Understanding and Documenting Internal Control for CPA Exams
Effective internal control is a cornerstone of financial reporting and auditing. For CPA candidates, a deep understanding of its components, objectives, and documentation methods is crucial for success on the Auditing and Attestation (AUD) section of the exam. This module will guide you through the essential concepts.
What is Internal Control?
Internal control refers to a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
Components of Internal Control (COSO Framework)
The most widely accepted framework for internal control is the one developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It outlines five integrated components that work together to achieve the entity's objectives.
| Component | Description | Key Elements |
|---|---|---|
| Control Environment | The foundation for all other components, setting the tone of an organization. It influences the control consciousness of its people. | Integrity and ethical values, commitment to competence, board of directors or audit committee participation, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, human resource policies and practices. |
| Risk Assessment | The entity's process for identifying and analyzing risks to the achievement of its objectives. | Objectives setting, risk identification, risk analysis, fraud risk assessment, assessment of changes. |
| Control Activities | Policies and procedures that help ensure management directives are carried out. | Segregation of duties, authorization and approval, reconciliations, performance reviews, physical controls, information processing controls (general and application). |
| Information and Communication | The systems that identify, capture, and exchange information in a form and timeframe that enable people to carry out their responsibilities. | Relevant information, internal communication, external communication. |
| Monitoring Activities | The process of assessing the quality of internal control performance over time. | Ongoing evaluations, separate evaluations, reporting deficiencies. |
Documenting Internal Control
Auditors must understand and document the client's internal control system to plan the audit and determine the nature, timing, and extent of audit procedures. Common documentation methods include:
Flowcharts are graphical representations that depict the flow of transactions and the related controls within a business process. They use standardized symbols to show the sequence of operations, decision points, and the individuals or departments involved. Flowcharts are excellent for visualizing the 'walkthrough' of a transaction from initiation to completion, highlighting where controls are applied at each stage. For example, a flowchart might show a sales order being entered, credit being checked, inventory being picked, and the invoice being generated, with specific control points like 'credit approval' or 'inventory count verification' clearly marked.
Text-based content
Library pages focus on text content
Other common documentation methods include narrative descriptions and internal control questionnaires (ICQs).
Narrative Descriptions
These are written descriptions of a client's internal control system. They detail the flow of transactions, the responsibilities of personnel, and the controls in place at each step. Narratives are useful for complex processes where a flowchart might become too cluttered.
Internal Control Questionnaires (ICQs)
ICQs are standardized questionnaires used to assess the design of internal controls. They ask specific questions about the existence and application of controls. A 'yes' answer generally indicates the presence of a control, while a 'no' suggests a potential deficiency. ICQs are efficient for gathering information but may not capture the nuances of a process as well as narratives or flowcharts.
Walkthroughs
A walkthrough is a procedure in which an auditor follows a transaction from its origination through the company's accounting system until it is reflected in the financial statements. This is done by tracing a small number of transactions through the accounting system. Walkthroughs are performed to confirm the auditor's understanding of the client's internal control system and to identify potential control deficiencies.
Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
Assessing Control Risk
After understanding and documenting internal controls, auditors assess control risk. This involves evaluating the effectiveness of the design and operation of internal controls. If controls are deemed effective, the auditor may be able to reduce substantive testing. Conversely, if controls are weak, more extensive substantive procedures will be required.
Remember, the goal of understanding and documenting internal control is to identify potential misstatements and design an audit strategy that addresses those risks effectively.
Learning Resources
The official and comprehensive framework document from COSO, detailing the five components and their principles. Essential for a deep understanding.
An article from the AICPA that provides a concise overview of internal control concepts relevant to auditors and CPA candidates.
A broad overview of internal control, its history, objectives, and common frameworks, offering context and definitions.
Auditing Standard No. 1105 from the PCAOB discusses audit evidence, including how auditors document their understanding of internal control.
Investopedia provides a clear explanation of internal control systems, their purpose, and key components with practical examples.
A Journal of Accountancy article that delves into the auditor's perspective on understanding and testing internal controls.
Corporate Finance Institute offers a practical guide to internal control systems, including their objectives and common examples.
A blog post specifically tailored for CPA exam preparation, focusing on how internal control is tested and what candidates need to know.
A video tutorial that visually explains the COSO framework and its five components, aiding comprehension through visual aids.
This video demonstrates and explains the different methods auditors use to document their understanding of internal controls, including flowcharts, narratives, and questionnaires.