07.19.21 | Assurance Chat
Auditors are required to gain an understanding of the internal control environment at the client (which is not an audit of internal controls) in order to identify and assess the risks of material misstatement. While gaining that understanding, auditors have a unique opportunity to use the knowledge gained to provide a value-added “bonus” to the client well beyond the audited financial statements. The internal control communications to those charged with governance and management provide a forum for discussing innovative ideas to improve internal controls, streamline operations, and cut back on expenses. Doing so shows that the auditors care about clients and the success of the business, which strengthens the relationship and trust with the client.
Where to Start?
Throughout the audit process, auditors use their professional judgment to compile a list of internal control weaknesses and operating inefficiencies that may warrant attention. These weaknesses and inefficiencies are considered deficiencies if management and/or employees would not be able to prevent, detect, or correct misstatements on a timely basis in performing their normal duties. Controls may be missing in their entirety or poorly designed and not working effectively, or the assigned personnel may lack the competence or authority to perform the control.
AICPA standards specifically require auditors to communicate two types of deficiencies to management in writing:
- Material weakness: This is defined as “a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.”
- Significant deficiency: This type of deficiency is similar to a material weakness but “less severe than a material weakness yet important enough to merit attention by those charged with governance.”
Operating inefficiencies and other deficiencies in internal control are not necessarily required to be communicated in writing. Most auditors include these less significant items in their internal control communications to inform the client about risks and opportunities to improve operations. The auditors and the client need to look at all of the weaknesses and inefficiencies, individually and in the aggregate, to get a full picture of the client’s control environment. The presentation and discussion of the auditors’ findings serve as the jumping-off point to demonstrate an understanding of the business, the risks related to the business, and suggestions for improvement.
What Should Be Communicated?
Typically, internal control deficiencies identified during an audit cover a broad range of topics, including, but in no way limited to, segregation of duties, account reconciliations, physical asset security, credit policies, employee performance, safety, cybersecurity, and expense reduction. The following three elements constitute the discussion of a deficiency:
- Observation: Describe the condition, identify the root causes (if possible) and explain the necessity for improvement.
- Impact: Quantify the deficiency’s potential monetary effects and identify any qualitative effects, such as decreased employee morale or delayed financial reporting.
- Recommendation: Suggest one or more solutions or list alternative approaches to address the issue.
The communication should focus on how the leaders of the entity look at the business. The focus will be on those items which have the potential to keep the business’ leaders up at night.
When the auditor delivers the audited financial statements, pay close attention to the related internal control communication and compare it to the previous year. Quite often, the same items recur year after year, potentially highlighting areas in which to start making improvements. Target these areas and set goals using the elements in the internal control communication to manage projects and track the results.
Business enhancements enrich the auditor/client relationship, evolving the auditor into a trusted professional.
Questions? I can be reached at 516.806.1193 | BMannFalk@berdonllp.com or reach out to your Berdon advisor.
Bonnie Mann Falk is a Partner in the Quality Control (QC) Department of Berdon LLP with nearly 30 years of experience in public accounting and expertise in a variety of areas including quality management, compliance, and risk management. As a QC Partner, Bonnie advises the Firm on policies and procedures to enhance quality, increase efficiency, and elevate communication.