct interviews with the staff members -- with those employees conducting the control, but also with those employees observant or otherwise integrated in the control processes.

As a parenthesis, it should be noted that employees are often reticent to participating in organizational evaluations by external auditors as they fear managerial repercussions for their answers. In order to reduce this threat, the auditor could promise to only communicate the result of the audit to the managerial team and keep employee information private. Such a measure would increase the chances of an objective and more realistic audit, which would also lead to more reliable results.

At the level of assessing the understanding of organizational employees' of the internal control process, the following questions should be answered:

Are all the organizational staff members -- in all divisions, including accounting, human resource management, and others -- aware of the current legislations and conducting all of their operations in accordance with the laws?

Do the organizational staff members implement prudential and preventive actions, even when these are not literally required by law?

Do the employees prepare reports and request the approval of their supervisors in the implementation of actions?

Are the communications among employees and between employees and managers adequate, in terms of efficiency and sufficiency? (IDAHO Management Control System)

Phase 2: Assessing

During the assessment stage, the auditor would be presented with the necessity to gather information from all organizational documents, including stock records, income statements, balance sheets, cash flow statements, annual reports and so on. They would have to conduct their own analysis and ensure that their findings correspond to the findings of the internal audit. This implies a comparison of the results of the internal and external audits. Additionally, aside results and documents consulted, it is also necessary to assess the various variables used in the evaluations.

It is for instance possible for the company to alter the findings by focusing on more favorable variables. As a specific example, a financial audit could reveal increased organizational abilities to honor company debts, but this conclusion could solely be founded on the assessment of the company's short-term liquidity, in a context in which the assessment of the long-term liquidity would have revealed financial instabilities. In this order of ideas, the risks of altered results would decrease and the relevance of the findings would increase to better allow the auditor to assess the quality of the internal control systems.

At this stage, the auditors would make use of several technological applications through which to increase the efficiency of the data analysis process. In terms of the financial assessments for instance, they could implement the several AXS-One systems for the analysis of the general ledger, through which they would assess the correctness of the balance entries, the inter-company accounts, the amounts of money used in the consolidation of other subsidiaries or several other financial aspects (AXS-One, 2003).

Particular elements which should be assessed at this stage of the assessment include:

The levels of organizational integrity and ethics

The organizational commitment to competence

The structure of the company and the control processes at each organizational level

The assignment of authority and responsibility

The practices regarding accounting, human resources and other organizational processes (the University of Utah).

Phase 3: Testing

Finally, in the third stage of the control process, it is necessary that tests be conducted on the efficiency of the control mechanisms. Specifically, the following questions should be answered:

Do all the tests conducted respect the pre-established organizational requirements and legislative stipulations?

In terms of organizational compliance with the above mentioned requirements and stipulations, is the degree of compliance adequate?

Do the control systems break into specific sub-task control operations which test particular operations, functions, risks and so on?