Internal Controls: Significant Business Processes
Identifying and documenting relevant automated and manual internal controls over significant business processes is an essential part of an auditor’s evaluation of an entity’s internal control over financial reporting. Here are the steps an auditor can follow to identify and document these controls:
- Identify significant business processes: Start by identifying the significant business processes that directly or indirectly impact the entity’s financial statements. These processes may include revenue recognition, procurement, inventory management, payroll, or financial reporting.
- Understand the process flow: Obtain an understanding of the process flow for each significant business process, including how transactions are initiated, authorized, recorded, processed, and reported. This understanding can be obtained through interviews, review of process documentation, or observation of the processes in action.
- Identify key control points: Within each significant business process, identify key control points where errors or fraud may occur, and where internal controls are necessary to mitigate those risks. This identification can be achieved by performing a risk assessment of the process and considering the control objectives.
- Identify relevant internal controls: For each key control point, identify the relevant automated and manual internal controls that have been implemented to address the risks. Consider both preventive and detective controls, as well as compensating controls that may be in place if primary controls are not sufficient.
- Assess the design of controls: Evaluate the design of the identified controls to determine whether they are appropriately designed to achieve their control objectives and mitigate the risks associated with the key control points.
- Document the controls: Create clear and comprehensive documentation of the identified controls, including their purpose, process flow, control objectives, and the key control points they address. This documentation may take the form of a narrative description, flowcharts, or a combination of both.
- Perform walkthroughs: Conduct walkthroughs of the identified controls to gain a better understanding of how they operate and to verify that they have been implemented as designed. This involves tracing a sample of transactions from initiation through completion and observing the control activities in action.
- Assess control effectiveness: Based on the walkthroughs and other information gathered, assess the effectiveness of the identified controls in addressing the risks associated with the key control points. This assessment should consider whether the controls are operating as designed and whether they are likely to achieve their control objectives.
- Update documentation as needed: As the audit progresses, and additional information is gathered about the significant business processes and their associated internal controls, update the documentation as necessary to reflect any changes in understanding or the identification of additional controls.
By following these steps, auditors can identify and document the relevant automated and manual internal controls over significant business processes, providing a solid foundation for their evaluation of the entity’s internal control over financial reporting.