ACC 544
CHECKLIST FOR EVALUATING INTERNAL CONTROLS
Introduction
“In response to the number of major corporate accounting scandals rocking the financial world (e.g., Enron, WorldCom, Xerox, KMart, etc.), on July 30, 2002, Congress passed the most wide-sweeping financial reporting legislation since the 1930s (when it established the Securities and Exchange Commission). The Sarbanes-Oxley Act is intended to strengthen corporate financial reporting by assessing stiffer criminal penalties for white-collar crimes, increasing management accountability, and enhancing auditor independence. The act is very specific about management's responsibility for organizational internal control” (University of Phoenix, 2007, para. 6). According to the University of Phoenix Auditing and Assurance Services, Chapter Five, 2007, the auditor has two primary reasons for conducting an evaluation of a company's internal control: (1) All publicly traded companies are required to have an audit of management’s assessment of internal controls, and (2) it is used to assess control risk and help the auditors in planning the audit and determining the nature, timing, and extent of audit procedures.
The most effective way to gather information and evidence about control objectives is to conduct an interview with management using a “checklist type of internal control questionnaire” (University of Phoenix, 2007). The following example will assist in evaluating whether any controls are at risk:
Control Environment
YES
NO
1. Does management set an example of integrity and ethical behavior?
2. Is there a formal, written code of conduct for management and employees? Is it reinforced by training and communication from the top down?
3. Is it made clear to all within the organization that fraud at any level will not be tolerated?
4. Is there a process in place to resolve ethical issues/questions?
5. Is a formal hiring process in place?
6. Are employee responsibilities clearly defined in written job descriptions?
7. Are employees trained to obtain the necessary knowledge and skills required for their position?
8. Are personnel adequately supervised?
9. Is inappropriate behavior consistently reprimanded?
10. Is there an organized evaluation process in place?
11. Are compensation decisions based on a formal process?
Risk Assessment
1. Does management develop strategies and objectives?
2. Is the Board of Directors involved in setting strategy and is the process formal?
3. Is the process realistic?
4. Is the process evaluated and updated periodically?
5. Does management perform risk assessment at every level of the company?
6. Is sufficient information gathered and risks linked?
7. Is the risk assessment updated periodically?
8. Are employees at all levels represented in the establishment of objectives?
9. Are processes in place to minimize risks?
10. Are both long and short range plans developed?
11. Are external advisors consulted as needed?
12. Are mechanisms in place to identify, prioritize, and react to routine events, economic changes, regulatory changes, and technological changes?
Control Activities
1. Are there policies and procedures and are they current?
2. Does staff have access to the policies and procedures?
3. Does management monitor staff performance against objectives and budgets?
4. Are reviews made of actual performance compared to objectives from previous periods?
5. Are unexpected operating results or unusual trends investigated?
6. Are accounting statements and key reconciliations completed timely?
7. Are controls in place to monitor the accuracy and completeness of information as well as authorization of transactions?
8. Are equipment, supplies, inventory, cash and other assets physically secured?
9. Are financial duties divided among different people?
10. Do employees understand which records they must maintain and the required retention period?
11. Does the company have a disaster response and recovery plan?
12. Are system operations documented; software appropriately acquired, access to the system controlled, and the system maintained in a secure environment?
13. Are key data and programs appropriately backed up and maintained?
Information and Communication
1. Is information evaluated and classified based on level of integrity?
2. Are individuals with access to information trained to understand their responsibilities?
3. Is information reliable and relevant?
4. Does management promote trust between employees, supervisors, and other management?
5. Are employees who violate company policy disciplined and are management's communications and actions consistent with the policies?
6. Are employees encouraged to provide recommendations for improvement?
7. Are there formal methods used to communicate policies and procedures, written codes of conduct, and acceptable business practices?
8. Are standards and expectations communicated to key outside groups or individuals?
9. Are employees kept informed of important matters and able to communicate problems to persons with authority?
10. Is information shared with outside evaluators?
Monitoring
1. Does management routinely spot check transactions, records and reconciliations?
2. Are accounting policies defined and adopted after appropriate consideration?
3. Are accounting policies communicated in writing?
4. Are policies defined for developing new systems or changes to existing systems?
5. Are budgets compared to actual results and deviations followed up on a timely basis?
6. Is data compared to industry standards?
7. Are vendor complaints and compensation analyzed?
8. Are customer complaints and compensation analyzed?
9. Are reports completed in compliance with applicable laws and regulations?
10. Is information provided by external auditors about control-related matters considered and acted upon timely?
11. Does management periodically assess employee attitudes, the effectiveness of the organizational structure, and evaluate the appropriateness of policies and procedures?
12. Are internal controls subject to a formal and continuous assessment process?
13. Does management periodically evaluate the accuracy, timeliness, and relevance of its information and communication systems?
(Albany State University, 2014).
The above five components are essential to maximize the effectiveness of the internal control system.
The control environment is the overall attitude, awareness, and actions of management regarding the internal control system and its importance to the business. Risk assessment and analysis promote awareness of issues by identifying internal and external risk factors and increase the achievement of company objectives. Control activities include both preventative controls used to avoid potential problems and detective controls used to detect errors, fraud, and irregularities. Communicating the information from internal and external sources in a reliable, relevant, and timely manner is vital to the operation and control of a company. Monitoring is the last component and entails reviewing and assessing the internal control procedures to evaluate the design, execution, and effectiveness (UCOP, 2010).
Conclusion
“A major goal in performing audits is to be efficient without losing effectiveness” (University of Phoenix, 2007). The importance of internal controls goes beyond preventing risks. They can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency. Internal controls play an important role in preventing and detecting fraud, and protecting assets and resources. Why would a company not want to improve business processes, policy, and its internal environment? (DeepSky, 2010).
References
Albany State University. (2014). Retrieved from https://mycampus.asurams.edu/web/general-internal-audit/risk-assessment
DeepSky. (2010). Retrieved from http://www.deepsky.co/2010/04/the-importance-of-internal-control/
University of California Office of the President. (2010). Retrieved from http://www.ucop.edu/ucophome/businit/boi/docs/03-understanding_internal_control.pdf
University of Phoenix. (2007). Auditing and Assurance Services, Chapter 5. Retrieved from University of Phoenix, ACC 544-Internal Control Systems website